tetragon

1
apiVersion: cilium.io/v1alpha1
2
kind: TracingPolicy
3
metadata:
4
  name: "syswritefollowfdpsswd"
5
spec:
6
  kprobes:
7
  - call: "fd_install"
8
    syscall: false
9
    args:
10
    - index: 0
11
      type: int
12
    - index: 1
13
      type: "file"
14
    selectors:
15
    - matchPIDs:
16
      - operator: NotIn
17
        followForks: true
18
        isNamespacePID: true
19
        values:
20
        - 0
21
        - 1
22
      matchArgs:
23
      - index: 1
24
        operator: "Equal"
25
        values:
26
        - "/etc/passwd"
27
      matchActions:
28
      - action: FollowFD
29
        argFd: 0
30
        argName: 1
31
  - call: "sys_close"
32
    syscall: true
33
    args:
34
    - index: 0
35
      type: "int"
36
    selectors:
37
    - matchPIDs:
38
      - operator: NotIn
39
        followForks: true
40
        isNamespacePID: true
41
        values:
42
        - 0
43
        - 1
44
      matchActions:
45
      - action: UnfollowFD
46
        argFd: 0
47
        argName: 0
48
  - call: "sys_write"
49
    syscall: true
50
    args:
51
    - index: 0
52
      type: "fd"
53
    - index: 1
54
      type: "char_buf"
55
      sizeArgIndex: 3
56
    - index: 2
57
      type: "size_t"
58
    selectors:
59
    - matchPIDs:
60
      - operator: NotIn
61
        followForks: true
62
        isNamespacePID: true
63
        values:
64
        - 0
65
        - 1
66
      matchArgs:
67
      - index: 0
68
        operator: "Prefix"
69
        values:
70
        - "/etc/passwd"
71
      matchActions:
72
      - action: Sigkill
73