SECCOMP events are not logged by auditd? #1400
Comments
Hello, I think it's more a configuration issue. The default containerd seccomp profile does not log by default (https://github.com/containerd/containerd/blob/3b0b3e533ce1f60a60ab83905374d1ce43330063/contrib/seccomp/seccomp_default.go#L485). You can quickly test with:
@tormath1 Thanks for the suggestion! I was under the impression that https://elixir.bootlin.com/linux/v6.1.18/source/kernel/seccomp.c#L1221 it goes to
My goal here is to enable the default runtime seccomp profile and collect evidence with auditd that certain workloads break because of seccomp and not something else. My guess is that if I make the default action SCMP_ACT_LOG, it'll allow everything, but log it. Not exactly what we need here.
I think it's a bit like SELinux: you first need to run SELinux in a permissive mode to ensure that you don't have any denials in your logs, then you can enforce SELinux.
I get it, it makes sense when you introduce it for the first time to the cluster or a set of servers and you want to make sure nothing breaks. However, in the long run, it doesn't make sense not to be able to log it, as it is essential to understand what is preventing workloads from doing what they need/want to do. I believe the following sysctl parameters were designed for exactly that:
However, neither auditd nor dmesg has zero seccomp log entries printed :( However, these don't have any effect in terms of logging with auditd in Flatcar Linux. This is why I decided to seek help from the community here. Hopefully, someone who has experience reading Linux kernel source code and setting up seccomp logging (be it auditd or something else) will chime in and explain how this all works. @tormath1 I appreciate your help, truly. Thank you.
@igcherkaev I just came across this blogpost: https://kubernetes.io/blog/2022/12/02/seccomp-notifier/
Maybe you should give the SecComp notifier a try?
Thanks @tormath1 once again. So after reading that blog post, it feels like I am going to need https://kinvolk.io/blog/2022/03/bringing-seccomp-notify-to-runc-and-kubernetes ( https://github.com/kinvolk/seccompagent/blob/main/deploy/seccompagent.yaml ), which will produce the necessary logs. I'll give it a try!
@igcherkaev you might be interested in https://github.com/inspektor-gadget/inspektor-gadget/blob/main/docs/builtin-gadgets/audit/seccomp.md too.
Description
Unable to get auditd to log SECCOMP violations with Flatcar Linux's auditd.
Impact
We're enabling the default runtime seccomp profile by default on our Kubernetes workers running on Flatcar Linux. It looks like it's working, but to collect its potential impact we're trying to audit kernel events and capture SECCOMP messages, but no dice.
Environment and steps to reproduce
3.1. Enable auditd service as described at https://www.flatcar.org/docs/latest/setup/security/audit/
3.2. Remove 99-default.rules from /etc/audit/rules.d
3.3. Add a custom rule:
3.4. Reload auditd/reboot
3.5. Start a container with security context defined as:
3.6. Exec to the container and run:
Expected behavior
Expected to see
type=SECCOMP
lines in the audit log, but none are seen.
Additional information
I tried all kinds of rules, but have never seen any events logged with type=SECCOMP or 1326.
Is it me doing something wrong, or does containerd enforce seccomp policies somehow differently?
Thank you, and sorry if this is not Flatcar Linux's problem.
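As an added example (my code, not from the issue, Flatcar, containerd or the kernel), the block below models the decision the kernel makes in seccomp_log() in kernel/seccomp.c before it emits a type=SECCOMP (1326) record: the errno, trap, trace and user_notif actions are audited only when the action is listed in kernel.seccomp.actions_logged and the filter was loaded with SECCOMP_FILTER_FLAG_LOG, whereas log and kill actions need only the sysctl entry. A profile whose default action is SCMP_ACT_ERRNO therefore produces no audit record unless its filter was installed with that flag, regardless of the auditd rules in place. The second half parses constructed SECCOMP records, decoding the code= field into action and errno, so that denials can be attributed per process and syscall; the sample log lines and pids are constructed, not captured from a host.

```python
"""Model of when the kernel emits a type=SECCOMP (1326) audit record, plus a
parser for such records.  Added example for this issue, not code from Flatcar,
containerd or the kernel; constants are taken from <linux/seccomp.h>."""
import re
from collections import Counter

# Filter return values from <linux/seccomp.h>.  The audit record's code= field
# carries the whole 32-bit return value: the action in the top 16 bits and the
# data (e.g. the errno for SECCOMP_RET_ERRNO) in the low 16 bits.
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_KILL_THREAD = 0x00000000
SECCOMP_RET_TRAP = 0x00030000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_USER_NOTIF = 0x7FC00000
SECCOMP_RET_TRACE = 0x7FF00000
SECCOMP_RET_LOG = 0x7FFC0000
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_DATA = 0x0000FFFF

# Names exactly as they appear in /proc/sys/kernel/seccomp/actions_logged.
ACTION_NAMES = {
    SECCOMP_RET_KILL_PROCESS: "kill_process",
    SECCOMP_RET_KILL_THREAD: "kill_thread",
    SECCOMP_RET_TRAP: "trap",
    SECCOMP_RET_ERRNO: "errno",
    SECCOMP_RET_USER_NOTIF: "user_notif",
    SECCOMP_RET_TRACE: "trace",
    SECCOMP_RET_LOG: "log",
    SECCOMP_RET_ALLOW: "allow",
}

# Kernel default for actions_logged: every action except allow.
DEFAULT_ACTIONS_LOGGED = "kill_process kill_thread trap errno user_notif trace log"

# These actions are audited only if the filter was loaded with
# SECCOMP_FILTER_FLAG_LOG (the "requested" argument of seccomp_log()).
REQUIRES_FILTER_FLAG_LOG = {"trap", "errno", "user_notif", "trace"}


def action_name(code):
    """Map a filter return value to its actions_logged name; unknown actions
    fall back to kill_process, as the kernel's default case does."""
    return ACTION_NAMES.get(code & SECCOMP_RET_ACTION_FULL, "kill_process")


def will_audit(code, filter_flag_log, actions_logged=DEFAULT_ACTIONS_LOGGED):
    """Return True if seccomp_log() would call audit_seccomp() for this return
    value, given whether the filter set SECCOMP_FILTER_FLAG_LOG and the
    current kernel.seccomp.actions_logged string."""
    name = action_name(code)
    if name == "allow":
        return False
    if name not in actions_logged.split():
        return False
    if name in REQUIRES_FILTER_FLAG_LOG and not filter_flag_log:
        return False
    return True


ARCH_NAMES = {"c000003e": "x86_64", "c00000b7": "aarch64"}  # AUDIT_ARCH_* values
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_seccomp_record(line):
    """Parse one type=SECCOMP audit line into a dict; None for other types."""
    if not line.startswith("type=SECCOMP "):
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    code = int(rec["code"], 16)
    rec["action"] = action_name(code)
    rec["arch_name"] = ARCH_NAMES.get(rec.get("arch", ""), "unknown")
    # For errno, the low 16 bits are the errno handed back to the caller.
    rec["errno"] = code & SECCOMP_RET_DATA if rec["action"] == "errno" else None
    return rec


def summarize(lines):
    """Count denials (anything other than allow/log) per (comm, arch, syscall)
    so a workload's breakage can be attributed to specific seccomp decisions."""
    counts = Counter()
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec and rec["action"] not in ("allow", "log"):
            counts[(rec.get("comm", "?"), rec["arch_name"], rec["syscall"])] += 1
    return counts


# Constructed sample records (not captured from a real host).
SAMPLE_LOG = [
    'type=SECCOMP msg=audit(1678900000.101:301): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2311 comm="curl" exe="/usr/bin/curl" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1d3c2e0b5d code=0x50001',
    'type=SECCOMP msg=audit(1678900000.102:302): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2311 comm="curl" exe="/usr/bin/curl" sig=0 arch=c000003e syscall=41 compat=0 ip=0x7f1d3c2e0b5d code=0x50001',
    'type=SECCOMP msg=audit(1678900000.103:303): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=2330 comm="sh" exe="/bin/busybox" sig=0 arch=c000003e syscall=272 compat=0 ip=0x7f9a1b0c2a3e code=0x7ffc0000',
    'type=SYSCALL msg=audit(1678900000.104:304): arch=c000003e syscall=59 success=yes exit=0',
]

if __name__ == "__main__":
    for code, flag in [(SECCOMP_RET_ERRNO | 1, False), (SECCOMP_RET_ERRNO | 1, True), (SECCOMP_RET_LOG, False)]:
        print(f"{action_name(code):>12} filter_flag_log={flag!s:5} -> audited: {will_audit(code, flag)}")
    for (comm, arch, nr), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x comm={comm} arch={arch} syscall={nr}")
```

The current sysctl value can be read from /proc/sys/kernel/seccomp/actions_logged; will_audit() accepts that string directly, so the same function can be used to check a host's configuration against the action a given profile returns.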