Profile Applicability:

  • Level 1 

Description:

The Docker server certificate key file is the private key the Docker daemon presents when a Docker client connects over TLS; its location is set by the daemon's --tlskey flag or the tlskey entry in daemon.json. The file should be owned by root:root so that, together with restrictive file permissions, only the root user can read, modify or replace it.

Rationale:

The private key is what lets clients verify that they are talking to the genuine daemon. A non-root account that can read the key can impersonate the daemon to any client that trusts its certificate, and one that can write to the file can tamper with or replace it. Ownership by root:root, together with restrictive permissions, limits the file to the administrator account and reduces the risk of such a compromise.

Impact:

Pros:

  • Secures the Docker server certificate key file by restricting access to the root user only.

  • Ensures that the integrity of the certificate key is maintained, preventing unauthorized access or tampering.

Cons:

  • Requires periodic checks to ensure proper ownership is maintained, especially after the certificate and key are renewed or replaced by a process that does not run as root.

Default Value:

A key generated or installed by the root user is owned by root:root. A key created or copied by another account, or replaced by a renewal job running as a service user, may carry a different owner, as may a file whose ownership was changed by administrative error.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify ownership.

Remediation:

Test Plan:

Using AWS Console:

  1. Connect to the EC2 instance running Docker (for example with a Session Manager session started from the EC2 console).

  2. Verify the ownership of the Docker server certificate key file. Its actual location is whatever the daemon's --tlskey flag or the tlskey entry in /etc/docker/daemon.json points to; the path below is a placeholder:

    ls -l /etc/docker/certs.d/<registry>/server-key.pem

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running, for example with an SSM Session Manager session (aws ssm start-session).

  2. Run the following command to check the ownership of the server certificate key file (placeholder path; use the path from the daemon's --tlskey flag or daemon.json). The output should show root root as owner and group:

    ls -l /etc/docker/certs.d/<registry>/server-key.pem

Implementation Plan:

Using AWS Console:

  1. Connect to the EC2 instance (for example with a Session Manager session started from the EC2 console).

  2. Record the current owner and group (needed for the backout plan), then set the ownership of the Docker server certificate key file to root:root:

    sudo chown root:root /etc/docker/certs.d/<registry>/server-key.pem
  3. Optionally restart Docker. A chown applies to the file immediately and the running daemon is not affected, so a restart is not required; if you do restart, running containers are stopped unless live-restore is enabled in daemon.json:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the ownership of the Docker server certificate key file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/certs.d/<registry>/server-key.pem && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance (for example with a Session Manager session started from the EC2 console).

  2. If the change must be reverted, restore the owner and group recorded before remediation:

    sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-key.pem
  3. Optionally restart Docker (not required for an ownership change; running containers are stopped unless live-restore is enabled):

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the ownership and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/certs.d/<registry>/server-key.pem && sudo systemctl restart docker"]'
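The test, implementation and backout plans above, as one POSIX shell script. This is an added example and is not part of the benchmark or of Docker's own tooling. It assumes a Linux host with GNU coreutils (a BSD stat fallback is included), a daemon that takes its key from a tlskey entry in /etc/docker/daemon.json or a --tlskey argument on the dockerd command line, and that /root is writable for the backout record; every path in it is a placeholder to adjust for the host.

```shell
#!/bin/sh
# Audit, remediate and back out ownership of the Docker server certificate key.
# Added example; not part of the benchmark or of Docker. Assumes a Linux host
# with GNU coreutils (BSD stat fallback included), a daemon whose key comes from
# "tlskey" in daemon.json or --tlskey on the dockerd command line, and that
# /root is writable for the backout record. All paths are placeholders.

set -u

# Print the key path the daemon is configured with. Argument: daemon.json path
# (default /etc/docker/daemon.json). Falls back to the running dockerd command
# line. Returns 1 when no key is configured, i.e. the daemon is not using TLS.
docker_key_path() {
    cfg="${1:-/etc/docker/daemon.json}"
    p=""
    if [ -r "$cfg" ]; then
        # Minimal extraction of the "tlskey" string value; enough for a
        # hand-written daemon.json, not a full JSON parser.
        p=$(sed -n 's/.*"tlskey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    fi
    if [ -z "$p" ]; then
        p=$(ps -eo args= 2>/dev/null | grep -o -- '--tlskey[= ][^ ]*' | head -n 1 | sed 's/^--tlskey[= ]//')
    fi
    [ -n "$p" ] || return 1
    printf '%s\n' "$p"
}

# Print owner:group of a file, the value the audit compares against root:root.
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# Audit check: succeed only when the file is owned by root:root.
is_root_owned() {
    [ "$(owner_of "$1")" = "root:root" ]
}

# Remediation: record the current owner for the backout plan, then chown.
# No daemon restart: the running daemon already holds the key in memory and
# the ownership change applies to the file immediately.
fix_key_owner() {
    key="$1"; record="${2:-/root/docker-key-owner.backout}"
    owner_of "$key" > "$record"
    chown root:root "$key"
}

# Backout: restore the owner recorded by fix_key_owner.
restore_key_owner() {
    key="$1"; record="${2:-/root/docker-key-owner.backout}"
    chown "$(cat "$record")" "$key"
}

# Usage when run directly (sourcing the file only defines the functions):
#   sh docker-key-owner.sh audit | fix | backout
if [ "${1:-}" = audit ] || [ "${1:-}" = fix ] || [ "${1:-}" = backout ]; then
    key=$(docker_key_path) || { echo "daemon has no tlskey configured" >&2; exit 2; }
    case "$1" in
        audit)   if is_root_owned "$key"; then echo "PASS $key $(owner_of "$key")"
                 else echo "FAIL $key $(owner_of "$key")"; exit 1; fi ;;
        fix)     fix_key_owner "$key" ;;
        backout) restore_key_owner "$key" ;;
    esac
fi
```

The audit exit status (0 pass, 1 fail, 2 when the daemon has no TLS key configured) makes the script usable directly as the SSM command in the plans above. The backout record written by fix_key_owner is what supplies the <previous-owner>:<previous-group> values in the backout plan, so run the fix through the script rather than by hand if you want a reliable revert.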

References: