# This 'process.credentials.changes.at.syscalls' Tracing Policy # monitors processes trying to change their credentials inside # a pid namespace. If you want to monitor all processes including # host ones, remove the matchNamespaces selector. # # Monitors the following system calls: # - setuid(), setgid(), setfsuid(), setfsgid() # setreuid(), setregid(), setresuid(), setresgid() # # - setgroups() TODO # apiVersion: cilium.io/v1alpha1 kind: TracingPolicy metadata: name: "process.credentials.changes.at.syscalls" spec: kprobes: - call: "sys_setuid" syscall: true args: - index: 0 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setgid" syscall: true args: - index: 0 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setreuid" syscall: true args: - index: 0 type: "int" - index: 1 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setregid" syscall: true args: - index: 0 type: "int" - index: 1 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setresuid" syscall: true args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setresgid" syscall: true args: - index: 0 type: "int" - index: 1 type: "int" - index: 2 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setfsuid" syscall: true args: - index: 0 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns" - call: "sys_setfsgid" syscall: true args: - index: 0 type: "int" selectors: - matchNamespaces: - namespace: Pid operator: NotIn values: - "host_ns"