Docker security profile
In production environments, we recommend that you harden your Conjur configuration by using a seccomp profile. A seccomp profile restricts the system calls the Conjur container is allowed to make, which enforces least privilege at the kernel boundary. The profile is referenced in the docker run command when you create the Conjur container.
Conjur and Docker on Linux
A Conjur Server running on Linux uses the Linux Kernel Session Keyring to securely store the Conjur decryption key. When Conjur starts, a session keyring is created. This session keyring is only available to the Conjur process running inside the container.
Docker's default seccomp profile blocks access to the kernel keyring, that is, the keyring system calls add_key, request_key and keyctl. The Linux kernel keyring subsystem is rarely used by applications and does not support namespacing, which is the mechanism Docker uses to isolate containers from one another.
To provide Conjur with access to the keyring subsystem, start Conjur with a custom seccomp profile that permits these system calls, or use the seccomp=unconfined setting.
Non-production recommendation
In non-production environments, setting seccomp to the unconfined profile is the simplest option. Passing --security-opt seccomp=unconfined to docker run removes seccomp confinement entirely, so every system call is reachable from the container, not only the keyring calls. Other security restrictions, such as SELinux or AppArmor, are still enforced.
Production recommendation
In production environments, we recommend running Conjur with a security profile that adds only the required permissions for the system calls to work with the kernel session keyring.
The profile file must be available to Docker on every Conjur machine before the Conjur container is started. With the file in place, start the Conjur container with docker run and pass the path of the profile in the --security-opt seccomp=<path> option.
Sample seccomp Profile
A sample profile, distributed as the file seccomp.json, is provided for review and use.
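The following Python script is an added example for the production recommendation and the sample profile above; it is not CyberArk's published seccomp.json and not part of the Conjur documentation. It assumes the usual way such a profile is built: take Docker's default seccomp profile as the base, append one rule that allows the three keyring system calls (add_key, request_key, keyctl) and nothing else, write the result to seccomp.json, and hand that path to docker run. The embedded DEFAULT_PROFILE is a constructed, heavily abbreviated stand-in with the same structure as Docker's default.json; in practice load the real file from the moby repository.

```python
"""Build a least-privilege seccomp profile for the Conjur container.

Added example, not Conjur's own seccomp.json: start from a Docker
default-style profile and allow only the kernel keyring system calls.
"""
import json
from pathlib import Path

# Keyring system calls that Docker's default profile blocks. Conjur needs
# them to create and read the session keyring holding its decryption key.
KEYRING_SYSCALLS = ("add_key", "request_key", "keyctl")

# Constructed, abbreviated stand-in for Docker's default profile
# (profiles/seccomp/default.json in moby/moby). Same structure:
# a default deny action plus explicit allow rules, some with argument filters.
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "archMap": [
        {"architecture": "SCMP_ARCH_X86_64",
         "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}
    ],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        # Argument-filtered rule: only personality(0) is allowed.
        {"names": ["personality"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
}


def syscall_action(profile, name):
    """Action taken for an unconditional call to `name`.

    Rules with argument filters only match specific argument values, so they
    are skipped here; the first unconditional rule naming the syscall wins,
    otherwise the profile's defaultAction applies.
    """
    for rule in profile.get("syscalls", []):
        if name in rule.get("names", []) and not rule.get("args"):
            return rule["action"]
    return profile["defaultAction"]


def keyring_allowed(profile):
    """True only if every keyring syscall is unconditionally allowed."""
    return all(syscall_action(profile, s) == "SCMP_ACT_ALLOW"
               for s in KEYRING_SYSCALLS)


def add_keyring_rule(profile):
    """Return a copy of `profile` with exactly one extra rule: allow the
    keyring syscalls. Everything else, including the default deny, is kept."""
    hardened = json.loads(json.dumps(profile))  # deep copy, leave input intact
    hardened["syscalls"].append({
        "names": list(KEYRING_SYSCALLS),
        "action": "SCMP_ACT_ALLOW",
    })
    return hardened


def write_profile(profile, path):
    """Write the profile as JSON to `path` (a path on the Docker host)."""
    Path(path).write_text(json.dumps(profile, indent=2) + "\n")
    return path


def docker_run_args(profile_path):
    """docker run arguments that apply the custom profile. Image name and the
    rest of the Conjur command line are omitted; they are deployment specific."""
    return ["docker", "run", "--security-opt", f"seccomp={profile_path}"]


if __name__ == "__main__":
    # Assumed output path; place the file wherever the docker CLI runs.
    out = write_profile(add_keyring_rule(DEFAULT_PROFILE), "seccomp.json")
    print("keyring allowed before:", keyring_allowed(DEFAULT_PROFILE))
    print("keyring allowed after: ", keyring_allowed(add_keyring_rule(DEFAULT_PROFILE)))
    print(" ".join(docker_run_args(out)), "<image> ...")
```

After starting the container, confirm the result from inside it: the keyring calls should now succeed while an unrelated blocked call (for example ptrace) still fails with EPERM, which is the behaviour the production recommendation asks for and that seccomp=unconfined would not give you.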