iCompaas Support

Profile Applicability:

• Level 1
  

Description:

The root filesystem for a container should be mounted as read-only. This ensures that no files can be modified during runtime, enhancing security by preventing unauthorized changes to the container filesystem.

Rationale:

Mounting the root filesystem as read-only reduces the risk of container compromise. If an attacker gains access to a container, they won't be able to modify critical system files or inject malicious binaries, thus increasing the container's security.

Impact:

Pros:

• Prevents unauthorized modifications to the container’s filesystem, improving security.
  

• Reduces the risk of privilege escalation through file system modifications.
  

Cons:

• Some applications that require writing to the filesystem may not function properly unless configured to write to specific directories or volumes.
  

Default Value:

By default, the root filesystem is mounted as read-write.

Pre-requisites:

• Docker must be installed and running on the system.
  

• Administrative privileges to modify Docker container configurations.
  

Remediation:

Test Plan:

Using AWS Console:

1. Navigate to the EC2 instance running Docker.
   
2. Review the Docker container configuration to ensure that the root filesystem is mounted as read-only.
   
3. Check the container's runtime settings for the --read-only flag to verify if it is enabled.
   

Using AWS CLI:

1. Connect to the EC2 instance.
   
2. Run the following command to check if the root filesystem is mounted as read-only:

docker inspect <container_name> --format '{{.HostConfig.ReadOnly}}'

Implementation Plan:

Using AWS Console:

1. Edit the Docker run command or the container's configuration file to include the --read-only flagEnsure that any directories that require write access are mounted as volumes with proper permissions.
2. Restart the container:

Using AWS CLI:

1. Use SSM to remotely configure the container to mount the root filesystem as read-only.
   
2. Run the following command to launch a container with the root filesystem mounted as read-only:
   

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --read-only <image_name>"]'

Backout Plan:

Using AWS Console:

1. Edit the Docker run command or the container's configuration to remove the --read-only flag.
   
2. Restart the container:
   
   

Using AWS CLI:

1. Use SSM to revert the container to the previous configuration without the --read-only flag.
   
2. Run the following command:
   

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run <image_name>"]'

References:

• CIS Docker Benchmark v1.7
  

• Docker Documentation: https://docs.docker.com/