Profile Applicability:
Level 2
Description:
Removing setuid and setgid permissions from executables in Docker images helps prevent privilege escalation attacks within containers. These permissions allow a user to execute a program with the privileges of the file's owner (setuid) or owning group (setgid) rather than their own, which is a security risk if the program can be misused.
Rationale:
setuid and setgid permissions can be exploited for privilege escalation. While these permissions may be required for legitimate operations in certain applications, they should be removed from containers when they are not necessary. Each image should be reviewed to ensure that only programs which need setuid or setgid permissions retain them.
Impact:
Pros:
Reduces the risk of privilege escalation within containers.
Improves overall security posture by minimizing unnecessary elevated privileges.
Cons:
Removing these permissions may break executables that require them. Therefore, careful evaluation should be performed to ensure legitimate programs are not impacted by this change.
Default Value:
Not applicable. Docker does not automatically remove setuid and setgid permissions. This configuration requires manual intervention during the image building process.
Pre-requisites:
Administrative privileges on the Docker host.
Access to the Dockerfile used to build the image.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the EC2 instance running Docker.
Run the following command to list the regular files in the image that carry the setuid bit (an 's' or 'S' in the owner-execute position of the mode) or the setgid bit (an 's' or 'S' in the group-execute position):
docker export <IMAGE ID> | tar -tv 2>/dev/null | grep -E '^-[rwx-]{2}[sS]|^-[rwx-]{5}[sS]'
Review the output and ensure that only executables which genuinely require these permissions retain them.
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to list the regular files in the image that carry the setuid or setgid bit:
docker export <IMAGE ID> | tar -tv 2>/dev/null | grep -E '^-[rwx-]{2}[sS]|^-[rwx-]{5}[sS]'
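The review step above is easier to repeat if the tar -tv listing is checked against an allowlist of executables known to need the bits. The following POSIX sh audit is an added example and is not part of the CIS benchmark; it parses the mode string directly (character 4 for setuid, character 7 for setgid), reports every finding, and exits non-zero if any finding is not allowlisted. The sample listing and allowlist it constructs are illustrative, not taken from a real image.

```sh
# Audit a `tar -tv` listing, as produced by `docker export <IMAGE ID> | tar -tv`,
# for regular files whose mode string has setuid (character 4) or setgid
# (character 7) set. Prints MODE<TAB>KIND<TAB>PATH<TAB>STATUS per finding and
# returns 1 if any finding is not in the allowlist, 0 otherwise.
#   $1: file holding the tar -tv output   $2: file of allowed paths, one per line
audit_suid_listing() {
    listing="$1"
    allowlist="$2"
    unexpected=0
    while IFS= read -r line; do
        mode=${line%% *}                       # first field, e.g. -rwsr-xr-x
        case "$mode" in -*) ;; *) continue ;; esac   # regular files only
        u=$(printf '%s' "$mode" | cut -c4)     # owner execute slot
        g=$(printf '%s' "$mode" | cut -c7)     # group execute slot
        kind=""
        case "$u" in s|S) kind="setuid" ;; esac
        case "$g" in s|S) kind="${kind:+$kind+}setgid" ;; esac
        [ -n "$kind" ] || continue
        path=${line##* }                       # tar -tv puts the path last (no spaces assumed)
        if grep -qxF -- "$path" "$allowlist"; then
            status=allowed
        else
            status=unexpected
            unexpected=1
        fi
        printf '%s\t%s\t%s\t%s\n' "$mode" "$kind" "$path" "$status"
    done < "$listing"
    return "$unexpected"
}

# Constructed sample listing and allowlist (not taken from a real image);
# writes both into a temporary directory and prints its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/listing.txt" <<'EOF'
-rwsr-xr-x root/root     54256 2024-01-01 00:00 usr/bin/passwd
-rwxr-xr-x root/root    138856 2024-01-01 00:00 usr/bin/ls
-rwxr-sr-x root/tty      35048 2024-01-01 00:00 usr/bin/wall
-rwsr-sr-x root/root     22456 2024-01-01 00:00 opt/app/helper
drwxr-sr-x root/root         0 2024-01-01 00:00 var/log/
lrwxrwxrwx root/root         0 2024-01-01 00:00 bin -> usr/bin
EOF
    printf 'usr/bin/passwd\n' > "$dir/allowlist.txt"
    echo "$dir"
}
```

Against a real image, save the listing with `docker export <IMAGE ID> | tar -tv 2>/dev/null > listing.txt` and run `audit_suid_listing listing.txt allowlist.txt`; a non-zero exit status means an executable outside the allowlist still carries setuid or setgid.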
Implementation Plan:
Using AWS Console:
Connect to the EC2 instance.
Build the image and push it to the registry.
Verify that setuid and setgid permissions have been removed.
Using AWS CLI:
Use SSM to run the find/chmod step remotely. Note that the command below acts on the root filesystem of whatever it is executed in: it must be applied inside the image (as a RUN step during the image build, like the line shown in the Backout Plan), not directly on the EC2 host, where it would strip the setuid bit from host binaries that depend on it.
Run the following command to update the image:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["find / -perm /6000 -type f -exec chmod a-s {} + || true"]'
Backout Plan:
Using AWS Console:
Connect to the EC2 instance.
Revert any changes made to the Dockerfile.
Remove the following line from the Dockerfile if it was added:
RUN find / -perm /6000 -type f -exec chmod a-s {} \;
Rebuild and redeploy the image.
Using AWS CLI:
Use SSM to revert changes made to the image.
Run the following command to restore any modified permissions (if applicable), replacing the placeholder restore-previous-permissions with the actual restoration step, for example rebuilding the image from the reverted Dockerfile:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["restore-previous-permissions"]'
References:
CIS Docker Benchmark v1.7
Docker Security Documentation: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities