Profile Applicability:
Level 1
Description:
The Docker container's process namespace should not be shared with the host system. This is to ensure that the container’s processes are isolated from the host’s processes and that the host system’s process IDs are not exposed to containers.
Rationale:
Sharing the process namespace can lead to potential security risks, where a container could gain visibility into or manipulate the processes running on the host system. Ensuring isolation between the host's process namespace and containers strengthens security by preventing unauthorized access.
Impact:
Pros:
Ensures process isolation, reducing the risk of security breaches.
Helps maintain the confidentiality of the host's process environment.
Cons:
May require additional configuration to ensure that containers do not inadvertently share the process namespace with the host.
Default Value:
By default, Docker containers use their own process namespace and do not share the host's namespace unless explicitly configured.
Pre-requisites:
Docker installed and running on the host system.
Administrative access to Docker configuration files and container settings.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance running Docker.
- Run the following command to check the process namespace mode used by the container (a `"PidMode": "host"` entry means the host's process namespace is shared):
docker inspect <container_id> | grep "PidMode"
Using AWS CLI:
- Connect to the EC2 instance.
- Run the following command to check the namespace configuration for a specific container; an empty result is the default (the container has its own process namespace), while `host` means the host's process namespace is shared:
docker inspect --format '{{.HostConfig.PidMode}}' <container_id>
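The PidMode check above applied to every running container, as an added audit helper that is not part of the benchmark text; it assumes the standard docker CLI and a reachable Docker daemon, and exits non-zero if any container shares the host's process namespace.

```sh
#!/bin/sh
# Added audit helper for this control; not part of the CIS benchmark text.

# pid_mode_status: describe one HostConfig.PidMode value as reported by
# `docker inspect`. An empty value is Docker's default (own PID namespace).
pid_mode_status() {
  case "$1" in
    "")          echo "PASS: own PID namespace (default)" ;;
    host)        echo "FAIL: shares the host PID namespace" ;;
    container:*) echo "INFO: joins the PID namespace of container ${1#container:} (not the host)" ;;
    *)           echo "UNKNOWN: PidMode='$1'" ;;
  esac
}

# shares_host_pid: true (exit 0) only when the mode shares the host namespace.
shares_host_pid() {
  [ "$1" = "host" ]
}

# audit_running_containers: report every running container and return 1
# if at least one of them shares the host's PID namespace, 0 otherwise.
audit_running_containers() {
  failed=0
  for id in $(docker ps -q); do
    mode=$(docker inspect --format '{{.HostConfig.PidMode}}' "$id")
    name=$(docker inspect --format '{{.Name}}' "$id")
    # Docker prefixes names with "/", strip it for readable output.
    printf '%s %s %s\n' "$id" "${name#/}" "$(pid_mode_status "$mode")"
    if shares_host_pid "$mode"; then failed=1; fi
  done
  return "$failed"
}

# Only run the audit when a Docker daemon is reachable from this shell.
if docker info >/dev/null 2>&1; then
  audit_running_containers
fi
```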
Implementation Plan:
Using AWS Console:
- To ensure the host's process namespace is not shared, configure the Docker container to use its own process namespace: do not start it with the --pid option set to host, and remove that option if it is already configured.
- Recreate and restart the Docker container to apply the change; the process namespace mode is fixed when a container is created and cannot be changed on a running container.
Using AWS CLI:
- Use SSM to remotely set the appropriate configuration for the Docker container.
- Run the following command to configure the container's process namespace:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --pid=container:<container_id> <image_name>"]'
Backout Plan:
Using AWS Console:
- Connect to the EC2 instance.
- Modify the container settings to revert the process namespace to the shared host namespace.
Example: run the container with the --pid=host option to share the host's process namespace.
- Restart Docker.
Using AWS CLI:
Revert the configuration using SSM to allow the container to share the host’s process namespace:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --pid=host <image_name>"]'
References:
CIS Docker Benchmark v1.7
Docker Documentation: https://docs.docker.com/