Lab - Seccomp

  • Take me to the Lab

Solutions to Lab - Seccomp:

  1. Which of the following commands/tools can be used to trace syscalls?
    • getcap
    • tcpdump
    • strace
    • getpcap
    Reveal
    • strace - short for "syscall trace"; it records every system call a process makes, and `strace -c` summarises them by count.
  2. Which syscall is NOT made by the command ls /root?

    Try it out for yourself using strace.

    strace -c ls /root
    • execve
    • connect
    • read
    • access
    Reveal
    • connect - This call is used for connecting network sockets - not required to list a local directory.
  3. For answering the next question, open a new terminal on the controlplane node by clicking on the + button next to Terminal 1. Next, on this new terminal, run the Tracee tool as a container, with the appropriate flags to detect syscalls from new containers.

    On the controlplane node, run:

    kubectl apply -f /root/tracee-deployment.yaml
    

    After the pod becomes ready, stream the logs using the command below:

    kubectl logs -f $(kubectl get pods -l=io.kompose.service=tracee -o custom-columns=":metadata.name" --no-headers)
    

    Tracee is now running as a pod in the cluster and is listening for events. Switch to the second terminal to run the commands in the following questions, and switch back to see the Tracee output when needed.

  4. We have just scheduled a new pod. What is the command run by the container inside this pod?

    Inspect the pod called hello

    Reveal
    • echo hello
  5. What is the current status of the pod called hello?
    kubectl get pod hello
    
    Reveal
    • Completed
  6. Observe the output captured by the tracee container.

    Which was the last syscall that was generated by the container that ran the message echo hello?

    Switch back to the terminal where you left the Tracee log output running and examine the EVENT column.

    Reveal
    • sched_process_exit
  7. A seccomp profile file called custom-profile.json has been placed under /root directory.

    What type of a profile is this?

    Reveal
    • whitelist type profile - the defaultAction denies everything, and only the syscalls explicitly listed with SCMP_ACT_ALLOW can ever be used.
  8. Another seccomp profile file called relaxed-profile.json has been placed under the /root directory.

    What is the default action set in this profile?

    Reveal

    Check the value of the defaultAction key at the top of the file.

    • SCMP_ACT_ALLOW - everything is permitted unless a listed rule says otherwise, which is the opposite of the whitelist profile in the previous question.
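    The two previous questions come down to reading the defaultAction of a profile and the action attached to its syscall rules. The script below, an added example that is not part of the lab and does not reproduce the lab's custom-profile.json or relaxed-profile.json, classifies a profile as whitelist, blacklist or audit and answers "would this syscall be allowed?" for it. The three profiles embedded in it are constructed for illustration; run it against real files with `python3 classify.py /root/custom-profile.json /root/relaxed-profile.json`. It assumes the common case of no conflicting rules for the same syscall name.

```python
import json
import sys

# Constructed sample profiles (not the lab's files).
# Whitelist: deny by default, allow only the listed syscalls.
WHITELIST_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit", "exit_group", "execve", "brk",
                   "mmap", "munmap", "access", "arch_prctl", "rt_sigaction"],
         "action": "SCMP_ACT_ALLOW"}
    ],
})

# Relaxed / blacklist: allow by default, block a handful of dangerous calls.
RELAXED_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["mount", "umount2", "reboot", "kexec_load"],
         "action": "SCMP_ACT_ERRNO"}
    ],
})

# Audit style: log every syscall, deny nothing.
AUDIT_PROFILE = json.dumps({"defaultAction": "SCMP_ACT_LOG"})

# Actions that stop the syscall from succeeding.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def classify_profile(text):
    """Return 'whitelist', 'blacklist', 'audit', 'allow-all' or 'unknown'."""
    prof = json.loads(text)
    default = prof.get("defaultAction")
    rules = prof.get("syscalls", [])
    if default in DENY_ACTIONS:
        # Everything not explicitly allowed is blocked.
        return "whitelist"
    if default == "SCMP_ACT_LOG":
        return "audit"
    if default == "SCMP_ACT_ALLOW":
        # Allow by default; only a blacklist if some rule actually denies.
        blocks = any(r.get("action") in DENY_ACTIONS for r in rules)
        return "blacklist" if blocks else "allow-all"
    return "unknown"


def syscall_action(text, name):
    """Action applied to syscall `name`: the first rule naming it, else defaultAction.
    Assumes no two rules list the same syscall with different actions."""
    prof = json.loads(text)
    for rule in prof.get("syscalls", []):
        if name in rule.get("names", []):
            return rule.get("action")
    return prof.get("defaultAction")


def syscall_allowed(text, name):
    """True if the syscall would succeed (allowed or merely logged)."""
    return syscall_action(text, name) not in DENY_ACTIONS


if __name__ == "__main__":
    # Usage: python3 classify.py profile1.json [profile2.json ...]
    for path in sys.argv[1:]:
        with open(path) as fh:
            body = fh.read()
        print(f"{path}: {classify_profile(body)}, "
              f"connect -> {syscall_action(body, 'connect')}")
```

    Note that SCMP_ACT_LOG only records the call and still lets it through, so an audit profile gives visibility but no enforcement; that is exactly why audit.json is a safe first step before switching to a whitelist.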
  9. What is the default Seccomp profile location in this cluster?

    The default location for seccomp profiles is the seccomp subdirectory of the kubelet root directory on each node, normally:

    /var/lib/kubelet/seccomp
    
  10. Create a new pod called audit-nginx using the nginx image and make use of the audit.json seccomp profile in the pod's security context

    The audit.json file is already present in the default seccomp profile path in the controlplane node.

    Reveal

    Locate the profile JSON file:

    ls -l /var/lib/kubelet/seccomp/profiles/
    

    Profile paths in manifests are specified relative to the kubelet's default profile directory (/var/lib/kubelet/seccomp), so profiles/audit.json here resolves to /var/lib/kubelet/seccomp/profiles/audit.json on the node.

    apiVersion: v1
    kind: Pod
    metadata:
      labels:
        run: nginx
      name: audit-nginx
    spec:
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: profiles/audit.json
      containers:
      - image: nginx
        name: nginx
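    Two details of the manifest above are easy to get wrong: localhostProfile is resolved relative to the kubelet's seccomp directory (an absolute path or a `..` escape is invalid), and a container-level securityContext.seccompProfile silently overrides the pod-level one. The script below, an added example that is not part of the lab, encodes those rules and reports the effective profile per container. The pod is constructed inline as a dict (the audit-nginx pod from the answer, plus a hypothetical second container that opts out with Unconfined); the kubelet root is assumed to be /var/lib/kubelet/seccomp as stated in the previous question, and the fallback when neither level sets a profile assumes the kubelet's SeccompDefault feature is off.

```python
import posixpath

# Assumed kubelet seccomp root for this cluster (from question 9).
KUBELET_SECCOMP_ROOT = "/var/lib/kubelet/seccomp"

# Constructed pod: the audit-nginx answer plus a hypothetical sidecar that
# overrides the pod-level profile with Unconfined.
AUDIT_NGINX_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "audit-nginx", "labels": {"run": "nginx"}},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "Localhost",
                               "localhostProfile": "profiles/audit.json"}
        },
        "containers": [
            {"name": "nginx", "image": "nginx"},
            {"name": "sidecar", "image": "busybox",
             "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
        ],
    },
}


def effective_profile(pod, container_name):
    """Container-level seccompProfile wins over pod-level.
    With neither set, assume no profile (Unconfined) because the kubelet
    SeccompDefault feature is assumed off."""
    spec = pod["spec"]
    for c in spec["containers"]:
        if c["name"] == container_name:
            ctr = c.get("securityContext", {}).get("seccompProfile")
            if ctr:
                return ctr
            pod_level = spec.get("securityContext", {}).get("seccompProfile")
            return pod_level or {"type": "Unconfined"}
    raise KeyError(f"no container named {container_name}")


def resolve_localhost_path(profile, root=KUBELET_SECCOMP_ROOT):
    """Absolute on-node path of a Localhost profile.
    Rejects empty, absolute, or directory-escaping localhostProfile values."""
    if profile.get("type") != "Localhost":
        raise ValueError("not a Localhost profile")
    rel = profile.get("localhostProfile", "")
    if not rel or rel.startswith("/"):
        raise ValueError("localhostProfile must be a non-empty relative path")
    full = posixpath.normpath(posixpath.join(root, rel))
    if not full.startswith(root + "/"):
        raise ValueError("localhostProfile escapes the seccomp root")
    return full


def audit_pod(pod, root=KUBELET_SECCOMP_ROOT):
    """Map container name -> (profile type, resolved path or None)."""
    report = {}
    for c in pod["spec"]["containers"]:
        prof = effective_profile(pod, c["name"])
        path = resolve_localhost_path(prof, root) if prof["type"] == "Localhost" else None
        report[c["name"]] = (prof["type"], path)
    return report


if __name__ == "__main__":
    for name, (ptype, path) in audit_pod(AUDIT_NGINX_POD).items():
        print(f"{name}: {ptype} {path or ''}")
```

    After applying the real manifest, the cluster-side equivalent of this check is `kubectl get pod audit-nginx -o jsonpath='{.spec.securityContext.seccompProfile}'` for the pod level and `{.spec.containers[*].securityContext.seccompProfile}` for any container overrides; if the named file is missing on the node the pod stays in CreateContainerError rather than starting unconfined.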