Profile Applicability:

  • Level 1

Description:

The UTS (UNIX Time Sharing) namespace allows containers to have their own hostname and domain name. The host system's UTS namespace should not be shared with containers to prevent containers from affecting the host’s identity and networking configurations.

Rationale:

By ensuring that the UTS namespace is not shared, containers are isolated in terms of hostname and domain name. This limits the potential for a container to alter the system hostname and prevents interference with networking configurations on the host.

Impact:

Pros:

  • Improves security by preventing containers from altering the host system’s hostname or domain name.

  • Increases container isolation, reducing the risk of cross-container attacks via the network.

Cons:

  • May require additional configuration when you need containers to be aware of specific host networking configurations.

Default Value:

  • By default, Docker does not share the UTS namespace unless explicitly configured.

Pre-requisites:

  • Docker must be installed and running on the host system.

  • Ensure that containers are not started with --uts=host, the flag that makes them share the host's UTS namespace.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Check the command used to run containers (through the Docker service or ECS task) to verify that the --uts flag is not set to host.

Using AWS CLI:

  1. Connect to the EC2 instance.
  2. Run the following command to check the container's settings (the UTS setting is exposed by docker inspect as HostConfig.UTSMode):
docker inspect <container_id> --format '{{ .HostConfig.UTSMode }}'

  3. Ensure the result does not indicate the container shares the host's UTS namespace: an empty value means the container has its own UTS namespace, while the value host means it shares the host's.
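The check in step 2 covers one container at a time. The following script is an added example, not part of the benchmark text or of Docker's own tooling, that applies the same inspection to every running container on the instance. It assumes the docker CLI is on the PATH; collect_uts() gathers one line per running container, and audit_uts() is pure text processing over those lines so it can be exercised with constructed sample input (the hypothetical script name uts_audit.sh is only used to decide whether to run the live audit).

```shell
#!/bin/sh
# Added audit helper (not from the benchmark text): reports running containers
# whose HostConfig.UTSMode is "host", i.e. that share the host UTS namespace.

# collect_uts: emit one line per running container as "<id> <name> <utsmode>".
# utsmode is empty when the container has a private UTS namespace (the default)
# and "host" when it was started with --uts=host. Assumes docker is on the PATH.
collect_uts() {
  docker ps -q | while read -r id; do
    docker inspect --format '{{.Id}} {{.Name}} {{.HostConfig.UTSMode}}' "$id"
  done
}

# audit_uts: read collect_uts lines on stdin, print one finding per container
# that shares the host UTS namespace, and exit 1 if any finding was produced.
# Lines with an empty third field (private UTS namespace) are compliant.
audit_uts() {
  awk '
    $3 == "host" {
      printf "NON-COMPLIANT %s (%s): shares host UTS namespace\n", $2, $1
      bad = 1
    }
    END { exit bad }
  '
}

# Run the live audit only when executed as uts_audit.sh (hypothetical name),
# so the functions can be sourced and tested without a Docker daemon.
if [ "${0##*/}" = "uts_audit.sh" ]; then
  collect_uts | audit_uts
fi
```

Run it directly on the instance, or push it through the same AWS-RunShellScript SSM document used elsewhere in this control. A non-zero exit status means at least one container shares the host's UTS namespace; the compliant default is an empty UTSMode value.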

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Ensure that Docker containers are started without the --uts flag, either by editing the Docker run command or the ECS task definition.
  3. Restart the container service if necessary to apply the changes.

Using AWS CLI:

  1. Use SSM to modify the command or task definition that starts the containers.
  2. Run the following command to ensure containers are started without the UTS namespace shared:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --hostname <new_host_name> <image_name>"]'

Backout Plan:

Using AWS Console:

  1. Revert the Docker container settings to share the UTS namespace if needed (start the container with --uts host).
  2. Restart Docker and containers to apply the changes.

Using AWS CLI:

  1. Use SSM to reconfigure the container to share the host’s UTS namespace.
  2. Run the following command:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --uts host <image_name>"]'

References: