Information
Enable default seccomp profile in your pod definitions.
Rationale:
Seccomp (secure computing mode) is used to restrict the set of system calls applications can make, allowing cluster administrators greater control over the security of workloads running in the cluster. Kubernetes disables seccomp profiles by default for historical reasons. You should enable it to ensure that the workloads have restricted actions available within the container.
Impact:
If the default seccomp profile is too restrictive for you, you will need to create and manage your own seccomp profiles, which can be done using OpenShift Security Context Constraints and custom seccomp profiles.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
For any non-privileged pods or containers that do not have seccomp profiles, consider using the RuntimeDefault or creating a custom seccomp profile specifically for the workload.
Please refer to the OpenShift documentation for working with custom seccomp profiles.
Default Value:
By default, OpenShift applies the restricted-v2 SCC to all pods, which uses the RuntimeDefault seccomp profile.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.2
Control ID: 14056125aa11f883584caf480de7925a393baefb0a7f992edb75497b05366189