Profile Applicability:

  • Level 1 

Description:

The docker.socket file is the systemd socket unit, normally /lib/systemd/system/docker.socket (on some distributions /usr/lib/systemd/system/docker.socket), that defines the Unix socket on which the Docker daemon listens for the Docker client. Its ownership should be root:root. The unit's SocketGroup=docker directive is what makes the runtime socket, /var/run/docker.sock, group-owned by docker so that members of the docker group can talk to the daemon without being root; that root:docker ownership belongs to the socket, not to the unit file that defines it.

Rationale:

The unit file holds the parameters that govern how the Docker API is exposed, including ListenStream (where the daemon listens) and SocketGroup (who may connect). A non-root owner or group that can write to it can change those settings and open the daemon to themselves, and anyone who can reach the Docker socket can start a privileged container, which is equivalent to root on the host. Owning the unit file as root:root preserves the integrity of that configuration; the docker group then gets exactly the access the socket's own ownership grants and nothing more.

Impact:

Pros:

  • Protects the configuration that decides who can reach the Docker daemon.

  • Keeps Docker access scoped to the docker group on the socket, reducing the attack surface.

Cons:

  • Membership of the docker group is root-equivalent, so the group must be managed as carefully as sudo access.

  • None from the change itself: chown does not alter the unit's contents, so no service restart is needed.

Default Value:

On a package-installed Docker the unit file is owned by root:root (mode 0644), and the socket systemd creates from it, /var/run/docker.sock, is root:docker (mode 0660). Ownership can drift through administrative error, a custom installation, or unauthorized modification.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify ownership.

Remediation:

Test Plan:

Using AWS Console:

  1. In the EC2 console, select the instance running Docker and connect to it with EC2 Instance Connect or Session Manager.

  2. Verify the ownership of the unit file and of the runtime socket it creates:

    stat -c '%U:%G %a %n' /lib/systemd/system/docker.socket /var/run/docker.sock

  The unit file should report root:root and the socket root:docker (the modes are covered by separate recommendations).

Using AWS CLI:

  1. Run the same check through SSM Run Command (the instance needs the SSM agent and an instance profile that allows it):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["ls -l /lib/systemd/system/docker.socket /var/run/docker.sock"]'

  2. Read the output using the CommandId returned by the previous call:

    aws ssm get-command-invocation --command-id command_id --instance-id instance_id

Implementation Plan:

Using AWS Console:

  1. Connect to the instance as in the Test Plan.

  2. Record the current ownership so that the Backout Plan can restore it:

    stat -c '%U:%G %n' /lib/systemd/system/docker.socket

  3. Set the ownership of the unit file to root:root:

    sudo chown root:root /lib/systemd/system/docker.socket

  4. Re-run the check from the Test Plan. No daemon-reload or Docker restart is required, because ownership is not part of the unit's contents. Restart Docker only if you also edited the unit, and plan for it: restarting the daemon stops running containers unless live-restore is enabled.

  5. If /var/run/docker.sock is not root:docker, do not rely on chown of the socket itself: systemd re-creates it with the unit's SocketUser and SocketGroup settings on the next start. Make sure the unit (or a drop-in under /etc/systemd/system/docker.socket.d/) carries SocketGroup=docker, then apply it with a daemon-reload and restart, subject to the caveat in step 4.

Using AWS CLI:

  1. Use SSM Run Command to set the ownership and confirm the result in the same invocation:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /lib/systemd/system/docker.socket","stat -c %U:%G:%n /lib/systemd/system/docker.socket"]'

Backout Plan:

Using AWS Console:

  1. Connect to the instance.

  2. Restore the ownership recorded in step 2 of the Implementation Plan (replace the placeholder with the recorded user and group):

    sudo chown original_user:original_group /lib/systemd/system/docker.socket

  3. Re-run the Test Plan check. As with the change itself, no reload or restart is required.

Using AWS CLI:

  1. Restore the recorded ownership through SSM:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown original_user:original_group /lib/systemd/system/docker.socket"]'
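The manual checks above can be folded into one script that audits both files and, instead of hard-coding docker, derives the expected socket group from the SocketGroup= line of the unit it is checking, so a host whose unit legitimately uses another group is not reported as a false failure. This is an added example, not code from the benchmark, from Docker or from this page; it assumes GNU stat (as on Amazon Linux and Ubuntu hosts), the script name audit_docker_socket.sh and the --live flag are illustrative, and the default paths are the ones used in the Test Plan.

```shell
#!/bin/sh
# audit_docker_socket.sh (name is an assumption): audit ownership of the docker.socket
# systemd unit and of the runtime socket it creates. Added example, not the benchmark's
# or Docker's own tooling. Requires GNU stat for the -c format option.

UNIT_FILE="${UNIT_FILE:-/lib/systemd/system/docker.socket}"
SOCK_PATH="${SOCK_PATH:-/var/run/docker.sock}"

# check_owner PATH USER GROUP
# Prints one result line. Returns 0 when ownership matches, 1 on mismatch, 2 when the
# path does not exist (a missing unit or socket is a finding in its own right).
check_owner() {
    path=$1; want_user=$2; want_group=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    have=$(stat -c '%U:%G' "$path")
    if [ "$have" = "$want_user:$want_group" ]; then
        echo "ok      $path is $have"
        return 0
    fi
    echo "FAIL    $path is $have, expected $want_user:$want_group"
    return 1
}

# unit_socket_group UNITFILE
# Prints the group systemd will assign to the socket: the last SocketGroup= line in the
# unit, or "root", which is systemd's default when the directive is absent.
# Drop-in files under docker.socket.d/ are not merged in by this example.
unit_socket_group() {
    group=$(sed -n 's/^SocketGroup=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${group:-root}"
}

# audit UNITFILE SOCKPATH
# The unit file must be root:root; the live socket must be root:<SocketGroup from unit>.
# Returns 0 only when both checks pass, so it can gate a compliance job.
audit() {
    unit=$1; sock=$2; rc=0
    check_owner "$unit" root root || rc=1
    group=$(unit_socket_group "$unit")
    check_owner "$sock" root "$group" || rc=1
    return $rc
}

# Run against the real host only when asked:  sh audit_docker_socket.sh --live
case "${1:-}" in
    --live) audit "$UNIT_FILE" "$SOCK_PATH" ;;
esac
```

Run it on the host with --live (or ship it through AWS-RunShellScript as in the Test Plan) and use the exit status: 0 means both files are as expected, anything else means at least one line starts with FAIL or MISSING. The unit file is read rather than assumed so that the socket check follows whatever SocketGroup the host actually configures.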

References: