Profile Applicability:

  • Level 2

Description:

SELinux is a Mandatory Access Control (MAC) system available on some Linux distributions, such as Red Hat Enterprise Linux and Fedora. When the Docker daemon is started with SELinux support enabled, every container's processes and files receive an SELinux label and the kernel enforces policy on them regardless of the discretionary (user/group) permissions inside the container. This limits what a process can reach on the host even after a container escape.

Rationale:

SELinux provides an extra layer of security by confining Docker containers to a restrictive type (by default container_t, with a per-container MCS category pair), which helps prevent malicious actions inside a container from reaching host files, sockets and other containers. If the host distribution supports SELinux, enabling it for the Docker daemon enhances the overall security posture of your Docker environment.

Impact:

Pros:

  • Increases security by applying a more restrictive access control model to containers.

  • Prevents containers from interacting with the host system in unintended ways.

Cons:

  • Existing workloads can break: for example, bind-mounted host directories are denied to the container unless they are relabeled (the :z or :Z volume suffix), and custom policy mistakes surface as permission errors that do not mention SELinux.

  • Requires ongoing management of SELinux policies and configurations.

Default Value:

By default, the Docker daemon runs with selinux-enabled unset (false), so containers are started without SELinux process or mount labels even when the host itself is in enforcing mode.

Pre-requisites:

  • SELinux must be supported and available on the host Linux system (e.g., Red Hat, Fedora).

  • Administrative access to modify Docker daemon settings and SELinux configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance hosting Docker.
  2. Check the Docker daemon configuration file (/etc/docker/daemon.json) for the setting "selinux-enabled": true.
  3. Confirm that SELinux is active on the host; the output should report "SELinux status: enabled" and "Current mode: enforcing":
sestatus
  4. Confirm that the running daemon has SELinux support active; the output should include "name=selinux":
docker info --format '{{ .SecurityOptions }}'

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to check whether SELinux security options are applied to Docker containers:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }} MountLabel={{ .MountLabel }} ProcessLabel={{ .ProcessLabel }}'
  3. Every container should show a non-empty ProcessLabel (for example system_u:system_r:container_t:s0:c12,c34) and a SecurityOpt list that does not contain label=disable. An empty ProcessLabel means the container was created by a daemon without SELinux support enabled.
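Reading that inspect output by eye does not scale across a fleet. The following is an added example (not part of the original benchmark text) that parses the output of the command above and reports containers that fail the check. The container IDs and labels in SAMPLE_INSPECT_OUTPUT are constructed for illustration; a custom type set with label=type:... is treated as compliant because it still confines the container.

```python
import re

# Constructed sample output of the docker inspect command above (fake IDs and labels).
SAMPLE_INSPECT_OUTPUT = """\
aaaa1111: SecurityOpt=[] MountLabel=system_u:object_r:container_file_t:s0:c12,c34 ProcessLabel=system_u:system_r:container_t:s0:c12,c34
bbbb2222: SecurityOpt=[label=disable] MountLabel= ProcessLabel=
cccc3333: SecurityOpt=[] MountLabel= ProcessLabel=
dddd4444: SecurityOpt=[label=type:svirt_apache_t no-new-privileges] MountLabel=system_u:object_r:container_file_t:s0:c5,c6 ProcessLabel=system_u:system_r:svirt_apache_t:s0:c5,c6
"""

# One line per container: Go prints the SecurityOpt slice as [a b c] and empty labels as nothing.
LINE_RE = re.compile(
    r"^(?P<id>[0-9a-f]+): SecurityOpt=\[(?P<opts>[^\]]*)\] "
    r"MountLabel=(?P<mount>\S*) ProcessLabel=(?P<process>\S*)$"
)


def audit_line(line):
    """Return (container_id, finding); finding is None when the container is compliant."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, "unparseable inspect line: %r" % line
    opts = m.group("opts").split()
    if "label=disable" in opts:
        return m.group("id"), "SELinux labeling explicitly disabled (--security-opt label=disable)"
    if not m.group("process"):
        # No process label at all: the daemon was not running with selinux-enabled
        # when this container was created, so the kernel is not confining it.
        return m.group("id"), "no SELinux process label; container is unconfined"
    return m.group("id"), None


def noncompliant_containers(inspect_output):
    """Map container id (or the raw line, if unparseable) to the reason it fails the check."""
    findings = {}
    for line in inspect_output.splitlines():
        if not line.strip():
            continue
        cid, finding = audit_line(line)
        if finding is not None:
            findings[cid if cid else line] = finding
    return findings


if __name__ == "__main__":
    # On a real host: docker ps -qa | xargs docker inspect --format '...' | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_OUTPUT
    for cid, reason in sorted(noncompliant_containers(data).items()):
        print("FAIL %s: %s" % (cid, reason))
```

Pipe the real inspect output into the script on the host; an empty result means every container carries a label and none opted out with label=disable.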

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Edit the /etc/docker/daemon.json file and add the following key to enable SELinux (if the file already exists, add the key to the existing object rather than replacing the file):

    {
      "selinux-enabled": true
    }

  3. Restart the Docker daemon (this restarts running containers unless live-restore is enabled):

    sudo systemctl restart docker

Setting this flag does not turn SELinux on for the host; sestatus must already report enforcing (or permissive) mode, otherwise the daemon logs a warning and no labels are applied.

Using AWS CLI:

  1. Use SSM to remotely update the Docker configuration file and restart Docker. Replace instance_id with the target instance ID.
  2. Run the following command to enable SELinux. Note that it overwrites /etc/docker/daemon.json entirely; if the file already holds other settings (log driver, storage driver, registry mirrors), merge the key into the existing file instead of using this command as written:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{\\\"selinux-enabled\\\": true}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'
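Because the echo command above replaces the whole file, a safer variant is to push a small script through SSM that merges the key into whatever daemon.json already contains. The following is an added example (not part of the original benchmark text or of Docker's own tooling) that does that merge, treats a missing or empty file the way the daemon does (as {}), and also provides the matching backout that removes only this key. The file path is a parameter; it defaults to the standard /etc/docker/daemon.json.

```python
import json
import os

DAEMON_JSON = "/etc/docker/daemon.json"


def _load(existing_text):
    """Parse daemon.json text; an empty file is the same as {} to the daemon."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    return config


def enable_selinux_in_daemon_json(existing_text):
    """Return new daemon.json text with "selinux-enabled": true, keeping every other key."""
    config = _load(existing_text)
    config["selinux-enabled"] = True
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def disable_selinux_in_daemon_json(existing_text):
    """Backout: drop only the selinux-enabled key instead of blanking the whole file."""
    config = _load(existing_text)
    config.pop("selinux-enabled", None)
    return json.dumps(config, indent=2, sort_keys=True) + "\n"


def selinux_enabled_in(daemon_json_text):
    """Audit helper: True only if the key is present and is the JSON boolean true."""
    return _load(daemon_json_text).get("selinux-enabled") is True


def update_daemon_json(path=DAEMON_JSON, enable=True):
    """Rewrite the file atomically (write a temp file, then rename over the original)."""
    try:
        with open(path) as f:
            current = f.read()
    except FileNotFoundError:
        current = ""
    new_text = enable_selinux_in_daemon_json(current) if enable else disable_selinux_in_daemon_json(current)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)
    return new_text


if __name__ == "__main__":
    # Run as root on the host (e.g. via AWS-RunShellScript), then: systemctl restart docker
    import sys
    update_daemon_json(enable="--disable" not in sys.argv)
```

Ship the script with the SSM document and follow it with systemctl restart docker, exactly as in the one-line command; the difference is that log-driver, storage-driver and any other existing keys survive the change.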

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Edit the /etc/docker/daemon.json file and remove the "selinux-enabled": true entry (or set it to false), leaving the other settings in place.
  3. Restart Docker:
sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the SELinux configuration and restart Docker. Replace instance_id with the target instance ID.
  2. Run the following command. As with the implementation command, it replaces daemon.json with an empty object, so use it only if the file contained no other settings before the change:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'

References: