Enable seccomp to safely compute untrusted bytecode
An XCCDF Rule
Description
This kernel feature is useful for number crunching applications that may need to compute
untrusted bytecode during their execution. By using pipes or other transports made available
to the process as file descriptors supporting the read/write syscalls, it's possible to isolate
those applications in their own address space using seccomp.
The configuration that was used to build the kernel is available at /boot/config-*.
To check the configuration value for CONFIG_SECCOMP, run the following command:
grep CONFIG_SECCOMP /boot/config-*
For each kernel installed, a line with value "y" should be returned.
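The grep pattern above also matches related symbols such as CONFIG_SECCOMP_FILTER, so its output has to be read line by line for each kernel. The following shell function is an added example, not part of the rule's own content; it checks every config file for the exact line CONFIG_SECCOMP=y, and the function name check_seccomp is an assumption.

```shell
#!/bin/sh
# Added example: per-kernel check of CONFIG_SECCOMP.
# Usage: check_seccomp [DIR]   (DIR defaults to /boot)
# Prints one PASS/FAIL line per config-* file and returns 0 only if
# every file contains exactly "CONFIG_SECCOMP=y".
check_seccomp() {
    dir=${1:-/boot}
    rc=0
    found=0
    for cfg in "$dir"/config-*; do
        # An unmatched glob stays literal; skip anything that is not a file.
        [ -f "$cfg" ] || continue
        found=1
        # -x matches the whole line, so CONFIG_SECCOMP_FILTER=y,
        # CONFIG_HAVE_ARCH_SECCOMP_FILTER=y and the commented form
        # "# CONFIG_SECCOMP is not set" do not count as a pass.
        if grep -qx 'CONFIG_SECCOMP=y' "$cfg"; then
            echo "PASS $cfg"
        else
            echo "FAIL $cfg"
            rc=1
        fi
    done
    # No config files means nothing was verified: report failure,
    # not a silent pass.
    if [ "$found" -ne 1 ]; then
        echo "FAIL no config-* files found in $dir"
        rc=1
    fi
    return "$rc"
}
```

A non-zero return means at least one installed kernel was built without the option, or that no build configuration was available to inspect.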
Rationale
seccomp enables the ability to filter system calls made by an application, effectively
isolating the system's resources from it.
- ID
- xccdf_org.ssgproject.content_rule_kernel_config_seccomp
- Severity
- Medium
- References
- Updated