tetragon
---
# Tetragon TracingPolicy that reports access to files under /etc/ by hooking
# three kernel LSM functions: file permission checks, mmap of a file, and
# truncate.
#
# No selector carries matchActions, so the policy only observes and reports;
# it does not deny access or stop the calling process.
#
# Coverage note: only the three hooks listed below are traced. Operations that
# go through other hooks (for example unlink, rename or attribute changes) are
# not reported by this policy.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: 'file-monitoring'
spec:
  kprobes:
    # Hook 1: permission check performed on file read/write.
    - call: 'security_file_permission'
      # The target is a kernel function, not a syscall.
      syscall: false
      # Trace the function return as well, so returnArg below is collected.
      return: true
      args:
        # (struct file *) used for getting the path
        - index: 0
          type: 'file'
        # Access mask: 0x04 is MAY_READ, 0x02 is MAY_WRITE.
        # The mask is captured but no selector filters on it, so reads and
        # writes both produce events; expect high volume on busy hosts.
        - index: 1
          type: 'int'
      # Return value of the hook, recorded with the event.
      # NOTE(review): presumably 0 means the access was allowed and a negative
      # errno means it was denied - confirm for the kernel in use.
      returnArg:
        index: 0
        type: 'int'
      returnArgAction: 'Post'
      selectors:
        - matchArgs:
            # Match on the path resolved from argument 0.
            # NOTE(review): confirm how paths reached through bind mounts or a
            # container's mount namespace appear here before relying on this
            # prefix for coverage.
            - index: 0
              operator: 'Prefix'
              values:
                # filenames to filter for
                - '/etc/'

    # Hook 2: a file being mapped into memory.
    - call: 'security_mmap_file'
      syscall: false
      return: true
      args:
        # (struct file *) used for getting the path
        - index: 0
          type: 'file'
        # the prot flags PROT_READ(0x01), PROT_WRITE(0x02), PROT_EXEC(0x04)
        - index: 1
          type: 'uint32'
        # the mmap flags (i.e. MAP_SHARED, ...)
        # NOTE(review): type "nop" presumably means the value is not
        # captured - confirm against the Tetragon version deployed.
        - index: 2
          type: 'nop'
      returnArg:
        index: 0
        type: 'int'
      returnArgAction: 'Post'
      selectors:
        - matchArgs:
            - index: 0
              operator: 'Prefix'
              values:
                # filenames to filter for
                - '/etc/'

    # Hook 3: a file being truncated.
    - call: 'security_path_truncate'
      syscall: false
      return: true
      args:
        # (struct path *) used for getting the path
        - index: 0
          type: 'path'
      returnArg:
        index: 0
        type: 'int'
      returnArgAction: 'Post'
      selectors:
        - matchArgs:
            - index: 0
              operator: 'Prefix'
              values:
                # filenames to filter for
                - '/etc/'