Profile Applicability:

  • Level 1

Description:

By default, Docker starts containers with a restricted set of Linux kernel capabilities. Docker supports the addition and removal of capabilities. You should remove any capabilities that are not required for the container's proper functioning. Specifically, the NET_RAW capability should be removed if not explicitly needed, as it can allow an attacker to create spoofed network traffic.

Rationale:

With Linux kernel capabilities, a process does not need to run as the root user to perform the privileged tasks it requires. Restricting a container's capabilities reduces its attack surface and limits the risk of privilege escalation within the container.

Impact:

Pros:

  • Reduces the risk of privilege escalation attacks.

  • Limits the capabilities granted to containerized processes, improving security.

Cons:

  • Some applications may require specific kernel capabilities to function, so careful review of required capabilities is necessary.

Default Value:

By default, Docker assigns a set of basic capabilities to containers. This includes capabilities such as NET_RAW, which should be dropped if not needed.

Pre-requisites:

  • Access to Docker daemon and configuration files.

  • Administrative privileges to modify Docker settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Inspect the running containers for their Linux kernel capabilities using Docker commands.
  3. Ensure that unnecessary capabilities like NET_RAW are removed if not required.

Using AWS CLI:

  1. Connect to the EC2 instance.
  2. Run the following command to inspect the Docker containers for the added and removed Linux capabilities:
    docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'
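As an added example (not part of this benchmark), the following POSIX shell function reads the per-container lines printed by the inspect command above and reports every container that still holds NET_RAW; the sample lines it is run against are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): consumes the output of
#   docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'
# Docker applies --cap-drop before --cap-add and treats ALL as every
# capability, so the checks below mirror that order.

# Constructed sample in the inspect output format; not real container IDs.
sample_inspect_output() {
    printf '%s\n' \
        '1111: CapAdd=[] CapDrop=[NET_RAW]' \
        '2222: CapAdd=[NET_ADMIN] CapDrop=[]' \
        '3333: CapAdd=[] CapDrop=[ALL]' \
        '4444: CapAdd=[NET_RAW] CapDrop=[ALL]'
}

# Reads inspect lines on stdin, prints "<id> <finding>" for each noncompliant
# container, and returns 1 if any were found, 0 otherwise.
audit_caps() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%%:*}
        add=${line#*CapAdd=\[};  add=${add%%\]*}
        drop=${line#*CapDrop=\[}; drop=${drop%%\]*}
        # An explicit add of NET_RAW (or ALL) re-grants it whatever was dropped.
        case " $add " in
            *" NET_RAW "*|*" ALL "*) echo "$id adds NET_RAW"; rc=1; continue ;;
        esac
        # Otherwise NET_RAW is in Docker's default set unless it is dropped.
        case " $drop " in
            *" NET_RAW "*|*" ALL "*) ;;
            *) echo "$id does not drop NET_RAW"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Live use on a Docker host (not executed here):
#   docker ps --quiet --all | xargs docker inspect --format \
#     '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}' | audit_caps
sample_inspect_output | audit_caps || echo "noncompliant containers found"
```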

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
    Modify the Docker container settings to drop unneeded capabilities, such as 
    NET_RAW, using the following command:
    docker run --cap-drop=NET_RAW <Run arguments> <Container Image Name or ID> <Command>
  2. Restart the Docker service:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to remotely configure the container and drop unnecessary capabilities:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --cap-drop=NET_RAW <Run arguments> <Container Image Name or ID> <Command>"]'

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
    Modify the Docker container settings to restore any previously dropped capabilities if needed:
    docker run --cap-add=NET_RAW <Run arguments> <Container Image Name or ID> <Command>
  2. Restart Docker:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the changes made to the capabilities:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --cap-add=NET_RAW <Run arguments> <Container Image Name or ID> <Command>"]'

References: