iCompaas Support

Profile Applicability:

• Level 1 

Description:

The Docker server certificate file, used to authenticate the Docker daemon in TLS communication, should have its ownership set to root:root to ensure that only the root user can modify or replace it.

Rationale:

The Docker server certificate file is a critical component for ensuring secure communication between the Docker client and daemon. Allowing non-root users to own this file could lead to unauthorized access, tampering, or replacement of the certificate, potentially compromising the security of Docker communications.

Impact:

Pros:

• Ensures that only the root user can modify or access the Docker server certificate, reducing the risk of unauthorized manipulation.

• Helps maintain the integrity of the certificate, which is crucial for secure communication between Docker components.

Cons:

• Requires periodic checks to ensure that ownership is maintained properly.

Default Value:

By default, the Docker server certificate file should be owned by root:root. However, it could be modified by mistake or through unauthorized access.

Pre-requisites:

• Administrative privileges on the Docker host system.

• Access to the file system to inspect and modify ownership.

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the EC2 instance running Docker.

2. Verify the ownership of the Docker server certificate file (typically located in /etc/docker or /etc/docker/certs.d):
   

   ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Using AWS CLI:

1. Connect to the EC2 instance where Docker is running.

2. Run the following command to check the ownership of the server certificate file:
   

   ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Implementation Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Set the ownership of the Docker server certificate file to root:root:
   

   sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem

3. Restart Docker to ensure the changes take effect:
   

   sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to modify the ownership of the Docker server certificate file and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Revert the ownership of the Docker server certificate file if necessary:
   

   sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem

3. Restart Docker to apply the changes:
   

   sudo systemctl restart docker

   
   

Using AWS CLI:

1. Use SSM to revert the ownership and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'

References:

• Docker TLS Security

• Docker Registry Insecure Configuration