We would like to add this functionality similar to oci-seccomp-bpf-hook and allow users to gather this information about capabilities as well as syscalls.
We kind of like the idea of learning mode, where the container can run in production mode for a few months gathering all of the capabilities. Once users are happy with the container, then they can switch it to enforcing mode, and only allow the previously gathered capabilities (or syscalls). Now I would want to keep the scanner going to watch for failed capabilities.
I even think this would be a good debugging code to allow users to figure out why a container is getting permission denied.
Currently seccomp and SELinux at least print messages in the audit.log when something is denied; there is no such mechanism for Capabilities.
Where is the output of this tool written? Can you run it in permissive mode?
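As an added illustration of the learning-then-enforcing flow sketched above (example code written for this page, not from this issue, oci-seccomp-bpf-hook or the bcc project): it parses constructed trace lines in a column layout assumed to match the bcc `capable` tool (TIME UID PID COMM CAP NAME AUDIT), builds the allow list from the learning run, renders it as podman `--cap-drop`/`--cap-add` flags, and, in enforcing mode, reports any capability that was used but never learned.

```python
import re

# Constructed sample output in the assumed layout of bcc's "capable" tool.
# AUDIT=1 means the kernel treated the check as a real requirement; AUDIT=0
# rows are non-audited probes and are excluded from the allow list by default.
LEARNING_TRACE = """\
12:00:01  0      4242   nginx            12   CAP_NET_ADMIN        1
12:00:01  0      4242   nginx            10   CAP_NET_BIND_SERVICE 1
12:00:02  0      4243   nginx            10   CAP_NET_BIND_SERVICE 1
12:00:05  0      4250   nginx            27   CAP_MKNOD            0
"""

# Constructed trace from a later enforcing-mode run of the same container.
ENFORCING_TRACE = """\
12:30:00  0      5001   nginx            10   CAP_NET_BIND_SERVICE 1
12:30:01  0      5001   nginx            21   CAP_SYS_ADMIN        1
"""

# TIME UID PID COMM CAP NAME AUDIT; only NAME and AUDIT are captured.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d+\s+\S+\s+\d+\s+(CAP_\w+)\s+(\d)\s*$")


def parse_caps(trace, audited_only=True):
    """Return the set of capability names seen in a trace."""
    caps = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or malformed line
        name, audited = m.group(1), m.group(2) == "1"
        if audited_only and not audited:
            continue
        caps.add(name)
    return caps


def allow_list(trace):
    """Learning mode: the sorted set of capabilities the workload actually needed."""
    return sorted(parse_caps(trace))


def podman_flags(caps):
    """Render an allow list as podman run flags (podman accepts names without CAP_)."""
    return ["--cap-drop=all"] + ["--cap-add=" + c[len("CAP_"):] for c in sorted(caps)]


def enforce(trace, allowed):
    """Enforcing mode: capabilities used that were never learned, i.e. likely denials."""
    return sorted(parse_caps(trace) - set(allowed))
```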