Profile Applicability:
Level 1
Description:
The docker.socket file, typically located at /lib/systemd/system/docker.socket, is the systemd socket unit that defines the socket over which the Docker client communicates with the Docker daemon. It is important to ensure that this file is owned by root:root to prevent unauthorized modification or access.
Rationale:
The docker.socket file is a critical part of Docker's configuration and controls access to the Docker daemon. Allowing non-root users to own or modify this file can lead to security vulnerabilities, such as unauthorized access to the Docker API or tampering with the Docker service.
Impact:
Pros:
Ensures that only the root user has control over Docker’s communication socket.
Reduces the risk of unauthorized users or processes tampering with Docker's internal communication mechanisms.
Cons:
Requires periodic checks to ensure that ownership is not inadvertently changed.
Default Value:
By default, the docker.socket file is owned by root:root, but ownership can be changed by administrative error or unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify file ownership.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the ownership of the docker.socket file:
ls -l /lib/systemd/system/docker.socket
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to verify the ownership of the docker.socket file:
ls -l /lib/systemd/system/docker.socket
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the ownership of the docker.socket file to root:root:
sudo chown root:root /lib/systemd/system/docker.socket
Reload the systemd daemon to apply any changes:
sudo systemctl daemon-reload
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to change the ownership of the docker.socket file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
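The check and remediation steps above, combined into one audit script as an added example (not part of the benchmark text). It assumes GNU coreutils stat (-c) as found on common EC2 Linux AMIs; remediate_owner must be run as root on the Docker host, and the DOCKER_SOCKET_UNIT path is the default from the Description.

```shell
#!/bin/sh
# Audit helper: report whether a file's owner:group matches the expected
# value and, only when it does not, apply the remediation from this section.

DOCKER_SOCKET_UNIT="${DOCKER_SOCKET_UNIT:-/lib/systemd/system/docker.socket}"

# Print the current owner:group of a file, e.g. "root:root".
file_owner() {
    stat -c '%U:%G' "$1"
}

# Return 0 if the file is owned by the expected owner:group (default
# root:root), 1 if it is owned by someone else, 2 if the file is missing.
# Prints a PASS/FAIL line suitable for an audit log.
check_owner() {
    path="$1"
    expected="${2:-root:root}"
    if [ ! -e "$path" ]; then
        printf 'FAIL %s: file not found\n' "$path"
        return 2
    fi
    actual=$(file_owner "$path")
    if [ "$actual" = "$expected" ]; then
        printf 'PASS %s owned by %s\n' "$path" "$actual"
        return 0
    fi
    printf 'FAIL %s owned by %s, expected %s\n' "$path" "$actual" "$expected"
    return 1
}

# Fix ownership only when the check fails, then reload systemd and restart
# Docker (the Implementation Plan steps). A missing unit file is not "fixed".
remediate_owner() {
    path="$1"
    if check_owner "$path" root:root >/dev/null; then
        return 0
    fi
    [ -e "$path" ] || return 2
    chown root:root "$path" &&
        systemctl daemon-reload &&
        systemctl restart docker
}

# Usage on the Docker host (as root):
# check_owner "$DOCKER_SOCKET_UNIT" || remediate_owner "$DOCKER_SOCKET_UNIT"
```

The PASS/FAIL lines and exit codes make the check usable from an SSM RunShellScript document or a cron job that only alerts on non-zero status.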
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ownership of the docker.socket file if necessary:
sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket
Reload systemd and restart Docker:
sudo systemctl daemon-reload
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the ownership of the docker.socket file:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'
References: