tetragon

1
apiVersion: cilium.io/v1alpha1
2
kind: TracingPolicy
3
metadata:
4
  name: "file-monitoring"
5
spec:
6
  kprobes:
7
  - call: "security_file_permission"
8
    syscall: false
9
    return: true
10
    args:
11
    - index: 0
12
      type: "file" # (struct file *) used for getting the path
13
    - index: 1
14
      type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE
15
    returnArg:
16
      index: 0
17
      type: "int"
18
    returnArgAction: "Post"
19
    selectors:
20
    - matchArgs:      
21
      - index: 0
22
        operator: "Prefix"
23
        values:
24
        - "/etc/" # filenames to filter for
25
  - call: "security_mmap_file"
26
    syscall: false
27
    return: true
28
    args:
29
    - index: 0
30
      type: "file" # (struct file *) used for getting the path
31
    - index: 1
32
      type: "uint32" # the prot flags PROT_READ(0x01), PROT_WRITE(0x02), PROT_EXEC(0x04)
33
    - index: 2
34
      type: "nop" # the mmap flags (i.e. MAP_SHARED, ...)
35
    returnArg:
36
      index: 0
37
      type: "int"
38
    returnArgAction: "Post"
39
    selectors:
40
    - matchArgs:
41
      - index: 0
42
        operator: "Prefix"
43
        values:
44
        - "/etc/" # filenames to filter for
45
  - call: "security_path_truncate"
46
    syscall: false
47
    return: true
48
    args:
49
    - index: 0
50
      type: "path" # (struct path *) used for getting the path
51
    returnArg:
52
      index: 0
53
      type: "int"
54
    returnArgAction: "Post"
55
    selectors:
56
    - matchArgs:
57
      - index: 0
58
        operator: "Prefix"
59
        values:
60
        - "/etc/" # filenames to filter for
61