Docker CIS 5.21: Ensure the default seccomp profile is not disabled
No violationsstackroxmediumdeploySeccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.
- Rationale
- A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.
- Remediation
- By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.
CategoriesDocker CIS
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.115.7.2
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2CM-6
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supporteddocker-cis-5-21-ensure-the-default-seccomp-profile-is-not-disab.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: docker-cis-5-21-ensure-the-default-seccomp-profile-is-not-disab
annotations:
policies.kyverno.io/title: "Docker CIS 5.21: Ensure the default seccomp profile is not disabled"
policies.kyverno.io/category: Docker CIS
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.
policies.kyverno.io/remediation: By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.
policies.kyverno.io/rationale: A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.
policies.io/source: stackrox
policies.io/source-id: 41e5153f-98d1-4830-9f80-983afcbe73c1
spec:
validationFailureAction: Audit
background: true
rules:
- name: docker-cis-5-21-ensure-the-default-seccomp-profile
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Docker CIS 5.21: Ensure the default seccomp profile is not disabled" violated: Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.'
deny:
conditions:
all:
- key: "{{ request.object.spec.securityContext.seccompProfile.type || '' }}"
operator: AnyIn
value:
- UNCONFINED
IR (canonical)
{
"id": "41e5153f-98d1-4830-9f80-983afcbe73c1",
"name": "Docker CIS 5.21: Ensure the default seccomp profile is not disabled",
"description": "Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.",
"rationale": "A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.",
"remediation": "By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "seccomp-profile-type",
"values": [
"UNCONFINED"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "41e5153f-98d1-4830-9f80-983afcbe73c1",
"name": "Docker CIS 5.21: Ensure the default seccomp profile is not disabled",
"description": "Seccomp filtering provides a means to filter incoming system calls. The default seccomp profile uses an allow list to permit a large number of common system calls, and block all others.",
"rationale": "A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.",
"remediation": "By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.",
"disabled": true,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Section 1",
"policyGroups": [
{
"fieldName": "Seccomp Profile Type",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "UNCONFINED"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}