iCompaas Support

Profile Applicability:

• Level 1 
  

Description:

Using the --privileged flag in Docker grants all Linux kernel capabilities to the container, which overrides both the --cap-add and --cap-drop flags. This grants the container excessive privileges, including access to devices and kernel functionalities, which can compromise the security of the host system. This flag should be avoided unless absolutely necessary for specific use cases.

Rationale:

The --privileged flag provides containers with all the capabilities of the host system, essentially giving the container the same privileges as the host. This can create significant security risks, as the container could potentially modify the host system or execute malicious actions. Containers should be run with the minimum privileges required.

Impact:

Pros:

• Reduces the attack surface by ensuring containers do not run with unnecessary privileges.
  

• Enhances security by applying the principle of least privilege to containers.
  

Cons:

• Some containers may require elevated privileges for certain tasks, which could be restricted if this recommendation is followed.
  

Default Value:

By default, containers do not run with the --privileged flag and have limited capabilities.

Pre-requisites:

• Ensure that containers are not started with the --privileged flag.
  

• Administrative privileges are required to configure Docker to avoid privileged containers.
  

Remediation:

Test Plan:

Using AWS Console:

1. Navigate to the EC2 instance running Docker.
   
2. Run the following command to inspect the running containers:
   

   docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'

3. Ensure that the output returns Privileged=false for all containers.
   

Using AWS CLI:

1. Connect to the EC2 instance where Docker is running.
   
2. Run the following command to check the Docker containers' privileges:

   docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'

Implementation Plan:

Using AWS Console:

1. Log in to the EC2 instance.
   
2. When running a container, ensure that the --privileged flag is not used. For example, do not run the following command:
   

   docker stop <container_id>
   docker run --interactive --tty <image> /bin/bash

Using AWS CLI:

1. Ensure that the --privileged flag is not used when starting containers.
   
2. Example of correct usage:

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --interactive --tty centos /bin/bash"]'

Backout Plan:

Using AWS Console:

1. If any container is running with the --privileged flag, stop the container and restart it without the flag. You can use:
   

   docker stop <container_id>
   docker run --interactive --tty <image> /bin/bash

Using AWS CLI:

1. Use SSM to stop any privileged containers and restart them without the --privileged flag:
   

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop <container_id> && docker run --interactive --tty <image> /bin/bash"]'

References:

• CIS Docker Benchmark v1.7
  

• Docker Documentation: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities