Seeing Policy Violations #2060
Comments
meghna-pancholi
added
the
kind/feature
|
Thank you for the feature request @meghna-pancholi! 🙏
Can you share an example of that so that I can understand the feature better? |
|
Yes! This is an example of an audit log entry of a Seccomp violation: type=ANOM_ABEND msg=audit(1706114183.948:8264563): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=docker-default pid=2040848 comm="mkdir" exe="/bin/busybox" sig=31 res=1 Here, the offending system call is "mkdir". This is an audit log entry I saw by checking the audit log when I had a Seccomp filter with ACT_TRAP, but it was not reported by the log enricher. |
|
Ah so we basically need to support the |
|
cc @pjbgf ☝️ |
|
From the RH's documentation, this event type seems orthogonal to seccomp/selinux/apparmor:
Although there may be value on extending the log enricher to surface all log entries (from the worker nodes) and correlate them to running pods, we would need to consider the impact on resource utilisation and ensure that the new lines won't impact on profiles that are automatically generated in combination with the log enricher. Neither are hard problems, just things that would need to be ironed out. That being said, I suspect you would be able to get a seccomp log entry for that violation if you set your profile to complain mode (e.g. Please make sure you take note of the previous values (e.g. A trick may be to configure the seccomp in your dev/test worker nodes to be more verbose, so you can capture such information way before you hit production. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
What would you like to be added:
When a SeccompProfile's policy is violated, it would be helpful to easily see what violation occurred in the logs somewhere. For example if the "exec" system call caused a policy violation, then a log entry can report this violation. I apologize if this feature already exists. I was not able to figure out how to find this information easily and in a consistent format.
From what I see, the logenricher only includes lines of the audit log where a syscall is reported, but not any where the violations are reported.
Why is this needed:
It would be helpful to quickly collect policy violation information from a program at runtime while enforcing a policy.
User story covered
I am not sure if this is covered in a user story.
The text was updated successfully, but these errors were encountered: