Profile Applicability:
Level 2
Description:
The daemon.json file, which contains configuration settings for the Docker daemon, should have its ownership set to root:root to ensure that only the root user can modify it. This is crucial to prevent unauthorized changes to Docker’s configuration.
Rationale:
The daemon.json file is a critical component of Docker's configuration. Allowing non-root users to own or modify this file could lead to potential security vulnerabilities. Unauthorized modifications to the Docker daemon settings could result in unintended behavior or security compromises.
Impact:
Pros:
Ensures that only authorized users (root) can modify the Docker daemon configuration.
Protects the integrity of Docker's configuration by preventing unauthorized tampering.
Cons:
Requires periodic checks to ensure that ownership is maintained properly, especially if the file is updated.
Default Value:
By default, the daemon.json file should be owned by root:root. However, it could be modified by administrative errors or unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify ownership.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the ownership of the daemon.json file:
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the ownership of the daemon.json file:
ls -l /etc/docker/daemon.json
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the ownership of the daemon.json file to root:root:
sudo chown root:root /etc/docker/daemon.json
Restart Docker to ensure the changes take effect:
Using AWS CLI:
Use SSM to modify the ownership of the daemon.json file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/docker/daemon.json && sudo systemctl restart docker"]'
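The test plan and implementation plan above are the same check followed by the same fix, so the following script (an added example, not part of the original benchmark text) folds them into reusable functions: file_owner reads the owner:group of a file, check_owner compares it against an expected value (root:root by default, and distinguishes a missing file from a wrongly owned one, since Docker does not create daemon.json until an administrator writes it), and remediate_owner applies the chown and Docker restart from the implementation plan only when the check fails. Function names, the DAEMON_JSON variable and the --audit flag are assumptions of this example; the stat -c form is GNU coreutils, with the BSD stat -f form as a fallback.

```shell
#!/bin/sh
# Added example for auditing and remediating ownership of the Docker daemon
# configuration file. Function names and the DAEMON_JSON default are assumptions.
DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Print the owner:group of a file (GNU stat first, BSD stat as fallback).
file_owner() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# check_owner FILE [EXPECTED]
#   returns 0 when FILE is owned by EXPECTED (default root:root),
#   1 when it is owned by someone else,
#   2 when FILE does not exist (the daemon then runs on built-in defaults).
check_owner() {
    file="$1"
    expected="${2:-root:root}"
    [ -e "$file" ] || return 2
    [ "$(file_owner "$file")" = "$expected" ]
}

# remediate_owner [FILE]
#   Mirrors the implementation plan: chown to root:root and restart Docker,
#   but only when the check actually fails, so a compliant host is untouched.
remediate_owner() {
    file="${1:-$DAEMON_JSON}"
    rc=0
    check_owner "$file" root:root || rc=$?
    case "$rc" in
        0) echo "ok: $file already owned by root:root"; return 0 ;;
        2) echo "skip: $file does not exist"; return 0 ;;
    esac
    echo "fix: $file owned by $(file_owner "$file"), setting root:root"
    sudo chown root:root "$file" && sudo systemctl restart docker
}

# audit [FILE]
#   Prints PASS/FAIL and returns the check_owner code, so the script can gate
#   a compliance job (non-zero exit on a finding).
audit() {
    file="${1:-$DAEMON_JSON}"
    rc=0
    check_owner "$file" root:root || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $file is owned by root:root"
    else
        echo "FAIL: $file (owner: $(file_owner "$file" 2>/dev/null || echo absent))"
    fi
    return "$rc"
}

# When run as a script: ./check_daemon_json.sh --audit   (or --fix to remediate)
case "${1:-}" in
    --audit) audit "$DAEMON_JSON" ;;
    --fix)   remediate_owner "$DAEMON_JSON" ;;
esac
```

To run the audit step from the AWS CLI path above, pass the script body (or just `./check_daemon_json.sh --audit`) as the commands parameter of the same AWS-RunShellScript document; a non-zero exit status then surfaces as a failed command invocation in SSM rather than as text a person has to read.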
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ownership of the daemon.json file if necessary:
sudo chown <previous-owner>:<previous-group> /etc/docker/daemon.json
Restart Docker to apply the changes:
Using AWS CLI:
Use SSM to revert the ownership and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/docker/daemon.json && sudo systemctl restart docker"]'
References: