Profile Applicability:
Level 1
Description:
Containers should be restricted from acquiring additional privileges beyond what is required. This can be done by ensuring that the container is not running in privileged mode and does not have access to sensitive resources or unnecessary capabilities.
Rationale:
Granting additional privileges to containers increases the attack surface and can lead to the compromise of the host system. By restricting privileges, the security of the containerized environment is improved, reducing the likelihood of a successful attack.
Impact:
Pros:
Enhances security by minimizing the risk of privilege escalation within containers.
Limits the attack surface by ensuring containers only have access to necessary resources.
Cons:
Some containers may require additional privileges to operate, such as access to hardware or specific system resources, which could impact functionality.
Default Value:
By default, containers do not have access to privileged mode unless specified in the Docker run command. However, certain capabilities may still be granted if not explicitly restricted.
Pre-requisites:
Docker must be installed and configured.
Access to the Docker configuration and container runtime options.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance running Docker.
Check if any containers are running with the --privileged flag or have unrestricted access to resources. This can be done by reviewing the Docker run configurations or examining the running containers via the Docker console.
Using AWS CLI:
Connect to the EC2 instance.
Run the following command to check if any containers are running in privileged mode:
docker ps --filter "privileged=true"
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Ensure that no container is started with the --privileged flag by inspecting the Docker run command or editing the Docker Compose file.
If containers are found to be running with additional privileges, stop them and restart with the required permissions using a restricted run command.
Example: docker run --name my_container --cap-drop=ALL my_image
Using AWS CLI:
Use SSM to remotely ensure that containers are not started with the --privileged option.
Run the following command to check for privileged containers:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker ps --filter \"privileged=true\""]'
Backout Plan:
Using AWS Console:
If containers were mistakenly started with privileged access, stop the container and restart it without the privileged flag.
Example: docker stop my_container && docker rm my_container Then, restart without the --privileged flag: docker run --name my_container --cap-drop=ALL my_image
Using AWS CLI:
Use SSM to stop and restart the container without the privileged flag:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop my_container && docker rm my_container && docker run --cap-drop=ALL my_image"]'
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/