seccompProfile RuntimeDefault
Description
Containers should use seccompProfile of RuntimeDefault or Localhost.
⚠️ Risk Impact
Without seccomp, container syscalls are unrestricted. RuntimeDefault blocks ~70 dangerous syscalls. Required for PSS Restricted.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Add `securityContext.seccompProfile.type: RuntimeDefault` to every container.
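As an added example (not EchelonGraph's scanner code), the following check applies the same rule to a Pod manifest loaded as a Python dict, honouring the Kubernetes precedence that a container-level `securityContext.seccompProfile` overrides the pod-level one, so a pod-level RuntimeDefault also satisfies the control for containers that do not override it. The manifests are constructed samples, and `check_pod` and `effective_seccomp` are names chosen here.

```python
ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}

def effective_seccomp(pod_spec, container):
    """Profile that applies to a container: container-level securityContext
    overrides pod-level; None means the container runs Unconfined."""
    ctr_profile = (container.get("securityContext") or {}).get("seccompProfile")
    if ctr_profile is not None:
        return ctr_profile
    return (pod_spec.get("securityContext") or {}).get("seccompProfile")

def check_pod(pod):
    """Return (container_name, reason) findings; an empty list means compliant."""
    spec = pod.get("spec", {})
    findings = []
    for field in ("initContainers", "containers"):
        for ctr in spec.get(field, []):
            profile = effective_seccomp(spec, ctr)
            name = ctr.get("name", "<unnamed>")
            if profile is None:
                findings.append((name, "no seccompProfile set (runs Unconfined)"))
            elif profile.get("type") not in ALLOWED_TYPES:
                findings.append((name, f"seccompProfile.type is {profile.get('type')!r}"))
            elif profile.get("type") == "Localhost" and not profile.get("localhostProfile"):
                # Localhost is only meaningful with a profile file path on the node.
                findings.append((name, "Localhost profile without localhostProfile path"))
    return findings

# Constructed sample manifests (not taken from any real cluster).
NONCOMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-unconfined"},
    "spec": {"containers": [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/sidecar:1.0",
         "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
    ]},
}

REMEDIATED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "demo-runtime-default"},
    "spec": {
        # Pod-level default covers "app"; "sidecar" sets it explicitly as well.
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "app", "image": "example/app:1.0"},
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
        ],
    },
}
```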
💀 Real-World Attack Scenario
A compromised container called rare syscalls (ptrace, mount, etc.) in a container-escape attempt. RuntimeDefault seccomp would have blocked these syscalls.
💰 Cost of Non-Compliance
Container-escape: $4M+ avg.
📋 Audit Questions
1. Is seccompProfile set on containers?
2. Is it RuntimeDefault or Localhost?
3. Is PSS Restricted enforced?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ No seccomp configured (Unconfined default)
- ⛔ Localhost profiles not deployed to nodes
📈 Business Value
seccomp restricts container syscall surface.
⏱️ Effort Estimate
Per-pod update
EchelonGraph enforces via PSS
🔗 Cross-Framework References
Automate CIS Kubernetes 5.7.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.