Profile Applicability:

  • Level 2

Description:

A daemon-wide custom seccomp profile should be applied to Docker to enhance the security posture of the container runtime. Seccomp (Secure Computing Mode) profiles limit the system calls available to containers, helping to reduce the attack surface by restricting the container’s ability to interact with the host system.

Rationale:

By applying a custom seccomp profile, Docker containers are prevented from using system calls that could be exploited by attackers. Using a custom seccomp profile tailored to the needs of the container environment ensures that unnecessary or risky system calls are blocked, reducing the likelihood of privilege escalation or other types of attacks.

Impact:

Pros:

  • Reduces the risk of privilege escalation by restricting the system calls that containers can use.

  • Increases the overall security of the Docker environment by implementing a policy that applies globally to all containers.

Cons:

  • Misconfiguration of seccomp profiles can result in containers being unable to execute certain operations or applications, requiring careful testing and validation.

  • Managing and maintaining custom profiles can add operational overhead.

Default Value:

Docker applies a default seccomp profile (default.json) unless a custom profile is configured.

Pre-requisites:

  • Docker installed and running.

  • Administrative privileges to modify Docker's seccomp settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check the Docker configuration to verify that a custom seccomp profile is applied.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the seccomp profile being used (the Profile line appears a few lines below the "Security Options" header, so print the lines that follow it):

docker info | grep -A 3 "Security Options"

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Modify the Docker daemon configuration file /etc/docker/daemon.json to specify a custom seccomp profile:

    {
      "seccomp-profile": "/path/to/custom-seccomp-profile.json"
    }

  3. Restart Docker to apply the changes:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to remotely apply the custom seccomp profile and restart Docker. Note that this command replaces /etc/docker/daemon.json wholesale, so any existing daemon settings must be merged into the new file first:

aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=instanceIds,Values=instance_id" \
  --parameters '{"commands":["echo '\''{\"seccomp-profile\": \"/path/to/custom-seccomp-profile.json\"}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]}'
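The remediation above writes daemon.json with a bare echo and gives no way to sanity-check the profile it points at. The following added example (not part of this benchmark) merges the seccomp-profile key into an existing daemon.json without discarding other settings, classifies what a given daemon.json configures, and runs basic structural checks on a custom profile; the sample daemon.json and profile contents are constructed for illustration.

```python
import json

# Actions that do not let the syscall proceed; Docker's own default profile uses SCMP_ACT_ERRNO.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}

# Constructed sample of an existing /etc/docker/daemon.json; these unrelated keys
# are exactly what a bare "echo ... > /etc/docker/daemon.json" would discard.
EXISTING_DAEMON_JSON = '{"log-driver": "json-file", "icc": false}'

# Constructed minimal custom profile: deny by default, allow a short list of syscalls.
CUSTOM_PROFILE = """{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}]
}"""


def merge_seccomp_profile(daemon_json_text: str, profile_path: str) -> str:
    """Return daemon.json text with seccomp-profile set and every other key kept."""
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    config["seccomp-profile"] = profile_path
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def audit_daemon_config(daemon_json_text: str) -> str:
    """Classify daemon.json as 'default', 'unconfined' (seccomp disabled) or 'custom'."""
    value = json.loads(daemon_json_text or "{}").get("seccomp-profile")
    if value in (None, "builtin"):  # no key, or Docker's built-in default profile
        return "default"
    return "unconfined" if value == "unconfined" else "custom"


def check_profile(profile_text: str) -> list:
    """Basic structural checks on a custom profile; an empty list means it passed."""
    try:
        profile = json.loads(profile_text)
    except json.JSONDecodeError as exc:
        return [f"profile is not valid JSON: {exc}"]
    findings = []
    if profile.get("defaultAction") not in DENY_ACTIONS:
        findings.append("defaultAction must deny (e.g. SCMP_ACT_ERRNO), not allow")
    if not profile.get("architectures"):
        findings.append("architectures list is missing or empty")
    rules = profile.get("syscalls")
    if not isinstance(rules, list) or not rules:
        findings.append("syscalls list is missing or empty")
    else:
        for i, rule in enumerate(rules):
            if not rule.get("names") or "action" not in rule:
                findings.append(f"syscalls[{i}] needs a non-empty names list and an action")
    return findings
```

Write the output of merge_seccomp_profile back to /etc/docker/daemon.json and restart Docker, then confirm with audit_daemon_config that the file now reports "custom".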

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert to the default seccomp profile by editing the /etc/docker/daemon.json file:

    {
      "seccomp-profile": "/path/to/default-seccomp-profile.json"
    }

  3. Restart Docker:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert to the default seccomp profile and restart Docker:

aws ssm send-command \
  --document-name "AWS-RunShellScript" \
  --targets "Key=instanceIds,Values=instance_id" \
  --parameters '{"commands":["echo '\''{\"seccomp-profile\": \"/path/to/default-seccomp-profile.json\"}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]}'

References: