tetragon
# This tracing policy 'dns-only-specified-servers' reports attempts to
# make outbound TCP and UDP connections to port 53 on any IP address
# other than those in the specified list (127.0.0.53, the systemd-resolved
# stub listener), and kills the offending process.
#
# Description:
# Report and block outbound TCP and UDP connections to any DNS server
# not in the approved list.
#
# In production, this can be used to force processes to talk only to
# approved DNS servers and to treat any transgression as evidence of
# malicious activity, with the process being killed.
#
# Removing the matchActions section makes the policy report-only: it
# logs transgressions but does not kill the offending process, which is
# useful for finding misconfigured services before enforcing.
#
# Note: This policy hooks ip_output (hit for every outbound IPv4 packet)
# because that is where individual UDP datagrams can be matched. The hook
# sees both TCP and UDP, so no TCP-specific hook (e.g. tcp_connect) is
# needed in addition.
#
# Caveats:
# - ip_output is the IPv4 transmit path only. IPv6 DNS traffic goes
#   through ip6_output and is not covered by this policy.
# - Only plain DNS on port 53 is matched. DNS over TLS (853) and DNS over
#   HTTPS (443) pass untouched.
# - The selector matches every process, including a local stub resolver
#   (e.g. systemd-resolved) forwarding queries to its upstream servers.
#   Add those upstreams to the NotDAddr list or scope the selector with
#   matchBinaries before enabling Sigkill.
# - All three matchArgs below are ANDed: a packet must be TCP or UDP,
#   to port 53, and to an address not in the list, to trigger the action.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "dns-only-specified-servers"
spec:
  kprobes:
  - call: "ip_output"
    syscall: false
    args:
    # int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)
    - index: 2
      type: "skb"
    selectors:
    - matchArgs:
      - index: 2
        operator: "Protocol"
        values:
        - "IPPROTO_TCP"
        - "IPPROTO_UDP"
      - index: 2
        operator: "DPort"
        values:
        - "53"
      - index: 2
        operator: "NotDAddr"
        values:
        - "127.0.0.53"
      matchActions:
      - action: "Sigkill"
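To make the selector semantics and the caveats in the header concrete, here is a userspace model of the policy's matching logic run over constructed packet descriptions. This is an added example, not Tetragon's BPF implementation and not part of the tetragon repository: it re-implements the three matchArgs (Protocol, DPort, NotDAddr) as an AND, models the fact that ip_output only sees IPv4, and shows which constructed packets would be reported or killed. The `Packet` type, the `evaluate` and `run` helpers, the process names and the sample traffic are all assumptions made for the example.

```python
"""Userspace model of the 'dns-only-specified-servers' selector logic.

Added example: NOT Tetragon's BPF code. It mirrors the policy's selector
(Protocol in {TCP,UDP} AND DPort == 53 AND DAddr not in the list) and
the fact that the ip_output kprobe sees only IPv4 packets.
"""
from dataclasses import dataclass
import ipaddress

# IANA protocol numbers, the values behind IPPROTO_TCP / IPPROTO_UDP.
IPPROTO_TCP = 6
IPPROTO_UDP = 17

# Same allow-list as the policy's NotDAddr values.
APPROVED_DNS_SERVERS = ["127.0.0.53"]


@dataclass(frozen=True)
class Packet:
    """Minimal view of what the policy reads from the skb (constructed type)."""
    ip_version: int   # 4 or 6
    proto: int        # IP protocol number
    daddr: str        # destination address
    dport: int        # destination port
    comm: str         # sending process name, for the report only


def reaches_ip_output(pkt: Packet) -> bool:
    """ip_output is the IPv4 transmit path; IPv6 uses ip6_output, so an
    IPv6 packet never hits this policy's kprobe at all."""
    return pkt.ip_version == 4


def selector_matches(pkt: Packet, approved=APPROVED_DNS_SERVERS) -> bool:
    """AND of the three matchArgs in the policy's single selector."""
    protocol_ok = pkt.proto in (IPPROTO_TCP, IPPROTO_UDP)
    dport_ok = pkt.dport == 53
    # NotDAddr: matches when the destination is in none of the values.
    # ip_network() treats a bare address as a /32 or /128, so single
    # addresses and prefixes are handled the same way in this model.
    dst = ipaddress.ip_address(pkt.daddr)
    in_list = any(dst in ipaddress.ip_network(v, strict=False) for v in approved)
    return protocol_ok and dport_ok and not in_list


def evaluate(pkt: Packet, kill: bool = True) -> str:
    """Verdict for one packet: 'allow', 'report' (no matchActions) or
    'sigkill' (matchActions: Sigkill present)."""
    if not reaches_ip_output(pkt) or not selector_matches(pkt):
        return "allow"
    return "sigkill" if kill else "report"


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    Packet(4, IPPROTO_UDP, "127.0.0.53", 53, "curl"),              # stub resolver: allowed
    Packet(4, IPPROTO_UDP, "8.8.8.8", 53, "curl"),                 # bypasses the stub: killed
    Packet(4, IPPROTO_TCP, "1.1.1.1", 53, "dig"),                  # TCP DNS: also killed
    Packet(4, IPPROTO_UDP, "1.1.1.1", 53, "systemd-resolve"),      # stub's own upstream query: killed too
    Packet(4, IPPROTO_TCP, "1.1.1.1", 853, "stubby"),              # DoT: port 853, never matched
    Packet(6, IPPROTO_UDP, "2001:4860:4860::8888", 53, "dig"),     # IPv6: ip6_output path, never seen
]


def run(packets=SAMPLE_PACKETS, kill: bool = True):
    """Evaluate every packet and return (comm, daddr, dport, verdict) tuples."""
    return [(p.comm, p.daddr, p.dport, evaluate(p, kill)) for p in packets]


if __name__ == "__main__":
    for comm, daddr, dport, verdict in run():
        print(f"{comm:16s} -> {daddr}:{dport:<4d} {verdict}")
```

Running it shows the two things a practitioner should check before enabling Sigkill: the stub resolver's own upstream queries are killed unless its upstreams are added to the list, and neither DoT, DoH nor IPv6 DNS is touched by this policy. Passing `kill=False` to `run` models the report-only variant obtained by deleting matchActions.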