Profile Applicability:

  • Level 1

Description:

The docker.socket file, typically located in /lib/systemd/system/docker.socket, is responsible for the communication between the Docker client and Docker daemon. It is important to ensure that this file is owned by root:root to prevent unauthorized modifications or access.

Rationale:

The docker.socket file is a critical part of Docker's configuration and controls access to the Docker daemon. Allowing non-root users to own or modify this file can lead to security vulnerabilities, such as unauthorized access to the Docker API or tampering with the Docker service.

Impact:

Pros:

  • Ensures that only the root user has control over Docker’s communication socket.

  • Reduces the risk of unauthorized users or processes tampering with Docker's internal communication mechanisms.

Cons:

  • Requires periodic checks to ensure that ownership is not inadvertently changed.

Default Value:

By default, the docker.socket file is typically owned by root:root, but ownership can be modified by administrative errors or unauthorized access.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify file ownership.

Remediation

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the ownership of the docker.socket file:

    ls -l /lib/systemd/system/docker.socket

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the ownership of the docker.socket file:

    ls -l /lib/systemd/system/docker.socket

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the ownership of the docker.socket file to root:root:

    sudo chown root:root /lib/systemd/system/docker.socket
  3. Reload the systemd daemon to apply any changes:

    sudo systemctl daemon-reload
  4. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to change the ownership of the docker.socket file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the ownership of the docker.socket file if necessary:

    sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket


  3. Reload systemd and restart Docker:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the ownership of the docker.socket file:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References: