Profile Applicability:

  • Level 2

Description:

The docker exec command runs a command inside a running container. Do not pass the --user=root option to docker exec: it starts the process with root privileges inside the container, which increases the attack surface.

Rationale:

Running commands as the root user within containers can expose the container to privilege escalation attacks. Ensuring that the --user=root option is not used helps maintain the principle of least privilege, reducing the risk of an attacker gaining elevated permissions within a container.

Impact:

Pros:

  • Enhances container security by reducing the attack surface.

  • Ensures that only users with appropriate privileges can execute commands within containers.

Cons:

  • May require adjustments to container configurations if certain applications need root access, although this should be avoided if possible.

Default Value:

By default, Docker allows the --user=root option, meaning it is possible to execute commands with root privileges in the container.

Pre-requisites:

  • Ensure that non-root users are configured to run containers and that root privileges are not necessary for the containerized applications.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Inspect the Docker command logs or any automated processes that might use docker exec with the --user=root option.
  3. Ensure that no docker exec commands are executed with root privileges.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to list the user each running container is configured to run as (an empty User value means the container defaults to root):
    docker ps -q | xargs -I {} docker inspect --format '{{.Id}}: User={{.Config.User}}' {}
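
For the inspection of scripts and command logs in step 2 of the console procedure above, the following is an added example, not part of the benchmark text: a shell function that reads command lines on stdin and reports docker exec invocations that request root through --user or -u. The function name find_root_exec and the input format (plain text, one command per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Prints "LINE_NO: command" for each `docker exec` that
# requests root. Only options placed before the container name are checked,
# so `docker exec web ps -u root` (an argument to ps) is not flagged.
find_root_exec() {
    awk '
    # True when a --user value names root: root, 0, root:group, 0:gid.
    function is_root(v) {
        gsub("[\"\047]", "", v)         # drop quotes around the value
        sub(/:.*/, "", v)               # drop the optional :group part
        return (v == "root" || v == "0")
    }
    {
        n = split($0, tok, /[ \t]+/)
        for (i = 1; i < n; i++) {
            # Accept docker, /usr/bin/docker, or docker after a quote or bracket.
            if (tok[i] !~ /(^|[^A-Za-z0-9_-])docker$/ || tok[i + 1] != "exec")
                continue
            for (j = i + 2; j <= n; j++) {
                t = tok[j]
                if (t !~ /^-/) break                   # container name: options end
                if (t ~ /^--user=/)     { v = substr(t, 8) }
                else if (t == "--user") { v = tok[++j] }
                else if (t ~ /^-[dit]*u/) {            # -u, -itu, -uroot, -u=root
                    v = t; sub(/^-[dit]*u=?/, "", v)
                    if (v == "") v = tok[++j]
                } else {
                    # Other value-taking exec options consume the next token.
                    if (t ~ /^(-e|-w|--env|--workdir|--env-file|--detach-keys)$/) j++
                    continue
                }
                if (is_root(v)) { print NR ": " $0; next }
            }
        }
    }'
}
```

Feed it any text source of commands, such as a deployment script or exported shell history. A clean result only means no explicit root request was found in that input.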

Implementation Plan:

Using AWS Console:

  • Ensure that any docker exec commands are executed by users with appropriate permissions, not as root.

  • Modify any scripts or automated tasks that may invoke docker exec with the --user=root option.

  • Restart the containers if necessary to apply these changes.

Using AWS CLI:

  • Update the container execution policies to ensure that docker exec commands are not invoked with root privileges.

  • If using automation tools, modify scripts to explicitly set non-root users:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker exec --user non-root-user <container_id> <command>"]'

Backout Plan:

Using AWS Console:

  1. Revert any changes made to container execution configurations that prevented the use of docker exec with root privileges.
  2. Ensure that any necessary commands that require root access are appropriately handled with the principle of least privilege.

Using AWS CLI:

  1. If necessary, revert to using docker exec with the --user=root option for containers that require root-level access, though this is not recommended.

References:

  • Docker Security Documentation

  • CIS Docker Benchmark