Profile Applicability:
Level 1
Description:
The TLS CA certificate file, used to authenticate Docker registry communication, should have its ownership set to root:root to ensure that unauthorized users cannot modify the certificate, which could undermine secure communication.
Rationale:
The ownership of the TLS CA certificate file must be restricted to root:root to prevent unauthorized modification by non-administrative users. Modifying the certificate could allow an attacker to intercept or manipulate Docker's secure communication, leading to a security compromise.
Impact:
Pros:
Ensures the integrity of the TLS certificate by restricting modification to root users only.
Enhances Docker's security by preventing unauthorized access to the certificate file.
Cons:
Requires periodic checks to ensure the certificate file ownership remains correct, especially after system changes or updates.
Default Value:
By default, the TLS CA certificate file is owned by root:root, unless modified by administrative error or unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify file ownership.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the ownership of the TLS CA certificate file; the owner and group columns of the output should both read root:
ls -l /etc/docker/certs.d/<registry>/ca.crt
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the ownership of the TLS CA certificate file; the owner and group columns should both read root:
ls -l /etc/docker/certs.d/<registry>/ca.crt
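The manual ls -l check above covers one registry at a time. The script below is an added example (not part of this benchmark page) that audits every <registry>/ca.crt under /etc/docker/certs.d and reports a PASS or FAIL line per file, which is what you would run from cron or as an SSM document to catch ownership drift after system changes. It assumes a Linux host with GNU coreutils stat; the function names audit_owner and audit_certs_dir are hypothetical, and the directory and expected owner default to the values given on this page.

```shell
#!/bin/sh
# Added example: audit ownership of Docker registry CA certificate files.
# Assumes GNU coreutils `stat` (Linux). Function names are hypothetical.

# audit_owner FILE [EXPECTED]
# Returns 0 if FILE is owned by EXPECTED (default root:root), 1 if owned by
# someone else, 2 if the file is missing or cannot be inspected.
audit_owner() {
    file=$1
    expected=${2:-root:root}
    if [ ! -e "$file" ]; then
        echo "SKIP $file (not present)"
        return 2
    fi
    actual=$(stat -c '%U:%G' "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "PASS $file owned by $actual"
        return 0
    fi
    echo "FAIL $file owned by $actual, expected $expected"
    return 1
}

# audit_certs_dir [DIR] [EXPECTED]
# Walks every <registry>/ca.crt under DIR (default /etc/docker/certs.d) and
# returns the number of files that failed the check, so a non-zero exit
# status means at least one finding to remediate with chown root:root.
audit_certs_dir() {
    dir=${1:-/etc/docker/certs.d}
    expected=${2:-root:root}
    failures=0
    for cert in "$dir"/*/ca.crt; do
        [ -e "$cert" ] || continue      # glob matched nothing
        audit_owner "$cert" "$expected" || failures=$((failures + 1))
    done
    return "$failures"
}

# When executed directly, audit the live host's registry certificates.
# Usage: sh audit_docker_ca.sh [DIR] [EXPECTED_OWNER]
audit_certs_dir "$@"
```

The exit status is the count of non-compliant files, so a wrapper can alert on anything other than 0; the SKIP status (2) is reserved for files that could not be inspected and is counted as a finding, since an unreadable certificate file deserves a look as well.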
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the ownership of the TLS CA certificate file to root:root:
sudo chown root:root /etc/docker/certs.d/<registry>/ca.crt
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the ownership of the TLS CA certificate file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/certs.d/<registry>/ca.crt && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ownership of the TLS CA certificate file if necessary:
sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/ca.crt
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the ownership and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/ca.crt && sudo systemctl restart docker"]'
References: