Containerd’s System Call Filtering and Auditing: Best Practices on Linux Kernel 6.x

Question

How can I effectively implement system call filtering and auditing in Containerd, specifically on Linux Kernel 6.x, to enhance container security and meet compliance requirements? What are the recommended tools, configurations, and best practices to achieve a robust security posture?

Zoe.Perry · Accepted Answer

🛡️ Containerd Syscall Filtering and Auditing on Linux Kernel 6.x: Best Practices

System call filtering and auditing are crucial for enhancing the security of containers. By limiting the system calls a container can make, you reduce the attack surface and improve overall security. Here's a comprehensive guide for implementing these practices in Containerd on Linux Kernel 6.x.

1. Understanding the Basics

System Call Filtering: Restricts the set of system calls a container can execute.
System Call Auditing: Logs system call activity for monitoring and forensic analysis.

2. Tools and Technologies

Seccomp (Secure Computing Mode): A Linux kernel feature used for filtering system calls.
 Auditd: The Linux audit daemon for logging system calls.
 Containerd: The container runtime we're focusing on.

3. Implementing Seccomp Filtering

Seccomp allows you to define profiles that specify which system calls are allowed. Here’s how to implement it:

a. Creating a Seccomp Profile

Create a JSON file (e.g., seccomp_profile.json) defining the allowed system calls.  A basic profile might look like this:

{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": [
    "SCMP_ARCH_X86_64",
    "SCMP_ARCH_X86",
    "SCMP_ARCH_X32"
  ],
  "syscalls": [
    {
      "names": [
        "read",
        "write",
        "openat",
        "close",
        "fstat",
        "exit",
        "_exit",
        "mmap",
        "brk",
        "munmap",
        "arch_prctl",
        "futex",
        "set_tid_address",
        "set_robust_list",
        "rt_sigaction",
        "rt_sigprocmask",
        "ioctl",
        "fcntl",
        "getrandom"
      ],
      "action": "SCMP_ACT_ALLOW",
      "args": []
    }
  ]
}

This profile allows basic system calls like read, write, and exit.  All other syscalls will return an error.

b. Applying the Seccomp Profile to Containerd

You can configure Containerd to use this profile by modifying the container's configuration.  When using Kubernetes, this is typically done via annotations or security context.

Example using ctr (Containerd's command-line tool):

ctr run --with-ns ipc:private --with-ns pid:private --with-ns net:private \
  --seccomp-profile /path/to/seccomp_profile.json \
  docker.io/library/alpine:latest alpine sh

In Kubernetes, you would specify the Seccomp profile in the pod's security context:

apiVersion: v1
kind: Pod
metadata:
  name: seccomp-example
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: /path/to/seccomp_profile.json
  containers:
  - name: alpine
    image: docker.io/library/alpine:latest
    command: ["sh", "-c", "while true; do sleep 1; done"]

Ensure the Seccomp profile is available on the node at the specified path.

4. Implementing System Call Auditing with Auditd

Auditd is used to log system calls for auditing purposes. Here’s how to set it up:

a. Installing Auditd

sudo apt-get update
sudo apt-get install auditd -y

b. Configuring Auditd Rules

Edit /etc/audit/rules.d/audit.rules to define the rules for auditing specific system calls. For example, to audit all open system calls, add the following rule:

-a always,exit -F arch=b64 -S open -k audit_open

This rule logs all 64-bit open system calls with the key audit_open.

c. Restarting Auditd

sudo systemctl restart auditd

d. Analyzing Audit Logs

Audit logs are stored in /var/log/audit/audit.log. You can use the ausearch tool to query the logs.

sudo ausearch -k audit_open

5. Best Practices 🚀

Least Privilege: Only allow the necessary system calls.
 Regular Updates: Keep Seccomp profiles and Auditd rules up-to-date.
 Monitoring: Continuously monitor audit logs for suspicious activity.
 Testing: Regularly test your Seccomp profiles to ensure they are effective.
 Layered Security: Combine system call filtering and auditing with other security measures.

6. Example: Combining Seccomp and Auditd

Create a Seccomp profile that allows only a minimal set of system calls and configure Auditd to log any attempts to use other system calls. This provides both prevention and detection.

7. Conclusion 🎉

By implementing system call filtering with Seccomp and auditing with Auditd, you can significantly enhance the security of your Containerd containers on Linux Kernel 6.x. Regularly review and update your configurations to adapt to evolving threats.