From 0c6f456757c4fc48b3b37a9725876ef1fdc1adba Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Tue, 31 Oct 2023 20:33:15 -0700 Subject: [PATCH] tetragon: library policy module load audit Signed-off-by: John Fastabend --- .../policy-library/observability/_index.md | 3 +- examples/policylibrary/modules.yaml | 37 +++++++++++++++++++ 2 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 examples/policylibrary/modules.yaml diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md index ed3a5bfd946..a4d9e9ad22a 100644 --- a/docs/content/en/docs/policy-library/observability/_index.md +++ b/docs/content/en/docs/policy-library/observability/_index.md @@ -72,12 +72,13 @@ Understanding exactly what kernel modules are running in the cluster is crucial ### Example jq Filter ```shell-session - + jq 'select(.process_kprobe != null) | select(.process_kprobe.function_name | test("security_kernel_module_request")) | "\(.time) \(.process_kprobe.process.binary) \(.process_kprobe.process.arguments) module:\(.process_kprobe.args[0].string_arg)"' ``` ### Example Output ```shell-session +"2023-11-01T04:11:38.390880528Z /sbin/iptables -A OUTPUT -m cgroup --cgroup 1 -j LOG module:ipt_LOG" ``` ## Shared Library Loading {#library} diff --git a/examples/policylibrary/modules.yaml b/examples/policylibrary/modules.yaml new file mode 100644 index 00000000000..9e1c5fa2eed --- /dev/null +++ b/examples/policylibrary/modules.yaml 
@@ -0,0 +1,37 @@
+# This tracing policy monitors kernel modules operations.
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "monitor-kernel-modules"
+ #annotations:
+ #description: "Monitor kernel modules operations"
+spec:
+ kprobes:
+ - call: "security_kernel_module_request"
+ # Automatic module loading detection
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "string"
+ returnArg:
+ index: 0
+ type: "int"
+ - call: "security_kernel_read_file"
+ # Explicit module loading using file descriptor finit_module() to print module full path
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "file"
+ - index: 1
+ type: "int"
+ returnArg:
+ index: 0
+ type: "int"
+ selectors:
+ - matchArgs:
+ - index: 1
+ operator: "Equal"
+ values:
+ - "2" # READING_MODULE
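Review bot: The `security_kernel_read_file` kprobe with its `matchArgs` selector on `READING_MODULE` only sees fd-based loads via `finit_module()`, as its own comment says; a module image handed over from user memory with `init_module()` never passes through `kernel_read_file()` and is instead gated by `security_kernel_load_data()` with `LOADING_MODULE`, so a loader that uses the older syscall is silently absent from an audit whose name and header comment promise to cover "kernel modules operations". A third kprobe on `security_kernel_load_data` selecting id `2` closes that gap (`LOADING_MODULE` is generated from the same id list as `READING_MODULE` in `include/linux/kernel_read_file.h`, but confirm the value against the target kernel, and note that older kernels have only the `id` argument while newer ones add a `contents` bool — index 0 is the id either way). Both hooks also fire before the kernel reads and verifies the image, so a captured return value of 0 means the LSM allowed the read, not that the module actually loaded; the header comment should say so, e.g. `# Observes module load attempts (LSM pre-read checks); a 0 return means the LSM allowed the read, not that the module was successfully loaded.`
```yaml
  kprobes:
  # … unchanged: security_kernel_module_request and security_kernel_read_file kprobes …
  - call: "security_kernel_load_data"
    # init_module() passes the image from user memory and never reaches
    # kernel_read_file(); this hook is what gates that path.
    syscall: false
    return: true
    args:
    - index: 0
      type: "int"
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "2" # LOADING_MODULE
```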