Docker Enterprise socket file ownership must be set to root:docker.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235865	DKER-EE-005310	SV-235865r627722_rule		High

Description
Verify that the Docker socket file is owned by root and group-owned by docker. Docker daemon runs as root. The default UNIX socket hence must be owned by root. If any other user or process owns this socket, then it might be possible for that non-privileged user or process to interact with Docker daemon. Also, such a non-privileged user or process might interact with containers. This is neither secure nor desired behavior. Additionally, the Docker installer creates a UNIX group called docker. Users can be added to this group, and then those users would be able to read and write to default Docker UNIX socket. The membership to the docker group is tightly controlled by the system administrator. If any other group owns this socket, then it might be possible for members of that group to interact with Docker daemon. Also, such a group might not be as tightly controlled as the docker group. This is neither secure nor desired behavior. Hence, the default Docker UNIX socket file must be owned by root and group-owned by docker to maintain the integrity of the socket file. By default, the ownership and group-ownership for Docker socket file is correctly set to root:docker.

Description

Verify that the Docker socket file is owned by root and group-owned by docker. Docker daemon runs as root. The default UNIX socket hence must be owned by root. If any other user or process owns this socket, then it might be possible for that non-privileged user or process to interact with Docker daemon. Also, such a non-privileged user or process might interact with containers. This is neither secure nor desired behavior. Additionally, the Docker installer creates a UNIX group called docker. Users can be added to this group, and then those users would be able to read and write to default Docker UNIX socket. The membership to the docker group is tightly controlled by the system administrator. If any other group owns this socket, then it might be possible for members of that group to interact with Docker daemon. Also, such a group might not be as tightly controlled as the docker group. This is neither secure nor desired behavior. Hence, the default Docker UNIX socket file must be owned by root and group-owned by docker to maintain the integrity of the socket file. By default, the ownership and group-ownership for Docker socket file is correctly set to root:docker.

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2021-03-26

Details

Check Text ( C-39084r627720_chk )
Ensure that Docker socket file ownership is set to root:docker. Execute the below command to verify that the Docker socket file is owned by root and group-owned by docker: stat -c %U:%G /var/run/docker.sock If docker.sock file ownership is not set to root:docker, this is a finding.

Fix Text (F-39047r627721_fix)
chown root:docker /var/run/docker.sock This sets the ownership to root and group-ownership to docker for default Docker socket file.