Control: 5.22 Ensure the default seccomp profile is not Disabled

Description

Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows for a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage.

A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. Most of applications do not need all these system calls and would therefore benefit from having a reduced set of available system calls. Having a reduced set of system calls reduces the total kernel surface exposed to the application and thus improvises application security.

Remediation

By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile.

Default Value

When you run a container, it uses the default profile unless you override it with the --security-opt option.