seccompProfile required
Description
The Restricted level of the Pod Security Standards requires securityContext.seccompProfile.type to be set explicitly to RuntimeDefault or Localhost, either at pod level (spec.securityContext, which every container then inherits) or on each container, including initContainers and ephemeralContainers. An unset profile or a value of Unconfined fails the check.
⚠️ Risk Impact
Without a seccomp profile, a container can invoke any syscall the kernel exposes, which is most of the kernel's attack surface. The container runtime's default profile (RuntimeDefault) denies several dozen syscalls that ordinary workloads never need, such as mount, reboot, kexec_load, init_module, open_by_handle_at and keyctl; the exact list depends on the runtime and kernel version.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Set securityContext.seccompProfile.type to RuntimeDefault at pod level (spec.securityContext) so every container inherits it, and remove any container-level Unconfined override. Use Localhost only when the named profile is installed under the kubelet's seccomp profile root (default /var/lib/kubelet/seccomp) on every node the pod can be scheduled to.
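The following is an added example, not EchelonGraph's scanner code, showing both the detection logic and the remediation in working form. It evaluates a pod spec (given as a Python dict, the same shape as the YAML) against the Restricted seccompProfile rule, mirroring the upstream pod-security-admission check: pod-level Unconfined is a violation even if containers override it, a container with no profile is a violation unless the pod level sets a valid one, and initContainers and ephemeralContainers count. The sample spec and the names in it are constructed for the example.

```python
"""Check a Kubernetes pod spec against the Pod Security Standards (Restricted)
seccompProfile rule and, where it fails, produce the remediated spec.

Added example; not EchelonGraph's scanner code. The rule: the profile type must
be explicitly set, at pod level or on every container, to RuntimeDefault or
Localhost. Unset and Unconfined are both prohibited.
"""
from copy import deepcopy

ALLOWED_TYPES = {"RuntimeDefault", "Localhost"}
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def _profile_type(security_context):
    """Return seccompProfile.type under a securityContext, or None if unset."""
    profile = (security_context or {}).get("seccompProfile") or {}
    return profile.get("type")


def check_seccomp_restricted(pod_spec):
    """Return a list of violation strings; an empty list means compliant."""
    violations = []
    pod_type = _profile_type(pod_spec.get("securityContext"))
    pod_level_ok = False
    if pod_type is not None:
        if pod_type in ALLOWED_TYPES:
            pod_level_ok = True
        else:
            # Explicit bad value at pod level is a violation on its own,
            # regardless of what individual containers set.
            violations.append(f"pod: seccompProfile.type={pod_type!r} not allowed")

    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field, []):
            name = container.get("name", "<unnamed>")
            ctype = _profile_type(container.get("securityContext"))
            if ctype is None:
                # Unset at container level is fine only if the pod level supplies
                # a valid default for the container to inherit.
                if not pod_level_ok:
                    violations.append(
                        f"{field}/{name}: seccompProfile not set and no valid pod-level default")
            elif ctype not in ALLOWED_TYPES:
                violations.append(f"{field}/{name}: seccompProfile.type={ctype!r} not allowed")
    return violations


def remediate(pod_spec):
    """Return a copy with pod-level RuntimeDefault and any disallowed
    container-level override removed, so every container inherits the default.

    Container-level Localhost/RuntimeDefault settings are kept: they already
    satisfy the rule (Localhost still needs the profile file present on nodes).
    """
    fixed = deepcopy(pod_spec)
    fixed.setdefault("securityContext", {})["seccompProfile"] = {"type": "RuntimeDefault"}
    for field in CONTAINER_FIELDS:
        for container in fixed.get(field, []):
            sc = container.get("securityContext") or {}
            if "seccompProfile" in sc and _profile_type(sc) not in ALLOWED_TYPES:
                del sc["seccompProfile"]  # drop Unconfined so the pod-level default applies
    return fixed


# Constructed sample: the weak shape the pitfalls section describes.
WEAK_POD_SPEC = {
    "securityContext": {"seccompProfile": {"type": "Unconfined"}},
    "initContainers": [{"name": "init", "image": "busybox"}],
    "containers": [
        {"name": "app", "image": "nginx"},
        {"name": "sidecar", "image": "envoy",
         "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
    ],
}

if __name__ == "__main__":
    for v in check_seccomp_restricted(WEAK_POD_SPEC):
        print("VIOLATION:", v)
    print("after remediation:", check_seccomp_restricted(remediate(WEAK_POD_SPEC)))
```

Run against the sample, the checker reports three findings (the pod-level Unconfined, and the init and app containers that inherit nothing valid) while the sidecar passes; after remediate() the same spec reports none. The one thing this cannot verify offline is the Localhost pitfall below: a referenced profile file that is absent from a node makes container creation fail on that node, so confirm the file exists under the kubelet's seccomp root before relying on Localhost.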
💀 Real-World Attack Scenario
A compromised container attempted an escape by calling the mount and ptrace syscalls. Under RuntimeDefault the mount call is denied outright (it is not on the default profile's allowlist) and fails with EPERM, so the escape path never gets started and the attempt is visible as a blocked syscall rather than a successful breakout. Whether ptrace is also denied depends on the runtime's profile and kernel version, which is a reason to consider a tighter Localhost profile for workloads that never need it.
💰 Cost of Non-Compliance
A container-escape incident costs $4M+ on average.
📋 Audit Questions
- 1. Is a seccompProfile set on every container, or at pod level so that each container inherits it?
- 2. Is the type RuntimeDefault or Localhost, never Unconfined?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ No seccomp profile configured: Kubernetes leaves containers Unconfined unless the kubelet's SeccompDefault setting is enabled, and PSS Restricted still requires the field to be set explicitly
- ⛔ Localhost profiles referenced in pod specs but not deployed to every node: container creation fails on any node that lacks the profile file
📈 Business Value
seccomp restricts container syscall attack surface.
⏱️ Effort Estimate
Per-pod update
EchelonGraph enforces via PSS
🔗 Cross-Framework References
Automate Pod Security Standards (PSS-SeccompProfile) compliance
EchelonGraph continuously monitors this control across all your cloud accounts.