Ensure that unnecessary packages are not installed in the container
Created by: iCompaas Tech Support
Modified on: Tue, 29 Apr, 2025 at 6:49 AM
Profile Applicability:
Description:
Containers should only include the necessary packages required for their functionality. Installing unnecessary packages increases the attack surface and adds complexity to the container, potentially introducing vulnerabilities or performance issues.
Rationale:
Containers should be lightweight and contain only the dependencies required to run the application. Unnecessary packages can introduce security vulnerabilities and increase the container’s size, which impacts performance and maintainability. By minimizing installed packages, you reduce the potential for exploitation.
Impact:
Pros:
Reduces the container's attack surface by minimizing installed software.
Improves the container's security and performance.
Cons:
Requires ongoing maintenance and verification to ensure only necessary packages are installed.
Default Value:
Docker images may come with unnecessary packages installed depending on the base image used.
Pre-requisites:
Administrative privileges to inspect and modify container images.
Understanding of the required dependencies for the container.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Inspect the installed packages inside a running container:
docker run -it <image-name> dpkg -l (for Debian-based images)
docker run -it <image-name> rpm -qa (for RHEL-based images)
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the installed packages inside the container:
docker run -it <image-name> dpkg -l (for Debian-based images)
docker run -it <image-name> rpm -qa (for RHEL-based images)
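The listing produced by the test plan above is only useful when compared against what the container is supposed to contain. The following is an added example, not part of the original article: a shell function that reads `dpkg -l` output and prints every installed package missing from an allowlist. The function names, the allowlist format and the sample listing are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): compare `dpkg -l` output
# against an allowlist and print every installed package that is not on it.

# unexpected_packages ALLOWLIST_FILE  (reads `dpkg -l` output on stdin)
# Allowlist format (an assumption): one package name per line, '#' comments.
unexpected_packages() {
    [ -r "$1" ] || { echo "allowlist not readable: $1" >&2; return 2; }
    awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line)        # drop comments
                gsub(/[ \t\r]/, "", line)   # drop stray whitespace
                if (line != "") ok[line] = 1
            }
        }
        # Data rows start with a status code whose second letter is the state;
        # "i" means installed. Header lines and "rc" rows do not match.
        $1 ~ /^[uirph]i[A-Z]?$/ {
            name = $2
            sub(/:.*/, "", name)            # libc6:amd64 -> libc6
            if (!(name in ok)) print name
        }
    ' | sort -u
}

# Constructed sample of `dpkg -l` output, so the example runs without Docker.
sample_listing() {
    cat <<'EOF'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  bash           5.2.15-2     amd64        GNU Bourne Again SHell
ii  curl           7.88.1-10    amd64        command line tool for transferring data
ii  libc6:amd64    2.36-9       amd64        GNU C Library: Shared libraries
ii  netcat-openbsd 1.219-1      amd64        TCP/IP swiss army knife
rc  telnet         0.17-44      amd64        basic telnet client
EOF
}

# Demo with a constructed allowlist; for a real image, pipe in
#   docker run --rm <image-name> dpkg -l
allowlist=$(mktemp)
printf '%s\n' '# required by the app' bash libc6 > "$allowlist"
sample_listing | unexpected_packages "$allowlist"   # prints curl, netcat-openbsd
rm -f "$allowlist"
```

An empty result means every installed package is on the allowlist; the `telnet` row is skipped because `rc` marks a removed package with leftover configuration files.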
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Build a new Docker image that only installs the necessary packages:
Rebuild and run the container to ensure it only contains the necessary packages.
Using AWS CLI:
Use SSM to build a Docker image that contains only the necessary packages:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker build -t custom-image ."]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
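Remove unnecessary packages from the container. These commands change only the container they start; the image stays as it was until it is rebuilt without the package: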
docker run -it <image-name> apt-get purge <unnecessary-package> (for Debian-based images)
docker run -it <image-name> yum remove <unnecessary-package> (for RHEL-based images)
Using AWS CLI:
Use SSM to remove unnecessary packages from the container:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run <image-name> apt-get purge -y <unnecessary-package>"]'
References:
iCompaas is the author of this solution article.