3.9 Ensure that TLS CA certificate file ownership is set to root:root

Information

You should verify that the TLS CA certificate file (the file that is passed along with the --tlscacert parameter) is individually owned and group owned by root.

Rationale:

The TLS CA certificate file should be protected from any tampering. It is used to authenticate the Docker server based on a given CA certificate. It must be therefore be individually owned and group owned by root to ensure that it cannot be modified by less privileged users.

Impact:

None.

Solution

You should execute the following command:

chown root:root <path to TLS CA certificate file>

This sets the individual ownership and group ownership for the TLS CA certificate file to root.

Default Value:

By default, the ownership and group-ownership for TLS CA certificate file is correctly set to root.

See Also

https://workbench.cisecurity.org/files/4532