tetragon: docs jq commands
Update command

Signed-off-by: John Fastabend <[email protected]>
jrfastab committed Oct 31, 2023
1 parent 1a9f426 commit ca97307
Showing 1 changed file with 8 additions and 13 deletions.
21 changes: 8 additions & 13 deletions docs/content/en/docs/policy-library/observability/_index.md
Expand Up @@ -119,29 +119,24 @@ the base feature set of exec tracing can be useful.
To find all executables from /tmp

```shell-session
# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | .process_exec.process | "\(.binary) \(.pod.namespace) \(.pod.name)"'
"/tmp/nc default xwing"
"/tmp/nc default xwing"
"/tmp/nc default xwing"
"/tmp/nc default xwing"
# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | "\(.time) \(.process_exec.process.pod.namespace) \(.process_exec.process.pod.name) \(.process_exec.process.binary) \(.process_exec.process.arguments)"'
"2023-10-31T18:44:22.777962637Z default xwing /tmp/nc ebpf.io 1234"
```

## sudo Invocation Monitoring {#sudo}

This policy adds sudo monitoring to Tetragon.
No policy is required to monitor for execution of sudo. Execution tracing is
consider core functionality.

To apply the policy use kubect apply,
To find any sudo operatoins,

```shell-session
kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sudo.yaml
$ kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("sudo")) | "\(.time) \(.process_exec.process.pod.namespace) \(.process_exec.process.binary) \(.process_exec.process.arguments)"'
"2023-10-31T19:03:35.273111185Z null /usr/bin/sudo -i"
```

To find any sudo operatoins,
Here we caught a user running sudo in the host platform indicated by the empty pod info.

```shell-session
```

## SSHd connection monitoring {#ssh-network}
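Review bot: the sudo section of this hunk ends up internally inconsistent and leaves an empty fenced block behind. The prose says "No policy is required to monitor for execution of sudo", yet "To apply the policy use kubect apply," and the `kubectl apply -f .../sudo.yaml` line remain, and that apply line sits inside the same `shell-session` block as the `$ kubectl logs ... | jq` command without a prompt, so a reader copying the block gets both. Either drop the apply sentence and line, or move the apply command into its own block with a prompt. The sentence "To find any sudo operatoins," now appears twice (once before the block, once after it, followed by an empty ```` ```shell-session ```` / ```` ``` ```` pair that renders as a blank code box); keep the first occurrence, delete the second and the empty fence, and fix the spelling ("operations", "kubectl", "considered core functionality"). Two smaller points on the commands themselves: the explanation says the host invocation is "indicated by the empty pod info", but the sample output shows the namespace field printed as the literal `null`, so the text should say `null` to match what the reader will see; and `select(.process_exec.process.binary | contains("sudo"))` is a substring match on the full path, so it will also report any other binary whose path contains "sudo" (and likewise `contains("/tmp/")` matches anywhere in the path); if the intent is to flag the sudo binary specifically, an exact match or `endswith("/sudo")` gives fewer false positives in the filtered output.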

