HackMD
Tetragon Demo Fileless
Examples about Tetragon rules here
kubectl run demo-memfd --image=krol/demo-memfd:v1.1
kubectl logs -n kube-system ds/tetragon -c export-stdout -f | tetragon observe
Image Not Showing
Possible Reasons
- The image file may be corrupted
- The server hosting the image is unavailable
- The image path is incorrect
- The image format is not supported
Tetragon policy
PR: https://github.com/cilium/tetragon/pull/484
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "demo-memfd"
spec:
kprobes:
# int close(int fd);
- call: "__x64_sys_close"
syscall: true
args:
- index: 0
type: "int"
selectors:
- matchPIDs:
- operator: NotIn
followForks: true
isNamespacePID: true
values:
- 0
- 1
matchActions:
- action: UnfollowFD
argFd: 0
argName: 0
# int memfd_create(const char *name, unsigned int flags);
- call: "__x64_sys_memfd_create"
syscall: true
args:
- index: 0
type: "string"
- index: 1
type: "int"
selectors:
- matchPIDs:
- operator: NotIn
followForks: true
isNamespacePID: true
values:
- 0
- 1
# int execve(const char *pathname, char *const argv[],char *const envp[]);
- call: "__x64_sys_execve"
syscall: true
args:
- index: 0
type: "string"
selectors:
- matchPIDs:
- operator: NotIn
followForks: false
isNamespacePID: true
values:
- 0
- 1
matchArgs:
- index: 0
operator: "Prefix"
values:
- "/proc/self/fd/"
matchActions:
- action: Sigkill
With kill enabled
🚀 process default/demo-memfd /demo-memfd nginx /bin/date
⁉️ syscall default/demo-memfd /demo-memfd __x64_sys_execve
💥 exit default/demo-memfd /demo-memfd nginx /bin/date SIGKILL
Automatic detection by Tetragon: https://github.com/cilium/tetragon/pull/499
