From 4bc03d2b1b5ec18c735b145211524931768157b4 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Tue, 31 Oct 2023 15:55:44 -0700 Subject: [PATCH] tetragon: docs, add template to policy library Add template to all the entries in policy library. Signed-off-by: John Fastabend --- .../policy-library/observability/_index.md | 94 +++++++------------ 1 file changed, 36 insertions(+), 58 deletions(-) diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md index 0b704973f56..692b0db7b1d 100644 --- a/docs/content/en/docs/policy-library/observability/_index.md +++ b/docs/content/en/docs/policy-library/observability/_index.md 
@@ -30,65 +30,55 @@ description: > ## eBPF Subsystem Interactions {#ebpf} -This policy adds monitoring of all BPF programs loaded and file operations over the -BPFFS. The BPFFS is where map file descriptors live allowing programs access to the -BPF user to kernel space. +### Description -To apply the policy use kubect apply, +Audit BPF program loads and BPFFS interactions -```shell-session -kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml -``` +### Use Case -Now we can do inspect the data to learn interesting things about the system. For example -to find all loaded programs on the system, +Understanding BPF programs loaded in a cluster and interactions between applications +and programs can identify bugs and malicious or unexpected BPF activity. -```shell-session +### Policy -``` +[bpf.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml) -Or all programs writing to a BPF map, +### Example jq Filter ```shell-session + ``` -Similarly we might be concerned about all reads, +### Example Output ```shell-session ``` -Continue to explore the data set to learn interesting things here. - ## Kernel Module Audit Trail {#kernel-module} -This policy adds monitoring of all BPF programs loaded and file operations over the -BPFFS. The BPFFS is where map file descriptors live allowing programs access to the -BPF user to kernel space. +### Description -To apply the policy use kubect apply, +Audit loading of kernel modules -```shell-session -kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml -``` +### Use Case -Now we can do inspect the data to learn interesting things about the system. For example -to find all loaded programs on the system, +Understanding exactly what kernel modules are running in the cluster is crucial to understand attack surface and any malicious actors loading unexpected modules. 
-```shell-session +### Policy -``` +[module.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/module.yaml) -Or all programs writing to a BPF map, +### Example jq Filter ```shell-session + ``` -Similarly we might be concerned about all reads, +### Example Output ```shell-session ``` - ## Shared Library Loading {#library} ### Description 
@@ -171,47 +161,35 @@ jq 'select(.process_exec != null) | select(.process_exec.process.binary | contai ## SSHd connection monitoring {#ssh-network} -This policy adds monitoring of all network connections accepted by SSHd to Tetragon. - -To apply the policy use kubect apply, - -```shell-session -kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/acceptsshd.yaml -``` +### Description -To find all sessions over SSHd, +Monitor sessions to SSHd -```shell-session +### Use Case -``` +It is best practice to audit remote connections into a shell server. -## Outbound connections {#egress-connections} +### Policy -This policy adds monitoring of all BPF programs loaded and file operations over the -BPFFS. The BPFFS is where map file descriptors live allowing programs access to the -BPF user to kernel space. +[sshd.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sshd.yaml) -To apply the policy use kubect apply, +### Example jq Filter -```shell-session -kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml -``` +### Example Output -Now we can do inspect the data to learn interesting things about the system. For example -to find all loaded programs on the system, +## Outbound connections {#egress-connections} -```shell-session +### Description -``` +Monitor all cluster egress connections -Or all programs writing to a BPF map, +### Use Case -```shell-session -``` +Connections made outside a Kubernetes cluster can be audited to provide insights +into any unexpected or malicious reverse shells. -Similarly we might be concerned about all reads, +### Policy -```shell-session -``` +### Example jq Filter -Continue to explore the data set to learn interesting things here. +### Example Output
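Review bot: in the first hunk (`@@ -30,65 +30,55 @@`, eBPF Subsystem Interactions and Kernel Module Audit Trail) the new `### Example jq Filter` and `### Example Output` headings are followed by empty ```shell-session fences, which render as blank code boxes; either fill them with a filter in the style the Shared Library section already uses (`jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains(...))'`) plus a sample event, or drop the empty fences until there is content. The hunk also removes the `kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml` instruction and leaves only a link to the YAML, so check that the policy library landing page still tells readers how to apply a policy. Wording nit in the Kernel Module use case: "crucial to understand attack surface and any malicious actors" reads better as "crucial to understanding the attack surface and spotting malicious actors loading unexpected modules". Replacing the copy-pasted BPF description and `bpf.yaml` link under Kernel Module with `module.yaml` is the right fix and is worth mentioning in the commit message.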
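Review bot: in the second hunk (`@@ -171,47 +161,35 @@`) the SSHd policy link changes from `examples/policylibrary/acceptsshd.yaml` to `examples/policylibrary/sshd.yaml`, but the diffstat shows only `_index.md` changing, so no rename ships with this patch; confirm `sshd.yaml` already exists on `main` or keep the old filename, otherwise the link 404s. The Outbound connections section ends with bare `### Policy`, `### Example jq Filter` and `### Example Output` headings with nothing under them, no YAML link and not even the empty fences the first hunk uses; either add the egress policy link and the same placeholders for consistency, or mark the section as TODO so it is not published as empty headings. The one-line descriptions ("Monitor sessions to SSHd", "Monitor all cluster egress connections") are also missing trailing periods, unlike the Use Case paragraphs below them.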