tetragon: Add policy library section

Add a section for adding a library of policies. These are short, useful bit of policy that can be easily and quickly deployed. Signed-off-by: John Fastabend <[email protected]>
cilium · Oct 31, 2023 · f11d7a4 · f11d7a4
1 parent b737d2d
commit f11d7a4
Show file tree

Hide file tree

Showing 9 changed files with 253 additions and 0 deletions.
diff --git a/docs/content/en/docs/policy-library/_index.md b/docs/content/en/docs/policy-library/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Policy Library"
+weight: 3
+description: >
+  Library of policies that implement Tetragon observability and runtime enforcement.
+  mechanisms.
+---
+
diff --git a/docs/content/en/docs/policy-library/bpf.md b/docs/content/en/docs/policy-library/bpf.md
@@ -0,0 +1,34 @@
+---
+title: "BPF monitoring"
+weight: 2
+description: "Monitor BPF program and file operations on BPFFS"
+---
+
+This policy adds monitoring of all BPF programs loaded and file operations over the
+BPFFS. The BPFFS is where map file descriptors live allowing programs access to the
+BPF user to kernel space.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml
+```
+
+Now we can do inspect the data to learn interesting things about the system. For example
+to find all loaded programs on the system,
+
+```shell-session
+
+```
+
+Or all programs writing to a BPF map,
+
+```shell-session
+```
+
+Similarly we might be concerned about all reads,
+
+```shell-session
+```
+
+Continue to explore the data set to learn interesting things here.
diff --git a/docs/content/en/docs/policy-library/library-version.md b/docs/content/en/docs/policy-library/library-version.md
@@ -0,0 +1,23 @@
+---
+title: "Library version monitoring"
+weight: 2
+description: "Monitor library loads for out of date openssl library"
+---
+
+This policy adds library monitoring to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/library.yaml
+```
+
+This will record library loads. To find all use of a specific library use
+the following, in this case checking std C library.
+
+```shell-session
+
+```
+
+We can further restrict to only find versions before some number by adding
+a versoin check.
diff --git a/docs/content/en/docs/policy-library/sshd-accepts.md b/docs/content/en/docs/policy-library/sshd-accepts.md
@@ -0,0 +1,19 @@
+---
+title: "SSHd connection monitoring"
+weight: 2
+description: "Monitor network connections over SSHd"
+---
+
+This policy adds monitoring of all network connections accepted by SSHd to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/acceptsshd.yaml
+```
+
+To find all sessions over SSHd,
+
+```shell-session
+
+```
diff --git a/docs/content/en/docs/policy-library/sudo.md b/docs/content/en/docs/policy-library/sudo.md
@@ -0,0 +1,19 @@
+---
+title: "sudo monitoring"
+weight: 2
+description: "Monitor any sudo operations"
+---
+
+This policy adds sudo monitoring to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sudo.yaml
+```
+
+To find any sudo operatoins,
+
+```shell-session
+
+```
diff --git a/docs/content/en/docs/policy-library/tmp-execs.md b/docs/content/en/docs/policy-library/tmp-execs.md
@@ -0,0 +1,21 @@
+---
+title: "Tmp binary"
+weight: 2
+description: "Monitor executions from /tmp directory"
+---
+
+This policy adds monitoring of any executions in the /tmp directory.
+
+For this we can simply query the default execution data showing even
+the base feature set of exec tracing can be useful.
+
+To find all executables from /tmp
+
+```shell-session
+# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | .process_exec.process |  "\(.binary) \(.pod.namespace) \(.pod.name)"'
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+
+```
diff --git a/examples/policylibrary/acceptsshd.yaml b/examples/policylibrary/acceptsshd.yaml
@@ -0,0 +1,91 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "accept"
+spec:
+  kprobes:
+  - call: "sk_alloc"
+    syscall: false
+    return: true
+    args:
+    - index: 1
+      type: int
+      label: "Family"
+    returnArg:
+      index: 0
+      type: sock
+    returnArgAction: TrackSock
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Equal"
+        values:
+        - "2"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/sshd"
+        - "/usr/sbin/tcpserver"
+  - call: "sk_free"
+    syscall: false
+    args:
+    - index: 0
+      type: sock
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "Family"
+        values:
+        - "AF_INET"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/sshd"
+        - "/usr/sbin/tcpserver"
+      matchActions:
+      - action: UntrackSock
+        argSock: 0
+  - call: "tcp_set_state"
+    syscall: false
+    args:
+    - index: 0
+      type: "sock"
+    - index: 1
+      type: "int"
+      label: "state"
+    selectors:
+    - matchArgs:
+      - index: 0
+        operator: "State"
+        values:
+        - "TCP_SYN_RECV"
+      - index: 1
+        operator: "Equal"
+        values:
+        - "1"
+      matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/sshd"
+        - "/usr/sbin/tcpserver"
+  - call: "tcp_close"
+    syscall: false
+    args:
+    - index: 0
+      type: "sock"
+  - call: "tcp_create_openreq_child"
+    syscall: false
+    return: true
+    args:
+    - index: 0
+      type: "sock"
+    returnArg:
+      index: 0
+      type: sock
+    returnArgAction: TrackSock
+    selectors:
+    - matchBinaries:
+      - operator: "In"
+        values:
+        - "/usr/bin/sshd"
+        - "/usr/sbin/tcpserver"
diff --git a/examples/policylibrary/bpf.yaml b/examples/policylibrary/bpf.yaml
@@ -0,0 +1,29 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "bpf"
+spec:
+ kprobes:
+ # Bpf verifier check during program loads
+ # int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr)
+ - call: "bpf_check"
+   syscall: false
+   args:
+   - index: 1
+     type: "bpf_attr"
+ # First step of kprobe attach process: open perf event
+ # int security_perf_event_alloc(struct perf_event *event)
+ - call: "security_perf_event_alloc"
+   syscall: false
+   args:
+   - index: 0
+     type: "perf_event"
+ # Second step of kprobe attach process: attach bpf program to perf event: todo
+ # Called during bpf map create
+ # int security_bpf_map_alloc(struct bpf_map *map)
+ - call: "security_bpf_map_alloc"
+   syscall: false
+   args:
+   - index: 0
+     type: "bpf_map"
+ # Bpf map lookups/updates: todo
diff --git a/examples/policylibrary/library.yaml b/examples/policylibrary/library.yaml
@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "loader"
+spec:
+  options:
+  - name: "disable-kprobe-multi"
+    value: "1"
+  loader: true