Harden Docker with CIS – (P4) Docker Daemon configuration files

So in P3 (Part 1 and Part 2) of the Harden Docker with CIS series, we covered Docker daemon configurations. In this post, we’ll take up the “Docker Daemon configuration files” module of the CIS benchmark (CIS Docker Benchmark v1.2.0). There are twenty-two items in total.

CIS Control   Description
3.1           Ensure that the docker.service file ownership is set to root:root
3.2           Ensure that docker.service file permissions are appropriately set 644
3.3           Ensure that docker.socket file ownership is set to root:root
3.4           Ensure that docker.socket file permissions are set to 644 or more restrictive
3.5           Ensure that the /etc/docker directory ownership is set to root:root
3.6           Ensure that /etc/docker directory permissions are set to 755 or more restrictively
3.7           Ensure that registry certificate file ownership is set to root:root
3.8           Ensure that registry certificate file permissions are set to 444 or more restrictively
3.9           Ensure that TLS CA certificate file ownership is set to root:root
3.10          Ensure that TLS CA certificate file permissions are set to 444 or more restrictively
3.11          Ensure that Docker server certificate file ownership is set to root:root
3.12          Ensure that the Docker server certificate file permissions are set to 444 or more restrictively
3.13          Ensure that the Docker server certificate key file ownership is set to root:root
3.14          Ensure that the Docker server certificate key file permissions are set to 400
3.15          Ensure that the Docker socket file ownership is set to root:docker
3.16          Ensure that the Docker socket file permissions are set to 660 or more restrictively
3.17          Ensure that the daemon.json file ownership is set to root:root
3.18          Ensure that daemon.json file permissions are set to 644 or more restrictive
3.19          Ensure that the /etc/default/docker file ownership is set to root:root
3.20          Ensure that the /etc/sysconfig/docker file ownership is set to root:root
3.21          Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively
3.22          Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively

Most of these controls revolve around setting the ownership and permissions of various Docker files, so I'll club most of them together for easy execution.

Section 1: Ownership of files is set to root:root

CIS Control   Description
3.1           Ensure that the docker.service file ownership is set to root:root
3.3           Ensure that docker.socket file ownership is set to root:root
3.5           Ensure that the /etc/docker directory ownership is set to root:root
3.7           Ensure that registry certificate file ownership is set to root:root
3.9           Ensure that TLS CA certificate file ownership is set to root:root
3.11          Ensure that Docker server certificate file ownership is set to root:root
3.13          Ensure that the Docker server certificate key file ownership is set to root:root
3.17          Ensure that the daemon.json file ownership is set to root:root
3.19          Ensure that the /etc/default/docker file ownership is set to root:root
3.20          Ensure that the /etc/sysconfig/docker file ownership is set to root:root (usually not present)

NOTE: Items 3.9, 3.11, and 3.13 require us to set up Docker TLS communication, which we haven't done yet. I'll complete those items when I write about that.

Find the paths of the docker.service and docker.socket unit files:

$ systemctl show -p FragmentPath docker.service
FragmentPath=/lib/systemd/system/docker.service
$ systemctl show -p FragmentPath docker.socket
FragmentPath=/lib/systemd/system/docker.socket

Once we have identified all the required paths, we can go ahead and run the chown command:

$ sudo chown root:root /lib/systemd/system/docker.service /lib/systemd/system/docker.socket /etc/docker /etc/docker/daemon.json /etc/default/docker /etc/docker/certs.d/registry.jtnydv.local/*

Section 2: Certificate permissions are set to 444 or more restrictive

CIS Control   Description
3.8           Ensure that registry certificate file permissions are set to 444 or more restrictively
3.10          Ensure that TLS CA certificate file permissions are set to 444 or more restrictively
3.12          Ensure that the Docker server certificate file permissions are set to 444 or more restrictively

NOTE: Items 3.10 and 3.12 require us to set up Docker TLS communication, which we haven't done yet. I'll complete those items when I write about that. Item 3.8 (the registry certificate) can be done now:

$ sudo chmod 444 /etc/docker/certs.d/registry.jtnydv.local/*

Section 3: Set file permissions to 644 or more restrictive

CIS Control   Description
3.2           Ensure that docker.service file permissions are appropriately set 644
3.4           Ensure that docker.socket file permissions are set to 644 or more restrictive
3.18          Ensure that daemon.json file permissions are set to 644 or more restrictive
3.21          Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (N/A)
3.22          Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively

Note that /etc/docker is a directory and is deliberately left out of this command: 644 on a directory removes the execute (search) bit, so nothing could traverse it. Its permissions are set to 755 in Section 4 (item 3.6).

$ sudo chmod 644 /lib/systemd/system/docker.service /lib/systemd/system/docker.socket /etc/docker/daemon.json /etc/default/docker

Section 4: Miscellaneous ownership and file permissions

CIS Control   Description
3.6           Ensure that /etc/docker directory permissions are set to 755 or more restrictively
3.14          Ensure that the Docker server certificate key file permissions are set to 400
3.15          Ensure that the Docker socket file ownership is set to root:docker
3.16          Ensure that the Docker socket file permissions are set to 660 or more restrictively

NOTE: Item 3.14 requires us to set up Docker TLS communication, which we haven't done yet. I'll complete that item when I write about that.

3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively

$ sudo chmod 755 /etc/docker

3.15 Ensure that the Docker socket file ownership is set to root:docker

$ sudo chown root:docker /var/run/docker.sock

3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively

$ sudo chmod 660 /var/run/docker.sock
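Setting the bits once is the easy part; the benchmark asks that they stay that way, and a package upgrade or a well-meaning colleague can undo them. The script below is an added example (my own, not from the post or the CIS benchmark) that audits every file touched in Sections 1 to 4 and reports drift instead of changing anything. It assumes GNU coreutils `stat` (the `-c %U/%G/%a` flags), resolves the unit-file paths with the same `systemctl show -p FragmentPath` lookup the post uses, and reuses the post's example registry hostname registry.jtnydv.local; "644 or more restrictive" is implemented as "the actual mode sets no bit that 644 lacks", which is what the benchmark means.

```shell
#!/usr/bin/env bash
# Added audit helper for CIS Docker Benchmark v1.2.0 section 3 (not part of the
# original post). It only reads ownership and mode, so it is safe to run from
# cron or a config-management check and alert on FAIL lines.

# mode_within MAX ACTUAL: succeed when ACTUAL (octal, as printed by `stat -c %a`)
# sets no permission bit that MAX does not set, i.e. it is "MAX or more restrictive".
mode_within() {
  local max=$1 actual=$2
  # A leading 0 makes the shell parse both as octal; mask to the 12 permission bits.
  [ $(( (0$actual & ~0$max) & 07777 )) -eq 0 ]
}

# audit_file PATH OWNER GROUP MAXMODE
# Prints one PASS/FAIL/SKIP line. Returns 0 = pass, 1 = fail, 2 = path absent.
audit_file() {
  local path=$1 owner=$2 group=$3 maxmode=$4
  if [ ! -e "$path" ]; then
    echo "SKIP $path (not present)"
    return 2
  fi
  local got_owner got_group got_mode status=0
  got_owner=$(stat -c %U "$path")
  got_group=$(stat -c %G "$path")
  got_mode=$(stat -c %a "$path")
  [ "$got_owner:$got_group" = "$owner:$group" ] || status=1
  mode_within "$maxmode" "$got_mode" || status=1
  if [ "$status" -eq 0 ]; then
    echo "PASS $path ($got_owner:$got_group $got_mode)"
  else
    echo "FAIL $path is $got_owner:$got_group $got_mode, want $owner:$group and mode within $maxmode"
  fi
  return $status
}

# docker_audit: walk the targets from this post. Unit-file locations come from
# systemctl when it is available (same lookup as the post), otherwise the
# post's paths are assumed. Returns the number of failing checks.
docker_audit() {
  local failures=0 service socket f
  service=/lib/systemd/system/docker.service
  socket=/lib/systemd/system/docker.socket
  if command -v systemctl >/dev/null 2>&1; then
    service=$(systemctl show -p FragmentPath docker.service | cut -d= -f2)
    socket=$(systemctl show -p FragmentPath docker.socket | cut -d= -f2)
  fi
  # check: wrapper that counts failures (a SKIP is not a failure).
  check() {
    audit_file "$@"
    if [ $? -eq 1 ]; then failures=$((failures + 1)); fi
  }
  check "$service"              root root   644   # 3.1 / 3.2
  check "$socket"               root root   644   # 3.3 / 3.4
  check /etc/docker             root root   755   # 3.5 / 3.6
  check /etc/docker/daemon.json root root   644   # 3.17 / 3.18
  check /etc/default/docker     root root   644   # 3.19 / 3.22
  check /etc/sysconfig/docker   root root   644   # 3.20 / 3.21
  check /var/run/docker.sock    root docker 660   # 3.15 / 3.16
  for f in /etc/docker/certs.d/registry.jtnydv.local/*; do   # 3.7 / 3.8
    [ -e "$f" ] && check "$f" root root 444
  done
  return $failures
}

# Run the audit when executed directly; sourcing the file only defines the functions.
if [ "${BASH_SOURCE:-}" = "$0" ]; then
  docker_audit
fi
```

Run it as `bash docker-cis-audit.sh` and treat a non-zero exit status as "something drifted". The TLS items (3.9 to 3.14) are not included, matching the post; once those files exist, adding a `check /path/to/server-key.pem root root 400` line covers 3.13 and 3.14 in the same way.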

This completes our “Docker Daemon configuration files” section of the CIS Docker Benchmarks. We’ll continue with the other sections in future posts.

If you have questions or need help setting things up, reach out to me @jtnydv