Control: 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively
Description
You should verify that the /etc/docker directory permissions are correctly set to 755 or more restrictively (a stricter mode such as 750 or 700 also satisfies this control).
The /etc/docker directory contains certificates and keys in addition to various sensitive files. It should therefore only be writable by root, to ensure that it cannot be modified by a less privileged user.
Remediation
You should run the following command:
chmod 755 /etc/docker
This sets the permissions for the directory to 755. Note that chmod only changes the mode bits; it does not alter the directory's owner or group.
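The audit and remediation described above, as an added shell example that is not part of the Powerpipe mod or the CIS text. It accepts any mode that is 755 or stricter, which is what the control title asks for, and only tightens the mode when the check alarms. The function names are chosen here; it relies on GNU stat -c %a, the same command the control's query runs, so it targets Linux hosts.

```sh
#!/bin/sh
# Added example (not from the Powerpipe mod): audit /etc/docker permissions
# as CIS 3.6 describes, accepting 755 or anything stricter, then remediate.

# Return 0 if an octal mode string (as printed by `stat -c %a`) is 755 or
# stricter, i.e. no bit outside rwxr-xr-x is set. The only bits 755 lacks
# within 0777 are group-write and other-write, so the mask is 022.
mode_is_755_or_stricter() {
  mode="$1"
  case "$mode" in
    ''|*[!0-7]*) return 2 ;;   # not an octal mode string at all
  esac
  # Prefix 0 so the shell parses the digits as octal; a leading setuid/setgid/
  # sticky digit (e.g. "2755") is simply a higher octal digit and is ignored
  # by the 022 mask.
  [ $(( 0$mode & 022 )) -eq 0 ]
}

# Audit a directory (default /etc/docker) and print ok, alarm or skip,
# the same vocabulary the control's SQL uses.
audit_dir() {
  dir="${1:-/etc/docker}"
  if [ ! -d "$dir" ]; then
    echo skip
    return 0
  fi
  mode=$(stat -c %a "$dir" 2>/dev/null) || { echo skip; return 0; }
  if mode_is_755_or_stricter "$mode"; then
    echo ok
  else
    echo alarm
  fi
}

# Apply the CIS remediation only when the audit alarms; an already stricter
# mode (700, 750, ...) is left alone rather than loosened to 755.
remediate_dir() {
  dir="${1:-/etc/docker}"
  if [ "$(audit_dir "$dir")" = alarm ]; then
    chmod 755 "$dir"
  fi
}

# Usage (typically as root):
#   audit_dir            # prints ok / alarm / skip for /etc/docker
#   remediate_dir        # chmod 755 only if the audit alarms
```

The mask-based test is what "or more restrictively" actually means: 644 and 700 pass, while 775 and 757 alarm even though they look close to 755 as numbers.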
Default Value
By default, the permissions for this directory are set to 755.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_3_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_3_6 --share
SQL
This control uses a named query:
with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
),
hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  select
    stdout_output,
    stderr_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'stat -c %a /etc/docker'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.stderr_output like '%No such file or directory%' then 'skip'
    -- "755 or more restrictive" means no bit outside rwxr-xr-x is set, i.e.
    -- neither the group nor the other write bit (digits 0, 1, 4 or 5 only).
    -- right(..., 3) drops the leading setuid/setgid/sticky digit that
    -- stat -c %a prints when one of those bits is set.
    when right(btrim(o.stdout_output, E' \n\r\t'), 3) ~ '^[0-7][0145][0145]$' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' /etc/docker does not exist on ' || os.os || ' OS.'
    when o.stderr_output like '%No such file or directory%' then host || ' recommendation is not applicable as the file is unavailable.'
    else host || ' /etc/docker directory permission set to ' || btrim(o.stdout_output, E' \n\r\t') || '.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  linux_output as o
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn;