iCompaas Support

Profile Applicability:

• Level 1

Description:

The Docker server certificate file, used to authenticate the Docker daemon in TLS communication, should have its permissions set to 444 (read-only for everyone) or more restrictive. This ensures that only authorized users can read the certificate file, preventing unauthorized modifications.

Rationale:

By restricting permissions to 444 or more restrictive, you ensure that only the root user can modify the certificate, while others can only read it. This prevents unauthorized users from tampering with the certificate, which could potentially compromise the secure communication between Docker client and daemon.

Impact:

Pros:

• Ensures that the Docker server certificate remains secure by preventing unauthorized modifications

• Enhances the overall security posture of Docker communication.

Cons:

• If the certificate needs to be updated, the permissions must be temporarily changed, adding an extra step for certificate management.

Default Value:

By default, the Docker server certificate file might have 644 permissions, which allows the root user to modify the file. It should be changed to 444 or more restrictive to secure it.

Pre-requisites:

• Administrative privileges on the Docker host system.

• Access to the file system to inspect and modify permissions.

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the EC2 instance running Docker.

2. Verify the permissions of the Docker server certificate file:
   

   ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Using AWS CLI:

1. Connect to the EC2 instance where Docker is running.

2. Run the following command to check the permissions of the Docker server certificate file:
   

   ls -l /etc/docker/certs.d/<registry>/server-cert.pem

Implementation Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Set the permissions of the Docker server certificate file to 444:
   

   sudo chmod 444 /etc/docker/certs.d/<registry>/server-cert.pem

3. Restart Docker to ensure the changes take effect:
   

   sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to modify the permissions of the Docker server certificate file and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 444 /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

1. Log in to the EC2 instance.

2. Revert the permissions of the Docker server certificate file if necessary:
   

   sudo chmod 644 /etc/docker/certs.d/<registry>/server-cert.pem

3. Restart Docker:
   

   sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to revert the permissions and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/docker/certs.d/<registry>/server-cert.pem && sudo systemctl restart docker"]'

References:

• Docker CLI - Daemon Socket Option

• Docker TLS Security

• Docker Registry Insecure Setup