From 9c6d74782e91106e10b792dabd77bfef78691c6e Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Tue, 27 Feb 2024 16:35:00 +0100 Subject: [PATCH] extend the explanation why ANSSI R52 requirement is manual --- controls/anssi.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/controls/anssi.yml b/controls/anssi.yml index 63cd826bd8a..1c915d7f21f 100644 --- a/controls/anssi.yml +++ b/controls/anssi.yml @@ -1120,7 +1120,15 @@ controls: title: Securing access for named sockets and pipes levels: - intermediary - notes: We cannot easily automate securing of named sockets and pipes in a general way. + notes: |- + The requirement states that all sockets and named pipes within all mounted + file systems should be checked. The check should look at the permissions + of the socket / pipe and compare them with permissions of the directory + which contains the particular socket. In case permissions of the directory + are less stricter than permissions of the socket, this should be + considered a finding. Since different use cases can require different + permissions for named pipes / sockets, it is not possible to perform this + check automatically. status: manual - id: R53
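Review bot: In the added `notes` text for the "Securing access for named sockets and pipes" control, "less stricter" is a double comparative and should read "less strict" (or "more permissive"), for example "In case permissions of the directory are less strict than permissions of the socket". The closing sentence also sits awkwardly with what precedes it: the text describes comparing the permissions of a socket or pipe with those of its containing directory, which reads as a mechanical check, and then concludes that the check cannot be performed automatically. Consider saying explicitly that the part needing a human is judging whether a given difference is acceptable for the use case, so readers of `status: manual` know what they are expected to review. The same sentence mentions only "the particular socket" where the rest of the text says "socket / pipe"; using one form throughout would avoid the impression that pipes are excluded from the directory comparison.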