Back to catalog

Docker CIS 5.21: Ensure the default seccomp profile is not disabled

No violationsstackroxmediumdeploy

Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.

Rationale
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.
Remediation
By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.
CategoriesDocker CIS
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.115.7.2
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2CM-6
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
docker-cis-5-21-ensure-the-default-seccomp-profile-is-not-disab.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-cis-5-21-ensure-the-default-seccomp-profile-is-not-disab
  annotations:
    policies.kyverno.io/title: "Docker CIS 5.21: Ensure the default seccomp profile is not disabled"
    policies.kyverno.io/category: Docker CIS
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.
    policies.kyverno.io/remediation: By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.
    policies.kyverno.io/rationale: A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.
    policies.io/source: stackrox
    policies.io/source-id: 41e5153f-98d1-4830-9f80-983afcbe73c1
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: docker-cis-5-21-ensure-the-default-seccomp-profile
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Docker CIS 5.21: Ensure the default seccomp profile is not disabled" violated: Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.securityContext.seccompProfile.type || '' }}"
                operator: AnyIn
                value:
                  - UNCONFINED
IR (canonical)
{
  "id": "41e5153f-98d1-4830-9f80-983afcbe73c1",
  "name": "Docker CIS 5.21: Ensure the default seccomp profile is not disabled",
  "description": "Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.",
  "rationale": "A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.",
  "remediation": "By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.",
  "severity": "medium",
  "categories": [
    "Docker CIS"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "seccomp-profile-type",
    "values": [
      "UNCONFINED"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "41e5153f-98d1-4830-9f80-983afcbe73c1",
  "name": "Docker CIS 5.21: Ensure the default seccomp profile is not disabled",
  "description": "Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.",
  "rationale": "A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.",
  "remediation": "By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.",
  "disabled": true,
  "categories": [
    "Docker CIS"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Section 1",
      "policyGroups": [
        {
          "fieldName": "Seccomp Profile Type",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "UNCONFINED"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}