Gadget audit-seccomp
The Audit Seccomp gadget streams an event for each syscall whose seccomp filter generated an audit log. An audit log is generated under either of these two conditions:
- The Seccomp profile has the flag SECCOMP_FILTER_FLAG_LOG (supported from runc v1.2.0, see runc#3390) and returns any action other than SECCOMP_RET_ALLOW.
- The Seccomp profile does not have the flag SECCOMP_FILTER_FLAG_LOG but returns SCMP_ACT_LOG or SCMP_ACT_KILL*.
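To predict which rules of a profile will show up in this gadget's stream, the two conditions above can be applied to the profile itself. The following is an added example, not part of the gadget or of the original page: it assumes the OCI/runc JSON profile layout (`defaultAction`, `flags`, `syscalls[].names`, `syscalls[].action`), treats `SCMP_ACT_ALLOW` as the profile-level spelling of `SECCOMP_RET_ALLOW`, and uses hypothetical function names and a constructed sample profile.

```python
import json

LOG_FLAG = "SECCOMP_FILTER_FLAG_LOG"

# Constructed sample profile (OCI/runc JSON layout); not taken from the page.
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["mkdir"], "action": "SCMP_ACT_LOG"},
    {"names": ["unshare"], "action": "SCMP_ACT_KILL_PROCESS"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO"}
  ]
}
"""


def is_audited(action, has_log_flag):
    """Apply the page's two conditions to a single seccomp action."""
    if has_log_flag:
        # Condition 1: flag set, anything other than ALLOW is logged.
        return action != "SCMP_ACT_ALLOW"
    # Condition 2: no flag, only LOG and the KILL* actions are logged.
    return action == "SCMP_ACT_LOG" or action.startswith("SCMP_ACT_KILL")


def audited_rules(profile):
    """Return which syscalls (and the default action) would produce audit events."""
    has_flag = LOG_FLAG in (profile.get("flags") or [])
    hits = {}
    for rule in profile.get("syscalls") or []:
        if is_audited(rule["action"], has_flag):
            for name in rule.get("names", []):
                hits[name] = rule["action"]
    return {
        "log_flag": has_flag,
        "default_audited": is_audited(profile["defaultAction"], has_flag),
        "syscalls": hits,
    }


if __name__ == "__main__":
    profile = json.loads(SAMPLE_PROFILE)
    print(audited_rules(profile))      # without SECCOMP_FILTER_FLAG_LOG
    profile["flags"] = [LOG_FLAG]
    print(audited_rules(profile))      # with SECCOMP_FILTER_FLAG_LOG
```

With the sample profile, `ptrace` and the `SCMP_ACT_ERRNO` default only become visible to the gadget once the flag is set; without it, only `mkdir` and `unshare` are reported.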
Example CR
apiVersion: gadget.kinvolk.io/v1alpha1
kind: Trace
metadata:
  name: audit-seccomp
  namespace: gadget
spec:
  node: minikube
  gadget: audit-seccomp
  runMode: Manual
  outputMode: Stream
Operations
start
Start audit seccomp
$ kubectl annotate -n gadget trace/audit-seccomp \
    gadget.kinvolk.io/operation=start
stop
Stop audit seccomp
$ kubectl annotate -n gadget trace/audit-seccomp \
    gadget.kinvolk.io/operation=stop
Output Modes
- Stream