Profile Applicability:

  • Level 1 

Description:

Docker registry certificates are critical for establishing secure communication between Docker and remote registries. These certificate files, typically located in /etc/docker/certs.d/<registry-name>, should be owned by root:root to ensure that unauthorized users cannot modify them.

Rationale:

The /etc/docker/certs.d/<registry-name> directory stores registry certificates used for Docker authentication. These files must be owned and group-owned by root to ensure they cannot be tampered with by less privileged users, which could compromise Docker's secure communication.

Impact:

Pros:

  • Prevents unauthorized access to or modification of registry certificates.

  • Enhances the overall security of Docker by ensuring that certificates remain intact.

Cons:

  • Misconfigured ownership may lead to unauthorized users modifying or tampering with the certificates.

Default Value:

By default, the ownership of registry certificate files should be set to root:root.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Knowledge of the Docker registry configuration and certificate management.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the ownership of the registry certificate directories and the files inside them (the check walks the whole tree; any line printed identifies an entry not owned by root:root, so compliant output is empty):

    find /etc/docker/certs.d -exec stat -c '%U:%G %n' {} + | grep -v '^root:root'

Using AWS CLI:

  1. Connect to the EC2 instance.

  2. Run the following command to check the ownership (compliant output is empty; each printed line is a file or directory not owned by root:root):

    find /etc/docker/certs.d -exec stat -c '%U:%G %n' {} + | grep -v '^root:root'

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the ownership of the registry certificate directories and files to root:root (recursively, so the files under each <registry-name> directory are covered, not just the directories themselves):

    sudo chown -R root:root /etc/docker/certs.d

Using AWS CLI:

  1. Use SSM to change the ownership of the certificate files:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown -R root:root /etc/docker/certs.d"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the ownership of the registry certificate files to their previous state (as recorded before remediation) if necessary:

    sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/*

Using AWS CLI:

  1. Use SSM to revert the ownership:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/*"]'
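The test, implementation and backout plans above, combined into one script as an added example (not part of the benchmark text): an audit that walks the whole certificate tree, a remediation that records prior ownership so the backout is reproducible, and the backout itself. It assumes GNU find and stat (-c) and that remediation and backout run as root.

```shell
#!/bin/sh
# Added example: audit, remediate and back out ownership of a Docker
# registry certificate tree. Function and file names are the author's choice.

# Print every file or directory under $1 whose owner:group differs from $2
# (default root:root). Exit status 0 = compliant, 1 = findings present.
audit_cert_ownership() {
    dir=$1
    expected=${2:-root:root}
    # stat output is "owner:group path"; awk compares the first field only,
    # so a user named "nonroot" is not mistaken for root.
    findings=$(find "$dir" -exec stat -c '%U:%G %n' {} + 2>/dev/null \
        | awk -v want="$expected" '$1 != want { print }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Record the current ownership of the tree in $2 (one "owner:group path"
# per line), then set everything to root:root. The record drives the backout.
remediate_cert_ownership() {
    dir=$1
    record=$2
    find "$dir" -exec stat -c '%U:%G %n' {} + > "$record" || return 1
    chown -R root:root "$dir"
}

# Restore ownership from a record file written by remediate_cert_ownership.
backout_cert_ownership() {
    record=$1
    while read -r owner path; do
        chown "$owner" "$path" || return 1
    done < "$record"
}
```

Run audit_cert_ownership /etc/docker/certs.d from a compliance job and treat a non-zero exit as a finding; remediate_cert_ownership /etc/docker/certs.d /root/certs.d-ownership.txt keeps the record the backout plan needs.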

References: