From ca9fcf1ff9056044dae1842e31a5ae3715d94de8 Mon Sep 17 00:00:00 2001 From: John Fastabend Date: Tue, 31 Oct 2023 20:33:15 -0700 Subject: [PATCH] tetragon: library policy module load audit Signed-off-by: John Fastabend --- .../policy-library/observability/_index.md | 13 ++++++- examples/policylibrary/modules.yaml | 37 +++++++++++++++++++ .../{acceptsshd.yaml => sshd.yaml} | 17 +++++---- 3 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 examples/policylibrary/modules.yaml rename examples/policylibrary/{acceptsshd.yaml => sshd.yaml} (90%) diff --git a/docs/content/en/docs/policy-library/observability/_index.md b/docs/content/en/docs/policy-library/observability/_index.md index ed3a5bfd946..a55bbec4809 100644 --- a/docs/content/en/docs/policy-library/observability/_index.md +++ b/docs/content/en/docs/policy-library/observability/_index.md @@ -72,12 +72,13 @@ Understanding exactly what kernel modules are running in the cluster is crucial ### Example jq Filter ```shell-session - + jq 'select(.process_kprobe != null) | select(.process_kprobe.function_name | test("security_kernel_module_request")) | "\(.time) \(.process_kprobe.process.binary) \(.process_kprobe.process.arguments) module:\(.process_kprobe.args[0].string_arg)"' ``` ### Example Output ```shell-session +"2023-11-01T04:11:38.390880528Z /sbin/iptables -A OUTPUT -m cgroup --cgroup 1 -j LOG module:ipt_LOG" ``` ## Shared Library Loading {#library} @@ -159,7 +160,6 @@ jq 'select(.process_exec != null) | select(.process_exec.process.binary | contai "2023-10-31T19:03:35.273111185Z null /usr/bin/sudo -i" ``` - ## SSHd connection monitoring {#ssh-network} ### Description 
@@ -176,7 +176,14 @@ It is best practice to audit remote connections into a shell server. ### Example jq Filter +```shell-session + jq 'select(.process_kprobe != null) | select(.process_kprobe.function_name | test("tcp_close")) | "\(.time) \(.process_kprobe.process.binary) \(.process_kprobe.process.arguments) \(.process_kprobe.args[0].sock_arg.family) \(.process_kprobe.args[0].sock_arg.type) \(.process_kprobe.args[0].sock_arg.protocol) \(.process_kprobe.args[0].sock_arg.saddr):\(.process_kprobe.args[0].sock_arg.sport)"' +``` + ### Example Output +```shell-session +"2023-11-01T04:51:20.109146920Z /usr/sbin/sshd default/xwing AF_INET SOCK_STREAM IPPROTO_TCP 127.0.0.1:22" +``` ## Outbound connections {#egress-connections}
@@ -191,6 +198,8 @@ into any unexpected or malicious reverse shells. ### Policy +[egress.yaml](https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/egress.yaml) + ### Example jq Filter ### Example Output
diff --git a/examples/policylibrary/modules.yaml b/examples/policylibrary/modules.yaml
new file mode 100644
index 00000000000..9e1c5fa2eed
--- /dev/null
+++ b/examples/policylibrary/modules.yaml
@@ -0,0 +1,37 @@
+# This tracing policy monitors kernel modules operations.
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "monitor-kernel-modules"
+ #annotations:
+ #description: "Monitor kernel modules operations"
+spec:
+ kprobes:
+ - call: "security_kernel_module_request"
+ # Automatic module loading detection
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "string"
+ returnArg:
+ index: 0
+ type: "int"
+ - call: "security_kernel_read_file"
+ # Explicit module loading using file descriptor finit_module() to print module full path
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "file"
+ - index: 1
+ type: "int"
+ returnArg:
+ index: 0
+ type: "int"
+ selectors:
+ - matchArgs:
+ - index: 1
+ operator: "Equal"
+ values:
+ - "2" # READING_MODULE
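Review bot: The `security_kernel_read_file` kprobe only observes module loads that arrive through a file descriptor (finit_module(2)), as its own comment says; the older init_module(2) entry point hands the kernel an image from user memory, opens no file and therefore never reaches this hook, so a policy named monitor-kernel-modules does not see that path at all. The LSM hook on that path is `security_kernel_load_data`, so a third kprobe on it with `return: true` and a `matchArgs` selector on its id argument for the module case would cover it (take the enum value from the running kernel's `kernel_load_data_id` rather than reusing the `"2"` used here for `kernel_read_file_id`). The trailing `# READING_MODULE` on the `- "2"` line says nothing about which enum the number belongs to; a full-width comment above it, `# kernel_read_file_id: READING_MODULE`, would. The commented-out `#annotations:`/`#description:` lines under `metadata` look like a leftover and should either become a real `annotations:` map or be removed.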
diff --git a/examples/policylibrary/acceptsshd.yaml b/examples/policylibrary/sshd.yaml
similarity index 90%
rename from examples/policylibrary/acceptsshd.yaml
rename to examples/policylibrary/sshd.yaml
index 1c9cde005de..049ea29ca4e 100644
--- a/examples/policylibrary/acceptsshd.yaml
+++ b/examples/policylibrary/sshd.yaml
@@ -3,6 +3,9 @@ kind: TracingPolicy
 metadata:
 name: "accept"
 spec:
+ options:
+ - name: "disable-kprobe-multi"
+ value: "1"
 kprobes:
 - call: "sk_alloc"
 syscall: false
@@ -24,7 +27,7 @@ spec:
 matchBinaries:
 - operator: "In"
 values:
- - "/usr/bin/sshd"
+ - "/usr/sbin/sshd"
 - "/usr/sbin/tcpserver"
 - call: "sk_free"
 syscall: false
@@ -37,14 +40,14 @@ spec:
 operator: "Family"
 values:
 - "AF_INET"
+ matchActions:
+ - action: UntrackSock
+ argSock: 0
 matchBinaries:
 - operator: "In"
 values:
- - "/usr/bin/sshd"
+ - "/usr/sbin/sshd"
 - "/usr/sbin/tcpserver"
- matchActions:
- - action: UntrackSock
- argSock: 0
 - call: "tcp_set_state"
 syscall: false
 args:
@@ -66,7 +69,7 @@ spec:
 matchBinaries:
 - operator: "In"
 values:
- - "/usr/bin/sshd"
+ - "/usr/sbin/sshd"
 - "/usr/sbin/tcpserver"
 - call: "tcp_close"
 syscall: false
@@ -87,5 +90,5 @@ spec:
 - matchBinaries:
 - operator: "In"
 values:
- - "/usr/bin/sshd"
+ - "/usr/sbin/sshd"
 - "/usr/sbin/tcpserver"
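Review bot: Swapping `/usr/bin/sshd` for `/usr/sbin/sshd` in the four `matchBinaries` lists (the hunks at -24, -37, -66 and -87) trades one filesystem layout for another instead of covering both: distributions with a merged /usr and no separate sbin (Arch Linux, for one) install sshd at /usr/bin/sshd, and there the policy simply stops matching without any error. Since `operator: "In"` takes a list, keeping both entries costs nothing: `- "/usr/bin/sshd"`, `- "/usr/sbin/sshd"`, `- "/usr/sbin/tcpserver"`. The new `disable-kprobe-multi` option in the first hunk is added without a word on why this policy needs it; a one-line comment above it naming what in the policy requires turning kprobe-multi off would save the next reader a bisect. The `name: "accept"` visible in that hunk's context no longer matches the file's new name sshd.yaml; something like `name: "monitor-sshd-connections"` would also line up with the `monitor-kernel-modules` naming used by the new modules.yaml in this same commit.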