Open
Labels: critical, infrastructure, security
Description
Problem Statement
Both Docker and systemd configurations run the metrics agent with root privileges, violating the principle of least privilege and creating unnecessary security risks. The current setup exposes the system to privilege escalation attacks and potential container breakouts.
Impact Assessment
- Severity: Critical
- Impact: Privilege escalation, container breakout, system compromise
- Affected Components: Container deployment, systemd service, host system security
- Security Risk: High - Root access can lead to complete system compromise
- Compliance: Violates security hardening standards (CIS, NIST)
Technical Details
Current Vulnerable Configuration
Docker Configuration (Dockerfile)
```dockerfile
# Line 70: Dangerous root user
USER root
```
Systemd Configuration (packaging/systemd/sc-metrics-agent.service)
```ini
# Lines 8-9: Running as root
User=root
Group=root
```
Security Issues
- Unnecessary Privileges: Agent doesn't need root for most operations
- Attack Surface: Root access increases impact of vulnerabilities
- Container Security: Violates container security best practices
- Audit Compliance: Fails security hardening requirements
Acceptance Criteria
- Remove root user from Docker configuration
- Implement proper Linux capabilities for required operations
- Configure systemd to run as non-root user
- Add security hardening to systemd service
- Implement proper file permissions and ownership
- Add AppArmor/SELinux security profiles
- Configure resource limits and constraints
- Add security scanning to CI/CD pipeline
Implementation Guidelines
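- Docker Security Hardening:
```dockerfile
# Use non-root user (addgroup/adduser -S is the BusyBox/Alpine syntax)
RUN addgroup -g 1001 -S sc-agent && \
    adduser -u 1001 -S sc-agent -G sc-agent
# Add capabilities for specific operations.
# setcap must run as root, so it comes before the USER switch.
RUN setcap cap_sys_ptrace,cap_dac_read_search+ep /app/sc-agent
# Set proper capabilities instead of root: run as the unprivileged user.
# Neither capability is in Docker's default set, so the container also needs
# --cap-add SYS_PTRACE --cap-add DAC_READ_SEARCH at run time.
USER 1001:1001
```
- Systemd Security Enhancement: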
```ini
[Service]
Type=simple
User=sc-agent
Group=sc-agent
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/sc-agent
CapabilityBoundingSet=CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
AmbientCapabilities=CAP_SYS_PTRACE CAP_DAC_READ_SEARCH
# Resource limits
LimitNOFILE=65536
LimitMEMLOCK=infinity
```
- Required Capabilities Analysis:
  - CAP_SYS_PTRACE: For process metrics collection
  - CAP_DAC_READ_SEARCH: For reading system files
  - Remove all other unnecessary capabilities
Security Enhancements
Container Security
- Use distroless base image
- Implement multi-stage builds
- Add security scanning
- Enable read-only filesystem
- Configure resource limits
Systemd Security
- Enable systemd security features
- Configure proper file permissions
- Add process isolation
- Implement resource constraints
Testing Requirements
- Security tests for privilege escalation
- Container security scanning
- Systemd configuration validation
- Integration tests with reduced privileges
- Performance impact assessment
Configuration Changes Required
- Create dedicated user account:
```bash
sudo useradd -r -s /bin/false -d /var/lib/sc-agent sc-agent
sudo mkdir -p /var/lib/sc-agent
sudo chown sc-agent:sc-agent /var/lib/sc-agent
```
- File permission updates:
```bash
sudo chmod 750 /usr/local/bin/sc-metrics-agent
sudo chown sc-agent:sc-agent /usr/local/bin/sc-metrics-agent
```
Migration Strategy
- Phase 1: Test with reduced privileges in development
- Phase 2: Update Docker configuration
- Phase 3: Update systemd service
- Phase 4: Deploy with monitoring
- Phase 5: Validate security improvements
Related Issues
- Depends on: Metrics collection capability analysis ([CRITICAL] Fix fake data generation in metrics collectors #1)
- Blocks: Container security compliance ([TESTING] Add comprehensive security and integration test coverage #12)
- Related to: Audit logging implementation ([DOCUMENTATION] Comprehensive documentation and compliance framework #13)
- Impacts: Performance monitoring accuracy
Definition of Done
- Docker runs as non-root user
- Systemd service uses dedicated user account
- All security hardening measures implemented
- Capabilities reduced to minimum required
- Security tests passing
- Performance impact < 1%
- Security review approved
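
A runtime check for the "non-root user" and "capabilities reduced to minimum required" items above, as an added example that is not part of the original issue or the project's code: it parses `/proc/<pid>/status` and reports anything beyond CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH. The function names, the UID 998 and both sample status texts are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h> for the two capabilities the issue keeps
ALLOWED = {"CAP_DAC_READ_SEARCH": 2, "CAP_SYS_PTRACE": 19}
ALLOWED_MASK = sum(1 << bit for bit in ALLOWED.values())  # 0x80004
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_status(text):
    """Return (effective UID, {set name: mask}, NoNewPrivs value or None)."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    euid = int(fields["Uid"].split()[1])  # Uid: real, effective, saved, fs
    caps = {k: int(fields[k], 16) for k in CAP_SETS if k in fields}
    return euid, caps, fields.get("NoNewPrivs")

def audit(text, require_no_new_privs=True):
    """Return findings; an empty list means the process meets the criteria."""
    euid, caps, nnp = parse_status(text)
    findings = []
    if euid == 0:
        findings.append("effective UID is 0 (root)")
    for name, mask in caps.items():
        extra = mask & ~ALLOWED_MASK  # bits set outside the two allowed ones
        if extra:
            findings.append(f"{name} holds capabilities outside the allowed set: {extra:#x}")
    for cap, bit in ALLOWED.items():
        if not ((caps.get("CapEff", 0) >> bit) & 1):
            findings.append(f"{cap} missing from CapEff; collection may fail")
    # Matches NoNewPrivileges=true in the systemd unit; pass False for the
    # Docker variant, which relies on file capabilities set with setcap.
    if require_no_new_privs and nnp != "1":
        findings.append("NoNewPrivs is not set")
    return findings

# Constructed samples in the /proc/<pid>/status layout (not from a real host)
HARDENED = ("Name:\tsc-agent\nUid:\t998\t998\t998\t998\n"
            "CapInh:\t0000000000080004\nCapPrm:\t0000000000080004\n"
            "CapEff:\t0000000000080004\nCapBnd:\t0000000000080004\n"
            "CapAmb:\t0000000000080004\nNoNewPrivs:\t1\n")
ROOT = ("Name:\tsc-agent\nUid:\t0\t0\t0\t0\n"
        "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
        "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
        "CapAmb:\t0000000000000000\nNoNewPrivs:\t0\n")

if __name__ == "__main__":
    import sys
    text = open(f"/proc/{sys.argv[1]}/status").read() if len(sys.argv) > 1 else ROOT
    print("\n".join(audit(text)) or "OK")
```

Run it with the agent's PID as the only argument after each migration phase; with no argument it audits the constructed root sample.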