Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-docker-compliance
Overview
1Dashboards
88Benchmarks
88Queries
2Variables
GitHub

Control: 2.17 Ensure that a daemon-wide custom seccomp profile is applied if appropriate

Description

You can choose to apply a custom seccomp profile at a daemon-wide level if needed with this overriding Docker's default seccomp profile.

A large number of system calls are exposed to every userland process with many of them not utilized during the entire lifetime of the process. Many applications do not need all these system calls and therefore benefit by having each system call currently in use reviewed in line with organizational security policy. A reduced set of system calls reduces the total kernel surface exposed to the application and therefore improves application security.

A custom seccomp profile can be applied instead of Docker's default seccomp profile. Alternatively, if Docker's default profile is adequate for your environment, you can choose to ignore this recommendation.

Remediation

By default, Docker's default seccomp profile is applied. If this is adequate for your environment, no action is necessary. Alternatively, if you choose to apply your own seccomp profile, use the --seccomp-profile flag at daemon start or put it in the daemon runtime parameters file.

dockerd --seccomp-profile </path/to/seccomp/profile>

Default Value

By default, Docker applies a default seccomp profile.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_17 --share

SQL

This control uses a named query:

select
  id as resource,
  case
     when exists (
       select 1
       from jsonb_array_elements(security_options) AS elem
       where elem @> '"name=seccomp,profile=default"'
     ) then 'alarm'
     else 'ok'
  end as status,
  case
    when exists (
       select 1
       from jsonb_array_elements(security_options) AS elem
       where elem @> '"name=seccomp,profile=default"'
     ) then name || ' default seccomp profile applied.'
    else name || ' custom seccomp profile applied.'
  end as reason
  , _ctx ->> 'connection_name' as connection_name
from
  docker_info;

Tags

category = Compliance
cis = true
cis_item_id = 2.17
cis_level = 2
cis_section_id = 2
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker