tetragon

1
# This 'creds-capability-usage' Tracing Policy monitors
2
# capability checks performed by the kernel when a process
3
# tries a privileged operation.
4
#
5
# This Tracing Policy works inside a pid namespace, if you
6
# want to monitor all processes including host ones, remove
7
# the matchNamespaces selector.
8
#
9

10
apiVersion: cilium.io/v1alpha1
11
kind: TracingPolicy
12
metadata:
13
  name: "creds-capability-checks"
14
  #annotations:
15
    #author: "Djalal Harouni"
16
spec:
17
  kprobes:
18
  - call: "cap_capable"
19
    syscall: false
20
    return: true
21
    args:
22
    - index: 1
23
      type: "user_namespace"
24
    - index: 2
25
      type: "capability"
26
    returnArg:
27
      index: 0
28
      type: "int"
29
    selectors:
30
      - matchNamespaces:
31
        - namespace: Pid
32
          operator: NotIn
33
          values:
34
          - "host_ns"
35
        matchActions:
36
          - action: Post
37
            rateLimit: "1m"  # Rate limit messages to 1min
38