OpenShift must set the sticky bit for world-writable directories.

STIG ID: CNTR-OS-000590  |  SRG: SRG-APP-000243-CTR-000600 |  Severity: medium |  CCI: CCI-001090 |  Vulnerability Id: V-257551 | 

Vulnerability Discussion

Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users.

Check

Verify that all world-writable directories have the sticky bit set. List any world-writeable directories that do not have the sticky bit set by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! -path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done

If there are any directories listed in the results, this is a finding.

Fix

Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit by executing the following:

oc debug node/ -- chroot /host /bin/bash -c 'chmod XXXX '

where
node_name: The name of the node to connect to (oc get node)
XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission)
: The directory on which to correct the permissions