Profile Applicability:

  • Level 2

Description:

The /etc/sysconfig/docker file, which contains configuration parameters for the Docker daemon on certain Linux distributions (such as CentOS or RHEL), should have its permissions set to 644 (readable by everyone but writable only by the root user) or more restrictively. This ensures that unauthorized users cannot modify the Docker configuration.

Rationale:

The /etc/sysconfig/docker file contains important settings that affect how Docker behaves. If this file is writable by unauthorized users, it could lead to configuration changes that affect Docker's functionality or security. By setting the file permissions to 644, the file is protected from unauthorized modifications while allowing it to be readable by other users as necessary.

Impact:

Pros:

  • Ensures that only authorized users (root) can modify the Docker daemon’s configuration, reducing the risk of unauthorized changes.

  • Helps protect Docker from accidental or malicious configuration changes.

Cons:

  • If the file needs to be updated, the permissions must be temporarily adjusted, which adds an additional step to configuration management.

Default Value:

By default, the /etc/sysconfig/docker file permissions are typically set to 644 unless modified by administrative errors or unauthorized access.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify file permissions.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Verify the permissions of the /etc/sysconfig/docker file.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the permissions of the /etc/sysconfig/docker file:

    ls -l /etc/sysconfig/docker
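The following audit script is added here as an example and is not part of the benchmark text. It performs the check above automatically and treats "644 or more restrictive" as a bit-wise test rather than an exact match, so that 640 or 600 pass while 664, 755 or a setuid bit fail, and it also confirms the owner is root. It assumes GNU stat as shipped on CentOS/RHEL hosts; the function names are my own.

```shell
#!/bin/sh
# Added example: audit /etc/sysconfig/docker for owner root and mode 644
# or more restrictive. A string compare against "644" would wrongly flag
# 640 or 600 as failures, so the mode is compared bit-wise instead.

# Return 0 if octal MODE (as printed by `stat -c %a`, e.g. 644 or 4644) sets
# no permission bit beyond rw-r--r--; return 1 otherwise.
mode_is_restrictive_enough() {
    mode=$1
    # A leading 0 makes printf parse the string as octal: 0644 == 420 decimal.
    bits=$(printf '%d' "0$mode" 2>/dev/null) || return 1
    # Any bit outside rw-r--r-- (group/other write, any execute bit,
    # setuid/setgid/sticky) is more permissive than 644 and fails.
    [ $(( bits & ~420 )) -eq 0 ]
}

# Evaluate one (path, owner, mode) triple; prints a verdict, returns 0 on PASS.
check_perms() {
    path=$1; owner=$2; mode=$3
    if [ "$owner" != "root" ]; then
        echo "FAIL $path: owned by $owner, expected root"; return 1
    fi
    if ! mode_is_restrictive_enough "$mode"; then
        echo "FAIL $path: mode $mode is more permissive than 644"; return 1
    fi
    echo "PASS $path: owner=$owner mode=$mode"
}

# Audit the live file; SKIP (status 0) when it is absent, e.g. on hosts
# whose distribution does not use /etc/sysconfig/docker at all.
audit_docker_sysconfig() {
    f=${1:-/etc/sysconfig/docker}
    if [ ! -e "$f" ]; then
        echo "SKIP $f: file not present on this host"; return 0
    fi
    # GNU stat (coreutils) format specifiers: %U owner name, %a octal mode.
    check_perms "$f" "$(stat -c %U "$f")" "$(stat -c %a "$f")"
}

# Entry point: exit status 0 means PASS or SKIP, 1 means FAIL.
audit_docker_sysconfig "$@"
```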

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the permissions of the /etc/sysconfig/docker file to 644:

    sudo chmod 644 /etc/sysconfig/docker

  3. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the permissions of the /etc/sysconfig/docker file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/sysconfig/docker && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the permissions of the /etc/sysconfig/docker file if necessary:

    sudo chmod 644 /etc/sysconfig/docker

  3. Restart Docker:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /etc/sysconfig/docker && sudo systemctl restart docker"]'

References: