UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235854 DKER-EE-005200 SV-235854r627689_rule Medium
Description
Verify that the docker.socket file permissions are correctly set to 644 or more restrictive. docker.socket file contains sensitive parameters that may alter the behavior of Docker remote API. Hence, it should be writable only by root to maintain the integrity of the file. This file may not be present on the system. In that case, this recommendation is not applicable. By default, if the file is present, the file permissions for this file are correctly set to 644.
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-39073r627687_chk )
Ensure that docker.socket file permissions are set to 644 or more restrictive.

Step 1: Find out the file location:

systemctl show -p FragmentPath docker.socket

Step 2: If the file does not exist, this is not a finding. If the file exists, execute the below command with the correct file path to verify that the file permissions are set to 644 or more restrictive.

stat -c %a /usr/lib/systemd/system/docker.socket

If the file permissions are not set to 644 or a more restrictive permission, this is a finding.
Fix Text (F-39036r627688_fix)
Step 1: Find out the file location:

systemctl show -p FragmentPath docker.socket

Step 2: If the file exists, execute the below command with the correct file path to set the file permissions to 644.

Example:
chmod 644 /usr/lib/systemd/system/docker.socket