Profile Applicability:
Level 1
Description:
The root filesystem of a container should be mounted read-only by starting it with the --read-only flag. With this set, the container's writable image layer rejects all writes; processes can only write to locations the operator has explicitly mounted (volumes or tmpfs mounts), so the binaries, libraries and configuration shipped in the image cannot be modified at runtime.
Rationale:
Mounting the root filesystem as read-only limits what an attacker can do after compromising a container. Code executing inside the container cannot replace system binaries, drop tooling into the image layer, or persist changes to the filesystem across a restart; writes are confined to whatever volumes or tmpfs mounts the operator chose to expose. The control does not by itself prevent escape through the kernel or a badly scoped writable mount, so it complements rather than replaces the other container hardening settings.
Impact:
Pros:
Prevents unauthorized modifications to the container’s filesystem, improving security.
Reduces the risk of privilege escalation through file system modifications.
Cons:
Applications that write to the filesystem (caches, PID files, temporary files, logs) fail at startup or at runtime unless each path they write to is provided as a volume or tmpfs mount; these paths must be identified and mounted before the flag is enabled.
Default Value:
By default, the root filesystem is mounted as read-write.
Pre-requisites:
Docker must be installed and running on the system.
Administrative privileges to modify Docker container configurations.
Remediation:
Test Plan:
Using AWS Console:
- In the EC2 console, locate the instance running Docker and open a Session Manager session to it (the console itself does not display container settings).
- Review the Docker run commands, Compose files or service definitions used to start the container and confirm that the --read-only flag is present.
- Confirm on the running container that the flag took effect by inspecting its HostConfig (see the CLI check below).
Using AWS CLI:
- Connect to the EC2 instance.
- Run the following command to check whether the root filesystem is mounted as read-only; it prints true for a compliant container and false otherwise:
docker inspect <container_name> --format '{{.HostConfig.ReadOnly}}'
Implementation Plan:
Using AWS Console:
- Edit the Docker run command or the container's configuration file to include the --read-only flag. Ensure that every directory the application must write to is mounted as a volume (-v) or a tmpfs mount (--tmpfs) with the least permissions the application needs.
- Recreate the container. ReadOnly is a create-time HostConfig setting, so a plain docker restart does not apply it; stop and remove the existing container, then start it again with the new configuration.
Using AWS CLI:
- Use SSM Run Command to remotely reconfigure the container so that its root filesystem is mounted as read-only.
- Run the following command to launch a new container with the root filesystem mounted as read-only (stop and remove the old container first, and add the -v or --tmpfs mounts the application needs):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --read-only <image_name>"]'
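The Test Plan above checks one container at a time with docker inspect, and the Implementation Plan recreates it with --read-only. The following script, an added example that is not part of the CIS benchmark text or of Docker's own tooling, audits the JSON that docker inspect emits for several containers at once, reports which paths remain writable (RW mounts and tmpfs), and for each non-compliant container builds the docker run command that recreates it with --read-only while preserving its existing mounts. The two container records are constructed sample data; the field names (HostConfig.ReadOnly, HostConfig.Tmpfs, Mounts[].Destination, Mounts[].RW) are the ones docker inspect really uses, while the remediation_command helper is hypothetical and only a starting point for the operator to review.

```python
"""Audit `docker inspect` output for read-only root filesystems (added example).

Feed it the output of:  docker inspect $(docker ps -q)
The sample records below are constructed to show one compliant and one
non-compliant container; they are not from a real host.
"""
import json
import shlex
from typing import Dict, List

# Constructed sample of what `docker inspect web api` might return.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0" * 64,
        "Name": "/web",
        "Config": {"Image": "nginx:1.25"},
        "HostConfig": {"ReadOnly": True,
                       "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"}},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/web",
             "Destination": "/usr/share/nginx/html", "RW": False},
            {"Type": "volume", "Name": "nginxcache",
             "Source": "/var/lib/docker/volumes/nginxcache/_data",
             "Destination": "/var/cache/nginx", "RW": True},
        ],
    },
    {
        "Id": "1" * 64,
        "Name": "/api",
        "Config": {"Image": "example/api:2.3"},
        "HostConfig": {"ReadOnly": False, "Tmpfs": {}},
        "Mounts": [
            {"Type": "bind", "Source": "/var/log/api",
             "Destination": "/var/log/api", "RW": True},
        ],
    },
])


def audit(inspect_json: str) -> List[Dict]:
    """One finding per container: is the root fs read-only, and which paths
    stay writable. Writable paths are listed even for compliant containers,
    because they are exactly where an attacker can still drop files."""
    findings = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        tmpfs = sorted((host.get("Tmpfs") or {}).keys())
        mounts = []
        for m in c.get("Mounts", []):
            # Volumes are addressed by name, bind mounts by host path.
            source = m.get("Name") if m.get("Type") == "volume" else m.get("Source")
            mounts.append({"source": source or "", "dest": m["Destination"],
                           "rw": bool(m.get("RW"))})
        findings.append({
            "name": c["Name"].lstrip("/"),
            "image": (c.get("Config") or {}).get("Image", ""),
            "read_only": bool(host.get("ReadOnly", False)),
            "mounts": mounts,
            "tmpfs": tmpfs,
            "writable_paths": sorted([m["dest"] for m in mounts if m["rw"]] + tmpfs),
        })
    return findings


def noncompliant(findings: List[Dict]) -> List[str]:
    """Names of containers whose root filesystem is writable."""
    return [f["name"] for f in findings if not f["read_only"]]


def remediation_command(finding: Dict) -> str:
    """Hypothetical helper: build the `docker run` line that recreates the
    container with --read-only. Existing mounts are carried over unchanged
    (they stay writable, --read-only only affects the image layer) and a
    hardened tmpfs is added at /tmp for scratch files. Review before use:
    the app may write elsewhere too, and ports/env vars are not copied."""
    args = ["docker", "run", "-d", "--name", finding["name"], "--read-only",
            "--tmpfs", "/tmp:rw,noexec,nosuid"]
    for m in finding["mounts"]:
        spec = f"{m['source']}:{m['dest']}" + ("" if m["rw"] else ":ro")
        args += ["-v", spec]
    args.append(finding["image"])
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    results = audit(SAMPLE_INSPECT)
    for f in results:
        status = "PASS" if f["read_only"] else "FAIL"
        print(f"{status} {f['name']:<8} writable={f['writable_paths']}")
    for f in results:
        if not f["read_only"]:
            print("remediate:", remediation_command(f))
```

Running it against real hosts is a matter of piping docker inspect $(docker ps -q) into audit(); the PASS/FAIL line maps directly onto the benchmark check, and the writable_paths list is what to review when deciding which mounts the application genuinely needs.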
Backout Plan:
Using AWS Console:
- Edit the Docker run command or the container's configuration to remove the --read-only flag.
- Recreate the container (stop and remove it, then start it again), since the flag is applied at container creation and a restart alone does not change it.
Using AWS CLI:
- Use SSM Run Command to revert the container to its previous configuration without the --read-only flag.
- Run the following command (after stopping and removing the read-only container, and carrying over any -v mounts it used):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run <image_name>"]'
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/