turbot/docker_compliance
GitHub
Loading controls...

Control: 3.23 Ensure that the Containerd socket file ownership is set to root:root

Description

You should verify that the Containerd socket file is owned by root and group owned by root.

Containerd is an underlying component used by Docker to create and manage containers. It provides a socket file similar to the Docker socket, which must be protected from unauthorized access. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Containerd daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior.

Unlike the Docker socket, there is usually no requirement for non-privileged users to connect to the socket, so the ownership should be root:root.

Remediation

You should execute the following command

chown root:root /run/containerd/containerd.sock

This sets the ownership to root and group ownership to root for the default Containerd socket file.

Default Value

By default, the ownership and group ownership for the Containerd socket file is correctly set to root:root

Usage

Run the control in your terminal:

steampipe check docker_compliance.control.cis_v160_3_23

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share docker_compliance.control.cis_v160_3_23

SQL

This control uses a named query:

exec_ownership_root_root_docker_containerd_socket

Tags