diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md index e2dd8138de9..0807c9c9556 100644 --- a/docs/content/en/docs/policy-library/observability/_index.md +++ b/docs/content/en/docs/policy-library/observability/_index.md 
@@ -119,29 +119,24 @@ the base feature set of exec tracing can be useful. To find all executables from /tmp ```shell-session -# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | .process_exec.process | "\(.binary) \(.pod.namespace) \(.pod.name)"' -"/tmp/nc default xwing" -"/tmp/nc default xwing" -"/tmp/nc default xwing" -"/tmp/nc default xwing" - +# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | "\(.time) \(.process_exec.process.pod.namespace) \(.process_exec.process.pod.name) \(.process_exec.process.binary) \(.process_exec.process.arguments)"' +"2023-10-31T18:44:22.777962637Z default xwing /tmp/nc ebpf.io 1234" ``` ## sudo Invocation Monitoring {#sudo} -This policy adds sudo monitoring to Tetragon. +No policy is required to monitor for execution of sudo. Execution tracing is +consider core functionality. -To apply the policy use kubect apply, +To find any sudo operatoins, ```shell-session -kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sudo.yaml +$ kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("sudo")) | "\(.time) \(.process_exec.process.pod.namespace) \(.process_exec.process.binary) \(.process_exec.process.arguments)"' +"2023-10-31T19:03:35.273111185Z null /usr/bin/sudo -i" ``` -To find any sudo operatoins, +Here we caught a user running sudo in the host platform indicated by the empty pod info. -```shell-session - -``` ## SSHd connection monitoring {#ssh-network}
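Review bot: the added sudo query `select(.process_exec.process.binary | contains("sudo"))` overmatches, since `contains` is a substring test and will also report `sudoedit`, `sudoreplay` or any binary that lives under a directory with "sudo" in its path; anchor on the basename instead, e.g. `select(.process_exec.process.binary | endswith("/sudo"))` or `select(.process_exec.process.binary == "/usr/bin/sudo")`. The same applies, less severely, to `contains("/tmp/")` in the /tmp example, which also matches `/var/tmp/...`; `startswith("/tmp/")` expresses the stated intent ("all executables from /tmp"). The new prose also carries two typos that were moved rather than fixed: "consider core functionality" should read "considered core functionality", and "To find any sudo operatoins," should read "To find any sudo operations,". Minor consistency points in the same hunk: the two examples use different prompts (`# kubectl ...` for /tmp, `$ kubectl ...` for sudo), and the sentence "indicated by the empty pod info" describes output that actually prints `null`, so "null pod info" would match what the reader sees.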