Profile Applicability:

  • Level 1 

Description:

The Docker server certificate file, used to authenticate the Docker daemon in TLS communication, should have its ownership set to root:root to ensure that only the root user can modify or replace it.

Rationale:

The Docker server certificate file is a critical component for ensuring secure communication between the Docker client and daemon. Allowing non-root users to own this file could lead to unauthorized access, tampering, or replacement of the certificate, potentially compromising the security of Docker communications.

Impact:

Pros:

  • Ensures that only the root user can modify or access the Docker server certificate, reducing the risk of unauthorized manipulation.

  • Helps maintain the integrity of the certificate, which is crucial for secure communication between Docker components.

Cons:

  • Requires periodic checks to ensure that ownership is maintained properly.

Default Value:

By default, the Docker server certificate file should be owned by root:root. However, it could be modified by mistake or through unauthorized access.

Prerequisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify ownership.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the ownership of the Docker server certificate file (typically located in /etc/docker or /etc/docker/certs.d):

    ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the ownership of the server certificate file:

    ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the ownership of the Docker server certificate file to root:root:

    sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem

  3. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the ownership of the Docker server certificate file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'
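The audit and remediation steps above, combined into one script as an added example that is not part of the benchmark text: it reports the owner of the certificate file, can locate the file through the tlscert key in daemon.json, and only changes ownership when the audit fails, so a compliant host is left untouched. The daemon.json lookup and the parameterised expected owner are assumptions for illustration; the benchmark itself only names the /etc/docker/certs.d/<registry>/server-cert.pem path.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and remediate ownership of the
# Docker server certificate file. Paths are assumptions; adjust to your host.
set -u

# Print "owner:group" of FILE, following symlinks so the real file is checked.
# Tries GNU stat first, then falls back to BSD stat.
cert_owner() {
    stat -L -c '%U:%G' "$1" 2>/dev/null || stat -L -f '%Su:%Sg' "$1"
}

# Return 0 if FILE is owned by EXPECTED (default root:root), 1 if not,
# 2 if the file does not exist. Prints a one-line audit result.
check_cert_owner() {
    file=$1
    expected=${2:-root:root}
    if [ ! -e "$file" ]; then
        echo "MISSING  $file"
        return 2
    fi
    actual=$(cert_owner "$file")
    if [ "$actual" = "$expected" ]; then
        echo "PASS     $file is owned by $actual"
        return 0
    fi
    echo "FAIL     $file is owned by $actual, expected $expected"
    return 1
}

# Extract the "tlscert" path from a daemon.json (assumption: the daemon is
# configured there rather than via a --tlscert flag). Prints nothing if the
# file is unreadable or the key is absent.
tlscert_from_daemon_json() {
    [ -r "$1" ] && sed -n 's/.*"tlscert"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Remediation: chown only when the audit fails. OWNER defaults to root:root
# as the benchmark requires; it is a parameter so the function can be
# exercised without root privileges.
fix_cert_owner() {
    file=$1
    owner=${2:-root:root}
    check_cert_owner "$file" "$owner" && return 0
    chown "$owner" "$file" && echo "FIXED    $file now owned by $owner"
}

# Typical run (paths are placeholders):
#   fix_cert_owner "$(tlscert_from_daemon_json /etc/docker/daemon.json)" \
#     && systemctl restart docker
```

After a successful fix the daemon restart from step 3 still applies; the script deliberately leaves that to the operator so an unchanged host is never restarted.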

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the ownership of the Docker server certificate file if necessary:

    sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem

  3. Restart Docker to apply the changes:

    sudo systemctl restart docker
Using AWS CLI:

  1. Use SSM to revert the ownership and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'

References: