diff --git a/docs/content/en/docs/policy-library/_index.md b/docs/content/en/docs/policy-library/_index.md
new file mode 100644
index 00000000000..ca269dec1d2
--- /dev/null
+++ b/docs/content/en/docs/policy-library/_index.md
@@ -0,0 +1,8 @@
+---
+title: "Policy Library"
+weight: 3
+description: >
+ Library of policies that implement Tetragon observability and runtime enforcement.
+ mechanisms.
+---
+
diff --git a/docs/content/en/docs/policy-library/bpf.md b/docs/content/en/docs/policy-library/bpf.md
new file mode 100644
index 00000000000..1e1ef8e6ab2
--- /dev/null
+++ b/docs/content/en/docs/policy-library/bpf.md
@@ -0,0 +1,34 @@
+---
+title: "BPF monitoring"
+weight: 2
+description: "Monitor BPF program and file operations on BPFFS"
+---
+
+This policy adds monitoring of all BPF programs loaded and file operations over the
+BPFFS. The BPFFS is where map file descriptors live allowing programs access to the
+BPF user to kernel space.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/bpf.yaml
+```
+
+Now we can do inspect the data to learn interesting things about the system. For example
+to find all loaded programs on the system,
+
+```shell-session
+
+```
+
+Or all programs writing to a BPF map,
+
+```shell-session
+```
+
+Similarly we might be concerned about all reads,
+
+```shell-session
+```
+
+Continue to explore the data set to learn interesting things here.
diff --git a/docs/content/en/docs/policy-library/library-version.md b/docs/content/en/docs/policy-library/library-version.md
new file mode 100644
index 00000000000..755101bde38
--- /dev/null
+++ b/docs/content/en/docs/policy-library/library-version.md
@@ -0,0 +1,23 @@
+---
+title: "Library version monitoring"
+weight: 2
+description: "Monitor library loads for out of date openssl library"
+---
+
+This policy adds library monitoring to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/library.yaml
+```
+
+This will record library loads. To find all use of a specific library use
+the following, in this case checking std C library.
+
+```shell-session
+
+```
+
+We can further restrict to only find versions before some number by adding
+a versoin check.
diff --git a/docs/content/en/docs/policy-library/sshd-accepts.md b/docs/content/en/docs/policy-library/sshd-accepts.md
new file mode 100644
index 00000000000..d03542f4739
--- /dev/null
+++ b/docs/content/en/docs/policy-library/sshd-accepts.md
@@ -0,0 +1,19 @@
+---
+title: "SSHd connection monitoring"
+weight: 2
+description: "Monitor network connections over SSHd"
+---
+
+This policy adds monitoring of all network connections accepted by SSHd to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/acceptsshd.yaml
+```
+
+To find all sessions over SSHd,
+
+```shell-session
+
+```
diff --git a/docs/content/en/docs/policy-library/sudo.md b/docs/content/en/docs/policy-library/sudo.md
new file mode 100644
index 00000000000..0708a1dd890
--- /dev/null
+++ b/docs/content/en/docs/policy-library/sudo.md
@@ -0,0 +1,19 @@
+---
+title: "sudo monitoring"
+weight: 2
+description: "Monitor any sudo operations"
+---
+
+This policy adds sudo monitoring to Tetragon.
+
+To apply the policy use kubect apply,
+
+```shell-session
+kubectl apply -f https://raw.githubusercontent.com/cilium/tetragon/main/examples/policylibrary/sudo.yaml
+```
+
+To find any sudo operatoins,
+
+```shell-session
+
+```
diff --git a/docs/content/en/docs/policy-library/tmp-execs.md b/docs/content/en/docs/policy-library/tmp-execs.md
new file mode 100644
index 00000000000..de87f66a502
--- /dev/null
+++ b/docs/content/en/docs/policy-library/tmp-execs.md
@@ -0,0 +1,21 @@
+---
+title: "Tmp binary"
+weight: 2
+description: "Monitor executions from /tmp directory"
+---
+
+This policy adds monitoring of any executions in the /tmp directory.
+
+For this we can simply query the default execution data showing even
+the base feature set of exec tracing can be useful.
+
+To find all executables from /tmp
+
+```shell-session
+# kubectl logs -n kube-system ds/tetragon -c export-stdout | jq 'select(.process_exec != null) | select(.process_exec.process.binary | contains("/tmp/")) | .process_exec.process | "\(.binary) \(.pod.namespace) \(.pod.name)"'
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+"/tmp/nc default xwing"
+
+```
diff --git a/examples/policylibrary/acceptsshd.yaml b/examples/policylibrary/acceptsshd.yaml
new file mode 100644
index 00000000000..1c9cde005de
--- /dev/null
+++ b/examples/policylibrary/acceptsshd.yaml
@@ -0,0 +1,91 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "accept"
+spec:
+ kprobes:
+ - call: "sk_alloc"
+ syscall: false
+ return: true
+ args:
+ - index: 1
+ type: int
+ label: "Family"
+ returnArg:
+ index: 0
+ type: sock
+ returnArgAction: TrackSock
+ selectors:
+ - matchArgs:
+ - index: 1
+ operator: "Equal"
+ values:
+ - "2"
+ matchBinaries:
+ - operator: "In"
+ values:
+ - "/usr/bin/sshd"
+ - "/usr/sbin/tcpserver"
+ - call: "sk_free"
+ syscall: false
+ args:
+ - index: 0
+ type: sock
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "Family"
+ values:
+ - "AF_INET"
+ matchBinaries:
+ - operator: "In"
+ values:
+ - "/usr/bin/sshd"
+ - "/usr/sbin/tcpserver"
+ matchActions:
+ - action: UntrackSock
+ argSock: 0
+ - call: "tcp_set_state"
+ syscall: false
+ args:
+ - index: 0
+ type: "sock"
+ - index: 1
+ type: "int"
+ label: "state"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "State"
+ values:
+ - "TCP_SYN_RECV"
+ - index: 1
+ operator: "Equal"
+ values:
+ - "1"
+ matchBinaries:
+ - operator: "In"
+ values:
+ - "/usr/bin/sshd"
+ - "/usr/sbin/tcpserver"
+ - call: "tcp_close"
+ syscall: false
+ args:
+ - index: 0
+ type: "sock"
+ - call: "tcp_create_openreq_child"
+ syscall: false
+ return: true
+ args:
+ - index: 0
+ type: "sock"
+ returnArg:
+ index: 0
+ type: sock
+ returnArgAction: TrackSock
+ selectors:
+ - matchBinaries:
+ - operator: "In"
+ values:
+ - "/usr/bin/sshd"
+ - "/usr/sbin/tcpserver"
diff --git a/examples/policylibrary/bpf.yaml b/examples/policylibrary/bpf.yaml
new file mode 100644
index 00000000000..55b8d96b054
--- /dev/null
+++ b/examples/policylibrary/bpf.yaml
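Review bot: Every `matchBinaries` list in this policy (the sk_alloc, sk_free, tcp_set_state and tcp_create_openreq_child selectors) matches only `/usr/bin/sshd`, but on Debian/Ubuntu and RHEL-family hosts OpenSSH's daemon is installed as `/usr/sbin/sshd`, so on those systems no selector ever fires and the policy silently records nothing; add `- "/usr/sbin/sshd"` to each of the four `values` lists, or state in a header comment which filesystem layout the path assumes. The `tcp_close` kprobe is the only hook with no selector at all, so it fires for every TCP close on the node rather than just sshd's and is not limited to the sockets tracked by `TrackSock` — give it the same `matchBinaries` selector as its siblings, otherwise it is the noisiest hook in the policy and cannot be correlated with the accepts. Since matchBinaries keys on the executed path, an sshd started from a copied or renamed binary is not covered, and the inclusion of `/usr/sbin/tcpserver` plus the generic `name: "accept"` do not match the companion doc's "SSHd" scope; a name like `accept-sshd` and a one-line header comment naming the daemons targeted would make the policy's coverage explicit.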
@@ -0,0 +1,29 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "bpf"
+spec:
+ kprobes:
+ # Bpf verifier check during program loads
+ # int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr)
+ - call: "bpf_check"
+ syscall: false
+ args:
+ - index: 1
+ type: "bpf_attr"
+ # First step of kprobe attach process: open perf event
+ # int security_perf_event_alloc(struct perf_event *event)
+ - call: "security_perf_event_alloc"
+ syscall: false
+ args:
+ - index: 0
+ type: "perf_event"
+ # Second step of kprobe attach process: attach bpf program to perf event: todo
+ # Called during bpf map create
+ # int security_bpf_map_alloc(struct bpf_map *map)
+ - call: "security_bpf_map_alloc"
+ syscall: false
+ args:
+ - index: 0
+ type: "bpf_map"
+ # Bpf map lookups/updates: todo
diff --git a/examples/policylibrary/library.yaml b/examples/policylibrary/library.yaml
new file mode 100644
index 00000000000..29851168d8e
--- /dev/null
+++ b/examples/policylibrary/library.yaml
@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: "loader"
+spec:
+ options:
+ - name: "disable-kprobe-multi"
+ value: "1"
+ loader: true
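Review bot: The two `todo` comments (`attach bpf program to perf event: todo` and `Bpf map lookups/updates: todo`) mean the policy observes only program verification via `bpf_check`, perf-event allocation and map creation, yet the bpf.md added in this same change advertises monitoring of "file operations over the BPFFS" and of programs reading and writing maps, none of which any hook here covers; either add those hooks or add a header comment stating the real scope, e.g. `# Scope: records BPF program verification, perf-event allocation and map creation only; BPFFS file ops and map lookups/updates are not yet hooked.` `bpf_check` is an internal verifier entry point rather than a stable LSM hook, and `security_perf_event_alloc` / `security_bpf_map_alloc` exist only on kernels that carry those LSM hooks, so on a kernel missing any of these symbols the whole policy fails to load — the minimum kernel version belongs in that same header. Tetragon's own program loads and map creations will presumably also trigger these kprobes, so a selector or at least a note on excluding the tetragon binary may be needed to keep the export usable; worth confirming before this is published as a library policy.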
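Review bot: The `disable-kprobe-multi` option is set to `"1"` with no comment explaining why `loader: true` needs the single-kprobe attach path, and the policy name `loader` matches neither the file name (library.yaml) nor the doc title "Library version monitoring"; a one-line comment above the option such as `# loader tracing requires the classic kprobe attach path, so kprobe-multi is disabled here` (confirm the exact reason against the loader sensor) would save the next reader a trip through the source. Note also that the policy has no binary or path selector, so it records every library load on the node, and library-version.md describes a version check that nothing in this policy or in the doc implements, so the advertised "out of date openssl" use case currently rests entirely on client-side filtering of the export.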