Profile Applicability:

  • Level 1 

Description:

The PIDs cgroup limit ensures that the number of processes in a container is controlled. Without this limit, containers could spawn an excessive number of processes, potentially leading to resource exhaustion or denial-of-service attacks.

Rationale:

Limiting the number of processes that a container can spawn prevents containers from overwhelming the system with too many processes. It helps maintain the stability and reliability of both the container and the host system.

Impact:

Pros:

  • Reduces the risk of a container consuming all available system resources by spawning too many processes.

  • Helps in managing system resources more effectively.

Cons:

  • Setting a very low PID limit can break containers that legitimately require many processes to run properly.

Default Value:

By default, Docker does not set a specific limit on the number of processes a container can spawn.

Pre-requisites:

  • Docker must be installed and configured on the system.

  • Administrative privileges to configure container limits.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.

  2. Ensure the Docker command includes the --pids-limit option.

  3. You can check the PID limit using the following:

docker inspect <container_id> | grep "PidsLimit"

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to inspect the container's PID limit:

docker inspect <container_id> | grep "PidsLimit"

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. When running or creating a container, use the --pids-limit option to set a maximum number of processes:

      docker run --pids-limit 100 my_container_image

  3. Alternatively, update an existing container configuration to include this limit.

Using AWS CLI:

  1. Use the following command to run a Docker container with a PID limit:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --pids-limit 100 my_container_image"]'
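The Test Plan above checks one container at a time by grepping `docker inspect` output. The following script is an added example (not part of the benchmark text) that turns that check into a repeatable audit over every running container and adds a remediation helper. It assumes the `docker` CLI is on `PATH` for the audit and remediation functions; the evaluation function itself runs offline. The interpretation of the inspected value is an assumption drawn from Docker's documented behaviour: `PidsLimit` is `0` (or `<nil>` with the template form) when no limit was configured and `-1` when it was explicitly set to unlimited, so all of those are reported as findings.

```shell
#!/bin/sh
# Added example: audit running Docker containers for a PIDs cgroup limit.
# Not part of the benchmark text. Assumes the docker CLI is available for
# audit_running_containers and apply_pids_limit.

# evaluate_pids_limit VALUE
# VALUE is what `docker inspect --format '{{.HostConfig.PidsLimit}}'` prints.
# Assumption (Docker behaviour): 0 or <nil> means no limit was configured,
# -1 means explicitly unlimited; none of these bounds process creation.
# Returns 0 (PASS) for a positive limit, 1 (FAIL) otherwise.
evaluate_pids_limit() {
  value=$1
  case "$value" in
    ''|'<nil>'|null|0|-1)
      printf 'FAIL: no PIDs limit configured (PidsLimit=%s)\n' "${value:-unset}"
      return 1 ;;
    *[!0-9]*)
      printf 'FAIL: unexpected PidsLimit value %s\n' "$value"
      return 1 ;;
    *)
      printf 'PASS: PidsLimit=%s\n' "$value"
      return 0 ;;
  esac
}

# audit_running_containers
# Prints one verdict per running container; returns 1 if any container fails.
audit_running_containers() {
  rc=0
  for id in $(docker ps -q); do
    name=$(docker inspect --format '{{.Name}}' "$id" | sed 's#^/##')
    limit=$(docker inspect --format '{{.HostConfig.PidsLimit}}' "$id")
    printf '%s (%s): ' "$id" "$name"
    evaluate_pids_limit "$limit" || rc=1
  done
  return $rc
}

# apply_pids_limit CONTAINER LIMIT
# Sets the limit on an already running container without recreating it.
# `docker update --pids-limit` requires Docker 20.10 (API 1.40) or later.
apply_pids_limit() {
  docker update --pids-limit "$2" "$1" >/dev/null
}

# Run the audit only when invoked with --audit, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--audit" ]; then
  audit_running_containers
fi
```

Run `sh pids_audit.sh --audit` on the Docker host (for example through the same `AWS-RunShellScript` SSM document used above) and act on any `FAIL` lines with `apply_pids_limit <container> 100`, or by recreating the container with `--pids-limit` as described in the Implementation Plan.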

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Edit the Docker run command to remove the --pids-limit option (restoring the default) or to set it to a higher value.

  3. Restart the Docker container with:

docker restart <container_id>

Using AWS CLI:

  1. Use SSM to run the container without the PID limit or with a higher value:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run my_container_image"]'

References: