Profile Applicability:

  • Level 1

Description:

User namespaces provide a security mechanism that allows processes to have different user and group IDs (UIDs and GIDs) inside the container than they do on the host. This check ensures that the host's user namespaces are not shared with containers, which could lead to security risks if a container is able to escalate privileges.

Rationale:

Sharing a user namespace between the host and a container means that a container process's UID and GID are the same IDs on the host, so a process that is root inside the container is also root on the host, and any container breakout immediately yields host-level privileges. Keeping the namespaces separate isolates the user environments of the host and its containers and limits the impact of such an escape.

Impact:

Pros:

  • Enhances the isolation between the host and containers, reducing the risk of privilege escalation.

  • Aligns with best practices for container security.

Cons:

  • Some applications might need access to shared namespaces, which may require further configuration.

Default Value:

By default, Docker does not share user namespaces between the host and containers unless explicitly configured.

Pre-requisites:

  • Docker installed and running on the host system.

  • Administrative privileges on the host system.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.

  2. Check Docker's configuration file (usually /etc/docker/daemon.json) for any configuration related to user namespaces.

  3. Ensure that no settings are enabling shared user namespaces between the host and containers.

Using AWS CLI:

  1. Connect to the EC2 instance.

  2. Run the following command to verify if the Docker daemon is using a shared user namespace:

docker info | grep -i "userns"
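The grep above only tells you whether the daemon itself reports a user namespace; it does not show whether individual containers opted back into the host's namespace. The following audit helper is an added example, not part of the original check: it applies the same three tests a reviewer would run by hand (the `userns` line under `Security Options` in `docker info`, the `userns-remap` key in `/etc/docker/daemon.json`, and `HostConfig.UsernsMode` in `docker inspect` output) against constructed sample inputs embedded in the script, so it runs offline. The sample texts and container names are assumptions for illustration; on a real host you would feed it the output of the corresponding commands.

```python
import json

# Constructed sample of the "Security Options" section of `docker info`
# (assumption: illustrative text, not captured from a real host).
SAMPLE_DOCKER_INFO = """Security Options:
 apparmor
 seccomp
  Profile: builtin
 userns
"""

# Constructed sample of /etc/docker/daemon.json.
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file", "userns-remap": "default"}'

# Constructed excerpt of `docker inspect` output for two running containers.
# Assumed shape: each entry carries Name and HostConfig.UsernsMode, where
# "host" means the container was started with --userns=host and therefore
# shares the host's user namespace even when the daemon remaps by default.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111", "Name": "/web", "HostConfig": {"UsernsMode": ""}},
    {"Id": "bbbb2222", "Name": "/debug", "HostConfig": {"UsernsMode": "host"}},
])


def info_reports_userns(docker_info_text):
    """True when `docker info` lists 'userns' among its Security Options.

    The match is exact on the stripped line, so it is not fooled by letter
    case or by other lines that merely mention the word."""
    return any(line.strip() == "userns" for line in docker_info_text.splitlines())


def daemon_remap_enabled(daemon_json_text):
    """True when daemon.json sets userns-remap to a non-empty value.

    A missing or empty file is Docker's default: no remapping."""
    if not daemon_json_text.strip():
        return False
    cfg = json.loads(daemon_json_text)
    return bool(cfg.get("userns-remap"))


def containers_sharing_host_userns(inspect_json_text):
    """Names of containers whose HostConfig.UsernsMode is 'host'."""
    return [
        entry["Name"]
        for entry in json.loads(inspect_json_text)
        if entry.get("HostConfig", {}).get("UsernsMode") == "host"
    ]


def audit(docker_info_text, daemon_json_text, inspect_json_text):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    if not daemon_remap_enabled(daemon_json_text):
        findings.append("daemon.json: userns-remap is not enabled")
    if not info_reports_userns(docker_info_text):
        findings.append("docker info: userns not listed under Security Options")
    for name in containers_sharing_host_userns(inspect_json_text):
        findings.append(f"container {name}: started with UsernsMode=host")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCKER_INFO, SAMPLE_DAEMON_JSON, SAMPLE_INSPECT):
        print("FAIL:", finding)
```

With the constructed inputs the daemon passes but the `/debug` container is flagged, which is exactly the case the `docker info` grep alone misses: a per-container `--userns=host` silently re-shares the host namespace.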

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Ensure that the /etc/docker/daemon.json file does not have any settings related to the userns-remap key that would enable the host's user namespaces to be shared with containers.

If necessary, disable user namespace sharing by ensuring that the configuration is set like this:

{
  "userns-remap": "default"
}

  3. Restart Docker to apply the changes:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to ensure that the Docker configuration is updated remotely.

  2. Run the following command to modify the Docker configuration if needed. Note that it overwrites /etc/docker/daemon.json with a single-key document; if the file already holds other settings, merge the userns-remap key into it instead:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo '\''{\"userns-remap\": \"default\"}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]}'
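Both remediation paths above replace the whole of daemon.json, which discards any log-driver, registry or other daemon settings already in the file. The script below is an added example (not part of the original benchmark and not Docker's own tooling) showing how to set userns-remap while preserving the existing keys and writing the file atomically; it exercises itself on a constructed daemon.json in a temporary directory rather than /etc. The sample settings it writes and the path constant are assumptions for illustration, and it deliberately does not restart Docker, which still has to be done separately.

```python
import json
import os
import tempfile

DAEMON_JSON_PATH = "/etc/docker/daemon.json"  # Docker's default daemon config path


def with_userns_remap(daemon_json_text, value="default"):
    """Return (config dict, changed flag) with userns-remap set to `value`.

    Existing keys are kept, so log drivers, registries and other settings
    survive the change instead of being overwritten by a one-key document."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    changed = cfg.get("userns-remap") != value
    cfg["userns-remap"] = value
    return cfg, changed


def write_atomically(path, text):
    """Write via a temp file in the same directory, then rename over the
    target, so the daemon never reads a half-written config."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".daemon.json.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


def remediate(path=DAEMON_JSON_PATH, value="default"):
    """Enable userns-remap in daemon.json at `path`, preserving other settings.

    Returns the resulting config dict and whether the file was modified.
    Docker must still be restarted (sudo systemctl restart docker) afterwards."""
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    cfg, changed = with_userns_remap(existing, value)
    if changed:
        write_atomically(path, json.dumps(cfg, indent=2, sort_keys=True) + "\n")
    return cfg, changed


def demo_on_temp_copy():
    """Run remediate() against a constructed daemon.json in a temp directory
    (so the example never touches /etc) and return what it produced."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "daemon.json")
        with open(path, "w") as fh:
            # constructed pre-existing settings that must survive remediation
            fh.write('{"log-driver": "json-file", "live-restore": true}')
        cfg, changed = remediate(path)
        with open(path) as fh:
            on_disk = json.load(fh)
        _, changed_again = remediate(path)  # second run is a no-op
    return cfg, changed, on_disk, changed_again


if __name__ == "__main__":
    cfg, changed, on_disk, changed_again = demo_on_temp_copy()
    print("changed:", changed, "changed again:", changed_again)
    print(json.dumps(on_disk, indent=2))
```

Run it as root on the host (or through the same SSM document) and follow it with the restart. Enabling userns-remap switches the daemon to a per-remap subdirectory of its data root, so images and containers created before the change are no longer visible to the remapped daemon; plan for re-pulling images or migrating data before applying this on a busy host.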

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.

  2. Revert any changes made to the /etc/docker/daemon.json file.

  3. Restart Docker:

sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the Docker configuration.

  2. Run the following command to remove the change and restart Docker. It resets /etc/docker/daemon.json to an empty document, so any settings the file held before the change must be restored from your backup afterwards:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"{}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]}'

References: