Profile Applicability:
Level 2
Description:
Docker exec commands should not be run with the --privileged flag, as it grants extended privileges to containers. This can potentially lead to security risks, including the ability to modify critical system components.
Rationale:
The --privileged flag gives the container additional privileges, such as access to host devices and the ability to modify kernel parameters, which can be exploited by attackers. Avoiding this flag ensures that containers run with the least privilege, minimizing the attack surface.
Impact:
Pros:
Ensures that containers operate with minimal privileges, reducing the potential for security breaches.
Improves overall security posture by restricting access to the host system.
Cons:
Some containers may need elevated privileges to perform certain actions, so this may limit functionality in specific use cases.
Default Value:
By default, Docker exec commands do not use the --privileged flag unless explicitly specified.
Pre-requisites:
Docker must be installed and configured on the system.
Ensure that users do not have unnecessary privileges that allow using the --privileged flag.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance running Docker.
- Review Docker exec commands to ensure that the --privileged flag is not being used.
- Check if any Docker containers are running with elevated privileges.
Using AWS CLI:
- Connect to the EC2 instance running Docker.
- Run the following commands to list running containers and check whether any of them were started with --privileged (docker ps does not display privileged status, so docker inspect is used for that):
docker ps --filter "status=running"
docker inspect --format '{{.Name}} privileged={{.HostConfig.Privileged}}' $(docker ps -q)
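An added audit script, not part of this benchmark or of Docker's own tooling, that implements the check above offline: it parses docker inspect output for the running containers and their exec sessions and flags containers started with --privileged, broad CapAdd grants, and active privileged exec sessions (docker exec --privileged is recorded on the exec session, not on the container). Field names follow docker inspect's JSON output; the sample records are constructed.

```python
import json
import subprocess
from typing import Dict, List, Tuple

# Capabilities that are close to root-equivalent; treated like --privileged here.
BROAD_CAPS = {"ALL", "SYS_ADMIN", "CAP_SYS_ADMIN"}

def audit_containers(containers: List[dict], execs: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (container_name, finding) pairs.
    containers: parsed output of `docker inspect <id>...` for running containers.
    execs: exec-session id -> parsed record from `docker inspect <exec_id>`."""
    findings = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        if host_cfg.get("Privileged"):
            findings.append((name, "container started with --privileged"))
        broad = BROAD_CAPS & set(host_cfg.get("CapAdd") or [])
        if broad:
            findings.append((name, "CapAdd grants " + ", ".join(sorted(broad))))
        # docker exec --privileged is a property of the exec session, not the
        # container, so each active session listed in ExecIDs is checked too.
        for exec_id in c.get("ExecIDs") or []:
            proc = (execs.get(exec_id) or {}).get("ProcessConfig") or {}
            if proc.get("privileged"):
                findings.append((name, f"active privileged exec session {exec_id[:12]}"))
    return findings

def audit_live_host() -> List[Tuple[str, str]]:
    """Collect the same data from the local Docker daemon (needs the docker CLI)."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return []
    containers = json.loads(subprocess.check_output(["docker", "inspect", *ids], text=True))
    execs = {}
    for c in containers:
        for exec_id in c.get("ExecIDs") or []:
            execs[exec_id] = json.loads(subprocess.check_output(["docker", "inspect", exec_id], text=True))[0]
    return audit_containers(containers, execs)

# Constructed sample data in the shape of docker inspect output (not from a real host).
SAMPLE_CONTAINERS = [
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None}, "ExecIDs": None},
    {"Id": "bbb222", "Name": "/builder", "HostConfig": {"Privileged": True, "CapAdd": None}, "ExecIDs": None},
    {"Id": "ccc333", "Name": "/debug", "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN", "SYS_ADMIN"]},
     "ExecIDs": ["e1f2e1f2e1f2e1f2"]},
]
SAMPLE_EXECS = {"e1f2e1f2e1f2e1f2": {"ProcessConfig": {"entrypoint": "sh", "privileged": True}}}

if __name__ == "__main__":
    for name, finding in audit_containers(SAMPLE_CONTAINERS, SAMPLE_EXECS):
        print(f"{name}: {finding}")
```

On a live host, call audit_live_host() instead of passing the sample data; an empty result means no running container or exec session matched the checks.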
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Run Docker commands without using the --privileged flag.
- If a container needs elevated privileges, consider using the appropriate permissions or capabilities instead of --privileged.
Using AWS CLI:
- Ensure that no containers are started with the --privileged flag.
- Run the following command to list the IDs of running containers that were started with elevated privileges (docker ps has no privileged filter, so docker inspect is used):
docker inspect --format '{{if .HostConfig.Privileged}}{{.Id}}{{end}}' $(docker ps -q)
Then stop and remove those containers:
docker stop <container_id>
docker rm <container_id>
Backout Plan:
Using AWS Console:
- If containers with the --privileged flag were removed, you can restart them with the appropriate privileges and configurations as necessary.
- Limit the use of elevated privileges for containers.
Using AWS CLI:
- Revert the change by running containers with the --privileged flag if needed for specific cases.
- Use the following command to run a command inside a running container with the --privileged flag:
docker exec --privileged <container_id> <command>
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/