Command line tool to generate secure computing mode

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ground-sector from gravatar.com ground-sector

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: gr0und-s3ct0r

Classifiers

Project description

https://travis-ci.org/gr0und-s3ct0r/cerber.svg?branch=devel https://badge.fury.io/py/cerber.svg

A straightforward command line tool for generate seccomp json profile

Overview

Seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. Seccomp allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system’s resources but isolates the process from them entirely.

Generated seccomp profile can be use with a lot of applications like:

  • docker

  • firefox

  • systemd

  • openssh

  • chrome

  • and more…

Install

$ pip install cerber

Usage

$ cerber docker run hello-world # a seccomp_profil.json was created in the current directory
$ ls
seccomp_profil.json
$ cat seccomp_profil.json
{
    "defaultAction": "SCMP_ACT_ERRNO",
    "architecture": [
        "SCMP_ARCH_X86_64",
        "SCMP_ARCH_X86",
        "SCMP_ARCH_X32"
    ],
    "syscalls": [
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "read"
        },
        ...
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "execve"
        },
        {
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "name": "arch_prctl"
        }
    ]
}

and now you can assign this security profil to your container at run:

$ docker run \
--rm \
--security-opt="no-new-privileges" \
--security-opt seccomp=seccomp_profile.json \
hello-world # you can get the following output for docker hello world

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
...
For more examples and ideas, visit:
 https://docs.docker.com/engine/userguide/

Contribute

$ git clone https://github.com/gr0und-s3ct0r/cerber
$ cd cerber
$ pipenv install pbr
$ pipenv shell # generate a virtual environment
$ python setup.py develop # install cerber in development mode
$ pip install -e .[test] # install testing dependencies
$ # make your changes
$ tox

Further readings

Authors

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for ground-sector from gravatar.com ground-sector

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: MIT License

Author: gr0und-s3ct0r

Classifiers

Release history Release notifications | RSS feed

0.3.0

This version

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cerber-0.2.0.tar.gz (5.9 kB view hashes)

Uploaded Source

Built Distribution

cerber-0.2.0-py2.py3-none-any.whl (7.2 kB view hashes)

Uploaded Python 2 Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page