Check: CNTR-MK-001170
Mirantis Kubernetes Engine STIG:
CNTR-MK-001170
(in version v1 r1)
Title
The default seccomp profile must not be disabled. (Cat II impact)
Discussion
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default seccomp profile works on a whitelist basis and allows 311 system calls, blocking all others. It must not be disabled unless it hinders the container application usage. The default seccomp profile blocks syscalls, regardless of --cap-add passed to the container. A large number of system calls are exposed to every user and process, with many of them going unused for the entire lifetime of the process. Most of the applications do not need all the system calls and thus benefit by having a reduced set of available system calls. The reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security. When running a container, it uses the default profile unless it is overridden with the --security-opt option.
Check Content
When using Kubernetes orchestration, this check is Not Applicable. For Swarm orchestration, to ensure the default seccomp profile is not disabled, log in to the CLI: Linux: As an MKE Admin, execute the following command using a Universal Control Plane (MKE) client bundle: docker ps --quiet --filter "label=com.docker.ucp.version" | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' If seccomp:=unconfined, then the container is running without any seccomp profiles and this is a finding.
Fix Text
When using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, do not pass unconfined flags to run a container without the default seccomp profile. Refer to seccomp documentation for details: https://docs.docker.com/engine/security/seccomp/.
Additional Identifiers
Rule ID: SV-260937r966168_rule
Vulnerability ID: V-260937
Group Title: SRG-APP-000342-CTR-000775
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002233 |
The information system prevents organization-defined software from executing at higher privilege levels than users executing the software. |
Controls
Number | Title |
---|---|
AC-6 (8) |
Privilege Levels For Code Execution |