tetragon: library policy module load audit

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
cilium · Nov 1, 2023 · 0c6f456 · 0c6f456
1 parent 6c20b57
commit 0c6f456
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md
@@ -72,12 +72,13 @@ Understanding exactly what kernel modules are running in the cluster is crucial
 ### Example jq Filter
 
 ```shell-session
-
+ jq 'select(.process_kprobe != null) | select(.process_kprobe.function_name | test("security_kernel_module_request"))  | "\(.time) \(.process_kprobe.process.binary) \(.process_kprobe.process.arguments) module:\(.process_kprobe.args[0].string_arg)"'
 ```
 
 ### Example Output
 
 ```shell-session
+"2023-11-01T04:11:38.390880528Z /sbin/iptables -A OUTPUT -m cgroup --cgroup 1 -j LOG module:ipt_LOG"
 ```
 
 ## Shared Library Loading {#library}

diff --git a/examples/policylibrary/modules.yaml b/examples/policylibrary/modules.yaml
@@ -0,0 +1,37 @@
+# This tracing policy monitors kernel modules operations.
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "monitor-kernel-modules"
+  #annotations:
+    #description: "Monitor kernel modules operations"
+spec:
+  kprobes:
+  - call: "security_kernel_module_request"
+    # Automatic module loading detection
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "string"
+    returnArg:
+      index: 0
+      type: "int"
+  - call: "security_kernel_read_file"
+    # Explicit module loading using file descriptor finit_module() to print module full path
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "file"
+    - index: 1
+      type: "int"
+    returnArg:
+      index: 0
+      type: "int"
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "2"  # READING_MODULE