CIS compliance scans fail on container hosts with "Ensure sticky bit is set on all world writable directories"

Solution Verified - Updated -

Issue

  • When running security scanning software that checks CIS compliance on Red Hat Enterprise Linux hosts running container tooling such as docker or podman, security scans may fail with:
Ensure sticky bit is set on all world writable directories
  • The directories and files explicitly listed as problematic by the above rule are part of container filesystems or images, notably within the graphRoot paths on the host.
    • For root users, this is usually /var/lib/docker or /var/lib/containers by default.
    • For rootless users, this is usually $HOME/.local/share/containers by default.

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content