Profile Applicability:

  • Level 1 

Description:

The containerd.socket file (/lib/systemd/system/containerd.socket), the systemd socket unit that defines the socket used for communication between Docker and containerd, should have its ownership set to root:root. The unit file is distinct from the runtime socket it describes (by default /run/containerd/containerd.sock), which should also be owned by root:root. Root ownership, together with a restrictive file mode, ensures that only root can modify or replace the unit, which prevents unauthorized users from redirecting or opening up access to containerd services.

Rationale:

The containerd socket is the channel through which Docker drives containerd, so both the file that defines it and the socket itself must be protected from tampering. A non-root user who owns the unit file can rewrite it to change where the socket listens or the permissions it is created with, and a non-root user who owns the socket can chmod it open to others. Either path gives unauthorized users access to container management and lets them manipulate Docker's container runtime, which on a Docker host is effectively equivalent to root.

Impact:

Pros:

  • Ensures that only root can change the file's ownership, permissions or contents, enhancing security. Ownership alone does not restrict access: the file mode must also deny write access to group and others.

  • Prevents unauthorized users from tampering with the communication channel between Docker and containerd.

Cons:

  • Requires periodic checks to ensure that ownership is maintained correctly, especially after system updates or changes.

Default Value:

  • By default, the containerd.socket file should be owned by root:root. However, it could be altered by administrative errors or unauthorized access.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify ownership.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker (the console only provides the shell session, for example through EC2 Instance Connect or Session Manager; the check itself is run on the host).

  2. Verify the ownership of the containerd.socket file:

    ls -l /lib/systemd/system/containerd.socket

    The owner and group columns must both read root. If the file does not exist, the unit-file check does not apply to this host; audit the runtime socket (by default /run/containerd/containerd.sock) instead.

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the ownership of the containerd.socket file and confirm that the owner and group are both root:

    ls -l /lib/systemd/system/containerd.socket

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the ownership of the containerd.socket file to root:root:

    sudo chown root:root /lib/systemd/system/containerd.socket

  3. An ownership change takes effect immediately; systemd does not cache file ownership, so a daemon reload is only needed if you also edited the unit's contents:

    sudo systemctl daemon-reload

  4. Restarting Docker is likewise not required for the ownership change. If you restart it for another reason, note that this stops and restarts every running container unless live-restore is enabled in the daemon configuration:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the ownership of the containerd.socket file (append the daemon-reload and Docker restart only if the unit's contents were also changed and the container restart is acceptable):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown root:root /lib/systemd/system/containerd.socket"]'
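As an added example serving both the Test Plan and the Implementation Plan above (example code written for this page, not from the CIS benchmark, Docker or containerd), the script below audits ownership and world-writability of the page's unit-file path and of containerd's upstream default runtime socket, and with REMEDIATE=1 fixes ownership without a daemon reload or Docker restart. The two paths, the GNU stat output format (with a BSD fallback) and the script file name containerd-socket-audit.sh are assumptions; override the paths through the environment if your host differs.

```shell
#!/bin/sh
# Audit/remediation helper for the containerd socket ownership check.
# Example code written for this page; it is not from the CIS benchmark, Docker
# or containerd. Assumptions: a Linux host with GNU coreutils (a BSD stat
# fallback is included), the page's unit-file path, and containerd's upstream
# default socket address. Override either path through the environment.
CONTAINERD_UNIT="${CONTAINERD_UNIT:-/lib/systemd/system/containerd.socket}"
CONTAINERD_SOCK="${CONTAINERD_SOCK:-/run/containerd/containerd.sock}"

# owner_of PATH -> "user:group";  mode_of PATH -> octal permission bits.
owner_of() { stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1" 2>/dev/null; }
mode_of()  { stat -c '%a'    "$1" 2>/dev/null || stat -f '%OLp'    "$1" 2>/dev/null; }

# check_owner PATH USER GROUP
# Returns 0 if PATH is owned by USER:GROUP, 1 on mismatch, 2 if PATH is absent.
check_owner() {
  [ -e "$1" ] || return 2
  have="$(owner_of "$1")" || return 2
  [ "$have" = "$2:$3" ]
}

# check_not_world_writable PATH
# Ownership alone is not enough: a root:root file with mode 666 is still
# writable by every local user. Returns 0 if others cannot write, 1 if they
# can, 2 if PATH is absent.
check_not_world_writable() {
  [ -e "$1" ] || return 2
  mode="$(mode_of "$1")" || return 2
  case "$mode" in
    *[2367]) return 1 ;;   # final octal digit (others) has the write bit set
    *)       return 0 ;;
  esac
}

# audit_path PATH -> prints one PASS/FAIL/N/A line; returns 0, 1 or 2.
audit_path() {
  if check_owner "$1" root root; then
    if check_not_world_writable "$1"; then
      echo "PASS  $1 is root:root, mode $(mode_of "$1")"; return 0
    fi
    echo "FAIL  $1 is root:root but world-writable (mode $(mode_of "$1"))"; return 1
  elif [ $? -eq 2 ]; then
    echo "N/A   $1 not present on this host"; return 2
  fi
  echo "FAIL  $1 is owned by $(owner_of "$1"), expected root:root"; return 1
}

# remediate_path PATH -> chown to root:root only when it is actually wrong.
# No daemon-reload or docker restart: systemd does not cache ownership, and
# restarting dockerd stops every container unless live-restore is enabled.
remediate_path() {
  if check_owner "$1" root root; then return 0; fi
  [ -e "$1" ] || return 2
  chown root:root "$1"
}

# main: audit both files; with REMEDIATE=1, fix and re-verify failures.
# Exit status 0 = compliant (or not applicable), 1 = at least one finding.
main() {
  status=0
  for path in "$CONTAINERD_UNIT" "$CONTAINERD_SOCK"; do
    rc=0; audit_path "$path" || rc=$?
    [ "$rc" -eq 1 ] || continue           # 0 = pass, 2 = not present
    if [ "${REMEDIATE:-0}" = "1" ] && remediate_path "$path" && audit_path "$path"; then
      continue                            # fixed and re-verified
    fi
    status=1
  done
  return "$status"
}

# Run only when saved under this file name, so the functions can also be
# sourced into another script.
# Usage:  sh containerd-socket-audit.sh            (audit only)
#         REMEDIATE=1 sh containerd-socket-audit.sh (audit, fix, re-audit)
case "${0##*/}" in
  containerd-socket-audit.sh) main "$@"; exit $? ;;
esac
```

A missing path is reported as N/A rather than FAIL because the unit file is simply absent on hosts where containerd is started by containerd.service without a socket unit, and the runtime socket only exists while containerd is running; an unexpectedly missing runtime socket on a live Docker host is still worth investigating. The same script can be delivered through the AWS-RunShellScript SSM document used in the CLI steps above, with the remediation switched on by setting REMEDIATE=1 in the command.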

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. If the change must be reverted, restore the previous owner and group. Note that returning the file to non-root ownership reintroduces the finding:

    sudo chown <previous-owner>:<previous-group> /lib/systemd/system/containerd.socket

  3. Neither a systemd reload nor a Docker restart is required for an ownership change; run them only if the unit's contents were also changed, keeping in mind that restarting Docker stops running containers unless live-restore is enabled:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the ownership (append the daemon-reload and Docker restart only if the unit's contents were also changed and the container restart is acceptable):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chown <previous-owner>:<previous-group> /lib/systemd/system/containerd.socket"]'

References: