Profile Applicability:
Level 1
Description:
The Docker server certificate file, used to authenticate the Docker daemon in TLS communication, should have its ownership set to root:root to ensure that only the root user can modify or replace it.
Rationale:
The Docker server certificate file is a critical component for ensuring secure communication between the Docker client and daemon. Allowing non-root users to own this file could lead to unauthorized access, tampering, or replacement of the certificate, potentially compromising the security of Docker communications.
Impact:
Pros:
Ensures that only the root user can modify or access the Docker server certificate, reducing the risk of unauthorized manipulation.
Helps maintain the integrity of the certificate, which is crucial for secure communication between Docker components.
Cons:
Requires periodic checks to ensure that ownership is maintained properly.
Default Value:
By default, the Docker server certificate file should be owned by root:root. However, it could be modified by mistake or through unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify ownership.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the ownership of the Docker server certificate file (typically located in /etc/docker or /etc/docker/certs.d) and confirm that the owner and group shown are root and root:
ls -l /etc/docker/certs.d/<registry>/server-cert.pem
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the ownership of the server certificate file; the owner and group columns should both read root:
ls -l /etc/docker/certs.d/<registry>/server-cert.pem
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the ownership of the Docker server certificate file to root:root:
sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the ownership of the Docker server certificate file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'
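The audit in the Test Plan and the fix in the Implementation Plan can be combined into one idempotent script. The following is an added example, not part of the original benchmark text: it reports PASS only when the file is owned by exactly root:root, treats a missing file as a failure rather than a pass, and changes ownership (and restarts the daemon, as the plan above does) only when the audit fails. CERT_FILE defaults to the page's placeholder path and is assumed to be overridden with the real location.

```shell
#!/bin/sh
# Added example, not part of the original benchmark text: audit the ownership of
# the Docker server certificate file and remediate only when the audit fails.
# CERT_FILE defaults to the page's placeholder path; set it to the real path.
# stat -c is GNU coreutils syntax (Linux); BSD/macOS stat uses -f '%Su:%Sg'.
CERT_FILE="${CERT_FILE:-/etc/docker/certs.d/<registry>/server-cert.pem}"

# Print "user:group" of a file. Returns 1 (prints nothing) if the file is missing.
cert_owner() {
    [ -e "$1" ] || return 1
    stat -c '%U:%G' "$1"
}

# Judge an owner string: exactly root:root passes; anything else (including
# root:docker or an unresolved numeric owner such as 0:0) fails.
judge_owner() {
    case "$1" in
        root:root) echo PASS ;;
        *)         echo FAIL ;;
    esac
}

# Audit one file: prints "<verdict> <path> (<owner>)"; returns 0 only on PASS.
# A missing file is reported as FAIL so an absent certificate is never a pass.
audit_cert() {
    owner=$(cert_owner "$1") || { echo "FAIL $1 (file not found)"; return 1; }
    verdict=$(judge_owner "$owner")
    echo "$verdict $1 ($owner)"
    [ "$verdict" = PASS ]
}

# Remediate only when the audit fails, then restart the daemon as the page's
# implementation plan does; a file that already passes is left untouched.
remediate_cert() {
    if audit_cert "$1"; then
        return 0
    fi
    sudo chown root:root "$1" && sudo systemctl restart docker
}

# Entry point when run directly (functions stay reusable when sourced):
# audit_cert "$CERT_FILE" || remediate_cert "$CERT_FILE"
```

Because the remediation step is gated on the audit, the same script can be scheduled (for example via SSM or cron) to satisfy the periodic check noted under Cons without restarting Docker on every run.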
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ownership of the Docker server certificate file if necessary:
sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem
Restart Docker to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the ownership and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'
References: