
zaz's Introduction

zaz

A command-line tool to assist in assessing container security requirements and generating seccomp profiles.


zaz seccomp

This module focuses on the generation and validation of seccomp profiles.

zaz seccomp docker

Generates seccomp profiles based on executing a command on a Docker image. This command "brute forces" the profile generation by trying to remove every possible syscall, then consolidating the syscalls the command cannot be executed without.

zaz seccomp docker IMAGE COMMAND 

# Calculates seccomp profile for a ping command inside an alpine image:
zaz seccomp docker alpine "ping -c5 8.8.8.8"

zaz seccomp application-binary

Generates seccomp profiles from the executable of an application. Note that, on top of what the application needs, some container images may add further syscalls.

zaz seccomp BINARY_PATH

# Calculates seccomp profile from an application binary
zaz seccomp bin/webapi

Currently only golang binaries are supported.

zaz seccomp --log-file=/var/log/syslog 423

Generates seccomp profiles by assessing the kernel logs for a given process ID.

To get a profile based on process id 4325:

# Setting the syslog path (default is "/var/log/kern.log"):
zaz seccomp --log-file=/var/log/syslog 4325

zaz seccomp verify path/profile.json

Validates a seccomp profile, returning a list of high-risk system calls being allowed.

zaz seccomp verify no-highrisk-profile.json
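
The kind of check described above, as an added example that is not zaz's own code: it reads a profile in the Docker/OCI seccomp JSON format and reports which high-risk syscalls it lets through, including the case where nothing names a call but `defaultAction` allows it. The `highRisk` list and the name `HighRiskAllowed` are assumptions for illustration; zaz's hard-coded list is not shown on this page.

```go
package main
import (
	"encoding/json"
	"fmt"
)

// Profile is the subset of the Docker/OCI seccomp JSON format needed here.
type Profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// Assumed high-risk set, for illustration only; zaz's hard-coded list is not shown on this page.
var highRisk = []string{"bpf", "kexec_load", "mount", "ptrace", "unshare"}

// HighRiskAllowed returns the entries of risky that the profile lets through:
// named in an allowing rule, or unnamed while defaultAction itself allows.
func HighRiskAllowed(raw []byte, risky []string) ([]string, error) {
	var p Profile
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("invalid profile: %w", err)
	}
	action := map[string]string{}
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			action[n] = rule.Action // simplification: "args" filters are ignored
		}
	}
	var out []string
	for _, n := range risky {
		a, named := action[n]
		if !named {
			a = p.DefaultAction // no rule: the default decides
		}
		if a == "SCMP_ACT_ALLOW" || a == "SCMP_ACT_LOG" { // LOG records the call but still runs it
			out = append(out, n)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample: deny by default, but ptrace is listed in the allow rule.
	sample := []byte(`{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","write","ptrace"],"action":"SCMP_ACT_ALLOW"}]}`)
	fmt.Println(HighRiskAllowed(sample, highRisk))
}
```

An empty result means none of the listed calls is reachable under the profile; passing a different `risky` slice is how a per-workload list would plug in.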

zaz seccomp template web

Returns a pre-defined seccomp profile for web applications.

zaz seccomp template web

License

Licensed under the MIT License. You may obtain a copy of the License here.

zaz's People

Contributors

pjbgf


zaz's Issues

Streamline command line options

The command line options could be improved to reduce the number of keywords that are needed. Example:

$ zaz seccomp docker alpine "echo hi"
$ zaz seccomp kube -f pod.yaml
$ zaz seccomp goapp/myexe
$ zaz seccomp --log-file=/var/log/syslog 423

For seccomp generation from executables, try to infer type (i.e. golang, dotnet, elf, etc.) so no new keywords are needed.

Add option to append syscalls to existing profile

zaz always returns a fresh new profile. It would be handy for automatic profile generation to return the existing profile merged with the new syscalls found.

This behaviour could be enabled by using a new flag.

Allow users to configure high-risk calls

The current implementation has a hard-coded list of high-risk calls.
Users using the feature to validate profiles on automated processes may benefit from being able to define what calls are defined as high-risk for their workloads.
