Profile Applicability:
Level 1
Description:
Mount propagation controls whether mounts created beneath a bind mount's source or destination are replicated between the host and the container. Docker sets it per bind mount (the ":shared" volume option or "bind-propagation=shared" mount option, and their recursive forms "rshared"), not globally. With shared propagation, mounts performed inside the container appear on the host and mounts performed on the host appear inside the container, so a container that can also call mount(2) (for example one started with --privileged or --cap-add SYS_ADMIN) can alter the host's mount table. Ensuring that no container uses shared propagation reduces that attack surface.
Rationale:
Shared mount propagation lets a container change the host's mount table: a mount made inside the container (for example of a device or a tmpfs) becomes visible on the host and in every other container that shares the same mount point, which may be unintentional or malicious. Keeping bind mounts in their default private mode (or "slave" where the container only needs to see host-side changes) confines a container's mounts to that container and removes one path by which a compromised container can affect the host.
Impact:
Pros:
Increases security by isolating container mounts from the host system.
Reduces potential risks of unintentional mount propagation between containers and host.
Cons:
May require re-creating containers that legitimately depend on shared propagation, such as storage or CSI-style plugins that perform mounts on behalf of the host; those should be justified and documented as exceptions rather than left as the default.
Default Value:
By default, Docker bind mounts use "rprivate" (recursive private) propagation, so mounts made on either side are not replicated to the other. Shared propagation is only used when it is requested explicitly per mount, and Docker additionally requires the host source path to sit on a shared mount point for the option to take effect.
Pre-requisites:
Access to Docker configuration and administrative privileges on the host system.
Knowledge of how containers and mount propagation are configured.
Remediation:
Test Plan:
Using AWS Console:
- Navigate to the EC2 instance running Docker and open a shell on it (Session Manager or EC2 Instance Connect).
- Run the docker inspect check from the AWS CLI section below against every container (running and stopped) and verify that no mount reports a propagation mode of "shared" or "rshared."
- Note that propagation is a per-mount property set at container creation; it is not a setting in /etc/docker/daemon.json, so reviewing that file alone is not a valid test.
Using AWS CLI:
- Connect to the EC2 instance.
- Run the following command to list the propagation mode of every mount of every container; any value of "shared" or "rshared" is a finding (volume mounts have no propagation field and print as an empty string):
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
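The following script is an added example of the same audit (it is not part of the original page or of Docker's own tooling). The docker CLI calls and the Go-template format string are real; the inspect output used for the demonstration is constructed so the check logic can be exercised without a Docker host.

```shell
#!/usr/bin/env bash
# Added audit example: list every mount of every container with its propagation
# mode and fail if any mount uses "shared" or "rshared" propagation.
# The docker commands are real; SAMPLE_INSPECT_OUTPUT below is constructed.
set -u

# Emit one "container_id destination propagation" line per mount, using the
# top-level .Mounts list (covers both -v and --mount bind mounts). Volume mounts
# have no propagation field, so their third column is empty.
list_mount_propagation() {
  docker ps --quiet --all | xargs --no-run-if-empty docker inspect \
    --format '{{ $id := .Id }}{{ range .Mounts }}{{ $id }} {{ .Destination }} {{ .Propagation }}{{ "\n" }}{{ end }}'
}

# Read those lines on stdin, print each offender, and return 1 when any mount
# uses shared or rshared propagation (0 when every mount is private/slave/unset).
find_shared_mounts() {
  local rc=0 id dest prop
  while read -r id dest prop; do
    [ -n "$id" ] || continue
    case "$prop" in
      shared|rshared)
        printf 'FAIL container=%s dest=%s propagation=%s\n' "$id" "$dest" "$prop"
        rc=1
        ;;
    esac
  done
  return "$rc"
}

# Constructed sample of what list_mount_propagation prints on a host with one
# compliant container and one started with "-v /mnt/host:/mnt/host:shared".
SAMPLE_INSPECT_OUTPUT='0a1b2c3d /data rprivate
0a1b2c3d /cache
4e5f6a7b /mnt/host shared
4e5f6a7b /var/run/docker.sock rprivate'

# Real usage on a Docker host:  list_mount_propagation | find_shared_mounts
# Demo against the constructed sample:  ./audit-propagation.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_INSPECT_OUTPUT" | find_shared_mounts
fi
```

The exit status of find_shared_mounts makes the script usable directly as an SSM or cron compliance check; a non-zero status means at least one container must be re-created with private propagation.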
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker and identify the containers reported by the Test Plan.
- Re-create each offending container without the shared propagation option: drop ":shared"/":rshared" from the -v specification, or set "bind-propagation=rprivate" (the default) in the --mount specification. Propagation is fixed at container creation and cannot be changed on a running container.
- No change to /etc/docker/daemon.json and no Docker daemon restart is required; daemon.json has no mount propagation setting, and an unknown key there will prevent dockerd from starting.
Using AWS CLI:
- Use SSM to stop and remove the offending container and start it again without the shared propagation option. The container name, image and mount paths below are placeholders to be replaced with the values from the Test Plan; if the container was created by Compose or an orchestrator, edit that definition instead so the fix persists.
- Run the following command:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop container_name","docker rm container_name","docker run -d --name container_name --mount type=bind,source=/host/path,target=/container/path,bind-propagation=rprivate image_name"]'
Backout Plan:
Using AWS Console:
- Connect to the EC2 instance.
- If a workload is found to require shared propagation, re-create that container with the original ":shared" or "bind-propagation=shared" option and record the exception; no daemon.json change or Docker restart is involved.
Using AWS CLI:
- Use SSM to re-create the container with shared propagation (placeholders as in the Implementation Plan):
Run the following command:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker stop container_name","docker rm container_name","docker run -d --name container_name --mount type=bind,source=/host/path,target=/container/path,bind-propagation=shared image_name"]'
References:
Docker Documentation on Mount Propagation