Appendix: Tracing Policies
This appendix provides the Tetragon tracing policies (`TracingPolicy` resources) used with CRS and FIM, each listed under its file name. You can copy the given policies to integrate them with CRS and FIM.
CRS Tracing Policies
File name: file-events.yaml
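---
# file-events.yaml — CRS file-operations policy (source-path side).
#
# Scope: every selector carries `matchNamespaces: Pid NotIn host_ns`, so
# only processes in a non-host PID namespace (containers) are traced; the
# same operations performed by host processes are NOT reported here.
#
# How the probes fit together:
#   * fd_install (a kernel function, `syscall: false`) records fd -> path via
#     FollowFD for the watched paths and suppresses its own event (NoPost).
#   * sys_read/readv/write/writev/sendfile64 declare an `fd`-typed argument
#     and no path selector. The intent is that Tetragon resolves that fd
#     through the FollowFD map so untracked fds produce no event — confirm
#     this on the deployed Tetragon version; if it does not hold, these
#     probes fire for every read/write in every container.
#   * sys_close runs UnfollowFD so the map entry is dropped again.
#   * open/rename/unlink probes match the pathname argument as the caller
#     passed it: relative names (e.g. openat(dirfd, "passwd")) or paths that
#     go through a symlink do not match the absolute prefixes below.
#
# Other notes:
#   * Prefix "/etc/hosts" already covers "/etc/hosts.allow" and
#     "/etc/hosts.deny"; the explicit entries are kept for readability.
#   * sys_open, sys_rename and sys_unlink are legacy syscalls that do not
#     exist on every architecture (arm64 only has the *at variants); if the
#     policy fails to load on such nodes, drop those three probes.
#   * The sshd_config entry was corrected from "/etc/sshd/sshd_config" to the
#     standard OpenSSH path "/etc/ssh/sshd_config" (the path the PCI policies
#     in this appendix already use); the old prefix matches nothing on a
#     stock install, silently leaving sshd_config unmonitored.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "file-operations-monitoring"
spec:
  kprobes:
    # Track fds opened on watched files so the fd-based probes below can
    # attribute reads/writes to a path. NoPost: no event for the open itself.
    - call: "fd_install"
      syscall: false
      return: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchActions:
            - action: FollowFD
              argFd: 0
              argName: 1
            - action: NoPost

    # renameat2(olddirfd, oldpath, newdirfd, newpath, flags):
    # index 1 = oldpath (matched), index 3 = newpath (captured only).
    - call: "sys_renameat2"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # rename(oldpath, newpath): index 0 = oldpath (matched).
    - call: "sys_rename"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # renameat(olddirfd, oldpath, newdirfd, newpath): index 1 = oldpath.
    - call: "sys_renameat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # openat(dirfd, pathname, flags, mode): index 1 = pathname.
    - call: "sys_openat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # open(pathname, flags, mode): index 0 = pathname.
    - call: "sys_open"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # fd-based probes: no path selector here; attribution to a watched file
    # relies on the fd having been followed by fd_install above.
    - call: "sys_read"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    - call: "sys_readv"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # sendfile64(out_fd, in_fd, offset, count): index 1 = in_fd, i.e. a
    # watched file being read as the source of a copy.
    - call: "sys_sendfile64"
      syscall: true
      return: true
      args:
        - index: 1
          type: "fd"
          label: "read"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # unlinkat(dirfd, pathname, flags): index 1 = pathname.
    - call: "sys_unlinkat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # unlink(pathname): index 0 = pathname.
    - call: "sys_unlink"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    - call: "sys_write"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    - call: "sys_writev"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # Drop the fd -> path mapping when the descriptor is closed.
    - call: "sys_close"
      syscall: true
      args:
        - index: 0
          type: "fd"
      selectors:
        - matchActions:
            - action: UnfollowFD
              argFd: 0
              argName: 1
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"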
File name: file-events-catch-rename.yaml
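---
# file-events-catch-rename.yaml — CRS file-operations policy, destination
# side. Companion to file-events.yaml: that policy matches the *source*
# path of rename/sendfile, this one matches the *destination*, so that
# overwriting a watched file by renaming a staged copy onto it (or
# sendfile-ing into it) is caught.
#
# Scope: every selector carries `matchNamespaces: Pid NotIn host_ns`, so
# only processes in a non-host PID namespace (containers) are traced.
#
# Notes:
#   * sys_sendfile64 has no path selector; attribution relies on out_fd
#     having been followed by fd_install (confirm on the deployed Tetragon
#     version that untracked fds produce no event here).
#   * sys_rename is a legacy syscall absent on some architectures (arm64
#     only has the *at variants); drop it if the policy fails to load.
#   * The sshd_config entry was corrected from "/etc/sshd/sshd_config" to
#     the standard OpenSSH path "/etc/ssh/sshd_config" (as used by the PCI
#     policies in this appendix); the old prefix matches nothing on a stock
#     install.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "file-operations-monitoring-catch-dest"
spec:
  kprobes:
    - call: "fd_install"
      syscall: false
      return: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchActions:
            - action: FollowFD
              argFd: 0
              argName: 1
            - action: NoPost

    # renameat2(olddirfd, oldpath, newdirfd, newpath, flags):
    # index 3 = newpath (matched), index 1 = oldpath (captured only).
    - call: "sys_renameat2"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 3
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # renameat(olddirfd, oldpath, newdirfd, newpath): index 3 = newpath.
    - call: "sys_renameat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 3
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # rename(oldpath, newpath): index 1 = newpath (matched).
    - call: "sys_rename"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/bashrc"
                - "/etc/ssh/sshd_config"
                - "/etc/iptables"
                - "/etc/passwd"
                - "/etc/shadow"
                - "/etc/sudoers"
                - "/etc/hosts"
                - "/etc/hosts.allow"
                - "/etc/hosts.deny"

    # sendfile64(out_fd, in_fd, offset, count): index 0 = out_fd, i.e. a
    # watched file being written as the destination of a copy.
    - call: "sys_sendfile64"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
          label: "write"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # Drop the fd -> path mapping when the descriptor is closed.
    - call: "sys_close"
      syscall: true
      args:
        - index: 0
          type: "fd"
      selectors:
        - matchActions:
            - action: UnfollowFD
              argFd: 0
              argName: 1
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"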
PCI FIM Tracing Policies
File name: pci-fim.yaml
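---
# pci-fim.yaml — PCI DSS file-integrity policy: opens and deletions of
# credential, audit, SSH/PAM and system-binary paths.
#
# Scope: every selector carries `matchNamespaces: Pid NotIn host_ns`, so
# only processes in a non-host PID namespace (containers) are traced.
#
# Change from the original: fd_install had NO matchArgs, so FollowFD
# tracked every file descriptor installed by every containerized process.
# Nothing in this policy consumes tracked fds (all other probes match on
# the pathname string), so that was pure churn on a fixed-size BPF map —
# and once such a map fills, later FollowFD entries can no longer be
# recorded. fd_install is now scoped with the same Prefix list as the other
# probes, matching how the other policies in this appendix scope it.
#
# Notes:
#   * The flags argument of openat/open is captured (not filtered) so a
#     consumer can tell read-only opens from writes in the event.
#   * Directory prefixes such as "/usr/bin/" match any open under that
#     tree, which can be noisy on busy nodes.
#   * Pathnames are matched as passed to the syscall: relative names via a
#     dirfd, or paths through symlinks, do not match the absolute prefixes.
#   * sys_open and sys_unlink are legacy syscalls absent on some
#     architectures (arm64 only has the *at variants); drop them if the
#     policy fails to load on such nodes.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "pci-fim"
spec:
  kprobes:
    - call: "fd_install"
      syscall: false
      return: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/hosts"
                - "/etc/audit/audit.rules"
                - "/usr/bin/"
                - "/bin/"
                - "/etc/hosts.deny"
                - "/etc/passwd"
                - "/etc/audit/rules.d/audit.rules"
                - "/sbin/iptables"
                - "/etc/pam.d/system-auth"
                - "/etc/ssh/sshd_config"
                - "/var/log/auth.log"
                - "/sbin/"
                - "/etc/audit/auditd.conf"
                - "/usr/sbin/"
                - "/usr/local/sbin/"
                - "/etc/hosts.allow"
                - "/etc/group"
                - "/etc/sudoers"
                - "/var/log/audit/audit.log"
                - "/usr/local/bin/"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchActions:
            - action: FollowFD
              argFd: 0
              argName: 1
            - action: NoPost

    # openat(dirfd, pathname, flags, mode): index 1 = pathname (matched),
    # index 2 = flags (captured).
    - call: "sys_openat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 2
          type: "int"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/hosts"
                - "/etc/audit/audit.rules"
                - "/usr/bin/"
                - "/bin/"
                - "/etc/hosts.deny"
                - "/etc/passwd"
                - "/etc/audit/rules.d/audit.rules"
                - "/sbin/iptables"
                - "/etc/pam.d/system-auth"
                - "/etc/ssh/sshd_config"
                - "/var/log/auth.log"
                - "/sbin/"
                - "/etc/audit/auditd.conf"
                - "/usr/sbin/"
                - "/usr/local/sbin/"
                - "/etc/hosts.allow"
                - "/etc/group"
                - "/etc/sudoers"
                - "/var/log/audit/audit.log"
                - "/usr/local/bin/"

    # open(pathname, flags, mode): index 0 = pathname, index 1 = flags.
    - call: "sys_open"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "int"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/hosts"
                - "/etc/audit/audit.rules"
                - "/usr/bin/"
                - "/bin/"
                - "/etc/hosts.deny"
                - "/etc/passwd"
                - "/etc/audit/rules.d/audit.rules"
                - "/sbin/iptables"
                - "/etc/pam.d/system-auth"
                - "/etc/ssh/sshd_config"
                - "/var/log/auth.log"
                - "/sbin/"
                - "/etc/audit/auditd.conf"
                - "/usr/sbin/"
                - "/usr/local/sbin/"
                - "/etc/hosts.allow"
                - "/etc/group"
                - "/etc/sudoers"
                - "/var/log/audit/audit.log"
                - "/usr/local/bin/"

    # unlinkat(dirfd, pathname, flags): index 1 = pathname.
    - call: "sys_unlinkat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/hosts"
                - "/etc/audit/audit.rules"
                - "/usr/bin/"
                - "/bin/"
                - "/etc/hosts.deny"
                - "/etc/passwd"
                - "/etc/audit/rules.d/audit.rules"
                - "/sbin/iptables"
                - "/etc/pam.d/system-auth"
                - "/etc/ssh/sshd_config"
                - "/var/log/auth.log"
                - "/sbin/"
                - "/etc/audit/auditd.conf"
                - "/usr/sbin/"
                - "/usr/local/sbin/"
                - "/etc/hosts.allow"
                - "/etc/group"
                - "/etc/sudoers"
                - "/var/log/audit/audit.log"
                - "/usr/local/bin/"

    # unlink(pathname): index 0 = pathname.
    - call: "sys_unlink"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/shadow"
                - "/etc/hosts"
                - "/etc/audit/audit.rules"
                - "/usr/bin/"
                - "/bin/"
                - "/etc/hosts.deny"
                - "/etc/passwd"
                - "/etc/audit/rules.d/audit.rules"
                - "/sbin/iptables"
                - "/etc/pam.d/system-auth"
                - "/etc/ssh/sshd_config"
                - "/var/log/auth.log"
                - "/sbin/"
                - "/etc/audit/auditd.conf"
                - "/usr/sbin/"
                - "/usr/local/sbin/"
                - "/etc/hosts.allow"
                - "/etc/group"
                - "/etc/sudoers"
                - "/var/log/audit/audit.log"
                - "/usr/local/bin/"

    # Drop the fd -> path mapping when the descriptor is closed.
    - call: "sys_close"
      syscall: true
      args:
        - index: 0
          type: "fd"
      selectors:
        - matchActions:
            - action: UnfollowFD
              argFd: 0
              argName: 1
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"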
File name: pci-lightweight-fim.yaml
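---
# pci-lightweight-fim.yaml — reduced-scope PCI FIM policy (source side).
# Follows fds on /etc/sudoers and /etc/ssh/sshd_config, and watches opens,
# renames (source path) and deletions of a small set of paths including the
# Qualys agent's FIM manifests and (deletions only) its log directory.
#
# Scope: every selector carries `matchNamespaces: Pid NotIn host_ns`, so
# only processes in a non-host PID namespace (containers) are traced.
#
# Change from the original: the sys_writev probe declared its second
# argument as `char_buf` sized by the third argument. writev's signature is
# writev(fd, const struct iovec *iov, int iovcnt) — argument 1 is an array
# of iovec structs, not a byte buffer, so the capture copied `iovcnt` bytes
# of the iovec array (pointers/lengths), not file data. The probe now
# records only the fd and the vector count; written payload is captured by
# sys_write. Check whether the deployed Tetragon version offers an
# iovec-aware argument type if writev payloads are needed.
#
# Notes:
#   * sys_write captures written data (`char_buf`, `sizeArgIndex` is 1-based
#     in Tetragon, so 3 refers to the `index: 2` count argument). Event
#     payloads may therefore contain file contents; treat the event stream
#     accordingly.
#   * sys_write/writev/sendfile64 have no path selector; attribution relies
#     on the fd having been followed by fd_install (confirm on the deployed
#     Tetragon version that untracked fds produce no event here).
#   * Pathnames are matched as passed to the syscall: relative names via a
#     dirfd, or paths through symlinks, do not match the absolute prefixes.
#   * sys_open, sys_rename and sys_unlink are legacy syscalls absent on some
#     architectures (arm64 only has the *at variants); drop them if the
#     policy fails to load on such nodes.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "pci-lightweight-fim"
spec:
  kprobes:
    # Track fds on the two files whose reads/writes are attributed below.
    - call: "fd_install"
      syscall: false
      return: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchActions:
            - action: FollowFD
              argFd: 0
              argName: 1
            - action: NoPost

    # renameat2(olddirfd, oldpath, newdirfd, newpath, flags):
    # index 1 = oldpath (matched), index 3 = newpath (captured only).
    - call: "sys_renameat2"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # rename(oldpath, newpath): index 0 = oldpath (matched).
    - call: "sys_rename"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # renameat(olddirfd, oldpath, newdirfd, newpath): index 1 = oldpath.
    - call: "sys_renameat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # openat(dirfd, pathname, flags, mode): index 1 = pathname (matched),
    # index 2 = flags (captured, not filtered).
    - call: "sys_openat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 2
          type: "int"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/usr/local/qualys/cloud-agent/fim/manifests/"
                - "/bin/"
                - "/usr/bin/"
                - "/opt/sbin/"
                - "/opt/bin/"
                - "/usr/local/bin/"
                - "/etc/ssh/sshd_config"

    # open(pathname, flags, mode): index 0 = pathname, index 1 = flags.
    - call: "sys_open"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "int"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/usr/local/qualys/cloud-agent/fim/manifests/"
                - "/bin/"
                - "/usr/bin/"
                - "/opt/sbin/"
                - "/opt/bin/"
                - "/usr/local/bin/"
                - "/etc/ssh/sshd_config"

    # sendfile64(out_fd, in_fd, offset, count): index 1 = in_fd, i.e. a
    # followed file being read as the source of a copy.
    - call: "sys_sendfile64"
      syscall: true
      return: true
      args:
        - index: 1
          type: "fd"
          label: "read"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # unlinkat(dirfd, pathname, flags): index 1 = pathname. The agent log
    # directory is watched for deletion here but not for open/write above.
    - call: "sys_unlinkat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/usr/local/qualys/cloud-agent/fim/manifests/"
                - "/var/log/qualys/"
                - "/bin/"
                - "/usr/bin/"
                - "/opt/sbin/"
                - "/opt/bin/"
                - "/usr/local/bin/"
                - "/etc/ssh/sshd_config"

    # unlink(pathname): index 0 = pathname.
    - call: "sys_unlink"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/usr/local/qualys/cloud-agent/fim/manifests/"
                - "/var/log/qualys/"
                - "/bin/"
                - "/usr/bin/"
                - "/opt/sbin/"
                - "/opt/bin/"
                - "/usr/local/bin/"
                - "/etc/ssh/sshd_config"

    # write(fd, buf, count): buf is captured as a byte buffer whose length
    # is taken from the count argument.
    - call: "sys_write"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
        - index: 1
          type: "char_buf"
          sizeArgIndex: 3
        - index: 2
          type: "size_t"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # writev(fd, iov, iovcnt): the iovec array is not a byte buffer, so no
    # payload capture here (see header); only fd and vector count are kept.
    - call: "sys_writev"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
        - index: 2
          type: "size_t"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # Drop the fd -> path mapping when the descriptor is closed.
    - call: "sys_close"
      syscall: true
      args:
        - index: 0
          type: "fd"
      selectors:
        - matchActions:
            - action: UnfollowFD
              argFd: 0
              argName: 1
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"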
File name: pci-lightweight-fim-catch-dest.yaml
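---
# pci-lightweight-fim-catch-dest.yaml — destination-side companion to
# pci-lightweight-fim.yaml: matches the *destination* path of
# rename/renameat/renameat2 and the out_fd of sendfile64, so overwriting
# /etc/sudoers or /etc/ssh/sshd_config by renaming a staged copy onto it
# (or sendfile-ing into it) is caught.
#
# This document was collapsed onto a single line in the original listing,
# which is not valid YAML (`: ` inside a plain scalar); it is restored here
# with the same probes, arguments and selectors.
#
# Scope: every selector carries `matchNamespaces: Pid NotIn host_ns`, so
# only processes in a non-host PID namespace (containers) are traced.
#
# Notes:
#   * sys_sendfile64 has no path selector; attribution relies on out_fd
#     having been followed by fd_install (confirm on the deployed Tetragon
#     version that untracked fds produce no event here).
#   * sys_rename is a legacy syscall absent on some architectures (arm64
#     only has the *at variants); drop it if the policy fails to load.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "pci-lightweight-fim-catch-dest"
spec:
  kprobes:
    - call: "fd_install"
      syscall: false
      return: false
      args:
        - index: 0
          type: "int"
        - index: 1
          type: "file"
      selectors:
        - matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchActions:
            - action: FollowFD
              argFd: 0
              argName: 1
            - action: NoPost

    # renameat2(olddirfd, oldpath, newdirfd, newpath, flags):
    # index 3 = newpath (matched), index 1 = oldpath (captured only).
    - call: "sys_renameat2"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 3
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # renameat(olddirfd, oldpath, newdirfd, newpath): index 3 = newpath.
    - call: "sys_renameat"
      syscall: true
      return: true
      args:
        - index: 1
          type: "string"
        - index: 3
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 3
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # rename(oldpath, newpath): index 1 = newpath (matched).
    - call: "sys_rename"
      syscall: true
      return: true
      args:
        - index: 0
          type: "string"
        - index: 1
          type: "string"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"
          matchArgs:
            - index: 1
              operator: "Prefix"
              values:
                - "/etc/sudoers"
                - "/etc/ssh/sshd_config"

    # sendfile64(out_fd, in_fd, offset, count): index 0 = out_fd, i.e. a
    # followed file being written as the destination of a copy.
    - call: "sys_sendfile64"
      syscall: true
      return: true
      args:
        - index: 0
          type: "fd"
          label: "write"
      returnArg:
        index: 0
        type: "int"
      selectors:
        - matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"

    # Drop the fd -> path mapping when the descriptor is closed.
    - call: "sys_close"
      syscall: true
      args:
        - index: 0
          type: "fd"
      selectors:
        - matchActions:
            - action: UnfollowFD
              argFd: 0
              argName: 1
          matchNamespaces:
            - namespace: Pid
              operator: NotIn
              values:
                - "host_ns"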