Profile Applicability:

  • Level 1

Description:

Containers should not share the host's network namespace: a container running in the host namespace has direct access to the host's network interfaces. Containers should instead run in their own isolated network namespace, which improves isolation and gives the operator control over what the container can reach.

Rationale:

Sharing the host's network namespace exposes the host's network interfaces and services to any vulnerability exploited from within the container. Isolating containers from the host network reduces the attack surface and prevents a compromised container from directly reaching critical network resources on the host.

Impact:

Pros:

  • Improves the isolation between the container and the host network.

  • Reduces the potential attack surface on the host machine.

Cons:

  • May require additional configuration for container-to-container communication, as containers are no longer on the host network.

Default Value:

By default, Docker containers are assigned to their own network namespace, unless the --network host option is used during container creation.

Pre-requisites:

  • Docker must be installed and configured on the host system.

  • Administrative privileges to manage Docker containers and network configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Verify the container's network mode by inspecting the container's configuration (the HostConfig.NetworkMode setting) or its logs.
  3. Ensure that the container is not using --network host when created. This ensures the container has its own network namespace.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to check the container's network mode:
    docker inspect <container_name_or_id> --format '{{.HostConfig.NetworkMode}}'
  3. Confirm that the network mode is not set to host.
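The check in step 2 is per container. The following POSIX shell helper, added here as an example and not part of the benchmark text, runs the same docker inspect query across every container on the host (including stopped ones) and flags any whose network mode is host. The check_network_mode and audit_lines functions are assumptions introduced for this example; the sample container list is constructed so the helper can be exercised without a Docker daemon, and the --live flag runs it against the real daemon.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): audit helper that flags any
# container whose HostConfig.NetworkMode is "host", i.e. one started with
# --network host (or the older --net=host spelling).

# check_network_mode NAME MODE
# Returns 0 (PASS) unless MODE is "host", in which case it prints a FAIL line
# and returns 1.
check_network_mode() {
  _name="$1"
  _mode="$2"
  case "$_mode" in
    host)
      printf 'FAIL %s NetworkMode=%s (shares the host network namespace)\n' "$_name" "$_mode"
      return 1
      ;;
    *)
      printf 'PASS %s NetworkMode=%s\n' "$_name" "$_mode"
      return 0
      ;;
  esac
}

# audit_lines reads "NAME MODE" pairs on stdin, one per line, and returns 1 if
# any container fails. Reading from stdin keeps the logic testable offline.
audit_lines() {
  _rc=0
  while read -r _n _m; do
    [ -n "$_n" ] || continue
    check_network_mode "$_n" "$_m" || _rc=1
  done
  return $_rc
}

# audit_docker runs the same check against the live daemon. Stopped containers
# are included (-a): a host-networked container that is merely stopped rejoins
# the host namespace the moment it is started again.
audit_docker() {
  for _id in $(docker ps -aq); do
    docker inspect --format '{{.Name}} {{.HostConfig.NetworkMode}}' "$_id"
  done | sed 's#^/##' | audit_lines
}

# Constructed sample in the "NAME MODE" shape audit_docker produces. "default"
# is what the daemon reports for a container created with no --network flag;
# "bridge" and user-defined networks such as "appnet" are also compliant.
SAMPLE_INSPECT='web bridge
db appnet
agent host
legacy default'

if [ "${1:-}" = "--live" ]; then
  audit_docker || echo "one or more containers share the host network namespace"
else
  printf '%s\n' "$SAMPLE_INSPECT" | audit_lines \
    || echo "one or more containers share the host network namespace"
fi
```

Run it with no arguments to see the constructed sample evaluated (the agent container fails), or with --live on the EC2 instance to audit the real daemon; a non-zero return from audit_lines is what an SSM or cron job should key on.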

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. When creating a container, avoid using the --network host flag to ensure that the container uses its own isolated network namespace.
  3. Example:

    docker run --name <container_name> --network bridge <image_name>

Using AWS CLI:

  1. Use SSM to run a script that ensures containers are created with their own network namespace.
  2. Example:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker run --name <container_name> --network bridge <image_name>"]'

Backout Plan:

Using AWS Console:

  1. If containers are mistakenly created with the host network, stop and remove the containers.
  2. Re-create the containers with the correct network setting (--network bridge or custom network).

Using AWS CLI:

  1. Use SSM to stop and remove any containers created with the host network mode:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker stop <container_name> && docker rm <container_name>"]'
  2. Re-create the container using the correct network setting:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["docker run --name <container_name> --network bridge <image_name>"]'

References: