Profile Applicability:
Level 1
Description:
The TLS CA certificate file is the `ca.crt` that dockerd uses to verify a registry's TLS certificate (it lives under `/etc/docker/certs.d/<hostname>:<port>/`). It should have its permissions set to 444 (`r--r--r--`, readable by everyone, writable by nobody) or more restrictively, for example 400. This keeps the certificate file from being altered through ordinary file permissions, so the trust anchor for registry communication stays intact.
Rationale:
If the TLS CA certificate file is writable, anyone with that access can replace the CA with one they control. dockerd would then trust a rogue registry presenting a certificate from that CA, which enables man-in-the-middle attacks on registry traffic and, through them, substitution of container images. Setting the permissions to 444 keeps the certificate readable by the daemon but not modifiable by unprivileged users or by processes that only hold ordinary file access. Note that mode bits are discretionary access control only: root (and anything running as root) can still overwrite the file, so this control complements, rather than replaces, root ownership of the file and host hardening.
Impact:
Pros:
Prevents unauthorized users from modifying the TLS certificate, ensuring that communication with the Docker registry remains secure.
Reduces the risk of security breaches caused by certificate manipulation.
Cons:
When the certificate is rotated, tooling that runs unprivileged, or editors that refuse to save a read-only file, will need the permissions relaxed first and restored afterwards, which adds a step to certificate management.
Default Value:
By default, the TLS CA certificate file is typically created with 644 permissions, which lets its owner modify it (root can modify the file regardless of the mode bits). It should be changed to 444 so that no mode bit grants write access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify permissions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker (for example via EC2 Instance Connect or Session Manager).
Verify the permissions of the TLS CA certificate file. The directory name is the registry's hostname and port as Docker looks it up, and the mode column should read `-r--r--r--` (444) or something more restrictive such as `-r--------` (400):
ls -l /etc/docker/certs.d/<registry>/ca.crt
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the permissions of the TLS CA certificate file; any `w` in the mode column is a finding:
ls -l /etc/docker/certs.d/<registry>/ca.crt
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the permissions of the TLS CA certificate file to 444:
sudo chmod 444 /etc/docker/certs.d/<registry>/ca.crt
No Docker restart is required: the file contents are unchanged and dockerd reads the certificate from disk each time it opens a registry connection. Avoid restarting the daemon for this change, since a restart stops running containers unless live restore is enabled.
Using AWS CLI:
Use SSM Run Command to modify the permissions of the TLS CA certificate file (replace `instance_id` and `<registry>` with your values; no daemon restart is needed):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 444 /etc/docker/certs.d/<registry>/ca.crt"]'
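The test plan and implementation plan above check and fix one file at a time. The script below is an added example, not part of this benchmark page or of Docker's own tooling: it audits every `ca.crt` under the certs.d tree against the "444 or more restrictive" rule (only read bits, no special bits) and fixes the ones that fail. It assumes GNU or BusyBox `stat` (with a BSD `stat` fallback) and, when run against the real `/etc/docker/certs.d`, root privileges; the directory argument is optional and exists so the functions can be exercised against a scratch copy. File ownership (root:root) is a separate control and is not checked here.

```shell
#!/bin/sh
# Added example: audit and remediate TLS CA certificate file permissions
# under Docker's certs.d tree. Not from the original page.
set -u

# Print a file's mode as octal digits, e.g. 644 or 2444 (GNU/BusyBox stat,
# falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# Return 0 when the mode is 444 or more restrictive: every permission digit
# is 0 or 4 (read only, no write or execute) and no setuid/setgid/sticky bit
# is set. Mode bits are DAC only; root can still write the file.
cert_mode_ok() {
    mode=$(file_mode "$1") || return 2
    special=${mode%???}              # digits before the last three, if any
    perm=${mode#"$special"}          # the owner/group/other digits
    case "${special:-0}" in 0) ;; *) return 1 ;; esac
    case "$perm" in [04][04][04]) return 0 ;; *) return 1 ;; esac
}

# Print PASS/FAIL for each registry's ca.crt; exit 1 if any file fails.
audit_certs_d() {
    dir=${1:-/etc/docker/certs.d}
    rc=0
    for crt in "$dir"/*/ca.crt; do
        [ -e "$crt" ] || continue    # glob matched nothing
        if cert_mode_ok "$crt"; then
            printf 'PASS %s %s\n' "$(file_mode "$crt")" "$crt"
        else
            printf 'FAIL %s %s\n' "$(file_mode "$crt")" "$crt"
            rc=1
        fi
    done
    return $rc
}

# Set 444 on every ca.crt that fails the check; files already more
# restrictive (e.g. 400) are left alone. No dockerd restart is needed.
remediate_certs_d() {
    dir=${1:-/etc/docker/certs.d}
    for crt in "$dir"/*/ca.crt; do
        [ -e "$crt" ] || continue
        cert_mode_ok "$crt" || chmod 444 "$crt" || return 1
    done
    return 0
}

# Usage: sh certs_d_perms.sh audit [dir]   or   sh certs_d_perms.sh fix [dir]
case "${1:-}" in
    audit) audit_certs_d "${2:-}" ;;
    fix)   remediate_certs_d "${2:-}" ;;
esac
```

Run `sh certs_d_perms.sh audit` on the host first; a `FAIL 644 ...` line is exactly the finding the test plan describes, and `sh certs_d_perms.sh fix` followed by another audit should show only `PASS` lines. The same two commands can be passed through `aws ssm send-command` in place of the single `chmod`.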
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the permissions of the TLS CA certificate file if necessary (for example, before replacing it with a rotated certificate):
sudo chmod 644 /etc/docker/certs.d/<registry>/ca.crt
No Docker restart is required for the permission change itself.
Using AWS CLI:
Use SSM Run Command to revert the permissions (replace `instance_id` and `<registry>` with your values):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/docker/certs.d/<registry>/ca.crt"]'
References: