Solutions to Lab - Seccomp:
- strace is a tool that traces the system calls a process makes. Which syscall is NOT made by the command ls /root?
Run $ strace -c ls /root and inspect the summary table (strace -c counts each syscall instead of printing every call; the summary is written to stderr). ls only reads a local directory and never opens a network socket, so connect does not appear in the summary.
- For the next question, open a new terminal, ssh to node01 and run the Tracee tool as a container with the flag that restricts tracing to newly started containers (--trace container=new), so that only the syscalls of the pod you are about to create are reported.
Run $ ssh node01
$ docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:slim-0.5.0 --trace container=new
Tracee needs --privileged plus read-only access to the host kernel headers and modules to build and load its eBPF programs; /tmp/tracee is where it keeps the built objects. Leave this terminal open: Tracee prints events as they happen.
- What is the command run by the container inside the pod named hello?
Open a new terminal and run $ kubectl describe pod hello, then look at the Command/Args of the container: echo hello
- What is the current status of the pod called hello?
The container printed its message and exited, so the pod is in the Completed state. Confirm with $ kubectl get pods and check the STATUS column of the hello pod.
- Observe the output captured by the Tracee container on node01. Which was the last syscall that was generated by the container that ran the message echo hello?
sched_process_exit. Strictly speaking this is a scheduler tracepoint that Tracee reports alongside syscalls rather than a syscall itself; it marks the container's process exiting after echo finished.
- A seccomp profile file called custom-profile.json has been placed under /root in node01. What type of a profile is this?
A whitelist (allow-list) profile: the default action blocks every syscall that is not named in the syscalls list with SCMP_ACT_ALLOW, so exactly and only the specified syscalls can ever be used by the container.
- Another seccomp profile file called relaxed-profile.json has been placed under /root in node01. What is the default action set in this profile?
Check the value of the defaultAction field inside the file: SCMP_ACT_ALLOW. Every syscall is allowed unless a rule in the syscalls list says otherwise, which makes this a blacklist-style profile.
- What is the default seccomp profile location in this cluster?
/var/lib/kubelet/seccomp. This is the kubelet's seccomp root; a Localhost profile name in a pod spec is resolved relative to this directory. Inspect it with $ cd /var/lib/kubelet/seccomp
- Create a new pod called audit-nginx using the nginx image and make use of the audit.json seccomp profile in the pod's security context. The pod should run on node01. The audit.json file is already present in the default seccomp profile path in node01.
Answer: /var/answers/audit-nginx.yaml (set spec.securityContext.seccompProfile to type Localhost with localhostProfile audit.json, and pin the pod to node01 with nodeName)
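An added example of the manifest this task asks for, written here rather than taken from the lab's /var/answers/audit-nginx.yaml. It assumes the seccomp root is /var/lib/kubelet/seccomp (as found in the previous question), that audit.json on node01 is a log-everything profile with defaultAction SCMP_ACT_LOG (a typical shape for a profile with that name, not something read from the lab file), and a cluster new enough (v1.19+) for the securityContext.seccompProfile field.

```shell
#!/bin/sh
# Added example, not the lab's answer file: render (and optionally apply)
# the audit-nginx pod manifest that uses a Localhost seccomp profile.
SECCOMP_ROOT=/var/lib/kubelet/seccomp   # kubelet's seccomp root (assumption: cluster default)

# What an "audit" profile looks like: SCMP_ACT_LOG lets every syscall through
# but records it, so the pod runs normally while you collect what it needs.
# This is an assumed shape, not the contents of the lab's audit.json.
audit_profile() {
  cat <<'EOF'
{
  "defaultAction": "SCMP_ACT_LOG"
}
EOF
}

# Pod manifest. localhostProfile is a path relative to the seccomp root
# (the API server rejects absolute paths), and nodeName pins the pod to
# node01, where the profile file actually lives.
audit_nginx_manifest() {
  profile=${1:-audit.json}
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: audit-nginx
spec:
  nodeName: node01
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: $profile
  containers:
  - name: nginx
    image: nginx
EOF
}

# Sanity check before applying: Localhost type, and a profile name that is
# relative (no leading slash), which is the mistake that gets the pod rejected.
manifest_ok() {
  printf '%s\n' "$1" | grep -q 'type: Localhost' &&
  printf '%s\n' "$1" | grep -q 'localhostProfile: [^/]'
}

# Only talk to the cluster when explicitly asked: ./script.sh apply
if [ "${1:-}" = apply ]; then
  m=$(audit_nginx_manifest audit.json)
  manifest_ok "$m" || { echo "bad manifest" >&2; exit 1; }
  printf '%s\n' "$m" | kubectl apply -f -
  # Logged syscalls show up in node01's kernel log as audit records of
  # type 1326 (SECCOMP), e.g.: ssh node01 'dmesg | grep "type=1326"'
fi
```

After the pod is Running, the kernel log on node01 shows one type=1326 record per logged syscall, each carrying the syscall number, the comm (nginx) and the PID; collecting those is the first step towards a whitelist profile for nginx. SCMP_ACT_LOG needs a kernel with the audit subsystem enabled and seccomp logging support (4.14 or later); on an older kernel the pod still starts, but nothing is recorded.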