Control: 3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively
Description
You should verify that all the registry certificate files (usually found under
/etc/docker/certs.d/<registry-name> directory) have permissions of 444 or are set
more restrictively.
Note that, by default, this directory might not exist if no registry certificate files are in place.
The /etc/docker/certs.d/<registry-name> directory contains Docker registry
certificates. These certificate files must have permissions of 444 or more restrictive
permissions in order to ensure that unprivileged users do not have full access to them.
Remediation
The following command could be executed:
find /etc/docker/certs.d/ -type f -exec chmod 0444 {} \;
This would set the permissions for the registry certificate files to 444.
Default Value
By default, the permissions for registry certificate files might not be 444. The default file
permissions are governed by the system or user specific umask values which are
defined within the operating system itself.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_3_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_3_8 --shareSQL
This control uses a named query:
exec_permissions_444_registry_certificate