Profile Applicability:

  • Level 1

Description:

The Docker server certificate key file, which is used for secure TLS communication between the Docker client and daemon, should have its permissions set to 400 (read-only for the root user). This ensures that the key file cannot be modified or read by unauthorized users, maintaining the integrity of secure communications.

Rationale:

The server certificate key is a sensitive file that must remain protected to ensure secure communication. If unauthorized users gain access to the key, they could potentially intercept or decrypt traffic between the Docker client and daemon. By setting the permissions to 400, the file is protected from modifications, while still allowing the Docker daemon to read it for secure communication.

Impact:

Pros:

  • Protects the Docker server certificate key file by preventing unauthorized access or modifications.

  • Helps maintain the confidentiality and integrity of the TLS key used for secure communication.

Cons:

  • If the certificate key file needs to be updated, the permissions must be temporarily changed, adding an extra step to the process.

Default Value:

By default, the Docker server certificate key file may have 644 permissions, which allow read and write access to the root user and read access to others. It should be changed to 400 to secure it.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify permissions.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the permissions of the Docker server certificate key file:

    ls -l /etc/docker/certs.d/<registry>/server-key.pem

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the permissions of the Docker server certificate key file:

    ls -l /etc/docker/certs.d/<registry>/server-key.pem

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the permissions of the Docker server certificate key file to 400:

    sudo chmod 400 /etc/docker/certs.d/<registry>/server-key.pem

  3. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the permissions of the Docker server certificate key file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 400 /etc/docker/certs.d/<registry>/server-key.pem && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the permissions of the Docker server certificate key file if necessary:

    sudo chmod 644 /etc/docker/certs.d/<registry>/server-key.pem

  3. Restart Docker:

Using AWS CLI:

  1. Use SSM to revert the permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/docker/certs.d/<registry>/server-key.pem && sudo systemctl restart docker"]'

References: