CME-601

Kernel-Level Syscall Filtering (seccomp)

Description

Restricts the set of system calls a process can make to the kernel. Reduces kernel attack surface by blocking syscalls the application doesn't need, preventing exploitation of kernel vulnerabilities through unused syscall handlers.

CVSS Vector Impacts

| Metric | Transition | Rationale |
| --- | --- | --- |
| Scope (S) | C → U | Process cannot invoke blocked syscalls to escape to host kernel |
| Integrity (I) | H → L | Blocked syscalls like execve/ptrace prevent shell breakout |

CWE Relationships

Verification

Check process seccomp status

$ grep Seccomp /proc/<pid>/status
# Expected: Seccomp: 2
Platform: linux
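
An added example, not part of the original CME entry: it extends the single-process check above to every process under a /proc root and lists those that are not in filter mode (Seccomp: 2). The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Seccomp field values in /proc/<pid>/status:
#   0 = disabled, 1 = strict mode, 2 = filter mode (seccomp-bpf)

# seccomp_mode FILE: print the numeric mode, or "unknown" if the field is missing.
# Matching the exact key skips the separate "Seccomp_filters:" line that
# newer kernels also print and that a bare `grep Seccomp` would return too.
seccomp_mode() {
    mode=$(awk '$1 == "Seccomp:" { print $2; exit }' "$1" 2>/dev/null) || mode=""
    echo "${mode:-unknown}"
}

# seccomp_audit PROC_ROOT: print "pid mode name" for each process that is
# not in filter mode, i.e. is not running under a syscall filter.
seccomp_audit() {
    for status in "$1"/[0-9]*/status; do
        [ -r "$status" ] || continue      # unmatched glob, exited or unreadable process
        mode=$(seccomp_mode "$status")
        [ "$mode" = 2 ] && continue
        pid=${status%/status}
        pid=${pid##*/}
        name=$(awk -F'\t' '$1 == "Name:" { print $2; exit }' "$status")
        echo "$pid $mode $name"
    done
}

# make_sample DIR: write a constructed (not captured) /proc-like tree.
make_sample() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    printf 'Name:\tfiltered-svc\nSeccomp:\t2\nSeccomp_filters:\t1\n' > "$1/101/status"
    printf 'Name:\tlegacy-svc\nSeccomp:\t0\nSeccomp_filters:\t0\n'  > "$1/102/status"
    printf 'Name:\told-kernel\nState:\tS (sleeping)\n'              > "$1/103/status"
}

sample=$(mktemp -d)
make_sample "$sample"
seccomp_audit "$sample"     # on a live host: seccomp_audit /proc
rm -rf "$sample"
```

A process reported as `unknown` has no Seccomp field in its status file, so its filtering state cannot be confirmed from /proc alone.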