tetragon

1
# This 'process.credentials.changes.at.syscalls' Tracing Policy
2
# monitors processes trying to change their credentials inside
3
# a pid namespace. If you want to monitor all processes including
4
# host ones, remove the matchNamespaces selector.
5
#
6
# Monitors the following system calls:
7
#  - setuid(), setgid(), setfsuid(), setfsgid()
8
#    setreuid(), setregid(), setresuid(), setresgid()
9
#
10
#  - setgroups() TODO
11
#
12

13
apiVersion: cilium.io/v1alpha1
14
kind: TracingPolicy
15
metadata:
16
  name: "process.credentials.changes.at.syscalls"
17
spec:
18
  kprobes:
19
  - call: "sys_setuid"
20
    syscall: true
21
    args:
22
    - index: 0
23
      type: "int"
24
    selectors:
25
      - matchNamespaces:
26
        - namespace: Pid
27
          operator: NotIn
28
          values:
29
          - "host_ns"
30
  - call: "sys_setgid"
31
    syscall: true
32
    args:
33
    - index: 0
34
      type: "int"
35
    selectors:
36
      - matchNamespaces:
37
        - namespace: Pid
38
          operator: NotIn
39
          values:
40
          - "host_ns"
41
  - call: "sys_setreuid"
42
    syscall: true
43
    args:
44
    - index: 0
45
      type: "int"
46
    - index: 1
47
      type: "int"
48
    selectors:
49
      - matchNamespaces:
50
        - namespace: Pid
51
          operator: NotIn
52
          values:
53
          - "host_ns"
54
  - call: "sys_setregid"
55
    syscall: true
56
    args:
57
    - index: 0
58
      type: "int"
59
    - index: 1
60
      type: "int"
61
    selectors:
62
      - matchNamespaces:
63
        - namespace: Pid
64
          operator: NotIn
65
          values:
66
          - "host_ns"
67
  - call: "sys_setresuid"
68
    syscall: true
69
    args:
70
    - index: 0
71
      type: "int"
72
    - index: 1
73
      type: "int"
74
    - index: 2
75
      type: "int"
76
    selectors:
77
      - matchNamespaces:
78
        - namespace: Pid
79
          operator: NotIn
80
          values:
81
          - "host_ns"
82
  - call: "sys_setresgid"
83
    syscall: true
84
    args:
85
    - index: 0
86
      type: "int"
87
    - index: 1
88
      type: "int"
89
    - index: 2
90
      type: "int"
91
    selectors:
92
      - matchNamespaces:
93
        - namespace: Pid
94
          operator: NotIn
95
          values:
96
          - "host_ns"
97
  - call: "sys_setfsuid"
98
    syscall: true
99
    args:
100
    - index: 0
101
      type: "int"
102
    selectors:
103
      - matchNamespaces:
104
        - namespace: Pid
105
          operator: NotIn
106
          values:
107
          - "host_ns"
108
  - call: "sys_setfsgid"
109
    syscall: true
110
    args:
111
    - index: 0
112
      type: "int"
113
    selectors:
114
      - matchNamespaces:
115
        - namespace: Pid
116
          operator: NotIn
117
          values:
118
          - "host_ns"
119

120