Classification:
compliance
Framework:
cis-docker
Control:
5.21
Set up the Docker integration.
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on an allowlist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.
A large number of system calls are exposed to every userland process, and many of them go unused for the entire lifetime of the process. Most applications do not need all of these system calls and therefore benefit from a reduced set of available system calls. A reduced set of system calls shrinks the total kernel surface exposed to the application and thus improves application security.
Run this command:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

For each container this prints either <no value> (recent Docker versions print an empty list, []) or your modified seccomp profile. If it prints [seccomp:unconfined] (or [seccomp=unconfined], the current spelling of the option), the container is running without any seccomp profile and is therefore not configured in line with good security practices. The default profile is applied implicitly and is not listed in SecurityOpt, so an empty value means the default profile is in use.
By default, seccomp profiles are enabled. You do not need to do anything unless you want to use a modified seccomp profile.

With Docker 1.10 and greater, the default seccomp profile blocks syscalls regardless of the --cap-add flags passed to the container (later versions of the default profile unlock a few syscalls when the matching capability, such as CAP_SYS_ADMIN, is granted). If your application needs a syscall that the default profile blocks, create your own custom seccomp profile rather than disabling seccomp. You can also disable the default seccomp profile by passing --security-opt=seccomp:unconfined (seccomp=unconfined in current Docker syntax) on docker run, but doing so removes the protection this control checks for.

When you run a container, it uses the default profile unless you override it with the --security-opt option.
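The audit command above and the docker run forms described in the remediation, wrapped in a small POSIX shell helper. This is an added example for this control, not code from the Datadog page or the CIS benchmark; the container IDs and the profile path /etc/docker/seccomp/restricted.json in the sample are constructed, and audit_host only works on a host with the Docker CLI.

```shell
#!/bin/sh
# Added example for CIS Docker 5.21; not code from the Datadog page or the CIS
# benchmark. It wraps the benchmark's docker inspect check in functions that
# classify each container's SecurityOpt value and list the non-compliant ones,
# and records the docker run forms the remediation text describes.

# Classify one SecurityOpt value as printed by docker inspect.
# Prints: unconfined (seccomp disabled), custom (explicit profile), default
# (nothing set, so the daemon's default profile applies).
# Both the legacy "seccomp:" and the current "seccomp=" spellings are matched.
classify_secopt() {
    case "$1" in
        *seccomp[:=]unconfined*) echo unconfined ;;
        *seccomp[:=]*)           echo custom ;;
        *)                       echo default ;;
    esac
}

# Read "<id>: SecurityOpt=<value>" lines on stdin and print the ids of
# containers running with seccomp disabled.
find_unconfined() {
    while IFS= read -r line; do
        cid=${line%%:*}
        opts=${line#*SecurityOpt=}
        if [ "$(classify_secopt "$opts")" = unconfined ]; then
            echo "$cid"
        fi
    done
}

# Constructed sample in the shape the benchmark's command prints (not captured
# from a real host): an empty list, a custom profile, a disabled profile, and
# the <no value> form quoted in the benchmark text.
SAMPLE='0a1b2c: SecurityOpt=[]
3d4e5f: SecurityOpt=[seccomp=/etc/docker/seccomp/restricted.json]
6a7b8c: SecurityOpt=[seccomp:unconfined]
9d0e1f: SecurityOpt=<no value>'

# Live audit: the benchmark's pipeline with the classifier on the end.
# Requires the Docker CLI on the host; defined here but not executed.
audit_host() {
    docker ps --quiet --all \
      | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
      | find_unconfined
}

# Remediation forms for reference (not executed here; IMAGE and the profile
# path are placeholders):
#   non-compliant, seccomp disabled:
#     docker run --security-opt seccomp=unconfined IMAGE
#   compliant, default profile (no flag needed):
#     docker run IMAGE
#   compliant, custom profile:
#     docker run --security-opt seccomp=/etc/docker/seccomp/restricted.json IMAGE

printf '%s\n' "$SAMPLE" | find_unconfined   # prints: 6a7b8c
```

On a real host, replace the sample pipe with audit_host; any id it prints is a container that fails this control. Treating <no value> and [] as "default" matches the benchmark text, because a container with no explicit --security-opt still gets the daemon's default profile.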
Version 6: 18 Application Software Security