Profile Applicability:

  • Level 1 

Description:

The docker.service unit file, which systemd uses to start and manage the Docker daemon, must have restrictive file permissions. It should be owned by root:root and writable only by root (mode 644 or more restrictive), so that no other account can modify how the daemon is launched.

Rationale:

Proper file permissions on the docker.service file are crucial for securing the Docker configuration. A user who can write this file controls the unit's ExecStart line and environment, that is, the command systemd runs as root the next time the daemon starts. Allowing non-root users to modify it is therefore a direct path to arbitrary root code execution on the host, from which every container can be compromised as well.

Impact:

Pros:

  • Ensures that only authorized users (root) can modify the Docker service configuration.

  • Prevents unauthorized tampering with Docker's service configuration, reducing potential attack vectors.

Cons:

  • Requires periodic re-checking, since package upgrades or configuration-management tooling can replace the unit file and reset its mode or ownership.

Default Value:

By default, when the docker.service file is present, it is installed with mode 644 and owner root:root. Note that 755 is not an acceptable value: it adds execute bits that a unit file never needs. The file may also live under /usr/lib/systemd/system or /lib/systemd/system rather than /etc/systemd/system, depending on how Docker was installed. If no docker.service file exists on the host (for example when only drop-ins under docker.service.d are used), this control is not applicable.

Pre-requisites:

Administrative privileges to inspect and modify file permissions.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the permissions and ownership of docker.service. The listing should show root as both owner and group and a mode of -rw-r--r-- or more restrictive: no w for group or other, and no x bits. If the file is not at this path, check the path systemd reports as the unit's FragmentPath, since package installs usually place it under /usr/lib/systemd/system or /lib/systemd/system:

    ls -l /etc/systemd/system/docker.service


Using AWS CLI:

  1. Connect to the EC2 instance.

  2. Run the following command and confirm that owner and group are both root and that the mode is -rw-r--r-- or more restrictive:

    ls -l /etc/systemd/system/docker.service

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the correct permissions for the docker.service file:

    sudo chmod 644 /etc/systemd/system/docker.service

  3. Ensure that the ownership is set to root:root:

    sudo chown root:root /etc/systemd/system/docker.service

  4. Optionally reload systemd. A permission change alters nothing systemd has already loaded, so this step is harmless but not required:

    sudo systemctl daemon-reload

  5. Restart Docker only if you also changed the contents of the unit file. For a permission-only fix the restart is unnecessary, and it stops running containers unless live restore is enabled:

    sudo systemctl restart docker


Using AWS CLI:

  1. Use SSM to set the permissions and ownership of the docker.service file, substituting the target instance ID. AWS-RunShellScript already runs as root on Linux, so the sudo prefixes are redundant but harmless. The trailing systemctl restart docker is not needed for a permission-only change and stops running containers unless live restore is enabled, so drop it unless the unit file's contents also changed:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/systemd/system/docker.service && sudo chown root:root /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
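The Test Plan and Implementation Plan above reduce to three checks (file present, mode 644 or more restrictive, owner root:root) and two commands. The script below is an added example written for this page, not code from the CIS benchmark, Docker, or AWS: it resolves the unit file through systemd's FragmentPath instead of assuming /etc/systemd/system, audits mode and ownership, and applies chmod and chown only when asked. It assumes a systemd host with GNU coreutils (stat -c). The function names (docker_unit_path, mode_is_acceptable, audit_unit_file, remediate_unit_file) and the optional OWNER:GROUP argument, which exists so the checks can be exercised on a scratch file as a non-root user, are this example's own.

```shell
#!/bin/sh
# Added example (not benchmark text): audit, and optionally fix, the mode and
# ownership of the docker.service unit file. Assumes systemd plus GNU coreutils.
# Run as root for a real audit; the functions accept a path and an expected
# OWNER:GROUP so they can also be tried on a scratch file without privileges.

# Path of the unit file systemd actually loads. Package installs usually put it
# in /usr/lib/systemd/system or /lib/systemd/system, not /etc/systemd/system,
# and a host that only uses drop-ins may have no fragment file at all.
docker_unit_path() {
    systemctl show -p FragmentPath --value docker.service 2>/dev/null
}

# "644 or more restrictive": owner at most rw, group and other at most r,
# no execute bits, and no leading setuid/setgid/sticky digit. Argument is
# the octal string printed by stat -c %a (e.g. 644, 600, 4755).
mode_is_acceptable() {
    case "$1" in
        [0246][04][04]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_unit_file PATH [OWNER:GROUP]
# Returns 0 when compliant (or when the file is absent, i.e. not applicable),
# 1 when either the mode or the ownership is wrong. Prints one line per finding.
audit_unit_file() {
    path="$1"
    want_owner="${2:-root:root}"
    if [ ! -e "$path" ]; then
        echo "NOT APPLICABLE: $path does not exist"
        return 0
    fi
    mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U:%G' "$path")
    rc=0
    if ! mode_is_acceptable "$mode"; then
        echo "FAIL: $path mode is $mode (expected 644 or more restrictive)"
        rc=1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "FAIL: $path ownership is $have_owner (expected $want_owner)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $path is mode $mode, owner $have_owner"
    return "$rc"
}

# remediate_unit_file PATH [OWNER:GROUP]
# The whole fix is chmod + chown. Nothing systemd has loaded changes, so no
# daemon-reload is issued, and docker is deliberately not restarted: a restart
# stops running containers unless live-restore is enabled.
remediate_unit_file() {
    chmod 644 "$1" && chown "${2:-root:root}" "$1"
}

# main audit|fix : audit the real unit file, fixing it only when asked.
main() {
    unit=$(docker_unit_path)
    if [ -z "$unit" ]; then
        echo "NOT APPLICABLE: docker.service has no fragment file on this host"
        return 0
    fi
    if audit_unit_file "$unit"; then
        return 0
    fi
    if [ "$1" = "fix" ]; then
        remediate_unit_file "$unit" && audit_unit_file "$unit"
    else
        return 1
    fi
}

case "${1:-}" in
    audit|fix) main "$1" ;;
    *) echo "usage: $0 audit|fix" >&2 ;;
esac
```

Run it as root with `audit` for a read-only check (exit status 1 on a finding, which makes it usable as a cron or SSM compliance probe) and with `fix` to remediate and re-audit in one pass. Unlike the remediation steps above, the fix performs no daemon-reload or restart, because a permission change needs neither.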

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Restore the mode and ownership that were recorded during the Test Plan before remediation (placeholders below). Do not fall back to 755: it is not the pre-change state, it adds execute bits a unit file never needs, and it grants write permission exactly as 644 does, so it reverts nothing:

    sudo chmod <previous_mode> /etc/systemd/system/docker.service
    sudo chown <previous_owner>:<previous_group> /etc/systemd/system/docker.service

  3. Reload systemd and restart Docker. Neither is needed for a permission-only change, and the restart stops running containers unless live restore is enabled, so skip them unless the unit file's contents also changed:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the permissions and ownership, substituting the instance ID and the mode and owner recorded before remediation. The trailing daemon-reload and restart are optional for a permission-only change and the restart stops running containers unless live restore is enabled:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod <previous_mode> /etc/systemd/system/docker.service && sudo chown <previous_owner>:<previous_group> /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References:

  1. Systemd Service File Permissions Documentation

  2. Docker Official Documentation

  3. CIS Docker Benchmark