3.15 Verify that Docker socket file ownership is set to root:docker

Information

Verify that the Docker socket file is owned by 'root' and group-owned by 'docker'.Docker daemon runs as 'root'. The default Unix socket hence must be owned by 'root'. If
any other user or process owns this socket, then it might be possible for that non-
privileged user or process to interact with Docker daemon. Also, such a non-privileged user
or process might interact with containers. This is neither secure nor desired behavior.Additionally, the Docker installer creates a Unix group called 'docker'. You can add users to
this group, and then those users would be able to read and write to default Docker Unix
socket. The membership to the 'docker' group is tightly controlled by the system
administrator. If any other group owns this socket, then it might be possible for members
of that group to interact with Docker daemon. Also, such a group might not be as tightly
controlled as the 'docker' group. This is neither secure nor desired behavior.Hence, the default Docker Unix socket file must be owned by 'root' and group-owned by
'docker' to maintain the integrity of the socket file.

Solution

chown root-docker /var/run/docker.sock
This would set the ownership to 'root' and group-ownership to 'docker' for default Docker
socket file.
Impact-None.Default Value-By default, the ownership and group-ownership for Docker socket file is correctly set to
'root-docker'.

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 5cada1757fad9596b9ecdaccfe6026d4cbf99db816532c8a92c078f93c811aae