2.20 Apply a daemon-wide custom seccomp profile, if needed

Information

You can choose to apply your own custom seccomp profile at the daemon-wide level, if needed, overriding Docker's default seccomp profile for every container the daemon starts.

Rationale:

A large number of system calls are exposed to every userland process, and many of them go unused for the entire lifetime of the process. Most applications do not need all of the system calls and therefore benefit from a reduced set of available system calls. The reduced set shrinks the kernel attack surface exposed to the application and thus improves application security.

You could apply your own custom seccomp profile instead of Docker's default seccomp profile. Alternatively, if Docker's default profile is good for your environment, you can choose to ignore this recommendation.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

By default, Docker's default seccomp profile is applied. If this is good for your environment, no action is necessary. Alternatively, if you choose to apply your own seccomp profile, use the --seccomp-profile flag at daemon start or set the equivalent "seccomp-profile" key in the daemon runtime parameters file (daemon.json). Set it in one place only; dockerd refuses to start when the same directive is given both as a flag and in the configuration file.

dockerd --seccomp-profile </path/to/seccomp/profile>
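The following is an added example, not part of the CIS benchmark text or of Docker's own code. It writes a custom profile in the JSON shape dockerd accepts for --seccomp-profile (the OCI seccomp layout: defaultAction, architectures, and a list of syscall rules), resolves the effective action for a given syscall, and audits a daemon.json plus a dockerd command line to report which profile is in force. The allowlist in CUSTOM_PROFILE is constructed and deliberately tiny, only enough to show the structure; a real profile should start from Docker's default profile and remove calls, not be written from scratch. The file paths and the daemon.json contents in the usage section are assumptions.

```python
"""Build, check and audit a daemon-wide custom seccomp profile for dockerd.

Added example for this benchmark item; not Docker's or CIS's code.
"""
import json
import shlex
from typing import Optional

# Actions accepted in Docker/OCI seccomp profiles.
VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP", "SCMP_ACT_TRACE",
                 "SCMP_ACT_LOG"}

# Constructed profile: deny-by-default, with a minimal allowlist. NOT a
# replacement for Docker's default profile, which allows several hundred calls.
CUSTOM_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",   # anything not listed fails with errno
    "defaultErrnoRet": 1,                # EPERM
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            # Enough for a static "hello world"; a real workload needs far more.
            "names": ["read", "write", "exit", "exit_group", "brk", "mmap",
                      "munmap", "arch_prctl", "rt_sigaction", "rt_sigprocmask",
                      "futex", "openat", "close", "fstat", "newfstatat",
                      "getpid"],
            "action": "SCMP_ACT_ALLOW",
        },
        {
            # Kernel keyring calls, the case the Impact section names. Denied
            # explicitly so that a later change of defaultAction to ALLOW
            # cannot silently re-enable them.
            "names": ["keyctl", "add_key", "request_key"],
            "action": "SCMP_ACT_ERRNO",
            "errnoRet": 1,
        },
    ],
}


def validate_profile(profile: dict) -> list:
    """Return a list of structural problems; an empty list means the profile is sane."""
    findings = []
    default = profile.get("defaultAction")
    rules = profile.get("syscalls", [])
    if default not in VALID_ACTIONS:
        findings.append(f"defaultAction missing or invalid: {default!r}")
    elif default == "SCMP_ACT_ALLOW":
        findings.append("defaultAction is ALLOW: weaker than Docker's default unless "
                        "dangerous calls are explicitly denied")
    for i, rule in enumerate(rules):
        if not rule.get("names"):
            findings.append(f"syscalls[{i}]: no 'names' listed")
        if rule.get("action") not in VALID_ACTIONS:
            findings.append(f"syscalls[{i}]: invalid action {rule.get('action')!r}")
    if default != "SCMP_ACT_ALLOW" and not any(
            r.get("action") == "SCMP_ACT_ALLOW" for r in rules):
        findings.append("deny-by-default profile allows no syscalls; no container could start")
    return findings


def syscall_action(profile: dict, syscall: str) -> str:
    """Effective action for one syscall: first matching rule, else defaultAction.

    Simplification: per-rule 'args' filters and capability includes/excludes are ignored.
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule.get("names", []):
            return rule["action"]
    return profile["defaultAction"]


def configured_profile(daemon_json: dict, dockerd_cmdline: str) -> Optional[str]:
    """Path of the daemon-wide profile, or None when dockerd uses its built-in default.

    Checks the daemon.json key 'seccomp-profile' and the --seccomp-profile flag
    (both '--flag value' and '--flag=value' forms). Raises ValueError if both are set,
    since dockerd refuses to start on a directive given as flag and in the config file.
    """
    from_file = daemon_json.get("seccomp-profile")
    from_flag = None
    argv = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(argv):
        if arg == "--seccomp-profile" and i + 1 < len(argv):
            from_flag = argv[i + 1]
        elif arg.startswith("--seccomp-profile="):
            from_flag = arg.split("=", 1)[1]
    if from_file and from_flag:
        raise ValueError("seccomp-profile set both in daemon.json and on the command line")
    return from_file or from_flag


def write_profile(path: str, profile: dict = CUSTOM_PROFILE) -> None:
    """Write the profile as JSON for use with dockerd --seccomp-profile <path>."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    # Assumed paths and daemon configuration, for illustration only.
    write_profile("/tmp/custom-seccomp.json")
    print("problems:", validate_profile(CUSTOM_PROFILE) or "none")
    print("keyctl ->", syscall_action(CUSTOM_PROFILE, "keyctl"))
    print("profile in force:", configured_profile(
        {"seccomp-profile": "/etc/docker/custom-seccomp.json"}, "/usr/bin/dockerd -H fd://"))
```

Before pointing the daemon at a new profile, run a representative container against it with the per-container form, docker run --security-opt seccomp=/tmp/custom-seccomp.json, and confirm the workload still functions; a daemon-wide profile that blocks a call the workload needs breaks every container on the host at once.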

Impact:

A misconfigured seccomp profile could interrupt your container environment, and because a daemon-wide profile applies to every container, a single blocked call the workload needs affects them all. The calls blocked by Docker's default profile have been carefully scrutinized; they address some critical vulnerabilities and issues within container environments (for example, kernel keyring calls). You should therefore be very careful when overriding the defaults.

Default Value:

By default, Docker applies a seccomp profile.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39

Plugin: Unix

Control ID: ee06427e1db4d022fbeecf2dc93f11596310007b9336c35b58e15330cf52bd79