Profile Applicability:

  • Level 1

Description:

The docker.socket file, which allows communication between the Docker client and Docker daemon, should have its permissions set to 660 (read and write for the owner and group, no permissions for others) or more restrictively. This ensures that only authorized users in the docker group can communicate with the Docker daemon.

Rationale:

By restricting the permissions on the docker.socket file, you reduce the risk of unauthorized access. Only users in the docker group should be allowed to communicate with the Docker daemon, preventing non-administrative users from executing Docker commands and potentially compromising the system.

Impact:

Pros:

  • Restricts Docker daemon access to authorized users only, reducing the attack surface.

  • Enhances security by preventing unauthorized access to Docker’s internal communication.

Cons:

  • Requires careful management of the docker group to ensure only trusted users have access.

Default Value:

By default, the docker.socket file permissions are typically set to 660, but this can be modified by administrative errors or unauthorized access.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify file permissions.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the permissions of the docker.socket file:

    ls -l /lib/systemd/system/docker.socket

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the permissions of the docker.socket file:

    ls -l /lib/systemd/system/docker.socket
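A scripted version of this check, added here as an example; it is not part of the benchmark text. It assumes Linux with GNU coreutils `stat` (for the `-c` format option), uses the same path the page audits as its default, and the function and variable names (`check_mode_660_or_stricter`, `audit_docker_socket`, `DISALLOWED_MASK`) are my own. Unlike a plain `ls -l`, it follows symlinks and compares the numeric mode bit by bit, so 640 or 600 passes while 664, 644 or 770 fails:

```shell
#!/bin/sh
# Added audit example for the test plan above (not part of the benchmark text).
# Checks that a file's mode is 660 (rw-rw----) or more restrictive, i.e. that it
# grants no permission bit that 660 does not grant.
# Assumes Linux with GNU coreutils `stat` (for the -c format option).

DEFAULT_PATH=/lib/systemd/system/docker.socket   # the path the page audits

# Permission bits that 0660 does not grant: setuid/setgid/sticky (7000),
# owner and group execute (0110) and all "other" bits (0007).
DISALLOWED_MASK=07117

# check_mode_660_or_stricter PATH
# Sets FILE_MODE to the octal mode of PATH. Symlinks are followed, so a linked
# unit file is judged by its target, which plain `ls -l` would not show.
# Returns 0 if the mode is 660 or stricter, 1 if it is more permissive,
# 2 if the file cannot be inspected.
check_mode_660_or_stricter() {
    FILE_MODE=$(stat -L -c '%a' "$1" 2>/dev/null) || return 2
    # A leading 0 makes the shell parse the digits as octal.
    if [ $(( 0$FILE_MODE & $DISALLOWED_MASK )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# audit_docker_socket [PATH]
# Prints a PASS/FAIL/ERROR line and returns the same status as the check.
audit_docker_socket() {
    path=${1:-$DEFAULT_PATH}
    check_mode_660_or_stricter "$path"
    rc=$?
    case $rc in
        0) printf 'PASS: %s mode %s is 660 or more restrictive\n' "$path" "$FILE_MODE" ;;
        1) printf 'FAIL: %s mode %s grants bits beyond 660; fix with: chmod 660 %s\n' \
               "$path" "$FILE_MODE" "$path" ;;
        *) printf 'ERROR: cannot inspect %s\n' "$path" ;;
    esac
    return $rc
}

# Only run the audit when executed as a script, so the functions can also be sourced.
case $0 in
    */docker_socket_audit.sh|docker_socket_audit.sh) audit_docker_socket "$@" ;;
esac
```

Run it as `sh docker_socket_audit.sh [path]`: exit status 0 means the file is compliant, 1 means its mode grants bits beyond 660 (the `chmod 660` command in the Implementation Plan corrects it), and 2 means the file could not be inspected, which on an instance without a systemd-managed Docker is itself worth noting in the audit record.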

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the permissions of the docker.socket file to 660:

    sudo chmod 660 /lib/systemd/system/docker.socket

  3. Reload the systemd daemon to apply any changes:

    sudo systemctl daemon-reload

  4. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the permissions of the docker.socket file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 660 /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the permissions of the docker.socket file if necessary:

    sudo chmod 644 /lib/systemd/system/docker.socket

  3. Reload systemd and restart Docker:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /lib/systemd/system/docker.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

References: