Comments (9)
saschagrunert
commented on July 22, 2024
Thank you for the feature request @meghna-pancholi! 🙏
if the "exec" system call caused a policy violation, then a log entry can report this violation
Can you share an example of that so that I can understand the feature better?
from security-profiles-operator.
meghna-pancholi
commented on July 22, 2024
Yes! This is an example of an audit log entry of a Seccomp violation:
type=ANOM_ABEND msg=audit(1706114183.948:8264563): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=docker-default pid=2040848 comm="mkdir" exe="/bin/busybox" sig=31 res=1
Here, the offending system call is "mkdir". This is an audit log entry I saw by checking the audit log when I had a Seccomp filter with ACT_TRAP, but it was not reported by the log enricher.
from security-profiles-operator.
saschagrunert
commented on July 22, 2024
Ah so we basically need to support the ANOM_ABEND type? We can extend the enricher to allow that. But ANOM_ABEND can be caused by any signal, right? Not only seccomp violations.
from security-profiles-operator.
saschagrunert
commented on July 22, 2024
cc @pjbgf ☝️
from security-profiles-operator.
pjbgf
commented on July 22, 2024
From the RH's documentation, this event type seems orthogonal to seccomp/selinux/apparmor:
ANOM_ABEND: Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled)... All Audit event types prepended withANOMare intended to be processed by an intrusion detection program.
Although there may be value on extending the log enricher to surface all log entries (from the worker nodes) and correlate them to running pods, we would need to consider the impact on resource utilisation and ensure that the new lines won't impact on profiles that are automatically generated in combination with the log enricher. Neither are hard problems, just things that would need to be ironed out.
That being said, I suspect you would be able to get a seccomp log entry for that violation if you set your profile to complain mode (e.g. SCMP_ACT_LOG) and decrease the log throttle settings:
sudo sysctl -w net.core.message_burst=0
sudo sysctl -w net.core.message_cost=0
Please make sure you take note of the previous values (e.g. sudo sysctl -a | grep net.core.message) in case you need to revert to them.
A trick may be to configure the seccomp in your dev/test worker nodes to be more verbose, so you can capture such information way before you hit production.
from security-profiles-operator.
Related Issues (20)
- Create an "Enforce on all Pods" option for Seccomp Profile Bindings
- File Descriptor memory leak on selinux socket comms
- How to log only unique syscalls in audit log file - Security-Profiles-Operator HOT 8
- Vagrant based tests are failing HOT 12
- Autogenerated clientset to access SPO seccompprofile CRs HOT 4
- Support for --http2-disable flag in metrics pod HOT 6
- Running e2e tests on OpenShift hang HOT 1
- AKS spod STATE : UPDATING HOT 12
- Release v0.8.1
- getting owner profile: the node status owner is of an unknown kind HOT 3
- Manage SELinux booleans HOT 10
- tolerations not honoured HOT 4
- AKS eBPF recording HOT 15
- Can not re-install SPO HOT 1
- ignore istio init container while eBPF profiling HOT 8
- AppArmor does not work HOT 15
- Release v0.8.2 HOT 1
- [Question] Disable webhook deployment HOT 4
- Security Profiles Operator should support dynamic infrastructures HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-profiles-operator.