Profile Applicability:
Level 1
Description:
A dedicated user should be created for running Docker containers. This ensures that containers run as their own non-root user rather than with root privileges, reducing the risk of privilege escalation if a container is compromised.
Rationale:
Running containers as root poses a significant security risk because any vulnerabilities or misconfigurations in the container could lead to complete system compromise. By creating a user specifically for containers, you ensure that containers only have access to the necessary resources and cannot escalate to root privileges on the host system.
Impact:
Pros:
Enhances security by isolating containers from the host system.
Prevents containers from using root privileges, limiting potential damage in the event of a breach.
Cons:
Some containers or applications might require additional configuration or permissions to run as a non-root user.
Default Value:
By default, Docker containers are run with root privileges unless explicitly configured to use a non-root user.
Pre-requisites:
Administrative privileges on the Docker host system.
Understanding of the containers that will be run and their user requirements.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify that a non-root user has been created for container execution by checking the /etc/passwd file (the same grep command shown under Using AWS CLI below).
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check if a container user exists:
grep '^<container-user-name>:' /etc/passwd
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Create a non-root user for Docker containers:
sudo useradd dockeruser
Add the user to the docker group to allow it to run Docker commands:
sudo usermod -aG docker dockeruser
Verify the user creation:
grep '^dockeruser:' /etc/passwd
Restart Docker if necessary for the user configuration to take effect.
Using AWS CLI:
Use SSM to create a non-root user and add it to the docker group:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo useradd dockeruser && sudo usermod -aG docker dockeruser"]'
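The following shell script is an added example, not part of this benchmark text: it automates the Test Plan check above and verifies the result of the Implementation Plan by confirming that the dedicated user exists in /etc/passwd with a non-zero UID and is listed as a member of the docker group in /etc/group. The file paths are passed as arguments so the same function can be pointed at the real host files; the passwd and group contents below are constructed sample data.

```shell
# Added example (not from the benchmark): audit passwd/group files for a
# dedicated, non-root container user that is a member of the docker group.
# Usage: check_container_user <user> <passwd-file> <group-file>
# Returns 0 (PASS) only when the user exists, has a non-zero UID, and is in
# the docker group; returns 1 (FAIL) otherwise.
check_container_user() {
    user="$1"; passwd_file="$2"; group_file="$3"
    # Anchored match on the login-name field so "dockeruser2" cannot match "dockeruser"
    entry=$(grep "^${user}:" "$passwd_file") || {
        echo "FAIL: $user is not present in $passwd_file"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: $user has UID 0, i.e. it is root"; return 1
    fi
    # A group line looks like docker:x:GID:member1,member2
    members=$(grep '^docker:' "$group_file" | cut -d: -f4)
    case ",$members," in
        *",$user,"*) echo "PASS: $user (UID $uid) is a member of the docker group"; return 0 ;;
        *)           echo "FAIL: $user is not a member of the docker group"; return 1 ;;
    esac
}

# Constructed sample host files (not real data) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
dockeruser:x:1001:1001::/home/dockeruser:/bin/bash
ops:x:1002:1002::/home/ops:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
docker:x:998:root,dockeruser
EOF

# Expected: PASS for the dedicated user created in the Implementation Plan
check_container_user dockeruser "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"
```

On a real host, replace the sample paths with /etc/passwd and /etc/group, and use the script's non-zero exit status to flag hosts that still lack the dedicated user.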
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Remove the non-root user if necessary:
sudo userdel dockeruser
Remove the user from the docker group if needed:
sudo gpasswd -d dockeruser docker
Using AWS CLI:
Use SSM to delete the non-root user:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo userdel dockeruser"]'
References: