Profile Applicability:
Level 2
Description:
The /etc/default/docker file, which contains configuration settings for the Docker daemon, should have its permissions set to 644 (readable by everyone but writable only by the owner) or more restrictively. This ensures that only authorized users (typically root) can modify the file, while others can read it as needed.
Rationale:
The /etc/default/docker file is critical for configuring the Docker daemon. If unauthorized users can modify this file, it could affect Docker’s functionality or security. By setting the file permissions to 644, you ensure that only root can modify it, while other users can only read it. This prevents tampering with the Docker configuration.
Impact:
Pros:
Secures the Docker configuration file by preventing unauthorized write access.
Allows authorized users to read the configuration without modifying it.
Cons:
If the file needs to be updated, the permissions must be temporarily changed, adding an extra step in the management process.
Default Value:
By default, the /etc/default/docker file permissions are typically set to 644 unless modified by administrative errors or unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify file permissions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the permissions of the /etc/default/docker file:
ls -l /etc/default/docker
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the permissions of the /etc/default/docker file:
ls -l /etc/default/docker
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the permissions of the /etc/default/docker file to 644:
sudo chmod 644 /etc/default/docker
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the permissions of the /etc/default/docker file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/default/docker && sudo systemctl restart docker"]'
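The test and implementation steps above reduce to one check: the file's mode must grant nothing beyond rw-r--r--. The script below is an added example, not part of this benchmark text or of any AWS or Docker tooling; it audits a file's octal mode against 644 (no group/other write, no execute, no setuid/setgid/sticky bits) and applies chmod 644 only when the audit fails, so a compliant host is left untouched. The path argument is an assumption so the functions can be exercised against a constructed temporary file; on a Docker host you would pass /etc/default/docker (and restart the daemon afterwards, as the implementation plan does).

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and remediate a file's mode
# so that it is 644 or more restrictive. Path is passed as an argument
# (assumption) so the check can run against a constructed test file.

# Print the octal mode of a file, e.g. 644 or 4755 (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when an octal mode string grants nothing beyond rw-r--r--:
# no write bit for group or others, no execute bits, no special bits.
mode_at_most_644() {
    # A leading 0 makes the shell parse the digits as octal.
    m=$((0$1))
    [ $(( m & ~0644 )) -eq 0 ]
}

# Audit: exit 0 if the file exists and its mode is 644 or stricter, else 1.
audit_file_mode() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    mode=$(file_mode "$1")
    if mode_at_most_644 "$mode"; then
        echo "PASS $1 mode $mode"
        return 0
    fi
    echo "FAIL $1 mode $mode (expected 644 or more restrictive)"
    return 1
}

# Remediate only when the audit fails; already-compliant files are untouched.
remediate_file_mode() {
    audit_file_mode "$1" >/dev/null && return 0
    chmod 644 "$1" && echo "FIXED $1 -> 644"
}

# Usage: sh check_mode.sh /etc/default/docker
if [ -n "${1-}" ]; then
    audit_file_mode "$1"
fi
```

A mode such as 600 passes because it is stricter than 644, while 664 or 4644 fails: the bitmask test rejects any bit that 644 does not itself set, which is exactly the "644 or more restrictive" wording of the control. Run the audit on every host before and after the SSM command so the restart of the daemon is only triggered where a change was actually made.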
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the permissions of the /etc/default/docker file if necessary:
sudo chmod 644 /etc/default/docker
Restart Docker:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the permissions and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/default/docker && sudo systemctl restart docker"]'
References: