Skip to main content
Version: latest

Using audit seccomp

The audit seccomp gadget provides a stream of events with syscalls that had their seccomp filters generating an audit log. An audit log can be generated in one of these two conditions:

  • The Seccomp profile has the flag SECCOMP_FILTER_FLAG_LOG (currently unsupported by runc) and returns any action other than SECCOMP_RET_ALLOW.
  • The Seccomp profile does not have the flag SECCOMP_FILTER_FLAG_LOG but returns SCMP_ACT_LOG or SCMP_ACT_KILL*.

On Kubernetes

  • Install the Seccomp Operator.

  • Install a SeccompProfile that log the mkdir and unshare syscalls.

apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
name: log
annotations:
description: "Log some syscalls"
spec:
defaultAction: SCMP_ACT_ALLOW
syscalls:
- action: SCMP_ACT_KILL
names:
- unshare
- action: SCMP_ACT_LOG
names:
- mkdir
  • Start a pod with that SeccompProfile.
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/default/log.json
restartPolicy: Never
containers:
- name: container1
image: busybox
command: ["sh"]
args: ["-c", "sleep infinity"]
  • Start the audit-seccomp gadget.
$ kubectl gadget audit seccomp -o columns=k8s.namespace,k8s.podname,syscall,code
K8S.NAMESPACE K8S.PODNAME SYSCALL CODE
  • In another terminal, execute the aforementioned syscalls in the pod.
$ kubectl exec -ti  mypod -- /bin/sh
/ # mkdir /tmp/dir42 ; unshare -i
Bad system call (core dumped)
  • Observe the syscalls logged by seccomp in the first terminal.
K8S.NAMESPACE    K8S.PODNAME      SYSCALL          CODE
default mypod mkdir log
default mypod unshare kill_thread

With ig

  • Prepare a Seccomp Profile.
{
"defaultAction": "SCMP_ACT_ALLOW",
"syscalls": [
{
"action": "SCMP_ACT_KILL",
"names": [
"unshare"
]
}
]
}
  • Start the audit-seccomp gadget.
$ sudo ig audit seccomp -r docker
RUNTIME.CONTAINERNAME PID COMM SYSCALL CODE
  • In another terminal, start a container and run unshare:
$ docker run -ti --rm --security-opt seccomp=profile.json ubuntu
# unshare -i
Bad system call (core dumped)
  • Observe the syscalls logged by seccomp in the first terminal.
$ sudo ig audit seccomp -r docker
RUNTIME.CONTAINERNAME PID COMM SYSCALL CODE
eager_mclean 231712 unshare unshare kill_thread