Profile Applicability:
Level 1
Description:
The docker.service file, which is used by systemd to manage the Docker daemon, must have appropriate file permissions. The file should be owned by root and be writable only by the root user to prevent unauthorized modifications.
Rationale:
Proper file permissions on the docker.service file are crucial for securing the Docker configuration. Allowing non-root users to modify this file could lead to unauthorized changes in the Docker daemon's behavior, which could compromise the host system or containers.
Impact:
Pros:
Ensures that only authorized users (root) can modify the Docker service configuration.
Prevents unauthorized tampering with Docker's service configuration, reducing potential attack vectors.
Cons:
Requires regular checks to ensure file permissions are maintained correctly.
Default Value:
By default, the docker.service file should have permissions set to 644 or 755 with root:root as the owner.
Pre-requisites:
Administrative privileges to inspect and modify file permissions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the file permissions on docker.service:
ls -l /etc/systemd/system/docker.service
Using AWS CLI:
Connect to the EC2 instance.
Run the following command to check the file permissions of the docker.service file:
ls -l /etc/systemd/system/docker.service
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the correct permissions for the docker.service file:
sudo chmod 644 /etc/systemd/system/docker.service
Ensure that the ownership is set to root:root:
sudo chown root:root /etc/systemd/system/docker.service
Reload systemd to apply any configuration changes:
sudo systemctl daemon-reload
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the permissions and ownership of the docker.service file:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/systemd/system/docker.service && sudo chown root:root /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
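The following script is an added example for this benchmark item; it is not part of the benchmark text and not Docker's or AWS's own tooling. It carries out the Test Plan (audit the owner and mode of docker.service) and, when asked, the Implementation Plan (chown root:root, chmod 644, daemon-reload) from a single POSIX shell script that can run on the EC2 instance directly or through the SSM AWS-RunShellScript document shown above. It assumes GNU coreutils `stat` (Linux) and systemd's `systemctl show -p FragmentPath`; the DOCKER_UNIT default is a constructed fallback. The policy check is kept in a pure function so it can be exercised on constructed owner/mode pairs without touching a real unit file.

```shell
#!/bin/sh
# Added example for this benchmark item (not part of the benchmark text):
# audit docker.service ownership/mode and optionally remediate, as the
# Test Plan and Implementation Plan describe. Assumes GNU coreutils `stat`
# (Linux) and systemd's `systemctl show -p FragmentPath`.
# DOCKER_UNIT is a constructed default used only when systemd cannot be asked.

DOCKER_UNIT="${DOCKER_UNIT:-/etc/systemd/system/docker.service}"

# Pure policy check on an owner name and an octal mode string (3 or 4 digits),
# so it can be exercised without a real unit file.
# Returns 0 when compliant (owner root, no group/other write bit: 644, 755,
# 600, 700 pass; 664, 666, 777 fail), 1 when non-compliant, 2 on bad input.
evaluate_unit_perms() {
    owner="$1"
    mode="$2"
    case "$mode" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) return 2 ;;
    esac
    [ "$owner" = "root" ] || return 1
    other_digit=${mode#${mode%?}}      # last octal digit (other)
    rest=${mode%?}
    group_digit=${rest#${rest%?}}      # second-to-last digit (group)
    # Bit 2 of a permission digit is the write bit.
    [ $(( group_digit & 2 )) -eq 0 ] || return 1
    [ $(( other_digit & 2 )) -eq 0 ] || return 1
    return 0
}

# Inspect a unit file on disk. Returns 2 if the file does not exist.
check_unit_perms() {
    file="$1"
    [ -f "$file" ] || return 2
    evaluate_unit_perms "$(stat -c '%U' "$file")" "$(stat -c '%a' "$file")"
}

# Caveat: on many distributions docker.service lives in /lib/systemd/system
# or /usr/lib/systemd/system, and a copy under /etc/systemd/system is an
# override that takes precedence. Ask systemd which fragment it loads and
# fall back to DOCKER_UNIT when systemd or docker is absent.
resolve_docker_unit() {
    path="$(systemctl show -p FragmentPath --value docker 2>/dev/null || true)"
    if [ -n "$path" ]; then printf '%s\n' "$path"; else printf '%s\n' "$DOCKER_UNIT"; fi
}

# Apply the Implementation Plan's remediation (requires root).
remediate_unit_perms() {
    file="$1"
    chown root:root "$file" && chmod 644 "$file" && systemctl daemon-reload
}

run_check() {
    unit="$(resolve_docker_unit)"
    rc=0
    check_unit_perms "$unit" || rc=$?
    case $rc in
        0) printf 'PASS: %s is root-owned and not group/world writable\n' "$unit" ;;
        1) printf 'FAIL: %s is %s; remediate with chown root:root and chmod 644\n' \
               "$unit" "$(stat -c '%U:%G %a' "$unit")"
           [ "${1:-}" = "--remediate" ] && remediate_unit_perms "$unit" && rc=0 ;;
        *) printf 'SKIP: %s not found\n' "$unit" ;;
    esac
    return $rc
}

# Only touch the live system when invoked directly with --check or
# --remediate, so the functions above can be sourced and tested in isolation.
case "${1:-}" in
    --check) run_check ;;
    --remediate) run_check --remediate ;;
esac
```

Run `sh check_docker_unit.sh --check` to audit (exit 0 on pass, 1 on fail, 2 when no unit file is found) and `sudo sh check_docker_unit.sh --remediate` to apply the fix; the script deliberately does not restart Docker, since a daemon restart interrupts running containers and is better scheduled separately, as the Implementation Plan's final step.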
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the file permissions and ownership if necessary:
sudo chmod 755 /etc/systemd/system/docker.service
sudo chown root:root /etc/systemd/system/docker.service
Reload systemd and restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the permissions and ownership and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 755 /etc/systemd/system/docker.service && sudo chown root:root /etc/systemd/system/docker.service && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
References:
Systemd Service File Permissions Documentation
CIS Docker Benchmark