OpenShift Bugs: OCPBUGS-16790

The file permissions of /var/run/multus/cni/net.d/*.conf on nodes should be updated to 600 to conform with CIS benchmarks


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Affects Version: 4.14.0
    • Fix Version: 4.14.0
    • Component: Networking / multus

      Description of problem:

      Observation from the CIS v1.4 PDF:
      1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
      “Container Network Interface provides various networking options for overlay networking.
      You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system.”

      To conform with the CIS benchmark, the /var/run/multus/cni/net.d/*.conf files on nodes should be updated to 600. The files are currently world-readable (644), as the following check across the multus pods shows:

      $ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/var/run/multus/cni/net.d/*.conf"; done
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
      644 /host/var/run/multus/cni/net.d/80-openshift-network.conf

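As an added example (not part of this bug report or of the multus project), the shell function below applies the CIS 1.1.9 rule ("600 or more restrictive") to `stat -c "%a %n"` output like the listing above, rather than only printing the modes: a file conforms when no group/other bit and no owner-execute bit is set. The function names `check_cni_perms` and `count_noncompliant` and the sample listing are constructed here; on a cluster the `oc exec ... stat` loop from the description would be piped into `check_cni_perms` instead of the sample.

```shell
# Added example (not from the bug report): audit "mode path" lines, as
# produced by `stat -c "%a %n"`, against CIS 1.1.9 ("600 or more restrictive").
# A file conforms when (mode & 0177) == 0, i.e. no group/other permission
# and no owner-execute bit. Prints each non-conforming line and returns 1 if
# any was found, 0 otherwise.
check_cni_perms() {
    rc=0
    while read -r mode path; do
        [ -z "$mode" ] && continue
        # Leading 0 makes the shell treat the stat mode as octal.
        if [ $(( 0$mode & 0177 )) -ne 0 ]; then
            echo "NONCOMPLIANT $mode $path"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample listing in the format of the stat loop from the bug
# description: the 644 entry matches what the report observed; the 600 and
# 400 entries are constructed passing cases.
SAMPLE_STAT_OUTPUT='644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
600 /host/var/run/multus/cni/net.d/80-openshift-network.conf
400 /host/var/run/multus/cni/net.d/80-openshift-network.conf'

# Number of non-conforming entries in a stat listing passed as one string.
count_noncompliant() {
    printf '%s\n' "$1" | check_cni_perms | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_STAT_OUTPUT" | check_cni_perms
echo "non-compliant entries: $(count_noncompliant "$SAMPLE_STAT_OUTPUT")"

# Live usage (assumes oc access to the cluster), replacing the sample with
# the loop from the report:
#   for i in $(oc get pods -n openshift-multus -l app=multus -oname); do
#     oc exec -n openshift-multus "$i" -- /bin/bash -c \
#       'stat -c "%a %n" /host/var/run/multus/cni/net.d/*.conf'
#   done | check_cni_perms
```

The bitmask check is what makes "or more restrictive" precise: 600, 400 and 200 all pass, while 640, 604 or 700 all fail, which a plain string comparison against "600" would get wrong.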

      Version-Release number of selected component (if applicable):

      4.14.0-0.nightly-2023-07-20-215234

      How reproducible:

       

      Steps to Reproduce:

      

      Actual results:

      The file permissions of /var/run/multus/cni/net.d/*.conf on nodes are 644.

      Expected results:

      The file permissions of /var/run/multus/cni/net.d/*.conf on nodes should be updated to 600.
      

      Additional info:

       

              pliurh Peng Liu
              xiyuan@redhat.com Xiaojie Yuan
              Zhanqi Zhao Zhanqi Zhao