Profile Applicability:

  • Level 1

Description:

The Docker container process namespace should not be shared with the host system. This prevents containers from having access to the host's process space, which could allow a container to interfere with or observe processes running on the host.

Rationale:

Sharing the process namespace between the host and containers can lead to potential security risks. A container could access and manipulate the host's process information, increasing the risk of privilege escalation or unauthorized access to the host system.

Impact:

Pros:

  • Prevents containers from accessing or interacting with the host’s process namespace, enhancing isolation and security.

  • Reduces the risk of a container escaping and gaining access to critical system processes.

Cons:

  • May restrict certain use cases where containers need to interact with host processes, but these are generally rare and can be avoided.

Default Value:

By default, containers do not share the host’s process namespace unless explicitly specified in the Docker run command or Docker Compose configuration.

Pre-requisites:

  • Administrative access to the host system running Docker.

  • Understanding of Docker command-line options and configuration files.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Check the Docker container configuration or deployment files (like docker run commands or docker-compose.yml) to ensure the --pid host option is not being used.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to list all running containers with their PID mode and verify that none of them report PidMode=host (docker ps has no pid filter, so the check goes through docker inspect):
docker ps -q | xargs docker inspect --format '{{ .Id }} {{ .Name }} PidMode={{ .HostConfig.PidMode }}'
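The audit above, carried a step further as an added helper script (not part of the benchmark text or of Docker's own tooling): it reports every running container whose HostConfig.PidMode is host, and it scans any docker-compose.yml files named on the command line for a pid key set to host. HostConfig.PidMode is the real field docker inspect exposes; the function names, the PID_AUDIT_LIVE switch and the sample data are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: audit Docker hosts for containers sharing the host PID namespace.
# Assumes the docker CLI is installed on the host. HostConfig.PidMode is the field
# docker inspect exposes for the --pid setting: empty when --pid was not given,
# "host" for --pid host, "container:<id>" when sharing another container's namespace.

# Print "<name> <PidMode>" for every running container.
# xargs -r (GNU) avoids running docker inspect with no arguments when nothing runs.
list_pid_modes() {
  docker ps -q | xargs -r docker inspect --format '{{ .Name }} {{ .HostConfig.PidMode }}'
}

# Read "<name> <PidMode>" lines on stdin and print the names whose mode is exactly
# "host". An unset --pid shows up as an empty second field, and "container:<id>"
# is not a host share, so neither is flagged. The leading "/" docker puts on names is dropped.
flag_host_pid() {
  awk '$2 == "host" { sub(/^\//, "", $1); print $1 }'
}

# Scan compose files for a pid key whose value is host, quoted or not, e.g.
#   pid: host      pid: "host"      pid: 'host'   # comment
# Prints file:line:text for each hit; exit status follows grep (0 = something found).
scan_compose_pid_host() {
  grep -nE "^[[:space:]]*pid:[[:space:]]*[\"']?host([\"' #]|\$)" "$@"
}

# Combine the live listing with the filter. Returns 1 when any finding exists.
audit_pid_namespace() {
  findings=$(list_pid_modes | flag_host_pid)
  if [ -n "$findings" ]; then
    printf 'FAIL: containers sharing the host PID namespace:\n%s\n' "$findings"
    return 1
  fi
  echo 'PASS: no running container uses --pid host'
}

# Constructed sample of list_pid_modes output (not real docker output) so that
# flag_host_pid can be exercised on a machine without Docker.
SAMPLE_PID_MODES='/web
/debug host
/sidecar container:db'

# Live checks run only when explicitly requested, so the functions can be sourced:
#   PID_AUDIT_LIVE=1 sh pid_audit.sh [docker-compose.yml ...]
if [ "${PID_AUDIT_LIVE:-0}" = 1 ]; then
  audit_pid_namespace
  if [ "$#" -gt 0 ]; then
    scan_compose_pid_host "$@"
  fi
fi
```

PidMode is fixed when a container is created, so a container that fails this audit has to be recreated without --pid host (or with the pid key removed from its compose service); a plain docker restart keeps the old HostConfig and will fail the audit again.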


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Review the container configurations, including the docker run commands or docker-compose.yml files.
  3. Ensure that the --pid flag is not set to host. If it is, remove it.
  4. Restart the Docker containers.

Using AWS CLI:

  1. Use SSM to remotely update the Docker configuration and restart any affected containers.
  2. Run the following command to report each running container's PID mode; any container showing PidMode=host is still using the host's process namespace:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["docker ps -q | xargs docker inspect --format \"{{ .Name }} PidMode={{ .HostConfig.PidMode }}\""]}'


Backout Plan:

Using AWS Console:

  1. If the host’s process namespace was previously shared, ensure that containers are properly isolated by removing the --pid host setting from the configuration files.
  2. Restart the Docker containers.

Using AWS CLI:

  • Use SSM to revert the change if necessary, ensuring the containers no longer share the host's process namespace.

  • Run the following command to stop and restart the container with updated configuration:

aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker restart $(docker ps -q)"]'


References: