aquasecurity/docker-bench

CIS Benchmarks -- Docker Hosts -- 3.8

amitaqua opened this issue · 4 comments

Seems we only check the first folder and not the whole deep path.
For example, I might have:
/etc/docker/cert.d/cdn.redhat.com/redhat-entitlement-authority.crt
So we only check the permissions on /etc/docker/cert.d/* and thus we see the permission on the subfolder but not on the file under that subfolder.

Hey! You are very correct, this is indeed an issue, and that's why I opened a ticket about it with CIS: https://workbench.cisecurity.org/benchmarks/4198/tickets/10849
We follow their books as much as possible, so we will wait until we get an answer from them.

We got a reply: https://workbench.cisecurity.org/tickets/10896

Nice catch, what do you think of: find /etc/docker/certs.d/ -type f -exec stat -c "%a %n" {} \; and find /etc/docker/certs.d/ -type f -exec chmod 0444 {} \;
I've updated the recommendation.

For now, I will make a PR and update those changes but we won't approve it until those changes are official

Hi @yoavrotems - any updates regarding this one?
It seems it is not yet resolved based on my testing from the other day.

There is a solution (the draft PR mentioned above), but we want to wait for CIS to update their spec. It seems to take them a while, though; maybe we should consider not waiting? @lizrice
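The difference between the first-level check and the recursive one, as an added example that is not docker-bench's own code: a first-level `stat` over `certs.d/*` never sees `certs.d/<registry>/<file>`, while the `find -type f` form from the CIS reply does. Function names and the temporary fixture tree are constructed for this example; `stat -c` and `-maxdepth` assume GNU coreutils/findutils on a Linux host.

```shell
# Added example, not from docker-bench. Requires GNU find/stat (Linux).

# Old behaviour: only regular files directly under the directory are inspected,
# so a cert nested one level down (certs.d/<registry>/ca.crt) is never reported.
shallow_bad_files() {
    find "$1" -maxdepth 1 -type f ! -perm 444 -exec stat -c "%a %n" {} \;
}

# Corrected audit (matches the CIS reply): every regular file at any depth
# must be exactly 0444. Prints "mode path" for each offender; returns 1 if any.
check_certs_dir_perms() {
    bad=$(find "$1" -type f ! -perm 444 -exec stat -c "%a %n" {} \;)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Remediation from the CIS reply, applied recursively to files only
# (directories keep their own mode so the registry subfolders stay traversable).
fix_certs_dir_perms() {
    find "$1" -type f -exec chmod 0444 {} \;
}

# Constructed fixture mimicking /etc/docker/certs.d/cdn.redhat.com/<cert>.
# Prints the temporary root so the caller can audit and clean it up.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/cdn.redhat.com"
    : > "$d/cdn.redhat.com/redhat-entitlement-authority.crt"
    chmod 0644 "$d/cdn.redhat.com/redhat-entitlement-authority.crt"
    chmod 0755 "$d/cdn.redhat.com"
    echo "$d"
}
```

Run against the real directory with `check_certs_dir_perms /etc/docker/certs.d/`; the fixture is only there so the example can be exercised offline.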