Profile Applicability:

  • Level 1 

Description:

The docker.socket systemd unit file, which configures the socket used for communication between the Docker client and daemon, should have its permissions set to 644 or more restrictive. This ensures that only authorized users (typically root) can modify it, preventing unauthorized changes to the Docker socket configuration.

Rationale:

The docker.socket file controls how the Docker daemon's socket is exposed, so its permissions should restrict write access to root only. If other users have write access, they could modify the unit file and potentially compromise the Docker daemon.

Impact:

Pros:

  • Secures the Docker socket, ensuring that only authorized users can modify its configuration.

  • Helps prevent security risks and unauthorized access to the Docker daemon.

Cons:

  • Requires periodic checks to ensure the file permissions remain correct.

Default Value:

By default, the docker.socket file may not be present on the host; where it is present, it could have incorrect permissions if it was configured manually.

Pre-requisites:

  • Administrative privileges on the Docker host.

  • Access to the Docker system files.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the permissions of the docker.socket file:

    stat -c %a /lib/systemd/system/docker.socket

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify the file permissions:

    stat -c %a /lib/systemd/system/docker.socket
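
The Test Plan check as a reusable script, added here as an example that is not part of the original page: it treats "644 or more restrictive" as a bit test rather than a string compare, and handles a host where the unit file is absent (the recommendation is then not applicable). It assumes a stat that accepts -c %a (GNU coreutils or busybox), as the page's own command does; DOCKER_SOCKET_UNIT is a hypothetical environment override.

```shell
#!/bin/sh
# Compliance check for the docker.socket unit-file permission rule above.
# Added example, not part of the original page. Assumes a stat that accepts
# -c %a (GNU coreutils or busybox), as the page's own command does.
# DOCKER_SOCKET_UNIT is a hypothetical override so the check can be pointed
# at a test file instead of the live host.

DOCKER_SOCKET_UNIT="${DOCKER_SOCKET_UNIT:-/lib/systemd/system/docker.socket}"

# "644 or more restrictive" is a bit test, not a numeric or string compare:
# 600 and 444 pass, while 664, 755 and 4644 all fail because they set a bit
# (group write, execute, setuid) that 644 does not have.
# $1: octal mode as printed by `stat -c %a`, e.g. "644" or "0644".
mode_is_644_or_stricter() {
    # The leading 0 makes the shell parse the string as octal; (mode & ~0644)
    # is zero exactly when no bit beyond those of 0644 is set.
    [ $(( 0$1 & ~0644 )) -eq 0 ]
}

# Prints a verdict for the given path.
# Exit status: 0 = pass, 1 = fail, 2 = not applicable (unit file absent).
check_docker_socket_perms() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "NOT APPLICABLE: $path is not present on this host"
        return 2
    fi
    mode=$(stat -c %a "$path") || return 1
    if mode_is_644_or_stricter "$mode"; then
        echo "PASS: $path mode is $mode (644 or more restrictive)"
        return 0
    fi
    echo "FAIL: $path mode is $mode; remediate with: chmod 644 $path"
    return 1
}

# Run against the live unit file; the script's exit status is the verdict,
# which suits the periodic re-check noted under Cons (cron or SSM driven).
check_docker_socket_perms "$DOCKER_SOCKET_UNIT"
```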

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the file permissions of docker.socket to 644 or more restrictive:

    sudo chmod 644 /lib/systemd/system/docker.socket

  3. Reload systemd to apply the changes:

    sudo systemctl daemon-reload

  4. Restart Docker:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to set the correct file permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the file permissions to the previous configuration if needed:

    sudo chmod <previous-permissions> /lib/systemd/system/docker.socket

  3. Reload systemd and restart Docker:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the file permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod <previous-permissions> /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References: