Security scans on container hosts show files under /var/lib/containers/*/diff/proc as having insecure permissions
Issue
- When performing CIS or STIG security scans using various security software and appliances on Red Hat Enterprise Linux systems running containers, either with the Red Hat supported podman or with third-party container engines such as docker, warnings about insecure file permissions may appear like so:
/var/lib/containers/storage/overlay/$CONTAINER_LAYER_UUID/diff/proc/sys/kernel/ns_last_pid
owner: root, group: root, permissions: 0666
- This may cite the STIG rule of "There must be no world-writable files on the system" for various versions of Red Hat Enterprise Linux.
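The flagged path sits under the diff/ directory of an overlay storage layer, which holds that layer's filesystem contents (the image or container's own /proc mount point and files), rather than a file the host itself serves. A useful first triage step is therefore to separate findings whose path lies inside a container layer from findings on host paths, so each group can be reviewed in its own context. The script below is an added example, not part of the Red Hat article; the scanner output format ("<path> <mode>", one finding per line) and the layer identifiers in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): triage permission findings by
# whether the flagged path lives inside an overlay layer's diff/ directory.

# Constructed sample scanner output, one finding per line: "<path> <mode>".
# Layer identifiers are placeholders, not real storage ids.
SAMPLE_FINDINGS='/var/lib/containers/storage/overlay/LAYER-ID-EXAMPLE-1/diff/proc/sys/kernel/ns_last_pid 0666
/var/lib/containers/storage/overlay/LAYER-ID-EXAMPLE-1/diff/tmp 1777
/var/lib/containers/storage/overlay/LAYER-ID-EXAMPLE-2/diff/etc/hosts 0666
/etc/hosts 0666
/tmp/scratch.txt 0666'

# classify_path PATH
# Prints "container-layer" when PATH is under
# /var/lib/containers/storage/overlay/<layer>/diff/, i.e. inside the
# contents of an image or container layer; prints "host" otherwise.
# Paths under a layer's merged/ or work/ directories are not diff/ content
# and are reported as host paths for separate review.
classify_path() {
    rest="${1#/var/lib/containers/storage/overlay/}"
    if [ "$rest" = "$1" ]; then
        echo host
        return
    fi
    tail="${rest#*/}"          # strip the <layer> component
    case "$tail" in
        diff/*) echo container-layer ;;
        *)      echo host ;;
    esac
}

# count_class CLASS
# Reads findings on stdin and prints how many have a path of class CLASS.
count_class() {
    n=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        if [ "$(classify_path "$path")" = "$1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# triage_report
# Reads findings on stdin and prints each one prefixed with its class.
triage_report() {
    while read -r path mode; do
        [ -n "$path" ] || continue
        printf '%-16s %s %s\n' "$(classify_path "$path")" "$mode" "$path"
    done
}

printf '%s\n' "$SAMPLE_FINDINGS" | triage_report
printf 'host findings: %s\n' "$(printf '%s\n' "$SAMPLE_FINDINGS" | count_class host)"
printf 'container-layer findings: %s\n' "$(printf '%s\n' "$SAMPLE_FINDINGS" | count_class container-layer)"
```

Feed real scanner output through triage_report after converting it to the "<path> <mode>" form; the host findings remain the ones to assess against the STIG rule for the host itself, while the container-layer findings are reviewed against the image or container they belong to.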
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9