This project forked from openuado/cerber

A straightforward command-line tool for generating a seccomp JSON file

Home Page: https://pypi.python.org/pypi/cerber

Cerber

A straightforward command-line tool for generating a seccomp JSON profile

Overview

Seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. Seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

Seccomp profiles are used by many applications, such as:

  • docker
  • firefox
  • systemd
  • openssh
  • chrome
  • and more...

Cerber helps you generate a seccomp profile that you can use with Docker, for example.

Prerequisites

  • Linux
  • Python 3.5+
  • strace

Install

$ pip install cerber

Usage

Generate a seccomp_profile.json in your current directory:

$ cerber docker run hello-world
$ ls
seccomp_profile.json
$ cat seccomp_profile.json
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architecture": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "read"
        },
        ...
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "execve"
        },
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "arch_prctl"
        }
    ]
}

Now you can assign this seccomp profile to your container at run time:

$ docker run \
--rm \
--security-opt="no-new-privileges" \
--security-opt seccomp=seccomp_profile.json \
hello-world # you can get the following output for docker hello world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
...
For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Be careful to generate the seccomp profile with cerber on the same CPU architecture as your production environment (where you want to run your container).

Features

  • detect syscalls
  • generate seccomp profile from detected syscalls
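
The two features above, sketched as an added example (this is not cerber's own code): syscall names are pulled from strace-style output and turned into a deny-by-default profile with the same layout as the sample output in Usage. The function names and the sample trace are constructed for illustration, and the architecture list is copied from that sample output.

```python
import json
import re

# Syscall name at the start of an strace line, after an optional PID prefix
# ("[pid 123] " or "123 ") as written by `strace -f`.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")


def detect_syscalls(strace_lines):
    """Return observed syscall names in first-seen order, without duplicates.

    Signal lines ("--- SIG... ---"), exit lines ("+++ exited ... +++") and
    "<... name resumed>" continuations do not match and are skipped; the
    name of a resumed call was already taken from its "<unfinished ...>" line.
    """
    seen = []
    for line in strace_lines:
        match = SYSCALL_RE.match(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def build_profile(syscalls):
    """Deny everything by default and allow only the observed syscalls."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        # Key name and values copied from the README's sample output.
        "architecture": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {"action": "SCMP_ACT_ALLOW", "args": [], "name": name}
            for name in syscalls
        ],
    }


# Constructed sample trace (not captured from a real run).
SAMPLE_TRACE = """\
execve("/hello", ["/hello"], 0x7ffd... /* 3 vars */) = 0
[pid 4242] write(1, "Hello from Docker!\\n", 19 <unfinished ...>
[pid 4243] arch_prctl(ARCH_SET_FS, 0x4c3f18) = 0
[pid 4242] <... write resumed>) = 19
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
read(3, "", 4096) = 0
+++ exited with 0 +++
""".splitlines()

if __name__ == "__main__":
    print(json.dumps(build_profile(detect_syscalls(SAMPLE_TRACE)), indent=4))
```

A trace only records the syscalls on code paths that were actually exercised, so anything the program does later that was not seen during tracing fails under the profile's default SCMP_ACT_ERRNO action.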

Contribute

$ git clone https://github.com/gr0und-s3ct0r/cerber
$ cd cerber
$ pipenv install pbr
$ pipenv shell # generate a virtual environment
$ python setup.py develop # install cerber in development mode
$ pip install -e .[test] # install testing dependencies
$ # make your changes
$ tox

Contributors

  • 4383
  • dj4ngo
