Profile Applicability:

  • Level 1 

Description:

Mounting the Docker daemon socket (/var/run/docker.sock by default) inside a container gives that container full access to the Docker API. Because the daemon runs as root on the host, any process that can talk to the socket can start a new privileged container with the host's root filesystem bind-mounted, which is equivalent to root on the host. To secure the system, the Docker socket should not be mounted inside containers unless absolutely necessary.

Rationale:

A container with access to the Docker socket can create, start, stop and delete any container on the host, read their environment variables and mounted secrets, and launch containers with host namespaces, devices and filesystem. A compromise of such a container (for example through a vulnerability in the application it runs) therefore becomes a full host compromise. Mounting the socket read-only (:ro) does not reduce this risk: the read-only flag restricts filesystem writes, not the API reached by connecting to the socket. Ensuring the Docker socket is not mounted inside containers keeps the container boundary intact and removes this path for privilege escalation and unauthorized actions.

Impact:

Pros:

  • Enhances container security by preventing unauthorized access to the Docker daemon and the host system.

  • Prevents privilege escalation from a compromised container to the host through the Docker API.

Cons:

  • Workloads that legitimately drive the Docker API (for example CI runners that build images, or monitoring agents that enumerate containers) will stop working if the socket is removed; these need to be redesigned, for instance to talk to a socket proxy that exposes only the API calls they need, or to run on a dedicated host.

Default Value:

By default, Docker does not mount its socket inside containers. The socket is present only when explicitly requested in the container's run command (-v /var/run/docker.sock:/var/run/docker.sock or --mount type=bind,source=/var/run/docker.sock,target=...), in a Compose file, or in an orchestrator manifest.

Pre-requisites:

  • Access to the Docker configuration and container management system.

  • Administrative privileges to view and configure container execution settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running and connect to it (for example, with Session Manager).

  2. Check whether any container is running with the Docker socket mounted by examining the container run command (or Compose file) for -v /var/run/docker.sock:/var/run/docker.sock or the equivalent --mount type=bind,source=/var/run/docker.sock,... option. The container-side path is arbitrary; the host-side source is what matters, and a bind mount of a parent directory such as /var/run or /run exposes the socket as well.


Using AWS CLI:

  1. Connect to the EC2 instance.

  2. Run the following command to list running containers that have a mount at the default socket path. Note that docker ps has no mount filter; the volume filter matches on the container-side mount point, for bind mounts as well as named volumes, so a socket mounted at a different path inside the container is not reported by this command and must be found with docker inspect:

docker ps --filter "volume=/var/run/docker.sock"
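The following audit script is added here as a worked example; it is not part of the benchmark text or of Docker's own tooling. It implements the check in the Test Plan more completely than the docker ps filter above (it matches on the host-side source of each bind mount, including parent directories such as /var/run, whatever the container-side path) and is the script you would ship with AWS-RunShellScript in the Implementation Plan. It assumes the Docker CLI is available on the host, that the daemon uses its default socket paths (SOCKET_PATHS is an assumption to adjust for non-default or rootless daemons), and the function names list_container_mounts, flag_socket_mounts and audit_docker_socket are the example's own.

```shell
#!/bin/sh
# Added example (not part of the benchmark): audit every container on a Docker
# host for a bind-mounted Docker daemon socket, regardless of where it is
# mounted inside the container and whether the socket itself or a parent
# directory of it was mounted.
set -u

# Default Docker socket locations; adjust for a non-default or rootless daemon.
SOCKET_PATHS='/var/run/docker.sock /run/docker.sock'

# Print one line per container (running or stopped):
#   <container name> <type>:<host source>:<container destination> ...
# This is the only step that needs the Docker CLI; everything below works on
# its text output, so it can also be run on output captured elsewhere.
list_container_mounts() {
  docker ps -aq | xargs -r docker inspect \
    --format '{{.Name}}{{range .Mounts}} {{.Type}}:{{.Source}}:{{.Destination}}{{end}}'
}

# Read the lines produced above on stdin and print the names of containers
# that bind-mount a socket path or one of its parent directories. Named
# volumes and tmpfs mounts are ignored: only bind mounts can expose the host socket.
flag_socket_mounts() {
  awk -v socks="$SOCKET_PATHS" '
    function exposes(src,   w) {
      if (src == "/") return 1
      for (w in want) if (src == w || index(w, src "/") == 1) return 1
      return 0
    }
    BEGIN { n = split(socks, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    {
      for (i = 2; i <= NF; i++) {
        split($i, m, ":")
        if (m[1] == "bind" && exposes(m[2])) { print $1; break }
      }
    }'
}

# Return 1 (check fails) if any container exposes the socket, 0 otherwise.
audit_docker_socket() {
  found=$(list_container_mounts | flag_socket_mounts)
  if [ -n "$found" ]; then
    printf 'FAIL: Docker socket mounted in:\n%s\n' "$found" >&2
    return 1
  fi
  echo "PASS: no container mounts the Docker socket"
}

# Run the audit only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_docker_socket
fi
```

Run it on the host as sh docker_socket_audit.sh --run, or pass the file's contents as the commands parameter of an AWS-RunShellScript invocation and read the FAIL/PASS line back with aws ssm get-command-invocation. A non-zero exit status makes the check easy to wire into a scheduled compliance job.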

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Inspect all active containers to check if the Docker socket is mounted.

  3. Modify any Docker container creation or run command to ensure the Docker socket is not mounted.

For example, ensure the run command does not include -v /var/run/docker.sock:/var/run/docker.sock or the equivalent --mount type=bind,source=/var/run/docker.sock,... option.

Using AWS CLI:

  1. Use SSM Run Command to check remotely for containers with the Docker socket mounted.

  2. Run the following command to list containers that mount the socket at the default container-side path (retrieve the output with aws ssm get-command-invocation using the CommandId it returns):

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker ps --filter \"volume=/var/run/docker.sock\""]'

  3. If any containers are found with the mount, recreate them with a run command that does not mount the Docker socket. A running container's mounts cannot be edited in place; the container must be stopped, removed and started again from its image.

Backout Plan:

Using AWS Console:

  1. If you need to revert this change, re-add the Docker socket only to trusted containers that genuinely need it.

  2. Edit the container's configuration (run command or Compose file) to include the mount and recreate the container.

Using AWS CLI:

  1. Use SSM to re-add the Docker socket to the container (if necessary) by recreating it from its image with the mount included (docker run takes an image name, not an existing container name):

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run -d --name container_name -v /var/run/docker.sock:/var/run/docker.sock image_name"]'

References: