iCompaas Support

Profile Applicability:

• Level 1

Description:

The docker.socket file, typically located in /lib/systemd/system/docker.socket, is responsible for the communication between the Docker client and Docker daemon. It is important to ensure that this file is owned by root:root to prevent unauthorized modifications or access.

Rationale:

The docker.socket file is a critical part of Docker's configuration and controls access to the Docker daemon. Allowing non-root users to own or modify this file can lead to security vulnerabilities, such as unauthorized access to the Docker API or tampering with the Docker service.

Impact:

Pros:

• Ensures that only the root user has control over Docker’s communication socket.

• Reduces the risk of unauthorized users or processes tampering with Docker's internal communication mechanisms.

Cons:

• Requires periodic checks to ensure that ownership is not inadvertently changed.

Default Value:

By default, the docker.socket file is typically owned by root:root, but ownership can be modified by administrative errors or unauthorized access.

Pre-requisites:

• Administrative privileges on the Docker host system.

• Access to the file system to inspect and modify file ownership.

Remediation

Test Plan:

Using AWS Console:

1. Log in to the EC2 instance running Docker.

2. Verify the ownership of the docker.socket file:

   ls -l /lib/systemd/system/docker.socket

Using AWS CLI:

1. Connect to the EC2 instance where Docker is running.

2. Run the following command to verify the ownership of the docker.socket file:
   

   ls -l /lib/systemd/system/docker.socket

Implementation Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Set the ownership of the docker.socket file to root:root:
   

   sudo chown root:root /lib/systemd/system/docker.socket

3. Reload the systemd daemon to apply any changes:
   

   sudo systemctl daemon-reload

4. Restart Docker to ensure the changes take effect:
   

   sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to change the ownership of the docker.socket file and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Revert the ownership of the docker.socket file if necessary:
   

   sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket

   
   

3. Reload systemd and restart Docker:
   

   sudo systemctl daemon-reload
   sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to revert the ownership of the docker.socket file:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References:

• Docker Daemon Socket Option