Skip to main content
Version: latest

audit_seccomp

The audit seccomp gadget provides a stream of events with syscalls that had their seccomp filters generating an audit log. An audit log can be generated in one of these two conditions:

  • The Seccomp profile has the flag SECCOMP_FILTER_FLAG_LOG (currently unsupported by runc) and returns any action other than SECCOMP_RET_ALLOW.
  • The Seccomp profile does not have the flag SECCOMP_FILTER_FLAG_LOG but returns SCMP_ACT_LOG or SCMP_ACT_KILL*.

Getting started

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/audit_seccomp:latest [flags]

Flags

No flags.

Guide

First, we need to create a pod / container with a seccomp profile that executes some fordibben syscalls.

We'll use the Security Profiles Operator to handle seccomp profiles, however them can be handled manually as explained in Restrict a Container's Syscalls with seccomp

  1. Install the Security Profiles Operator
  2. Install a SeccompProfile that logs the mkdir and blocks the unshare syscalls.
# seccompprofile.yaml
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
name: log
annotations:
description: "Log some syscalls"
spec:
defaultAction: SCMP_ACT_ALLOW
syscalls:
- action: SCMP_ACT_KILL
names:
- unshare
- action: SCMP_ACT_LOG
names:
- mkdir
$ kubectl apply -f seccompprofile.yaml
  1. Start a pod with that SeccompProfile.
# mypod.yaml
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/log.json
restartPolicy: Never
containers:
- name: container1
image: busybox
command: ["sh"]
args: ["-c", "while true ; do mkdir /tmp/dir42 ; unshare -i; sleep 1; done"]
$ kubectl apply -f mypod.yaml

Then, start the audit_seccomp gadget and observe how it logs the unshare syscall being denied.

$ kubectl gadget run audit_seccomp:latest
K8S.NODE K8S.NAMESPACE K8S.PODNAME K8S.CONTAINERN… COMM PID TID UID GID CODE SYSCALL
minikube-docker default mypod container1 mkdir 60482 60482 0 0 …_RET_LOG SYS_MKDIR
minikube-docker default mypod container1 unshare 60483 60483 0 0 …L_THREAD SYS_UNSH…
minikube-docker default mypod container1 mkdir 60553 60553 0 0 …_RET_LOG SYS_MKDIR
minikube-docker default mypod container1 unshare 60554 60554 0 0 …L_THREAD SYS_UNSH…
^C

Finally, clean the system:

$ kubectl delete -f mypod.yaml
$ kubectl delete -f seccompprofile.yaml