Profile Applicability:
Level 1
Description:
Docker containers should be prevented from acquiring new privileges (such as root privileges) during runtime. This is configured with the no-new-privileges security option (--security-opt=no-new-privileges on docker run, or --no-new-privileges in the daemon configuration so that it applies to every new container). It sets the kernel's no_new_privs flag on the container's processes, so executing setuid/setgid binaries or files carrying file capabilities can no longer grant privileges the process did not already have.
Rationale:
Allowing containers to acquire new privileges opens a privilege-escalation path, especially if the container is compromised. With escalation blocked, a process inside a breached container cannot use setuid/setgid binaries or file capabilities to gain privileges it did not start with, which removes a common first step toward root inside the container and, from there, toward the host.
Impact:
Pros:
Improves security by preventing privilege escalation inside containers.
Helps mitigate attacks where an attacker gains access to a container and tries to exploit the container to escalate privileges.
Cons:
May require additional configuration to ensure all containers are properly restricted.
Some containers may require elevated privileges, so testing is required to ensure compatibility.
Default Value:
By default, Docker containers are not restricted from acquiring new privileges unless explicitly configured.
Pre-requisites:
Docker installed and running.
Administrative privileges to modify Docker daemon or container configurations.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Check whether the no-new-privileges option is applied by inspecting a running container; the command prints true when the option is set and false otherwise:
docker inspect --format '{{.HostConfig.NoNewPrivileges}}' <container_id>
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to verify that the no-new-privileges option is set for the container (expected output: true):
docker inspect --format '{{.HostConfig.NoNewPrivileges}}' <container_id>
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Ensure that the no-new-privileges option is applied to all containers, either by default in the daemon configuration or on each container at runtime. To set it for a single container:
docker run --security-opt=no-new-privileges <other-options> <image-name>
Alternatively, enable it for all new containers by adding the following key to /etc/docker/daemon.json (merge it into the existing file rather than replacing the file, so other daemon settings are preserved):
{ "no-new-privileges": true }
Restart Docker to apply the configuration:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to enable no-new-privileges for all new containers by setting it in the Docker daemon configuration and restarting Docker. Note that the command below overwrites /etc/docker/daemon.json; if the file already contains other settings, merge the key into it instead:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["echo '\''{\"no-new-privileges\": true}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'
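The two helpers below are an added example, not part of the original benchmark text or of Docker/AWS tooling: the first parses the JSON array that docker inspect emits and lists containers running without HostConfig.NoNewPrivileges, and the second merges "no-new-privileges" into an existing daemon.json instead of overwriting the file (enabled=False is the backout path). The inspect output and daemon.json contents are constructed samples.

```python
"""Audit and remediation helpers for Docker's no-new-privileges setting.

Added example, not from the original page. It reads the JSON produced by
`docker inspect <container>...` and rewrites /etc/docker/daemon.json
without discarding unrelated keys (log drivers, registry mirrors, ...).
"""
import json


def noncompliant_containers(inspect_json: str) -> list[str]:
    """Return names of containers whose HostConfig.NoNewPrivileges is not true.

    `inspect_json` is the text that `docker inspect` prints for one or more
    containers: a JSON array of container objects. Docker prefixes container
    names with "/", which is stripped for readability.
    """
    bad = []
    for c in json.loads(inspect_json):
        host_cfg = c.get("HostConfig", {})
        if host_cfg.get("NoNewPrivileges") is not True:
            bad.append(c.get("Name", c.get("Id", "?")).lstrip("/"))
    return bad


def with_no_new_privileges(daemon_json: str, enabled: bool = True) -> str:
    """Return daemon.json text with no-new-privileges set, keeping other keys.

    An empty or whitespace-only file is treated as {} so the helper also
    works on hosts that have no daemon.json yet. enabled=False is the
    backout path; every other key is left untouched.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    if not isinstance(cfg, dict):
        raise ValueError("daemon.json must contain a JSON object")
    cfg["no-new-privileges"] = enabled
    return json.dumps(cfg, indent=2) + "\n"


# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa", "Name": "/web", "HostConfig": {"NoNewPrivileges": True}},
    {"Id": "bbb", "Name": "/worker", "HostConfig": {"NoNewPrivileges": False}},
])

# Constructed sample daemon.json with an unrelated setting that must survive.
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file", "live-restore": true}'

if __name__ == "__main__":
    print("non-compliant:", noncompliant_containers(SAMPLE_INSPECT))
    print(with_no_new_privileges(SAMPLE_DAEMON_JSON), end="")
```

On a host, pipe `docker inspect $(docker ps -q)` into noncompliant_containers and write the output of with_no_new_privileges back to /etc/docker/daemon.json before restarting Docker.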
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Remove the no-new-privileges option from the container's run options, or disable the daemon-wide default by setting the key in /etc/docker/daemon.json to false (or removing it):
{ "no-new-privileges": false }
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to disable the daemon-wide no-new-privileges default and restart Docker (as in the implementation plan, this overwrites /etc/docker/daemon.json; merge the key into an existing file instead):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["echo '\''{\"no-new-privileges\": false}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'
References: