zaz
A command-line tool to assist in assessing container security requirements and generating seccomp profiles.
zaz seccomp
This module focuses on the generation and validation of seccomp profiles.
zaz seccomp docker
Generate seccomp profiles based on executing a command on a docker image.
This command "brute forces" the profile generation by trying to remove all possible
syscalls, then consolidating all syscalls the command cannot be executed without.
zaz seccomp docker IMAGE COMMAND
# Calculates seccomp profile for a ping command inside an alpine image:
zaz seccomp docker alpine "ping -c5 8.8.8.8"
zaz seccomp application-binary
Generates seccomp profiles from the executable of an application.
Note that some container images may add further syscalls on top of what the application itself needs.
zaz seccomp BINARY_PATH
# Calculates seccomp profile from an application binary
zaz seccomp bin/webapi
Currently only golang binaries are supported.
zaz seccomp --log-file=/var/log/syslog 423
Generates seccomp profiles by assessing the kernel logs for a given process ID.
To get a profile based on process id 4325:
# Setting the syslog path (default is "/var/log/kern.log"):
zaz seccomp --log-file=/var/log/syslog 4325
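To show what log-based generation involves, the following added example (not zaz's own code) collects the syscalls that the kernel's seccomp audit records (type=1326) attribute to one process ID and emits a deny-by-default profile. The function name, the trimmed log lines and the abbreviated x86_64 syscall table are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed, trimmed kernel log sample; type=1326 marks a seccomp audit record.
const sampleLog = `kernel: audit: type=1326 audit(1700000000.101:10): uid=0 pid=4325 comm="ping" sig=0 arch=c000003e syscall=41 compat=0 code=0x7ffc0000
kernel: audit: type=1326 audit(1700000000.102:11): uid=0 pid=4325 comm="ping" sig=0 arch=c000003e syscall=44 compat=0 code=0x7ffc0000
kernel: audit: type=1326 audit(1700000000.103:12): uid=0 pid=4400 comm="sh" sig=0 arch=c000003e syscall=59 compat=0 code=0x7ffc0000
kernel: audit: type=1326 audit(1700000000.104:13): uid=0 pid=4325 comm="ping" sig=0 arch=c000003e syscall=44 compat=0 code=0x7ffc0000
kernel: audit: type=1326 audit(1700000000.105:14): uid=0 pid=4325 comm="ping" sig=0 arch=c000003e syscall=257 compat=0 code=0x7ffc0000`

// Assumption: a small subset of the x86_64 syscall table, enough for the sample only.
var x8664 = map[int]string{0: "read", 1: "write", 41: "socket", 44: "sendto", 45: "recvfrom"}
var rec = regexp.MustCompile(`type=1326 .*\bpid=(\d+) .*\barch=c000003e syscall=(\d+)`)
type rule struct { Names []string `json:"names"`; Action string `json:"action"` }
type profile struct { DefaultAction string `json:"defaultAction"`; Syscalls []rule `json:"syscalls"` }

// ProfileFromLog allows only syscalls logged for pid; unmapped numbers are returned, not dropped.
func ProfileFromLog(log string, pid int) (profile, []int) {
	names, unknown, seen := []string{}, []int{}, map[int]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := rec.FindStringSubmatch(line)
		if m == nil || m[1] != strconv.Itoa(pid) {
			continue // not an x86_64 seccomp record, or another process
		}
		if nr, _ := strconv.Atoi(m[2]); !seen[nr] { // digits guaranteed by the regexp
			seen[nr] = true
			if name, ok := x8664[nr]; ok {
				names = append(names, name)
			} else {
				unknown = append(unknown, nr)
			}
		}
	}
	sort.Strings(names)
	return profile{DefaultAction: "SCMP_ACT_ERRNO", Syscalls: []rule{{names, "SCMP_ACT_ALLOW"}}}, unknown
}

func main() {
	p, unknown := ProfileFromLog(sampleLog, 4325)
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Printf("%s\nunmapped syscall numbers: %v\n", out, unknown)
}
```

A profile built this way only covers the code paths the process exercised while it was being logged, so any unmapped numbers and rarely used paths need review before the profile is enforced.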
zaz seccomp verify path/profile.json
Validates a seccomp profile, returning a list of high-risk system calls being allowed.
zaz seccomp verify no-highrisk-profile.json
zaz seccomp template web
Returns a pre-defined seccomp profile for web applications.
zaz seccomp template web
License
Licensed under the MIT License. You may obtain a copy of the License here.