Command line tool to generate secure computing mode
Project description
A straightforward command line tool for generate seccomp json profile
Overview
Seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. Seccomp allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system’s resources but isolates the process from them entirely.
Seccomp profile is used with by a lot of applications like:
docker
firefox
systemd
openssh
chrome
and more…
Cerber help you to generate seccomp profile that you can use with docker per example.
Prerequisites
Linux
Python3.5+
Strace
Install
$ pip install cerberUsage
Generate a seccomp_profile.json in your current directory:
$ cerber docker run hello-world
$ ls
seccomp_profile.json
$ cat seccomp_profile.json
{
"defaultAction": "SCMP_ACT_ERRNO",
"architecture": [
"SCMP_ARCH_X86_64",
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
],
"syscalls": [
{
"action": "SCMP_ACT_ALLOW",
"args": [],
"name": "read"
},
...
{
"action": "SCMP_ACT_ALLOW",
"args": [],
"name": "execve"
},
{
"action": "SCMP_ACT_ALLOW",
"args": [],
"name": "arch_prctl"
}
]
}Now you can assign this seccomp profile to your container at run:
$ docker run \
--rm \
--security-opt="no-new-privileges" \
--security-opt seccomp=seccomp_profile.json \
hello-world # you can get the following output for docker hello world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
...
For more examples and ideas, visit:
https://docs.docker.com/engine/userguide/Becareful to generate seccomp profile with cerber on the same cpu architecture that your production environment (where you want run your container).
Features
detect syscalls
generate seccomp profile from detected syscalls
Contribute
$ git clone https://github.com/gr0und-s3ct0r/cerber
$ cd cerber
$ pipenv install pbr
$ pipenv shell # generate a virtual environment
$ python setup.py develop # install cerber in development mode
$ pip install -e .[test] # install testing dependencies
$ # make your changes
$ toxFurther readings
CHANGES
0.2.0
install from pypi
fix license classifier
update changelog
0.1.0
adding build badge
fix pep8 errors
ignore pyc
fix pep8 errors
adding overview about seccomp
adding further readings
example on how to use security profil
fix filename output on documentation
fix install
fix contribute guide
update usage with seccomp.json file generated
use restructuredText for readme instead of markdown
packaging + TU + CI
introduce CI
keep strace statistics
add gitignore
rename tmpfile and create seccomp profile in a file
do not touch stdout and stderr to be transparent on execution
further reading and contributors
update doc with command
pass command to execute to bouncer
improve usage
rename tool
initialize repository
Hervé Beraud <herveberaud.pro@gmail.com> Sebastien Boyron <sebastien@boyron.eu>
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cerber-0.3.0-py2.py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 33e8648fd82254b98a01ac3fe47894318d078cee4a7d7dd2c164e9c4ec4ac9a9 |
|
| MD5 | e3076b539df4d100d0cf8f7046b1048d |
|
| BLAKE2b-256 | a59739225ba8bee90b190e4ba92bf8a5fada7d7e87c986466a4cd9e28a1a79e8 |
