Profile Applicability:

  • Level 1

Description:

Seccomp is a Linux kernel feature that filters system calls for processes. Docker supports seccomp profiles to restrict the system calls that containers can make, enhancing security. By default, Docker uses a seccomp profile that restricts a number of potentially dangerous system calls. This check ensures that the default seccomp profile is not disabled in Docker containers.

Rationale:

Disabling seccomp exposes containers to risks by allowing access to potentially harmful system calls. Seccomp helps reduce the attack surface of containers, preventing malicious or compromised containers from making dangerous system calls that could affect the host system or other containers.

Impact:

  • Reduces the attack surface of containers by restricting access to unsafe system calls.

  • Enhances container security by enforcing a more controlled execution environment.

  • Some applications may require additional system calls to function correctly, which might require modifying or customizing the seccomp profile.

Default Value:

By default, Docker applies a default seccomp profile to containers, which restricts the execution of risky system calls.

Pre-requisites:

  • Docker must be installed and running.

  • Access to the Docker daemon or container configurations to verify or modify the seccomp settings.

Remediation:

Test Plan:

Using AWS Console:

  1. Navigate to the EC2 instance where Docker is running.
  2. Inspect the running container's configuration and check whether a seccomp option is applied, using the docker inspect command (the SecurityOpt values are lower-case, so match case-insensitively):
      docker inspect <container_name> | grep -i seccomp

  3. Ensure the Seccomp configuration is not set to null (which would disable the profile).

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Run the following command to check the seccomp profile of a running container:
    docker inspect --format '{{.HostConfig.SecurityOpt}}' <container_name>
  3. Ensure the output does not contain seccomp=unconfined (or the older seccomp:unconfined spelling), either of which disables the seccomp profile; an empty list ([]) means no per-container override was given.
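The check above, as an added example that is not part of the benchmark text: a POSIX sh script that classifies the value printed by the docker inspect template and audits every running container on the host. Assumes the docker CLI is on PATH when run with the "audit" argument; the constructed SecurityOpt strings in the comments stand in for real inspect output.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Classifies a container's
# seccomp setting from the value printed by
#   docker inspect --format '{{.HostConfig.SecurityOpt}}' <container>
# which renders HostConfig.SecurityOpt as, for example (constructed values):
#   "[]"                          -> no override, daemon default profile applies
#   "[seccomp=unconfined]"        -> seccomp disabled (benchmark failure)
#   "[seccomp=/etc/docker/p.json]"-> custom profile
# Prints exactly one word: default, unconfined or custom. The older
# "seccomp:unconfined" spelling is recognised as well.
seccomp_status() {
    case "$1" in
        *seccomp[=:]unconfined*) echo unconfined ;;
        *seccomp[=:]*)           echo custom ;;
        *)                       echo default ;;
    esac
}

# Audit every running container on this host. Returns non-zero if any
# container runs with seccomp disabled; custom profiles are reported but
# not treated as failures, since the check only forbids "unconfined".
audit_running_containers() {
    failed=0
    for id in $(docker ps -q); do
        name=$(docker inspect --format '{{.Name}}' "$id")
        opts=$(docker inspect --format '{{.HostConfig.SecurityOpt}}' "$id")
        case "$(seccomp_status "$opts")" in
            unconfined) failed=1; echo "FAIL ${name#/}: $opts" ;;
            custom)     echo "INFO ${name#/}: custom profile $opts" ;;
            *)          echo "PASS ${name#/}: default seccomp profile" ;;
        esac
    done
    return "$failed"
}

# Only talk to the Docker daemon when invoked as: sh seccomp_audit.sh audit
# (sourcing the file to reuse seccomp_status needs no daemon).
if [ "${1:-}" = audit ]; then
    audit_running_containers
fi
```

This inspects per-container settings only; a daemon started with dockerd --seccomp-profile pointing at a custom or unconfined profile changes what "default" means for every container and must be checked separately.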

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Modify the container run configuration so that the default seccomp profile is used. When running a container, pass the --security-opt seccomp=default flag:

    docker run --security-opt seccomp=default <image_name>

Using AWS CLI:

  1. Use SSM to ensure that the default seccomp profile is applied to all containers launched via AWS CLI.
  2. Run the following command to ensure the default seccomp profile is applied:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --security-opt seccomp=default <image_name>"]'

Backout Plan:

Using AWS Console:

  1. Connect to the EC2 instance.
  2. Remove the --security-opt seccomp=default flag from the Docker run command and restart the container with the seccomp profile explicitly disabled:
    docker run --security-opt seccomp=unconfined <image_name>

Using AWS CLI:

  1. Use SSM to revert the container to running without a seccomp profile:
    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["docker run --security-opt seccomp=unconfined <image_name>"]'

References: