
tetragon: docs, add template to policy library
Add template to all the entries in policy library.

Signed-off-by: John Fastabend <[email protected]>
jrfastab committed Oct 31, 2023
1 parent 9df6972 commit 4bc03d2
Showing 1 changed file with 36 additions and 58 deletions.
94 changes: 36 additions & 58 deletions docs/content/en/docs/policy-library/observability/_index.md
Expand Up @@ -30,65 +30,55 @@ description: >

## eBPF Subsystem Interactions {#ebpf}

This policy adds monitoring of all BPF programs loaded and file operations over the
BPFFS. The BPFFS is where map file descriptors live allowing programs access to the
BPF user to kernel space.
### Description

To apply the policy use kubect apply,
Audit BPF program loads and BPFFS interactions

```shell-session
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml
```
### Use Case

Now we can do inspect the data to learn interesting things about the system. For example
to find all loaded programs on the system,
Understanding BPF programs loaded in a cluster and interactions between applications
and programs can identify bugs and malicious or unexpected BPF activity.

```shell-session
### Policy

```
[bpf.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml)

Or all programs writing to a BPF map,
### Example jq Filter

```shell-session
```

Similarly we might be concerned about all reads,
### Example Output

```shell-session
```

Continue to explore the data set to learn interesting things here.

## Kernel Module Audit Trail {#kernel-module}

This policy adds monitoring of all BPF programs loaded and file operations over the
BPFFS. The BPFFS is where map file descriptors live allowing programs access to the
BPF user to kernel space.
### Description

To apply the policy use kubect apply,
Audit loading of kernel modules

```shell-session
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml
```
### Use Case

Now we can do inspect the data to learn interesting things about the system. For example
to find all loaded programs on the system,
Understanding exactly what kernel modules are running in the cluster is crucial to understand attack surface and any malicious actors loading unexpected modules.

```shell-session
### Policy

```
[module.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/module.yaml)

Or all programs writing to a BPF map,
### Example jq Filter

```shell-session
```

Similarly we might be concerned about all reads,
### Example Output

```shell-session
```


## Shared Library Loading {#library}

### Description
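Review bot: the new `### Example jq Filter` and `### Example Output` sections under both eBPF Subsystem Interactions and Kernel Module Audit Trail are empty (a `shell-session` fence with nothing inside it), so the rendered page shows headings with no body; fill them with a filter and a sample event, or mark them TODO, before this lands. Two smaller points in the same hunk: the template drops the `kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml` invocation and now only links the yaml, so consider keeping the apply command in the Policy section; and the sentence explaining what BPFFS is ("The BPFFS is where map file descriptors live ...") is removed, leaving the eBPF description as a single line with no context for readers who do not know the filesystem. On the plus side, the copy-pasted bpf prose and bpf.yaml link that previously sat under the Kernel Module section are gone, and the "kubect apply" typo goes with them.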
Expand Down Expand Up @@ -171,47 +161,35 @@ jq 'select(.process_exec != null) | select(.process_exec.process.binary | contai

## SSHd connection monitoring {#ssh-network}

This policy adds monitoring of all network connections accepted by SSHd to Tetragon.

To apply the policy use kubect apply,

```shell-session
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/acceptsshd.yaml
```
### Description

To find all sessions over SSHd,
Monitor sessions to SSHd

```shell-session
### Use Case

```
It is best practice to audit remote connections into a shell server.

## Outbound connections {#egress-connections}
### Policy

This policy adds monitoring of all BPF programs loaded and file operations over the
BPFFS. The BPFFS is where map file descriptors live allowing programs access to the
BPF user to kernel space.
[sshd.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sshd.yaml)

To apply the policy use kubect apply,
### Example jq Filter

```shell-session
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml
```
### Example Output

Now we can do inspect the data to learn interesting things about the system. For example
to find all loaded programs on the system,
## Outbound connections {#egress-connections}

```shell-session
### Description

```
Monitor all cluster egress connections

Or all programs writing to a BPF map,
### Use Case

```shell-session
```
Connections made outside a Kubernetes cluster can be audited to provide insights
into any unexpected or malicious reverse shells.

Similarly we might be concerned about all reads,
### Policy

```shell-session
```
### Example jq Filter

Continue to explore the data set to learn interesting things here.
### Example Output
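Review bot: the `### Policy` section under Outbound connections links no yaml at all (the heading is followed directly by `### Example jq Filter`), and the `### Example jq Filter` and `### Example Output` sections for both SSHd connection monitoring and Outbound connections are empty; since the removed text it replaces was a copy of the bpf section pointing at bpf.yaml, there is still no egress policy referenced anywhere in this section, so add the link or drop the section until the policy exists. Also, the SSHd link changes from examples/policylibrary/acceptsshd.yaml to examples/policylibrary/sshd.yaml; confirm the file in the repository was renamed to match, otherwise the new link 404s. Minor wording: "Monitor sessions to SSHd" reads oddly; "Monitor connections accepted by SSHd" matches the removed description.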
