Daemon-wide custom seccomp profile is applied if appropriate
Description
You can choose to apply a custom seccomp profile at a daemon-wide level if needed, with this overriding Docker's default seccomp profile.
Rationale
A large number of system calls are exposed to every userland process, many of them never used during the entire lifetime of the process. Many applications do not need all of these system calls and therefore benefit from having each system call currently in use reviewed in line with organizational security policy. A reduced set of system calls reduces the total kernel surface exposed to the application and therefore improves application security. A custom seccomp profile can be applied instead of Docker's default seccomp profile. Alternatively, if Docker's default profile is adequate for your environment, you can choose to ignore this recommendation.
Audit
Review the seccomp profile being applied by running:
docker info --format '{{ .SecurityOptions }}'
A setting value of default indicates that Docker's default seccomp profile is applied.
Remediation
By default, Docker's default seccomp profile is applied. If this is adequate for your environment, no action is necessary.
Alternatively, if you choose to apply your own seccomp profile, use the --seccomp-profile flag at daemon start or put it in the daemon runtime parameters file. For example: dockerd --seccomp-profile </path/to/seccomp/profile>
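The audit and remediation steps above can be scripted. The following POSIX sh helper is an added example written for this page, not part of the CIS benchmark text or Docker's own tooling: it parses the string that `docker info --format '{{ .SecurityOptions }}'` prints, classifies the seccomp profile in use, and emits the daemon.json fragment that selects a custom profile (the `seccomp-profile` key is the file equivalent of `dockerd --seccomp-profile`). The sample strings are constructed to match the format of that output; treating the value `builtin`, which newer daemons report in place of `default`, as the built-in profile is an assumption made here, and the path `/etc/docker/seccomp/custom.json` is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the CIS recommendation text: audit helper for the
# seccomp profile that `docker info --format '{{ .SecurityOptions }}'` reports.
# Sample strings used below are constructed to match that output's format.

# Print the seccomp profile named in a SecurityOptions string
# (e.g. "[name=apparmor name=seccomp,profile=default name=cgroupns]").
# Prints nothing when no seccomp entry is present.
seccomp_profile() {
    printf '%s\n' "$1" \
        | sed 's/^\[//; s/\]$//' \
        | tr ' ' '\n' \
        | sed -n 's/^name=seccomp,profile=//p'
}

# Classify the profile: "default" (Docker's built-in profile, reported as
# default, or as builtin on newer daemons - an assumption made here),
# "disabled" (unconfined), "custom" (anything else, normally a file path),
# or "missing" (no seccomp entry at all, e.g. kernel support absent).
seccomp_state() {
    case "$(seccomp_profile "$1")" in
        '')               printf 'missing\n' ;;
        default|builtin)  printf 'default\n' ;;
        unconfined)       printf 'disabled\n' ;;
        *)                printf 'custom\n' ;;
    esac
}

# Audit a running daemon. Returns 0 when the default or a custom profile is
# applied, 1 when seccomp is disabled or missing, 2 when docker is unavailable.
audit_daemon() {
    command -v docker >/dev/null 2>&1 || { printf 'docker CLI not found\n' >&2; return 2; }
    opts=$(docker info --format '{{ .SecurityOptions }}') || return 2
    state=$(seccomp_state "$opts")
    printf 'seccomp profile: %s (%s)\n' "$(seccomp_profile "$opts")" "$state"
    case "$state" in
        default|custom) return 0 ;;
        *)              return 1 ;;
    esac
}

# Remediation helper: print a daemon.json fragment selecting a custom profile
# via the "seccomp-profile" key (same effect as dockerd --seccomp-profile).
daemon_json_fragment() {
    printf '{\n  "seccomp-profile": "%s"\n}\n' "$1"
}

# Demo on constructed strings: run as `sh audit_seccomp.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    for s in '[name=seccomp,profile=default]' \
             '[name=apparmor name=seccomp,profile=/etc/docker/seccomp/custom.json name=cgroupns]' \
             '[name=apparmor name=seccomp,profile=unconfined]' \
             '[name=apparmor]'; do
        printf '%-80s -> %s\n' "$s" "$(seccomp_state "$s")"
    done
fi
```

Because a custom path only tells you that the default was overridden, an audit that passes on "custom" should be followed by a review of the profile file itself against the built-in one; "disabled" means no syscall filtering is applied to containers at all and warrants immediate attention.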
Impact
A misconfigured seccomp profile could possibly interrupt your container environment. The calls blocked by Docker's default profile have been carefully scrutinized and address some critical vulnerabilities/issues within container environments, for example the kernel keyring calls. You should therefore exercise extreme care if you choose to override the default settings.
Default value
By default, Docker applies a default seccomp profile.
References
- https://docs.docker.com/engine/security/seccomp/
- https://github.com/docker/docker/pull/26276
CIS controls
Version 6, Control 18: Application Software Security