Seeing Policy Violations #2060
Comments
Thank you for the feature request @meghna-pancholi! 🙏
Can you share an example of that so that I can understand the feature better?
Yes! This is an example of an audit log entry of a Seccomp violation:

type=ANOM_ABEND msg=audit(1706114183.948:8264563): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=docker-default pid=2040848 comm="mkdir" exe="/bin/busybox" sig=31 res=1

Here, the offending system call is "mkdir". This is an audit log entry I saw by checking the audit log when I had a Seccomp filter with ACT_TRAP, but it was not reported by the log enricher.
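As an added example (not code from the security-profiles-operator, its log enricher, or the commenter), a small Go parser for the ANOM_ABEND record shown above: it classifies such a record as a seccomp violation only when sig=31 (SIGSYS, the signal seccomp raises for the trapped call), pulls out the offending comm, exe and pid, and ignores other abnormal ends (e.g. a segfault) as well as ordinary SECCOMP records. The type and function names are assumptions; sampleLine is a constructed copy of the entry quoted in the comment.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// SeccompViolation is what an enricher would surface for an ANOM_ABEND record caused by a seccomp SCMP_ACT_TRAP kill (SIGSYS).
type SeccompViolation struct {
	Time time.Time
	PID  int
	Comm string // offending command, e.g. "mkdir"
	Exe  string
}

const sigSys = 31 // SIGSYS, the signal seccomp delivers under SCMP_ACT_TRAP on x86-64/arm64 Linux
var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
var msgRe = regexp.MustCompile(`^audit\((\d+)\.\d+:\d+\)`) // msg=audit(<secs>.<ms>:<serial>):

// ParseAnomAbend returns ok=true only for type=ANOM_ABEND records with sig=31; any other record, including the SECCOMP ones an enricher already handles, yields ok=false.
func ParseAnomAbend(line string) (v SeccompViolation, ok bool) {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = strings.Trim(m[2], `"`)
	}
	sig, err := strconv.Atoi(fields["sig"])
	if fields["type"] != "ANOM_ABEND" || err != nil || sig != sigSys {
		return v, false // not an abnormal end, or one unrelated to seccomp
	}
	ts := msgRe.FindStringSubmatch(fields["msg"])
	if ts == nil {
		return v, false // malformed record header
	}
	sec, _ := strconv.ParseInt(ts[1], 10, 64)
	v.Time = time.Unix(sec, 0).UTC()
	v.PID, _ = strconv.Atoi(fields["pid"])
	v.Comm, v.Exe = fields["comm"], fields["exe"]
	return v, true
}

// sampleLine is a constructed copy of the ANOM_ABEND entry quoted in the comment above.
const sampleLine = `type=ANOM_ABEND msg=audit(1706114183.948:8264563): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=docker-default pid=2040848 comm="mkdir" exe="/bin/busybox" sig=31 res=1`
func main() {
	if v, ok := ParseAnomAbend(sampleLine); ok {
		fmt.Printf("seccomp violation: pid=%d comm=%s exe=%s at %s\n", v.PID, v.Comm, v.Exe, v.Time)
	}
}
```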
Ah, so we basically need to support the
cc @pjbgf ☝️
From RH's documentation, this event type seems orthogonal to seccomp/selinux/apparmor:
Although there may be value in extending the log enricher to surface all log entries (from the worker nodes) and correlate them to running pods, we would need to consider the impact on resource utilisation and ensure that the new lines won't impact profiles that are automatically generated in combination with the log enricher. Neither are hard problems, just things that would need to be ironed out. That being said, I suspect you would be able to get a seccomp log entry for that violation if you set your profile to complain mode (e.g.
Please make sure you take note of the previous values (e.g. A trick may be to configure the seccomp in your dev/test worker nodes to be more verbose, so you can capture such information way before you hit production.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
What would you like to be added:
When a SeccompProfile's policy is violated, it would be helpful to easily see what violation occurred in the logs somewhere. For example, if the "exec" system call caused a policy violation, then a log entry can report this violation. I apologize if this feature already exists. I was not able to figure out how to find this information easily and in a consistent format.
From what I see, the log enricher only includes lines of the audit log where a syscall is reported, but not any where the violations are reported.
Why is this needed:
It would be helpful to quickly collect policy violation information from a program at runtime while enforcing a policy.
User story covered
I am not sure if this is covered in a user story.