Profile Applicability:

  • Level 1 

Description:

The docker.service file, typically located in /etc/systemd/system/ or /lib/systemd/system/, defines how the Docker daemon is started and managed by systemd. Because systemd runs the commands in this unit as root, the file must be owned by user root and group root (root:root) so that only administrators can modify it.

Rationale:

The docker.service file controls the Docker daemon and its configuration. Allowing non-root users to have ownership of this file can lead to security vulnerabilities, as it could be modified by unauthorized users, potentially compromising the entire Docker setup.

Impact:

Pros:

  • Ensures that only authorized system administrators can modify the docker.service file.

  • Enhances the overall security of the Docker configuration by preventing unauthorized access to critical service files.

Cons:

  • The ownership of the file needs to be regularly audited to ensure proper configuration, though this is generally not a complex task.

Default Value:

The docker.service file is typically owned by root:root by default, unless manually changed.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify file ownership.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the ownership of the docker.service file:

    ls -l /etc/systemd/system/docker.service

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the ownership of the docker.service file:

    ls -l /etc/systemd/system/docker.service

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Ensure the ownership of the docker.service file is set to root:root:

    sudo chown root:root /etc/systemd/system/docker.service

  3. Restart Docker to ensure the changes take effect:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to change the ownership of the docker.service file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
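The following POSIX shell script is an added example, not part of the benchmark text or of Docker's own tooling. It combines the Test Plan check and the Implementation Plan remediation above into one auditable function: it resolves the unit file that systemd actually loads (assuming `systemctl show -p FragmentPath --value`, available on systemd 230 and later) and falls back to the two locations named in the Description, reports PASS/FAIL on the owner, and, only when `FIX=1` is set in the environment, performs the same `chown root:root` and `daemon-reload` the Implementation Plan describes. The function and variable names (`owner_of`, `audit_docker_service`, `FIX`, `RUN_AUDIT`) are this example's own choices.

```shell
#!/bin/sh
# Added audit helper; assumes a Linux host with GNU coreutils `stat` (a BSD
# fallback is included) and, for path resolution, systemd 230+.

# Print "user:group" of a file; fail if the file does not exist.
owner_of() {
    [ -e "$1" ] || return 1
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Succeed only when the "user:group" string is exactly root:root.
is_root_owned() {
    [ "$1" = "root:root" ]
}

# Resolve the unit file systemd loads; otherwise try the benchmark's two
# candidate locations. Fails if none exists.
docker_unit_path() {
    p=$(systemctl show -p FragmentPath --value docker.service 2>/dev/null)
    if [ -n "$p" ] && [ -e "$p" ]; then
        printf '%s\n' "$p"
        return 0
    fi
    for p in /etc/systemd/system/docker.service /lib/systemd/system/docker.service; do
        if [ -e "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Audit one unit file (argument, or auto-resolved when omitted).
# Returns 0 on PASS, 1 on FAIL, 2 when there is nothing to audit.
# With FIX=1 in the environment, a failing file is reset to root:root and
# systemd is told to reload unit definitions, mirroring the Implementation Plan.
audit_docker_service() {
    unit=$1
    if [ -z "$unit" ]; then
        unit=$(docker_unit_path) || { echo "SKIP: docker.service not found"; return 2; }
    fi
    owner=$(owner_of "$unit") || { echo "SKIP: $unit missing"; return 2; }
    if is_root_owned "$owner"; then
        echo "PASS: $unit owned by $owner"
        return 0
    fi
    echo "FAIL: $unit owned by $owner (expected root:root)"
    if [ "${FIX:-0}" = "1" ]; then
        chown root:root "$unit" && systemctl daemon-reload && echo "FIXED: $unit"
    fi
    return 1
}

# Run the audit only when RUN_AUDIT is set, so the file can also be sourced.
if [ -n "${RUN_AUDIT:-}" ]; then
    audit_docker_service "$@"
fi
```

Run it as root with `RUN_AUDIT=1 sh audit.sh` to check, or `RUN_AUDIT=1 FIX=1 sh audit.sh` to check and remediate; the exit status (0/1/2) makes it usable as a compliance probe, for example as the command payload of the SSM `AWS-RunShellScript` document shown above.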

Backout Plan:

Using AWS Console:

  • Log in to the EC2 instance.

  • Revert the ownership of the docker.service file if needed:

    sudo chown <previous-owner>:<previous-group> /etc/systemd/system/docker.service

  • Restart Docker to apply the changes:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the ownership of the docker.service file:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References:

  • Docker Systemd Service File Documentation

  • CIS Docker Benchmark