OpenShift must set the sticky bit for world-writable directories.

An XCCDF Rule

Description

<VulnDiscussion>Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-257551r961149_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Fix the directory permissions by either removing the world-writable permission or setting the sticky bit, executing the following:

oc debug node/<node_name> -- chroot /host /bin/bash -c 'chmod XXXX <directory>'

where
  node_name: The name of the node to connect to (oc get node)
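As an added example (not part of the STIG text), the shell functions below audit a tree for world-writable directories that lack the sticky bit and apply either remediation the rule allows; the sample tree is constructed with mktemp so it runs offline, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit and remediate world-writable directories without the
# sticky bit. Function names and the sample tree are constructed here.

# List directories under $1 that are world-writable (o+w) but have no sticky
# bit (+t). Each path printed is a finding for this rule.
find_unsafe_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Remediate every finding under $1. Default is to set the sticky bit (o+t);
# pass "remove" as $2 to drop world-write (o-w) instead.
fix_unsafe_dirs() {
    mode='o+t'
    [ "${2:-sticky}" = "remove" ] && mode='o-w'
    find_unsafe_dirs "$1" | while IFS= read -r d; do
        chmod "$mode" "$d"
    done
}

# Constructed sample tree: one finding, two compliant directories.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/shared" "$root/tmp_like" "$root/private"
    chmod 0777 "$root/shared"     # world-writable, no sticky bit: finding
    chmod 1777 "$root/tmp_like"   # world-writable with sticky bit: compliant
    chmod 0755 "$root/private"    # not world-writable: compliant
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sample_tree)
    echo "Findings before fix:"; find_unsafe_dirs "$root"
    fix_unsafe_dirs "$root"
    echo "Findings after fix:";  find_unsafe_dirs "$root"
    rm -rf "$root"
}
```

On a cluster node the same `find` expression runs inside `oc debug node/<node_name> -- chroot /host /bin/sh -c '...'`, which is how the manual procedure above reaches the host filesystem.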