Profile Applicability:

  • Level 1

Description:

AppArmor is an effective and easy-to-use Linux application security system available on certain Linux distributions such as Debian and Ubuntu. When enabled, it enforces security policies on Docker containers to restrict their capabilities and protect the system from various security threats.

Rationale:

AppArmor helps to secure the Linux operating system and applications by restricting their access to system resources according to pre-defined profiles. Enabling AppArmor profiles for Docker containers ensures that security policies are enforced to prevent unauthorized actions.

Impact:

Pros:

  • Provides an additional layer of security by restricting container behavior.

  • Helps in reducing the attack surface by enforcing security policies.

Cons:

  • Misconfigured AppArmor profiles can cause operational issues with containers, potentially leading to downtime or reduced performance.

Default Value:

By default, Docker applies the docker-default AppArmor profile to containers. This profile is generated by Docker and loaded into the kernel.

Pre-requisites:

  • AppArmor must be installed and available on the Linux OS.

  • Administrative privileges to modify Docker configurations and enforce AppArmor profiles.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance running Docker.
  2. Check if AppArmor is installed and verify the AppArmor profile by inspecting the running containers.
  3. Ensure that the containers have a valid AppArmor profile applied.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to check if an AppArmor profile is applied:
    docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'
    A blank AppArmorProfile value (or the value "unconfined") means that no AppArmor profile is applied to that container.
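As an added example (not part of this benchmark), the following POSIX shell function audits the output of the Test Plan's docker inspect command and lists every container that has no AppArmor profile; the sample output and container ids are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the output of the
# "docker inspect" command in the Test Plan. Input lines look like
#   <container id>: AppArmorProfile=<profile or empty>
# A blank value means no profile is applied; "unconfined" means AppArmor
# was explicitly disabled for the container. Both are non-compliant.

# Reads inspect lines on stdin, prints one "<id> <status>" line per
# non-compliant container, and returns 1 if any were found, else 0.
audit_apparmor() {
    _found=0
    while IFS= read -r line; do
        id=${line%%:*}                       # text before the first colon
        profile=${line##*AppArmorProfile=}   # text after the field name
        if [ -z "$profile" ]; then
            printf '%s no-profile\n' "$id"; _found=1
        elif [ "$profile" = unconfined ]; then
            printf '%s unconfined\n' "$id"; _found=1
        fi
        # any other value (docker-default or a custom profile) is compliant
    done
    return $_found
}

# Live usage on a Docker host (same command as the Test Plan):
#   docker ps --quiet --all \
#     | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}' \
#     | audit_apparmor

# Constructed sample output for offline testing (ids are made up).
SAMPLE='aaa111: AppArmorProfile=docker-default
bbb222: AppArmorProfile=
ccc333: AppArmorProfile=unconfined
ddd444: AppArmorProfile=my-custom-profile'

# Runs the audit over the constructed sample; exit status 1 = findings.
audit_sample() {
    printf '%s\n' "$SAMPLE" | audit_apparmor
}
```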
Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Verify that AppArmor is installed using the package manager.
  3. If AppArmor is not installed, install it using:
    sudo apt-get install apparmor
  4. Create or import a custom AppArmor profile for Docker containers, or use Docker's default profile.
  5. Apply the profile by launching containers with the --security-opt="apparmor:PROFILENAME" flag:
    docker run --interactive --tty --security-opt="apparmor:PROFILENAME" ubuntu /bin/bash

Using AWS CLI:

  1. Use SSM to remotely apply the AppArmor profile.
  2. Run the following command to apply AppArmor to a Docker container:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --interactive --tty --security-opt=\"apparmor:PROFILENAME\" ubuntu /bin/bash"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. If an issue occurs, remove or revert the custom AppArmor profile.
  3. Restart the container or Docker service to remove the applied profile.

Using AWS CLI:

  1. Use SSM to remove the AppArmor profile and restart Docker:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --interactive --tty ubuntu /bin/bash"]'
References: