default-policies: trace kprobes arm and disarm operations #1921
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
tixxdz
commented
Dec 28, 2023
•
tixxdz
commented
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Load default shipped tracing policies from /usr/lib/tetragon/tetragon.tp.d/ Make /etc/tetragon/tetragon.tp.d/ for administrators and users only. This way we allow both to work together without conflicting. Users can just remove /usr/lib/tetragon/tetragon.tp.d/ or tracing policies inside that directory and restart to ingore the default shipped ones. Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Add default tracing policy that observes if kprobes is being disabled. On most distros it is enabled by default, so any modification here could indicate that kprobes are being disarmed. We will add more tracing to go by kprobe arm and disarm operation. Signed-off-by: Djalal Harouni <[email protected]>
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Signed-off-by: Djalal Harouni <[email protected]>
tixxdz
force-pushed
the
pr/tixxdz/default-policy-kprobes
branch
from
50f95cf to
0227aa4
Compare
Add KernelProbe to monitor kprobes usage. Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Signed-off-by: Djalal Harouni <[email protected]>
Output:
"function_name": "disarm_kprobe_ftrace",
"args": [
{
"kprobe_arg": {
"offset": 0,
"symbol": "__pfx_security_bprm_committing_creds"
}
}
],
"action": "KPROBE_ACTION_POST",
"policy_name": "kprobes-observe",
"return_action": "KPROBE_ACTION_POST",
"message": "Disable a kprobe (kernel probe)"
"function_name": "disarm_kprobe_ftrace",
"args": [
{
"kprobe_arg": {
"offset": 0,
"symbol": "__pfx_wake_up_new_task"
}
}
],
"action": "KPROBE_ACTION_POST",
"policy_name": "kprobes-observe",
"return_action": "KPROBE_ACTION_POST",
"message": "Disable a kprobe (kernel probe)"
"function_name": "disarm_kprobe_ftrace",
"args": [
{
"kprobe_arg": {
"offset": 0,
"symbol": "__pfx_acct_process"
}
}
],
"action": "KPROBE_ACTION_POST",
"policy_name": "kprobes-observe",
"return_action": "KPROBE_ACTION_POST",
"message": "Disable a kprobe (kernel probe)"
Signed-off-by: Djalal Harouni <[email protected]>
tixxdz
changed the title
Signed-off-by: Djalal Harouni <[email protected]>
kkourt
added
the
needs-rebase
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.