Control: 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive
Description
You should verify that the file permissions on the docker.socket file are correctly set to 644 or more restrictively.
The docker.socket file contains sensitive parameters that may alter the behavior of the Docker remote API. It should therefore be writeable only by root in order to ensure that it is not modified by less privileged users.
Remediation
Step 1: Find out the file location:
systemctl show -p FragmentPath docker.socket
Step 2: : If the file does not exist, this recommendation is not applicable. If the file does
exist, you should execute the command below, including the correct file path to set the
file permissions to 644. For example,
chmod 644 /usr/lib/systemd/system/docker.socket
Default Value
This file may not be present on the system and in that case, this recommendation is not
applicable. By default, if the file is present, the permissions should be set to 644 or more restrictively.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_3_4Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_3_4 --shareSQL
This control uses a named query:
exec_permissions_644_docker_socket