v1.0
L2 Standard
Automated verification
9.4 Sandboxing
9. Operational Security — How do we run agents safely?
Description
Agent execution MUST be sandboxed to isolate it from the host system.
Rationale
Sandboxing limits the blast radius: even if an attacker achieves code execution inside the agent, the host system remains out of reach.
Audit Procedure
1. Check if the agent runs in a container or VM
2. Verify container security settings
3. Check for seccomp/AppArmor profiles
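The three audit steps above can be scripted from inside the agent's own process, because the Linux kernel exposes the relevant state under /proc. The following POSIX shell helpers are an added example, not part of the standard or of any tool it names; the /proc field names (Seccomp, NoNewPrivs, CapBnd, attr/current, cgroup) are the kernel's own, and the "full bounding set" and container-runtime patterns are heuristics labelled as such in the comments. Every function takes file paths so the same code runs against /proc/self/* in a live container and against constructed samples.

```shell
#!/bin/sh
# Added example (not part of the standard): helpers that read the sandbox
# state Linux exposes for a process and grade it against control 9.4.
# All functions take file paths, so the same code runs against /proc/self/*
# inside a live agent container and against constructed samples.

# Seccomp mode from a /proc/<pid>/status file: 0 disabled, 1 strict,
# 2 filter (the mode a container runtime's seccomp profile produces).
seccomp_mode() {
  awk '/^Seccomp:/ { print $2; f=1 } END { if (!f) print "unknown" }' "$1"
}

# NoNewPrivs flag: 1 means execve() can no longer add privileges.
no_new_privs() {
  awk '/^NoNewPrivs:/ { print $2; f=1 } END { if (!f) print "unknown" }' "$1"
}

# Capability bounding set as a hex mask. An unconfined root process shows
# every bit set (000001ffffffffff on current kernels); --cap-drop=ALL
# leaves it at zero and Docker's default profile keeps a sparse subset.
cap_bnd() {
  awk '/^CapBnd:/ { print $2; f=1 } END { if (!f) print "unknown" }' "$1"
}

# LSM label from /proc/<pid>/attr/current. AppArmor writes e.g.
# "docker-default (enforce)"; "unconfined" means no profile; a missing file
# means no LSM interface. SELinux hosts put a context here instead, which
# this example does not interpret.
lsm_profile() {
  [ -r "$1" ] || { echo unknown; return; }
  tr -d '\n' < "$1" | sed 's/ (.*//'
}

# Heuristic container hint from a /proc/<pid>/cgroup file. Cgroup v1 paths
# name the runtime; under cgroup v2 a container usually sees only "0::/",
# so the negative case is reported as "unknown", never "not a container".
container_hint() {
  if grep -Eq 'docker|containerd|kubepods|lxc|podman|libpod' "$1"; then
    echo yes
  else
    echo unknown
  fi
}

# Prints one result line; a non-zero $3 marks the whole audit as failed.
check() {
  if [ "$3" -eq 0 ]; then echo "PASS $1=$2"; else echo "FAIL $1=$2"; rc=1; fi
}

# audit_sandbox <status-file> <attr-current-file> <cgroup-file>
# Returns 0 only when seccomp filtering, no_new_privs, a reduced bounding
# set and an LSM profile are all present; the container hint is informational.
audit_sandbox() {
  rc=0
  v=$(seccomp_mode "$1");  [ "$v" = 2 ] && r=0 || r=1;  check seccomp "$v" $r
  v=$(no_new_privs "$1");  [ "$v" = 1 ] && r=0 || r=1;  check no_new_privs "$v" $r
  v=$(cap_bnd "$1");       case "$v" in *ffffffff|unknown) r=1 ;; *) r=0 ;; esac
  check cap_bnd "$v" $r
  v=$(lsm_profile "$2");   case "$v" in unconfined|unknown) r=1 ;; *) r=0 ;; esac
  check lsm_profile "$v" $r
  echo "INFO container=$(container_hint "$3")"
  return $rc
}

# Usage inside the agent container on a live host:  sh sandbox_audit.sh --self
if [ "${1:-}" = "--self" ]; then
  audit_sandbox /proc/self/status /proc/self/attr/current /proc/self/cgroup
fi
```

Run it from inside the agent's container rather than from the host: the values describe the process that reads them, so a host-side run only audits the host shell. A FAIL on seccomp or cap_bnd is the strongest signal, since those are exactly the controls a container runtime applies when its security settings are in force.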
Remediation
1. Run in a container with security settings
2. Use gVisor/Firecracker for code execution
3. Implement namespace isolation
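Taken together, the three remediation items describe one launcher. The script below is an added example, not part of the standard or of Docker's own documentation: it shows a naive `docker run` beside a hardened one that applies each remediation item, using real Docker CLI flags. IMAGE, SECCOMP_PROFILE and WORKDIR are placeholders for a deployment's own values, and gVisor is enabled only when the daemon reports the runsc runtime. Firecracker-backed runtimes are configured at the daemon level and are not shown here.

```shell
#!/bin/sh
# Added example (not part of the standard): a launcher that runs one
# code-execution step of an agent in a container with the settings the
# remediation lists. IMAGE, SECCOMP_PROFILE and WORKDIR are placeholders;
# the docker flags are real Docker CLI options. Set DRY_RUN=1 to print the
# command instead of running it.

IMAGE=${IMAGE:-agent-runner:latest}                          # placeholder image
SECCOMP_PROFILE=${SECCOMP_PROFILE:-/etc/agent/seccomp.json}  # placeholder path
WORKDIR=${WORKDIR:-$PWD/work}                                # only host path the agent may touch

# The naive launch for comparison: root inside the container, Docker's full
# default capability set, a writable root filesystem and outbound network.
run_agent_unsandboxed() {
  ${DRY_RUN:+echo} docker run --rm -v "$WORKDIR:/work" -w /work "$IMAGE" "$@"
}

# Hardened launch, flags grouped by remediation item:
#   1. container security settings: non-root UID, all capabilities dropped,
#      no-new-privileges, read-only rootfs plus a noexec tmpfs, seccomp and
#      AppArmor profiles, pid/memory/cpu limits
#   2. gVisor: --runtime=runsc, added only when the daemon reports it
#   3. namespace isolation: Docker already gives pid/mnt/uts namespaces;
#      --network none and --ipc none close the two shared with the host.
#      User-namespace remapping is a daemon setting (userns-remap), not a
#      per-run flag, so it is not repeated here.
run_agent_sandboxed() {
  runtime=
  if docker info --format '{{.Runtimes}}' 2>/dev/null | grep -q runsc; then
    runtime=--runtime=runsc
  fi
  seccomp=
  if [ -r "$SECCOMP_PROFILE" ]; then
    seccomp="seccomp=$SECCOMP_PROFILE"   # otherwise Docker's default profile stays in force
  fi
  ${DRY_RUN:+echo} docker run --rm $runtime \
    --user 65534:65534 \
    --cap-drop=ALL \
    --security-opt no-new-privileges \
    ${seccomp:+--security-opt "$seccomp"} \
    --security-opt apparmor=docker-default \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --network none \
    --ipc none \
    --pids-limit 256 \
    --memory 512m \
    --cpus 1 \
    -v "$WORKDIR:/work" -w /work \
    "$IMAGE" "$@"
}

# Usage: sh run_agent.sh --run python3 /work/task.py
if [ "${1:-}" = "--run" ]; then
  shift
  run_agent_sandboxed "$@"
fi
```

The seccomp flag is added only when the profile file exists, because a missing path makes `docker run` fail outright while omitting the flag keeps Docker's built-in default profile. `--network none` is the right default for a code-execution step; a task that genuinely needs egress should get a dedicated network with an explicit allow list rather than the bridge default.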
Framework Mappings
CIS Control 4.1
NIST PR.PT-3