# 'creds-capability-usage' Tracing Policy
#
# Hooks the kernel's cap_capable() check, which runs whenever a process
# attempts an operation that requires a capability, and posts one event
# per check together with the kernel's verdict.
#
# Scope: the matchNamespaces selector below drops callers that live in
# the host PID namespace, so only processes inside a pid namespace
# (e.g. containers) are reported. Remove that selector to cover host
# processes as well.
#
# Notes for anyone building detections on top of these events:
#   - No matchReturnArgs selector is set, so both granted and denied
#     checks are posted; filter on the captured return value downstream
#     if only denials are of interest (0 = capability granted, a
#     negative errno = denied).
#   - The Post action is rate limited to one event per minute; during a
#     burst of checks events are suppressed, so any count derived from
#     them is a lower bound, not a total.
#     NOTE(review): the limit's scope (thread / process / global) is not
#     set here and falls back to Tetragon's default — confirm via
#     rateLimitScope if the scope matters for your detection logic.

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: 'creds-capability-checks'
  #annotations:
  #  author: "Djalal Harouni"
spec:
  kprobes:
    - call: 'cap_capable'
      syscall: false
      # Also hook the function return so the verdict in returnArg is
      # collected alongside the entry arguments.
      return: true
      returnArg:
        index: 0
        type: 'int'
      args:
        # argument 1 of cap_capable(): the target user namespace
        - index: 1
          type: 'user_namespace'
        # argument 2 of cap_capable(): the capability being checked
        - index: 2
          type: 'capability'
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - 'host_ns'
          matchActions:
            - action: Post
              rateLimit: '1m' # Rate limit messages to 1min