A command-line tool to assist in assessing container security requirements and generating seccomp profiles.
This module focuses on the generation and validation of seccomp profiles.
Generates a seccomp profile by executing a command inside a Docker image. This command "brute forces" the profile generation: it tries to remove every syscall in turn, then consolidates the syscalls the command cannot run without.
```bash
zaz seccomp docker IMAGE COMMAND

# Calculates the seccomp profile for a ping command inside an alpine image:
zaz seccomp docker alpine "ping -c5 8.8.8.8"
```
Generates a seccomp profile from an application's executable. Note that, on top of what the application itself needs, some container images may require additional syscalls.
```bash
zaz seccomp BINARY_PATH

# Calculates the seccomp profile from an application binary:
zaz seccomp bin/webapi
```
Currently only Go (golang) binaries are supported.
Generates a seccomp profile by assessing the kernel's logs for a given process ID.

To get a profile based on process ID 4325:

```bash
# Setting the syslog path (default is "/var/log/kern.log"):
zaz seccomp --log-file=/var/log/syslog 4325
```
Validates a seccomp profile, returning the list of high-risk system calls it allows.
```bash
zaz seccomp verify no-highrisk-profile.json
```
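As an added illustration of what such a verification looks at (example code written for this page, not zaz's own implementation): the check parses the Docker/OCI seccomp profile JSON and reports which syscalls from a high-risk list the profile still permits, taking `defaultAction` into account so that an allow-by-default profile is flagged correctly. The `highRisk` list and `sampleProfile` are constructed assumptions, not zaz's values.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the Docker/OCI seccomp profile format needed for the check.
type seccompProfile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}
// Constructed, illustrative high-risk list (an assumption, not zaz's own list).
var highRisk = []string{"init_module", "kexec_load", "mount", "ptrace", "reboot", "setns", "unshare"}

// AllowedHighRisk returns the high-risk syscalls the profile permits. With a SCMP_ACT_ALLOW
// default every unlisted syscall is permitted; otherwise only rules with SCMP_ACT_ALLOW permit.
func AllowedHighRisk(profileJSON []byte) ([]string, error) {
	var p seccompProfile
	if err := json.Unmarshal(profileJSON, &p); err != nil {
		return nil, err
	}
	explicit := map[string]string{} // syscall name -> action of the rule naming it
	for _, rule := range p.Syscalls {
		for _, name := range rule.Names {
			explicit[name] = rule.Action
		}
	}
	var out []string
	for _, name := range highRisk {
		action := p.DefaultAction // unlisted syscalls fall through to the default
		if a, listed := explicit[name]; listed {
			action = a
		}
		if action == "SCMP_ACT_ALLOW" {
			out = append(out, name)
		}
	}
	return out, nil
}
// Constructed sample: a deny-by-default profile that still allows ptrace and unshare.
const sampleProfile = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","write","ptrace","unshare"],"action":"SCMP_ACT_ALLOW"}]}`

func main() {
	fmt.Println(AllowedHighRisk([]byte(sampleProfile))) // [ptrace unshare] <nil>
}
```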
Returns a pre-defined seccomp profile for web applications.
```bash
zaz seccomp template web
```
Licensed under the MIT License. You may obtain a copy of the License here.