3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively

Information

You should verify that all the registry certificate files (usually found under /etc/docker/certs.d/<registry-name> directory) have permissions of 444 or are set more restrictively.

Note that, by default, this directory might not exist if no registry certificate files are in place.

Rationale:

The /etc/docker/certs.d/<registry-name> directory contains Docker registry certificates. These certificate files must have permissions of 444or more restrictive permissions in order to ensure that unprivileged users do not have full access to them..

Impact:

None.

Solution

You should execute the following command:

find /etc/docker/certs.d/ -type f -exec chmod 0444 {} ;

This would set the permissions for the registry certificate files to 444.

Default Value:

By default, the permissions for registry certificate files might not be 444. The default file permissions are governed by the system or user specific umask values which are defined within the operating system itself.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 02dc6b25f0adbd9a697fce4b6707854762960bb44d5421f04e420e331c02e1ec