Profile Applicability:
Level 1
Description:
The registry certificate files used by Docker for secure communications should have their permissions set to 444 (read-only for everyone) or more restrictive. This prevents unauthorized modifications while allowing Docker to read the certificate for secure communication with container registries.
Rationale:
Allowing write permissions on the registry certificate file can expose it to unauthorized changes. By restricting permissions to 444 or more restrictive, you ensure that the certificate file remains secure and unmodified by non-administrative users.
Impact:
Pros:
Secures the registry certificate file by preventing unauthorized modifications.
Helps protect the integrity of the secure communication channel between Docker and the registry.
Cons:
If the certificate file needs to be updated, the permissions will need to be temporarily modified, which can be an additional step in maintenance.
Default Value:
By default, the registry certificate file might have 644 permissions, which allows its owner (normally root) to modify the file.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify permissions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the permissions of the registry certificate file:
ls -l /etc/docker/certs.d/<registry>/ca.crt
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the permissions of the certificate file:
ls -l /etc/docker/certs.d/<registry>/ca.crt
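As an added example, not part of the benchmark text, the following POSIX shell audit generalises the single ls -l check above to every certificate file under /etc/docker/certs.d and flags any file whose mode has a write or execute bit set (i.e. is more permissive than 444). It assumes a Linux host with GNU coreutils stat; the CERTS_ROOT variable and function names are my own.

```shell
#!/bin/sh
# Audit Docker registry certificate permissions against the 444-or-stricter rule.
# Assumes GNU stat (Linux EC2 host). CERTS_ROOT is an assumed override knob.
CERTS_ROOT="${CERTS_ROOT:-/etc/docker/certs.d}"

# mode_ok MODE: succeed if the octal mode is 444 or more restrictive.
# Only the read bit (4) may be set in each of the owner/group/other digits.
mode_ok() {
    mode="$1"
    # Drop a leading setuid/setgid/sticky digit (e.g. 4755 -> 755)
    while [ "${#mode}" -gt 3 ]; do mode="${mode#?}"; done
    case "$mode" in
        [04][04][04]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_certs [DIR]: print "PASS|FAIL <mode> <path>" for each certificate file.
# Registry directories are named after the host, e.g. certs.d/registry.example.com:5000/ca.crt
audit_certs() {
    dir="${1:-$CERTS_ROOT}"
    find "$dir" -type f \( -name '*.crt' -o -name '*.cert' \) 2>/dev/null |
    while IFS= read -r f; do
        m="$(stat -c '%a' "$f")"
        if mode_ok "$m"; then
            printf 'PASS %s %s\n' "$m" "$f"
        else
            printf 'FAIL %s %s\n' "$m" "$f"
        fi
    done
}

# count_noncompliant [DIR]: number of certificate files failing the check (0 = compliant).
count_noncompliant() {
    audit_certs "$1" | awk '/^FAIL/ { n++ } END { print n + 0 }'
}
```

Run audit_certs with no argument on the Docker host to list every registry certificate and its verdict; a non-zero count_noncompliant result means the remediation below still applies to at least one file.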
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the permissions of the registry certificate file to 444:
sudo chmod 444 /etc/docker/certs.d/<registry>/ca.crt
Restart Docker to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the permissions of the certificate file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 444 /etc/docker/certs.d/<registry>/ca.crt && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the permissions of the registry certificate file if necessary:
sudo chmod 644 /etc/docker/certs.d/<registry>/ca.crt
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the permissions and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/docker/certs.d/<registry>/ca.crt && sudo systemctl restart docker"]'
References:
Docker Registry Security: https://docs.docker.com/registry/insecure/