Profile Applicability:

  • Level 1

Description:

The containerd.socket file, which allows communication between Docker and containerd, should have its permissions set to 660 (read and write for the owner and group, no permissions for others) or more restrictively. This ensures that only authorized users (typically root and users in the Docker group) can access and modify the socket file.

Rationale:

Restricting the permissions on the containerd.socket file ensures that only root or users in the Docker group can access and modify the socket file. This prevents unauthorized users from interacting with the Docker daemon and containerd, reducing the potential for attacks or unauthorized modifications.

Impact:

Pros:

  • Enhances security by limiting access to the socket file to authorized users.

  • Prevents unauthorized interactions with the containerd service.

Cons:

  • Requires careful management of group membership (Docker group) to ensure that only trusted users have access.

Default Value:

By default, the containerd.socket file permissions may be set to 660, but this can be changed by administrative errors or unauthorized access.

Pre-requisites:

  • Administrative privileges on the Docker host system.

  • Access to the file system to inspect and modify file permissions.

Remediation:

Test Plan:

Using AWS Console:

  • Log in to the EC2 instance running Docker.

  • Verify the permissions of the containerd.socket file:

    ls -l /lib/systemd/system/containerd.socket

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check the permissions of the containerd.socket file:

    ls -l /lib/systemd/system/containerd.socket
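"660 or more restrictive" is a test on permission bits, not a numeric comparison: 640 and 600 comply, while 644 (numerically smaller) and 664 do not, because each grants a bit outside rw-rw----. The shell script below is an added example, not part of this benchmark; the function names, the default path and the PASS/FAIL output format are my own choices, and it relies on GNU `stat -c %a`.

```shell
#!/bin/sh
# Added example: audit a file against the "660 or more restrictive" rule.
# Relies on GNU coreutils stat (-c %a prints the octal permission bits).

# Return 0 if PATH grants no permission bit beyond MAXMODE (octal, default 660),
# 1 if it grants more, 2 if the file cannot be stat'ed.
mode_within() {
    path=$1
    maxmode=${2:-660}
    actual=$(stat -c %a "$path") || return 2
    # Bits present in the actual mode but absent from the allowed mask.
    # A leading 0 makes the shell read both values as octal.
    extra=$(( 0$actual & ~0$maxmode & 07777 ))
    [ "$extra" -eq 0 ]
}

# Print one audit line for the file; exit status mirrors mode_within.
audit_socket_unit() {
    f=${1:-/lib/systemd/system/containerd.socket}
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if mode_within "$f" 660; then
        echo "PASS $f mode $(stat -c %a "$f")"
        return 0
    fi
    echo "FAIL $f mode $(stat -c %a "$f") (expected 660 or stricter)"
    return 1
}

# Stand-alone use: audit the path from the benchmark (or one given as $1).
[ -n "$AUDIT_ON_LOAD" ] && audit_socket_unit "$@"
```

Set AUDIT_ON_LOAD=1 when running the script directly so the audit line is printed; the exit status (0 pass, 1 fail, 2 missing) makes it usable from a cron job or a compliance pipeline.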

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Set the permissions of the containerd.socket file to 660:

    sudo chmod 660 /lib/systemd/system/containerd.socket

  3. Reload the systemd daemon to apply any changes:

    sudo systemctl daemon-reload

  4. Restart Docker to ensure the changes take effect:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to modify the permissions of the containerd.socket file and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 660 /lib/systemd/system/containerd.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the permissions of the containerd.socket file if necessary:

    sudo chmod 644 /lib/systemd/system/containerd.socket

  3. Reload systemd and restart Docker:

    sudo systemctl daemon-reload
    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to revert the permissions and restart Docker:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo chmod 644 /lib/systemd/system/containerd.socket && sudo systemctl daemon-reload && sudo systemctl restart docker"]'


References: