github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/builtin-gadgets/audit/seccomp.md

---
title: 'Using audit seccomp'
weight: 20
description: >
  Trace syscalls that seccomp sent to the audit log.
---

The audit seccomp gadget provides a stream of events for syscalls whose seccomp
filter generated an audit log entry. An audit log entry is generated under one
of these two conditions:

* The Seccomp profile has the flag `SECCOMP_FILTER_FLAG_LOG` (currently
  [unsupported by runc](https://github.com/opencontainers/runc/pull/3390)) and
  returns any action other than `SECCOMP_RET_ALLOW`.
* The Seccomp profile does not have the flag `SECCOMP_FILTER_FLAG_LOG` but
  returns `SCMP_ACT_LOG` or `SCMP_ACT_KILL*`.

### On Kubernetes

* Install the Seccomp Operator.

* Install a SeccompProfile that logs the `mkdir` and `unshare` syscalls.

```yaml
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: log
  annotations:
    description: "Log some syscalls"
spec:
  defaultAction: SCMP_ACT_ALLOW
  syscalls:
  - action: SCMP_ACT_KILL
    names:
    - unshare
  - action: SCMP_ACT_LOG
    names:
    - mkdir
```

* Start a pod with that SeccompProfile.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/default/log.json
  restartPolicy: Never
  containers:
  - name: container1
    image: busybox
    command: ["sh"]
    args: ["-c", "sleep infinity"]
```

* Start the audit-seccomp gadget.

```bash
$ kubectl gadget audit seccomp -o columns=k8s.namespace,k8s.pod,syscall,code
K8S.NAMESPACE    K8S.POD          SYSCALL          CODE
```

* In another terminal, execute the aforementioned syscalls in the pod.

```bash
$ kubectl exec -ti mypod -- /bin/sh
/ # mkdir /tmp/dir42 ; unshare -i
Bad system call (core dumped)
```

* Observe the syscalls logged by seccomp in the first terminal.

```
K8S.NAMESPACE    K8S.POD          SYSCALL          CODE
default          mypod            mkdir            log
default          mypod            unshare          kill_thread
```

### With `ig`

* Prepare a Seccomp Profile.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "action": "SCMP_ACT_KILL",
      "names": [
        "unshare"
      ]
    }
  ]
}
```

* Start the audit-seccomp gadget.

```bash
$ sudo ig audit seccomp -r docker
RUNTIME.CONTAINERNAME                              PID        COMM             SYSCALL     CODE
```

* In another terminal, start a container and run unshare.

```bash
$ docker run -ti --rm --security-opt seccomp=profile.json ubuntu
# unshare -i
Bad system call (core dumped)
```

* Observe the syscalls logged by seccomp in the first terminal.

```bash
$ sudo ig audit seccomp -r docker
RUNTIME.CONTAINERNAME                              PID        COMM             SYSCALL     CODE
eager_mclean                                       231712     unshare          unshare     kill_thread
```
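
The CODE column in both outputs above is the seccomp return action, which the kernel also writes into its own audit record (`audit: type=1326 ...` in dmesg, `type=SECCOMP` under auditd). The following Python is an added example, not code from Inspektor Gadget, that decodes such a record into the same pid/comm/syscall/code view; the sample records are constructed, and the action names and x86_64 syscall numbers are assumptions taken from the Linux headers.

```python
import re

# seccomp return-action constants from <linux/seccomp.h>: the high 16 bits
# select the action, the low 16 bits (SECCOMP_RET_DATA) carry filter data
# such as the errno value for SECCOMP_RET_ERRNO.
SECCOMP_RET_ACTION_FULL = 0xFFFF0000
SECCOMP_RET_DATA = 0x0000FFFF
ACTION_NAMES = {
    0x80000000: "kill_process", 0x00000000: "kill_thread", 0x00030000: "trap",
    0x00050000: "errno", 0x7FC00000: "user_notif", 0x7FF00000: "trace",
    0x7FFC0000: "log", 0x7FFF0000: "allow",
}
# x86_64 syscall numbers for the two syscalls this page exercises
# (assumption: records come from an x86_64 host, arch=c000003e).
SYSCALL_NAMES_X86_64 = {83: "mkdir", 272: "unshare"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_action(code):
    """Split a seccomp return value into (action name, 16-bit data)."""
    action = code & SECCOMP_RET_ACTION_FULL
    return ACTION_NAMES.get(action, f"unknown_{action:#010x}"), code & SECCOMP_RET_DATA

def parse_seccomp_record(line):
    """Turn a type=1326 (SECCOMP) kernel audit record into a dict with the
    pid/comm/syscall/code columns; returns None for any other record type."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") not in ("1326", "SECCOMP"):
        return None
    action, data = decode_action(int(fields["code"], 16))
    nr = int(fields["syscall"])
    return {"pid": int(fields["pid"]), "comm": fields["comm"],
            "syscall": SYSCALL_NAMES_X86_64.get(nr, str(nr)),
            "code": action, "data": data}

def events_from_log(lines):
    # Keep only the seccomp audit events from a stream of mixed audit records.
    return [e for e in map(parse_seccomp_record, lines) if e is not None]

# Constructed sample records (not captured from a real host) matching the
# scenario above: mkdir hit an SCMP_ACT_LOG rule, unshare an SCMP_ACT_KILL rule.
SAMPLE_RECORDS = [
    'audit: type=1326 audit(1700000000.100:42): auid=4294967295 uid=0 gid=0 '
    'ses=4294967295 pid=231700 comm="mkdir" exe="/bin/busybox" sig=0 '
    'arch=c000003e syscall=83 compat=0 ip=0x7f00deadbeef code=0x7ffc0000',
    'audit: type=1326 audit(1700000000.200:43): auid=4294967295 uid=0 gid=0 '
    'ses=4294967295 pid=231712 comm="unshare" exe="/usr/bin/unshare" sig=31 '
    'arch=c000003e syscall=272 compat=0 ip=0x7f00deadbeef code=0x0',
    'audit: type=1300 audit(1700000000.300:44): arch=c000003e syscall=59 success=yes',
]
```

Because `SCMP_ACT_KILL` maps to `SECCOMP_RET_KILL_THREAD` (code 0x0), a killed `unshare` decodes to `kill_thread`, which is exactly the value the gadget printed above.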