Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
OpenShift must set the sticky bit for world-writable directories.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-257551 | CNTR-OS-000590 | SV-257551r921596_rule | Medium |
| Description |
|---|
| Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users. |
| STIG | Date |
|---|---|
| Red Hat OpenShift Container Platform 4.12 Security Technical Implementation Guide | 2023-08-28 |
Details
| Check Text ( C-61286r921594_chk ) |
|---|
| Verify that all world-writable directories have the sticky bit set. List any world-writeable directories that do not have the sticky bit set by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! -path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done If there are any directories listed in the results, this is a finding. |
| Fix Text (F-61210r921595_fix) |
|---|
| Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit by executing the following: oc debug node/ where node_name: The name of the node to connect to (oc get node) XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission) |