Profile Applicability:
Level 2
Description:
The /etc/sysconfig/docker file, which contains configuration parameters for Docker, should have its ownership set to root:root to ensure that only the root user can modify it. This is critical for maintaining the integrity and security of Docker’s configuration.
Rationale:
The /etc/sysconfig/docker file contains sensitive configuration settings for Docker, including options that control how Docker starts and operates. Unauthorized modification of this file could lead to security vulnerabilities or incorrect configurations. Ensuring the file is owned by root:root prevents unauthorized access and modification.
Impact:
Pros:
Ensures that only authorized users (root) can modify the Docker configuration.
Prevents unauthorized changes to Docker's startup parameters, improving security and stability.
Cons:
Requires periodic checks to ensure the ownership remains correct, especially after system updates or changes.
Default Value:
By default, the /etc/sysconfig/docker file should be owned by root:root. However, it could be altered by administrative errors or unauthorized access.
Pre-requisites:
Administrative privileges on the Docker host system.
Access to the file system to inspect and modify file ownership.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify the ownership of the /etc/sysconfig/docker file:
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to check the ownership of the /etc/sysconfig/docker file:
ls -l /etc/sysconfig/docker
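An added audit helper, not part of the benchmark text, that turns the ls -l check above into a scripted verdict. It assumes GNU coreutils stat -c (Linux hosts such as Amazon Linux or RHEL); the function name and exit-code convention are this example's own. The file does not exist on every distribution (Debian-based hosts use /etc/default/docker instead), so a missing file is reported as not applicable rather than as a failure.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the owner:group of a Docker
# configuration file. Assumes GNU `stat -c` (on BSD/macOS use `stat -f %Su:%Sg`).
#
# Exit codes of check_owner:
#   0 = PASS  owner:group matches the expected value
#   1 = FAIL  the file exists but ownership differs
#   2 = N/A   the file does not exist on this host

check_owner() {
    path=$1
    expected=${2:-root:root}     # expected owner:group, default root:root
    if [ ! -e "$path" ]; then
        echo "N/A  $path does not exist"
        return 2
    fi
    actual=$(stat -c '%U:%G' "$path") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "PASS $path is owned by $actual"
        return 0
    fi
    echo "FAIL $path is owned by $actual, expected $expected"
    return 1
}

# Stand-alone usage: audit the file this recommendation covers and report the code.
rc=0
check_owner /etc/sysconfig/docker || rc=$?
echo "audit exit code: $rc"
```

The same function can be pointed at /etc/default/docker or any other daemon configuration file by passing a different path, and at a different expected owner by passing a second argument.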
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Set the ownership of the /etc/sysconfig/docker file to root:root:
sudo chown root:root /etc/sysconfig/docker
Restart Docker to ensure the changes take effect:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to modify the ownership of the /etc/sysconfig/docker file and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /etc/sysconfig/docker && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Revert the ownership of the /etc/sysconfig/docker file if necessary:
sudo chown <previous-owner>:<previous-group> /etc/sysconfig/docker
Restart Docker to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to revert the ownership and restart Docker:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /etc/sysconfig/docker && sudo systemctl restart docker"]'
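An added example, not from the benchmark, covering both the Implementation Plan and the Backout Plan above. The backout step needs the value behind the <previous-owner>:<previous-group> placeholder, so this script records the current owner:group before changing it, applies chown root:root only when ownership actually differs, and restarts Docker only in that case (a restart interrupts running containers unless live-restore is configured). It assumes GNU coreutils stat -c and a systemd host; the state-file path and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the benchmark): remediate and back out the ownership
# of /etc/sysconfig/docker with the previous owner recorded for rollback.
# Assumes GNU `stat -c` and systemd. STATE_FILE is this example's own convention.

STATE_FILE=${STATE_FILE:-/var/tmp/docker-sysconfig-owner.bak}

# Record the current owner:group of $1 into the state file $2. Only writes when
# the state file is empty, so a repeated run cannot overwrite the original value.
# Returns 2 when the file does not exist (recommendation not applicable).
record_owner() {
    path=$1
    state=${2:-$STATE_FILE}
    [ -e "$path" ] || { echo "nothing to record: $path does not exist"; return 2; }
    [ -s "$state" ] && return 0
    stat -c '%U:%G' "$path" > "$state"
}

# Set $1 to the target owner:group ($2, default root:root).
# Returns 0 if already correct (no restart needed), 3 if changed, 1 on error.
remediate() {
    path=$1
    target=${2:-root:root}
    state=${3:-$STATE_FILE}
    record_owner "$path" "$state" || return $?
    current=$(stat -c '%U:%G' "$path") || return 1
    [ "$current" = "$target" ] && return 0
    chown "$target" "$path" || return 1
    return 3
}

# Restore the owner:group that record_owner saved (the Backout Plan step).
backout() {
    path=$1
    state=${2:-$STATE_FILE}
    [ -s "$state" ] || { echo "no recorded owner in $state"; return 1; }
    previous=$(cat "$state")
    chown "$previous" "$path"
}

# Restart Docker only when remediate reported a change (exit code 3).
restart_if_changed() {
    [ "$1" -eq 3 ] && systemctl restart docker
    return 0
}

# Stand-alone usage:
#   sh this_script.sh remediate   chown root:root and restart Docker if changed
#   sh this_script.sh backout     restore the recorded owner and restart Docker
case ${1:-} in
    remediate) rc=0; remediate /etc/sysconfig/docker || rc=$?; restart_if_changed "$rc" ;;
    backout)   backout /etc/sysconfig/docker && systemctl restart docker ;;
esac
```

The same script can be delivered through the AWS-RunShellScript SSM document shown above by placing its functions in the commands parameter; the state file then lives on each instance, so the backout can be run later against the same target without knowing the previous owner in advance.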
References: