Control: 3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively
Description
You should verify that the Containerd socket file has permissions of 660 or are configured more restrictively.
Only root and the members of the root group should be allowed to read and write to the default Containerd Unix socket. The Containerd socket file should therefore have permissions of 660 or more restrictive permissions.
Remediation
You should execute the following command
chmod 660 /run/containerd/containerd.sock
This sets the file permissions of the Containerd socket file to 660.
Default Value
By default, the permissions for the Containerd socket file is correctly set to 660.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_3_24Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_3_24 --shareSQL
This control uses a named query:
exec_permissions_600_docker_containerd_socket