Examples about Tetragon rules here
```
kubectl run demo-memfd --image=krol/demo-memfd:v1.1
kubectl logs -n kube-system ds/tetragon -c export-stdout -f | tetragon observe
```
PR: https://github.com/cilium/tetragon/pull/484
```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "demo-memfd"
spec:
  kprobes:
  # int close(int fd);
  - call: "__x64_sys_close"
    syscall: true
    args:
    - index: 0
      type: "int"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
      matchActions:
      - action: UnfollowFD
        argFd: 0
        argName: 0
  # int memfd_create(const char *name, unsigned int flags);
  - call: "__x64_sys_memfd_create"
    syscall: true
    args:
    - index: 0
      type: "string"
    - index: 1
      type: "int"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: true
        isNamespacePID: true
        values:
        - 0
        - 1
  # int execve(const char *pathname, char *const argv[], char *const envp[]);
  - call: "__x64_sys_execve"
    syscall: true
    args:
    - index: 0
      type: "string"
    selectors:
    - matchPIDs:
      - operator: NotIn
        followForks: false
        isNamespacePID: true
        values:
        - 0
        - 1
      matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/proc/self/fd/"
      matchActions:
      - action: Sigkill
```
```
🚀 process default/demo-memfd /demo-memfd nginx /bin/date
⁉️ syscall default/demo-memfd /demo-memfd __x64_sys_execve
💥 exit    default/demo-memfd /demo-memfd nginx /bin/date SIGKILL
```
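A way to triage the events this policy produces, as an added example that is not part of the original note or of Tetragon itself: it reads JSON export lines, links each `execve` of a `/proc/self/fd/` path to earlier `memfd_create` calls by the same process, and reports whether the Sigkill action fired. The sample events are constructed, and the field names (`process_kprobe`, `function_name`, `args`, `string_arg`, `exec_id`, `action`) are assumed to match Tetragon's JSON export.

```python
import json

FD_PREFIX = "/proc/self/fd/"  # same prefix as the policy's matchArgs

# Constructed sample events (not captured output); field layout is assumed.
_P = ('"process":{"exec_id":"a1","binary":"/demo-memfd",'
      '"pod":{"namespace":"default","name":"demo-memfd"}}')
SAMPLE_EVENTS = [
    '{"process_kprobe":{%s,"function_name":"__x64_sys_memfd_create",'
    '"args":[{"string_arg":"nginx"},{"int_arg":1}]}}' % _P,
    '{"process_kprobe":{%s,"function_name":"__x64_sys_execve",'
    '"args":[{"string_arg":"/proc/self/fd/3"}],'
    '"action":"KPROBE_ACTION_SIGKILL"}}' % _P,
    '{"process_exec":{%s}}' % _P,   # non-kprobe event, ignored
    '{"process_kprobe":{"proc',      # truncated log line, skipped
]

def find_memfd_execs(lines):
    """Return one finding per execve of a /proc/self/fd/ path."""
    memfd_names = {}  # exec_id -> names passed to memfd_create
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate partial or non-JSON lines in the stream
        kp = event.get("process_kprobe")
        if not kp:
            continue
        proc = kp.get("process", {})
        args = kp.get("args", [])
        first = args[0].get("string_arg", "") if args else ""
        func = kp.get("function_name")
        if func == "__x64_sys_memfd_create":
            memfd_names.setdefault(proc.get("exec_id"), []).append(first)
        elif func == "__x64_sys_execve" and first.startswith(FD_PREFIX):
            pod = proc.get("pod", {})
            findings.append({
                "pod": f"{pod.get('namespace')}/{pod.get('name')}",
                "binary": proc.get("binary"),
                "path": first,
                "memfd_names": memfd_names.get(proc.get("exec_id"), []),
                "killed": kp.get("action") == "KPROBE_ACTION_SIGKILL",
            })
    return findings

if __name__ == "__main__":
    for finding in find_memfd_execs(SAMPLE_EVENTS):
        print(finding)
```

A finding with `killed` set to false means the `execve` was observed but the enforcement action is not recorded on the event, which is worth checking against the loaded policy.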
Automatic detection by Tetragon: https://github.com/cilium/tetragon/pull/499
make build