Gadget audit-seccomp

    The Audit Seccomp gadget streams one event for each syscall whose seccomp filter generated an audit log. An audit log is generated under either of the following two conditions:

    • The Seccomp profile has the flag SECCOMP_FILTER_FLAG_LOG (currently unsupported by runc) and returns any action other than SECCOMP_RET_ALLOW.
    • The Seccomp profile does not have the flag SECCOMP_FILTER_FLAG_LOG but returns SCMP_ACT_LOG or SCMP_ACT_KILL*.
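
    The two conditions above can be checked against a profile before deploying it. The following is an added example, not code from the gadget or its project: it assumes a profile in the OCI runtime-spec JSON layout (defaultAction, flags, syscalls), uses a constructed sample profile and hypothetical function names, and treats rules with per-argument conditions as always matching.

```python
import json

LOG_FLAG = "SECCOMP_FILTER_FLAG_LOG"

# Constructed sample profile (OCI runtime-spec layout is an assumption).
SAMPLE_PROFILE = """
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["unshare", "mount"], "action": "SCMP_ACT_LOG"},
    {"names": ["ptrace"], "action": "SCMP_ACT_KILL_PROCESS"},
    {"names": ["chmod"], "action": "SCMP_ACT_ERRNO"}
  ]
}
"""

def action_is_audited(action, log_flag):
    """Apply the two audit-log conditions to a single seccomp action."""
    if log_flag:
        # Condition 1: flag set, every action except ALLOW is logged.
        return action != "SCMP_ACT_ALLOW"
    # Condition 2: flag not set, only LOG and the KILL* actions are logged.
    return action == "SCMP_ACT_LOG" or action.startswith("SCMP_ACT_KILL")

def audited_syscalls(profile_json, force_log_flag=False):
    """Report which rules of a profile would produce audit-seccomp events.

    force_log_flag (hypothetical parameter) evaluates the profile as if
    SECCOMP_FILTER_FLAG_LOG were set, to compare both conditions.
    """
    profile = json.loads(profile_json)
    log_flag = force_log_flag or LOG_FLAG in (profile.get("flags") or [])
    audited = {}
    for rule in profile.get("syscalls") or []:
        if action_is_audited(rule["action"], log_flag):
            for name in rule.get("names", []):
                audited[name] = rule["action"]
    return {
        "log_flag": log_flag,
        # True means every syscall not matched by a rule also emits an event.
        "default_audited": action_is_audited(profile["defaultAction"], log_flag),
        "syscalls": audited,
    }

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, audited_syscalls(SAMPLE_PROFILE, force_log_flag=flag))
```

    With the sample profile as written, only the SCMP_ACT_LOG and SCMP_ACT_KILL_PROCESS rules produce events; the SCMP_ACT_ERRNO rule and the SCMP_ACT_ERRNO default stay silent unless the flag is set.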

    Example CR

    apiVersion: gadget.kinvolk.io/v1alpha1
    kind: Trace
    metadata:
      name: audit-seccomp
      namespace: gadget
    spec:
      node: minikube
      gadget: audit-seccomp
      runMode: Manual
      outputMode: Stream
    

    Operations

    start

    Start audit seccomp

    $ kubectl annotate -n gadget trace/audit-seccomp \
        gadget.kinvolk.io/operation=start
    

    stop

    Stop audit seccomp

    $ kubectl annotate -n gadget trace/audit-seccomp \
        gadget.kinvolk.io/operation=stop
    

    Output Modes

    • Stream