Bug
Resolution: Done-Errata
Normal
4.14.0
None
No
Approved
False
Description of problem:
Observation from CISv1.4 pdf:
1.1.9 Ensure that the Container Network Interface file permissions are set to 600 or more restrictive
“Container Network Interface provides various networking options for overlay networking. You should consult their documentation and restrict their respective file permissions to maintain the integrity of those files. Those files should be writable by only the administrators on the system.”
To conform with CIS benchmarks, the /var/run/multus/cni/net.d/*.conf files on nodes should be updated to 600.
$ for i in $(oc get pods -n openshift-multus -l app=multus -oname); do oc exec -n openshift-multus $i -- /bin/bash -c "stat -c \"%a %n\" /host/var/run/multus/cni/net.d/*.conf"; done
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
644 /host/var/run/multus/cni/net.d/80-openshift-network.conf
Version-Release number of selected component (if applicable):
4.14.0-0.nightly-2023-07-20-215234
How reproducible:
Steps to Reproduce:
1. 2. 3.
Actual results:
The file permissions of /var/run/multus/cni/net.d/*.conf on nodes are 644.
Expected results:
The file permissions of /var/run/multus/cni/net.d/*.conf on nodes should be updated to 600.
Additional info:
- blocks: OCPBUGS-22932 The file permissions of /var/run/multus/cni/net.d/*.conf on nodes should be updated to 600 to conform with CIS benchmarks (Verified)
- is cloned by: OCPBUGS-22932 The file permissions of /var/run/multus/cni/net.d/*.conf on nodes should be updated to 600 to conform with CIS benchmarks (Verified)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update
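The "600 or more restrictive" criterion from the CIS text quoted in the description, as an added example that is not part of the original report or of OpenShift's own tooling: a POSIX shell audit that treats the mode as a bit mask rather than a number. The function names `mode_ok`, `audit_cni_dir` and `demo` are hypothetical, the sample files are constructed, and GNU `stat -c` is assumed, as in the report's own command.

```shell
#!/bin/sh
# Added example: audit *.conf files against "600 or more restrictive".
# A mode passes only if it sets no bits outside 0600. A numeric "<= 600"
# test would wrongly accept 577, which grants group and other rwx.

# mode_ok MODE: succeeds when the octal MODE has no bits outside 0600
mode_ok() {
    # a leading 0 makes the shell read both operands as octal;
    # 07177 is every permission bit except owner read and owner write
    [ $(( 0$1 & 07177 )) -eq 0 ]
}

# audit_cni_dir DIR: prints "FAIL <mode> <file>" for each non-compliant
# *.conf file; returns 1 if any file fails, 2 if stat fails, 0 otherwise
audit_cni_dir() {
    audit_rc=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue            # glob matched nothing
        mode=$(stat -c '%a' "$f") || return 2
        if ! mode_ok "$mode"; then
            echo "FAIL $mode $f"
            audit_rc=1
        fi
    done
    return "$audit_rc"
}

# demo: builds constructed sample files in a temp dir and audits them
demo() {
    d=$(mktemp -d)
    for m in 400 600 640 644; do
        : > "$d/sample-$m.conf"
        chmod "$m" "$d/sample-$m.conf"
    done
    audit_cni_dir "$d" && demo_rc=0 || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# With a directory argument, audit it; with none, run the constructed demo
if [ -n "${1:-}" ]; then audit_cni_dir "$1"; else demo || true; fi
```

Run on a node (or against the `/host` mount inside a pod), it takes the directory as its argument, for example `/var/run/multus/cni/net.d`, and exits non-zero when any file is more permissive than 600.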