Profile Applicability:

  • Level 1

Description:

Sensitive host system directories, such as /, /boot, /dev, /etc, /lib, /lib64, /proc, /sys, and /usr, should not be mounted as container volumes, particularly in read-write mode.

Rationale:

Mounting sensitive directories, especially in read-write mode, can lead to security vulnerabilities. Attackers with access to the container could modify system-critical files, compromising the security and integrity of the host system.

Impact:

None: there is no immediate operational impact; the control prevents containers from gaining unauthorized access to critical host system directories.

Default Value:

Docker does not mount any sensitive host system directories to containers by default. However, users can manually mount them, which may lead to security risks.

Pre-requisites:

  • Docker must be installed on the host system.

  • Administrative privileges to view and modify container mount points.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Run the following command to review currently mounted directories:
    docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'
  3. Ensure no sensitive directories are mounted to containers, particularly in read-write mode.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to inspect container volumes:
    docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'
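The manual review above leaves it to the reader to spot sensitive paths in the raw Mounts output. The following script, added here as an example and not part of the benchmark text, prints one line per mount and flags any whose host source is one of the sensitive directories named in this control (or lies beneath one), distinguishing read-write from read-only. It assumes the Docker CLI for the live run; the check itself works on plain text lines, and the sample data is constructed.

```sh
#!/bin/sh
# Added example (not benchmark text): audit container bind mounts against the
# sensitive host directories named in this control. Docker CLI assumed for the
# live run; the check itself only needs "<id> <source> <destination> <rw>" lines.
SENSITIVE_DIRS="/ /boot /dev /etc /lib /lib64 /proc /sys /usr"

# Emit one line per mount of every container (running or stopped).
list_mounts() {
  docker ps --quiet --all | xargs -r docker inspect \
    --format '{{$id := .Id}}{{range .Mounts}}{{$id}} {{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}'
}

# is_sensitive PATH: true when PATH is a sensitive directory or lies beneath one.
# "/" only matches itself, so a bind mount of /home/app is not a finding.
is_sensitive() {
  p=$1
  for d in $SENSITIVE_DIRS; do
    if [ "$p" = "$d" ]; then return 0; fi
    if [ "$d" != "/" ]; then
      case "$p" in "$d"/*) return 0 ;; esac
    fi
  done
  return 1
}

# check_mounts: reads mount lines on stdin, prints one finding per sensitive
# mount, returns 1 if any sensitive directory is mounted read-write, else 0.
check_mounts() {
  rc=0
  while read -r cid src dst rw; do
    [ -n "$cid" ] || continue
    is_sensitive "$src" || continue
    if [ "$rw" = "true" ]; then
      echo "FAIL $cid: $src mounted read-write at $dst"
      rc=1
    else
      echo "WARN $cid: $src mounted read-only at $dst"
    fi
  done
  return $rc
}

# Constructed sample in the list_mounts format (not real container output).
SAMPLE='abc123 /etc /host-etc true
abc123 /var/lib/docker/volumes/data/_data /data true
def456 /proc /host/proc false
def456 /home/app/config /config true'

printf '%s\n' "$SAMPLE" | check_mounts || echo "=> remediate the FAIL lines above"
```

On a live host, `list_mounts | check_mounts` runs the same check against real containers, and a non-zero exit status marks read-write findings that need the implementation plan applied.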

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Verify if any sensitive host directories are mounted to containers.
  3. Modify the container configurations to ensure sensitive directories are not mounted or only mounted as read-only if necessary.
  4. Restart the containers to apply the changes:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to check and modify the container mount configurations.
  2. Run the following command to check for sensitive host directories:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["docker ps --quiet --all | xargs docker inspect --format \"{{ .Id }}: Volumes={{ .Mounts }}\""]}'
  3. If any sensitive directories are found, update the container configuration to avoid mounting them in read-write mode.

Backout Plan:

Using AWS Console:

  1. If changes need to be reverted, connect to the EC2 instance.
  2. Remove the sensitive directory mounts from container configurations and restart Docker:
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert any changes made to the container mount points:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["docker ps --quiet --all | xargs docker inspect --format \"{{ .Id }}: Volumes={{ .Mounts }}\""]}'

References: