Profile Applicability:
Level 2
Description:
Verify the authenticity of packages before installing them into images.
Rationale:
Installing packages without verification can lead to vulnerabilities and risks if the packages are not from trusted sources.
Impact:
Ensures the installed packages are secure and trustworthy.
Requires additional steps to verify the authenticity of each package.
Default Value:
Not applicable.
Pre-requisites:
Ensure secure package management tools are used (e.g., GPG keys for RPM-based systems).
Remediation:
Test Plan:
Using AWS Console:
- Check the Dockerfile to ensure GPG keys or another secure method is used to verify package authenticity before installation.
- Run docker history --no-trunc <IMAGE_ID> for each image to review the full layer commands and confirm how package authenticity was verified (truncated output can hide the install flags).
Using AWS CLI:
- Use SSM to check the package installation methods:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker history --no-trunc <IMAGE_ID>"]'
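As an added example, not part of this benchmark or the AWS CLI: a POSIX shell helper for the Test Plan step above that scans a Dockerfile for RUN instructions which bypass package signature checks or run downloaded code unverified. The pattern list and the two sample Dockerfiles are constructed assumptions; extend the patterns for the package managers your images actually use.

```shell
#!/bin/sh
# Added example, not part of the benchmark: a Test Plan helper that flags RUN
# instructions which bypass package signature checks or execute downloaded code
# without any verification. The pattern list is an assumption; extend it for the
# package managers your images use.

# Print every RUN line in a Dockerfile that matches an unverified-install pattern.
# Backslash-continued lines are joined first so multi-line RUN steps are seen whole.
unverified_installs() {
    awk '{ if (sub(/\\$/, "")) printf "%s", $0; else print }' "$1" |
        grep -i '^[[:space:]]*RUN' |
        grep -Ei -e '--allow-unauthenticated' -e '--nogpgcheck' \
                 -e 'AllowInsecureRepositories' -e 'gpgcheck=0' \
                 -e '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh' || true
}

# Exit status 0 when the Dockerfile is clean, 1 when any finding exists.
check_dockerfile() {
    findings=$(unverified_installs "$1")
    if [ -n "$findings" ]; then
        printf 'FAIL %s:\n%s\n' "$1" "$findings"
        return 1
    fi
    printf 'PASS %s\n' "$1"
    return 0
}

# Constructed sample Dockerfiles for demonstration only (no real images or hosts).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/insecure.Dockerfile" <<'EOF'
FROM debian:12
RUN apt-get update && apt-get install -y --allow-unauthenticated \
    curl
RUN curl -fsSL https://example.invalid/install.sh | sh
EOF
cat > "$SAMPLES/verified.Dockerfile" <<'EOF'
FROM debian:12
RUN apt-get update && apt-get install -y --no-install-recommends \
    ca-certificates && rm -rf /var/lib/apt/lists/*
ADD https://example.invalid/tool.tar.gz /tmp/tool.tar.gz
RUN echo "<SHA256_OF_TOOL_TARBALL>  /tmp/tool.tar.gz" | sha256sum -c -
EOF

check_dockerfile "$SAMPLES/insecure.Dockerfile" || true   # FAIL, two RUN lines listed
check_dockerfile "$SAMPLES/verified.Dockerfile"           # PASS
```

Run it against each Dockerfile in the build tree before invoking docker build; a non-zero exit is the finding to record for this control.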
Implementation Plan:
Using AWS Console:
- Modify the Dockerfile to use secure package management tools.
- Rebuild the Docker image:
docker build -t <IMAGE_NAME> .
Using AWS CLI:
- Use SSM to update the Dockerfile and rebuild the image. apt-get has no --verify-key option; APT and RPM-based tools verify package signatures against their configured keyrings by default, so the fix is to remove any flag that disables that check:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i -e \"s/ --allow-unauthenticated//g\" -e \"s/ --nogpgcheck//g\" Dockerfile && docker build -t <IMAGE_NAME> ."]'
Backout Plan:
Using AWS Console:
- Revert the Dockerfile changes to allow non-secure package installs.
- Rebuild the Docker image:
docker build -t <IMAGE_NAME> .
Using AWS CLI:
- Use SSM to revert the changes (re-enables unauthenticated apt-get installs in the Dockerfile):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"s/apt-get install/apt-get install --allow-unauthenticated/g\" Dockerfile && docker build -t <IMAGE_NAME> ."]'
References:
CIS Docker Benchmark v1.7
RedHat GPG Verify: https://www.redhat.com/sysadmin/rpm-gpg-verify-packages