Profile Applicability:

  • Level 1

Description:

The root filesystem for a container should be mounted as read-only. This ensures that files in the container's image layers cannot be modified at runtime; only locations explicitly mounted as volumes or tmpfs remain writable. This enhances security by preventing unauthorized changes to the container filesystem.

Rationale:

Mounting the root filesystem as read-only reduces the risk of container compromise. If an attacker gains access to a container, they won't be able to modify critical system files or inject malicious binaries, thus increasing the container's security.

Impact:

Pros:

  • Prevents unauthorized modifications to the container’s filesystem, improving security.

  • Reduces the risk of privilege escalation through file system modifications.

Cons:

  • Some applications that require writing to the filesystem may not function properly unless configured to write to specific directories or volumes.

Default Value:

By default, the root filesystem is mounted as read-write.

Pre-requisites:

  • Docker must be installed and running on the system.

  • Administrative privileges to modify Docker container configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Review the Docker container configuration to ensure that the root filesystem is mounted as read-only.
  3. Check the container's runtime settings for the --read-only flag to verify whether it is enabled.

Using AWS CLI:

  1. Connect to the EC2 instance.
  2. Run the following command to check if the root filesystem is mounted as read-only:
docker inspect <container_name> --format '{{.HostConfig.ReadonlyRootfs}}'
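The following audit script is an added example and is not part of the benchmark text. It classifies containers by the HostConfig.ReadonlyRootfs value that docker inspect prints and, in live mode, walks every running container on the host. The container names and flag values in the self-test are constructed samples; the live mode assumes Docker is installed and the caller can reach the daemon.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit running containers for a
# read-only root filesystem. The "name flag" lines fed to audit_lines in
# testing are constructed samples; live mode requires Docker.

# Classify one container. Arguments: container name and the value of
# HostConfig.ReadonlyRootfs as printed by `docker inspect`. Prints a
# PASS/FAIL line and returns 0 when compliant, 1 otherwise.
classify_container() {
    name="$1"
    flag="$2"
    case "$flag" in
        true)
            printf 'PASS %s\n' "$name"
            return 0
            ;;
        *)
            printf 'FAIL %s (HostConfig.ReadonlyRootfs=%s)\n' "$name" "$flag"
            return 1
            ;;
    esac
}

# Read "name flag" lines from stdin, report each one on stderr, and print
# the number of non-compliant containers on stdout.
audit_lines() {
    failures=0
    while read -r name flag || [ -n "$name" ]; do
        if [ -z "$name" ]; then
            continue
        fi
        classify_container "$name" "$flag" >&2 || failures=$((failures + 1))
    done
    echo "$failures"
}

# Live audit of every running container on this Docker host.
# Container names are printed with Docker's leading slash (e.g. /web).
audit_running_containers() {
    docker ps -q | while read -r id; do
        docker inspect --format '{{.Name}} {{.HostConfig.ReadonlyRootfs}}' "$id"
    done | audit_lines
}

# Usage: sh audit_readonly_rootfs.sh --live
# Exit status is non-zero when at least one container is non-compliant.
if [ "${1:-}" = "--live" ]; then
    count=$(audit_running_containers)
    [ "$count" -eq 0 ]
fi
```

Run it on the EC2 instance (directly or through an SSM shell command) and treat any FAIL line as a finding; the printed count makes the result easy to consume from a wrapper script.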


Implementation Plan:

Using AWS Console:

  1. Edit the Docker run command or the container's configuration file to include the --read-only flag. Ensure that any directories that require write access are mounted as volumes with proper permissions.
  2. Restart the container.

Using AWS CLI:

  1. Use SSM to remotely configure the container to mount the root filesystem as read-only.
  2. Run the following command to launch a container with the root filesystem mounted as read-only:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=<instance_id>" --parameters 'commands=["docker run -d --read-only <image_name>"]'
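The script below is an added example, not part of the benchmark or of Docker's own tooling. It launches a container with the root filesystem read-only while giving the application explicit writable locations (tmpfs for scratch space, a named volume for persistent data), which is how the limitation listed under Cons is handled in practice, and then confirms that HostConfig.ReadonlyRootfs is true. The image, container, volume and path names are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the benchmark): run a container with a read-only
# root filesystem plus explicit writable mounts, then verify the setting.
# Image, container, volume and path names used here are hypothetical.

# Compose the docker run flags for a read-only root filesystem.
# Arguments: named volume for persistent data and the path inside the
# container where it is mounted. Scratch space is tmpfs with noexec and
# nosuid so that files dropped there cannot be executed.
readonly_run_flags() {
    data_volume="$1"
    data_path="$2"
    printf '%s' "--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=64m \
--tmpfs /run:rw,noexec,nosuid,size=16m \
--mount type=volume,src=${data_volume},dst=${data_path}"
}

# Launch the container detached and verify that Docker recorded the
# read-only root filesystem. Returns 0 only when the check passes.
# Requires Docker on the host.
run_readonly_container() {
    image="$1"
    name="$2"
    data_volume="$3"
    data_path="$4"
    # Word splitting of the flag string is intended here.
    # shellcheck disable=SC2046
    docker run -d --name "$name" $(readonly_run_flags "$data_volume" "$data_path") "$image" >/dev/null || return 1
    flag=$(docker inspect --format '{{.HostConfig.ReadonlyRootfs}}' "$name")
    [ "$flag" = "true" ]
}

# Usage: sh run_readonly.sh --live <image_name>
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    run_readonly_container "$2" app-readonly appdata /var/lib/app
fi
```

When an application fails after the change, its error message usually names the path it tried to write; add that path as a further --tmpfs or --mount entry rather than dropping --read-only.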


Backout Plan:

Using AWS Console:

  1. Edit the Docker run command or the container's configuration to remove the --read-only flag.
  2. Restart the container.

Using AWS CLI:

  1. Use SSM to revert the container to the previous configuration without the --read-only flag.
  2. Run the following command:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=InstanceIds,Values=<instance_id>" --parameters 'commands=["docker run -d <image_name>"]'


References: