chore: sample memfd_create rule #484
Conversation
Hi @krol3, thank you for providing this example. Something like this may work:
Detection is not that hard; it may even give you the binary name that started this so you can track it. You may tune that up. For killing, it works, but please do test it; I will try to test this on a k8s deployment tomorrow. IIRC runc self-execs through memfd, so I hope this won't kill it; otherwise we can improve our matchBinaries to use the NotIn operator to exclude runc and other legitimate binaries... ah, also this is just execve(). BTW, as said, I didn't finish, but we are going to make this detected by default as part of the execve() events. Output running with that CRD:
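The detection described in the comment above (a memfd_create call followed by an execve of the anonymous file, with known legitimate users such as runc excluded the way a matchBinaries NotIn selector would exclude them), as an added example that is not code from this PR or from the Tetragon project: a small correlator run over Tetragon-style JSON events. The event field layout (process_kprobe / process_exec with a nested process object), the allow-list contents and the sample event lines are assumptions constructed for this demo, not captured output.

```python
import json

# The kernel exposes the path of an executed anonymous memfd as "/memfd:<name> (deleted)".
MEMFD_EXEC_PREFIX = "/memfd:"

# Assumed allow-list of binaries known to use memfd legitimately (the thread notes
# that runc re-executes itself through memfd); tune this for your own hosts.
ALLOWED_BINARIES = {"/usr/bin/runc"}

# Constructed sample events, one JSON object per line, loosely modelled on
# Tetragon's JSON export. The field layout is an assumption, not the real schema.
SAMPLE_EVENTS = """
{"process_kprobe": {"process": {"pid": 100, "binary": "/usr/bin/runc"}, "function_name": "__x64_sys_memfd_create", "args": [{"string_arg": "runc_cloned:/proc/self/exe"}, {"int_arg": 1}]}}
{"process_kprobe": {"process": {"pid": 4242, "binary": "/tmp/loader"}, "function_name": "__x64_sys_memfd_create", "args": [{"string_arg": "payload"}, {"int_arg": 1}]}}
{"process_exec": {"process": {"pid": 4243, "binary": "/usr/bin/ls"}, "parent": {"pid": 4000, "binary": "/bin/bash"}}}
{"process_exec": {"process": {"pid": 4242, "binary": "/memfd:payload (deleted)"}, "parent": {"pid": 4000, "binary": "/bin/bash"}}}
{"process_exec": {"process": {"pid": 5000, "binary": "/memfd:x (deleted)"}, "parent": {"pid": 4999, "binary": "/usr/bin/python3"}}}
""".strip().splitlines()


def parse_events(lines):
    """Yield decoded JSON events, skipping blank or unparsable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def memfd_name(kprobe):
    """Return the name argument passed to memfd_create, if the event carries it."""
    args = kprobe.get("args") or []
    return args[0].get("string_arg") if args else None


def detect_memfd_exec(lines, allowlist=frozenset(ALLOWED_BINARIES)):
    """Correlate memfd_create calls with later execs of a /memfd: path.

    Returns one finding per exec of a memfd-backed binary. An exec whose pid
    (or parent pid, for fork-then-exec) called memfd_create earlier is tied
    back to the creating binary. An exec with no recorded creator is still
    reported, since the memfd may have been created before monitoring began.
    """
    creators = {}  # pid -> (creating binary, memfd name)
    findings = []
    for ev in parse_events(lines):
        if "process_kprobe" in ev:
            kp = ev["process_kprobe"]
            if not kp.get("function_name", "").endswith("memfd_create"):
                continue
            proc = kp["process"]
            if proc["binary"] in allowlist:
                continue  # known legitimate user, the equivalent of a matchBinaries NotIn
            creators[proc["pid"]] = (proc["binary"], memfd_name(kp))
        elif "process_exec" in ev:
            ex = ev["process_exec"]
            proc, parent = ex["process"], ex.get("parent", {})
            if not proc["binary"].startswith(MEMFD_EXEC_PREFIX):
                continue
            origin = creators.get(proc["pid"]) or creators.get(parent.get("pid"))
            findings.append({
                "pid": proc["pid"],
                "exec_path": proc["binary"],
                "origin_binary": origin[0] if origin else None,
                "memfd_name": origin[1] if origin else None,
            })
    return findings


def format_alert(finding):
    """Render a finding as a single alert line."""
    origin = finding["origin_binary"] or "<unknown creator>"
    return f"memfd exec: pid={finding['pid']} path={finding['exec_path']!r} created_by={origin}"


if __name__ == "__main__":
    for f in detect_memfd_exec(SAMPLE_EVENTS):
        print(format_alert(f))
```

Run against the constructed events, this reports the exec of `/memfd:payload (deleted)` by pid 4242 and ties it back to `/tmp/loader`, reports the exec by pid 5000 with an unknown creator, and stays silent on the runc memfd_create and the ordinary `ls` exec.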
I like the example, let's merge it. Please push any fixes if it needs some improvements.
Thank you so much @jrfastab. It was with the help of the Tetragon team. If there is any update, please notify me so I can update my sample about this too: https://github.com/krol3/demo-fileless/blob/main/tetragon.md
Hi! I would like to validate how to detect memfd_create and the use of the file descriptor to execute.
More notes about the output of this policy and the image test are here.