Profile Applicability:

  • Level 1

Description:

Docker images should be regularly scanned for security vulnerabilities. Once vulnerabilities are detected, the affected images should be rebuilt with the necessary security patches, and new containers should be instantiated from these updated images.

Rationale:

Vulnerabilities in Docker images can be exploited if not regularly patched. Image vulnerability scanning tools help identify potential issues, and applying security patches ensures that the containers are running with the most secure and up-to-date codebase. Not patching images or using outdated versions may leave the system vulnerable to known exploits.

Impact:

Pros:

  • Helps maintain a secure Docker environment by ensuring vulnerabilities are patched regularly.

  • Reduces the risk of container compromise due to known vulnerabilities.

Cons:

  • Requires regular scanning and rebuilding of images, which can introduce overhead in maintenance.

  • Vulnerability assessment tools may return false positives, requiring careful evaluation.

Default Value:

  • By default, containers and images are not automatically updated to address missing operating system security patches.

Pre-requisites:

  • Access to vulnerability scanning tools.

  • Administrative privileges on the host system to rebuild and restart containers.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running.

  2. Run the Docker command to list all running containers:

    docker ps --quiet

  3. For each container, use the package manager inside the container to check for available security patches. Alternatively, use a vulnerability assessment tool to scan all images.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to list all images on the system:

    docker images
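Listing containers and images is only half of the check: the useful question is which running containers were created from an image that has since been rebuilt. The following Python script is an added example (not part of the benchmark) that answers it by comparing the image ID each container runs with the image ID currently carried by the same tag. It assumes the two `docker ps` and `docker images` format strings shown in its docstring; the sample outputs embedded in it are constructed so the comparison runs offline.

```python
"""Find running containers whose image is older than the image currently
tagged with the same name, i.e. containers still to be recreated after a
rebuild.

Added example. It parses the output of two Docker CLI invocations
(assumed format strings):
  docker ps --no-trunc --format '{{.ID}}<TAB>{{.Image}}<TAB>{{.ImageID}}'
  docker images --no-trunc --format '{{.Repository}}:{{.Tag}}<TAB>{{.ID}}'
"""
import subprocess

# Constructed sample output of `docker ps` (container id, image ref, image id).
SAMPLE_PS = (
    "a1b2c3d4e5f6\tweb:latest\tsha256:1111\n"
    "0f9e8d7c6b5a\tapi:1.4\tsha256:2222\n"
    "deadbeef0001\tweb:latest\tsha256:3333\n"
)

# Constructed sample output of `docker images` (image ref, image id).
# The untagged "web:<none>" line is the old build left behind by a rebuild.
SAMPLE_IMAGES = (
    "web:latest\tsha256:3333\n"
    "api:1.4\tsha256:2222\n"
    "web:<none>\tsha256:1111\n"
)


def parse_images(text):
    """Map 'repo:tag' -> image id, skipping dangling '<none>' tags."""
    refs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ref, image_id = line.split("\t")
        if ref.endswith(":<none>"):
            continue
        refs[ref] = image_id
    return refs


def parse_ps(text):
    """Return (container id, image ref, image id) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cid, ref, image_id = line.split("\t")
        rows.append((cid, ref, image_id))
    return rows


def stale_containers(ps_text, images_text):
    """Return (container id, image ref) pairs whose running image id differs
    from the id the tag currently points at, or whose tag no longer exists.
    A container started directly from an image id shows that id as its
    ref and is reported as stale, which is the conservative outcome."""
    current = parse_images(images_text)
    return [(cid, ref) for cid, ref, image_id in parse_ps(ps_text)
            if current.get(ref) != image_id]


def run_docker(args):
    """Run a docker CLI command and return its stdout."""
    return subprocess.run(["docker", *args], check=True,
                          capture_output=True, text=True).stdout


def main():
    ps = run_docker(["ps", "--no-trunc", "--format",
                     "{{.ID}}\t{{.Image}}\t{{.ImageID}}"])
    images = run_docker(["images", "--no-trunc", "--format",
                         "{{.Repository}}:{{.Tag}}\t{{.ID}}"])
    for cid, ref in stale_containers(ps, images):
        print(f"{cid[:12]} runs an outdated build of {ref}; recreate it")


if __name__ == "__main__":
    main()
```

A non-empty result after a rebuild means the "restart the containers" step has not yet been completed for those containers; an empty result is the evidence an auditor wants that every running container uses the current build of its image.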

Implementation Plan:

Using AWS Console:

  1. Use Docker vulnerability scanning tools such as Clair, Anchore Engine, or Trivy to scan the images for security issues.

  2. Rebuild the Docker images, pulling the latest version of the base image instead of reusing the locally cached one (the positional argument is the build context directory, not the Dockerfile):

    docker build --pull -t <image-name> -f <Dockerfile> <build-context>

  3. Recreate the containers from the newly built images (running containers keep the old image until they are recreated):

    docker-compose down
    docker-compose up -d

Using AWS CLI:

  1. Use SSM to initiate the scanning and rebuilding process:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/anchore-engine scan <image-name>"]'

  2. After scanning, rebuild and recreate the containers with the updated images (`-d` is required here, otherwise `docker-compose up` stays attached and the SSM command never completes):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker build --pull -t <image-name> -f <Dockerfile> <build-context> && docker-compose down && docker-compose up -d"]'
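The scan step above tells you to run a scanner but not how to decide whether the image must be rebuilt. The following Python script is an added example (not part of the benchmark or of any scanner's own code) that gates a rebuild on a Trivy report. It assumes Trivy's JSON output shape (`trivy image --format json <image>`: a top-level `Results` list whose entries may carry a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the embedded report and its CVE identifiers are constructed placeholders so the script runs offline.

```python
"""Decide from a Trivy JSON report whether an image needs rebuilding.

Added example: the report below is constructed, and its CVE identifiers
are placeholders, not real findings. The JSON layout follows Trivy's
`trivy image --format json` output (assumed here, see lead-in).
"""
import json
import subprocess
import sys

# Severities that block deployment of the image.
FAIL_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample report. Trivy omits "Vulnerabilities" for clean
# targets and "FixedVersion" for findings with no upstream fix yet.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "web:latest",
    "Results": [
        {
            "Target": "web:latest (debian 12)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.3", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1",
                 "Severity": "LOW"},
            ],
        },
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
})


def findings(report_json, severities=FAIL_SEVERITIES, fixed_only=True):
    """Return the vulnerabilities at or above the blocking severities.

    With fixed_only=True only findings that a rebuild can actually fix
    (a FixedVersion is published) are returned; unfixed ones still need
    tracking but cannot be cleared by rebuilding the image.
    """
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            if vuln.get("Severity") not in severities:
                continue
            fixed = vuln.get("FixedVersion", "")
            if fixed_only and not fixed:
                continue
            out.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": fixed,
            })
    return out


def severity_counts(report_json):
    """Count findings per severity across all targets, for reporting."""
    counts = {}
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def should_rebuild(report_json):
    """True when the image carries a fixable HIGH/CRITICAL vulnerability."""
    return bool(findings(report_json))


def scan_image(image):
    """Run Trivy on a local image and return its JSON report as text."""
    proc = subprocess.run(["trivy", "image", "--format", "json", image],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def main(argv):
    # With no image argument, evaluate the constructed sample report.
    report = scan_image(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    print("severity counts:", severity_counts(report))
    for f in findings(report):
        print(f"{f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['target']})")
    # Non-zero exit lets a pipeline stop before the image is deployed.
    return 1 if should_rebuild(report) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the decision on the sample report, or with an image name to scan a local image through Trivy. The `fixed_only` switch is the practical compromise behind the "false positives" caveat in the Cons section: a rebuild only helps when a fixed package version exists, so unfixed findings are reported but do not block the pipeline.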

Backout Plan:

Using AWS Console:

  1. If any issues arise with the rebuilt images, revert to the previous image version. This only works if the compose file still resolves to the previous image, so keep the prior build under its own tag (or rebuild under a new tag) before replacing it; `--no-build` stops Compose from rebuilding from the Dockerfile:

    docker-compose down
    docker-compose up -d --no-build

Using AWS CLI:

  1. Revert the containers to their previous state using the last known good image (as above, the compose file must still reference that image):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker-compose down && docker-compose up -d --no-build"]'

References: