policylibrary: annotate setuid root events with tags
Signed-off-by: Djalal Harouni <tixxdz@gmail.com>
tixxdz committed Jan 23, 2024
1 parent 9c2e50b commit 5ead851
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions examples/policylibrary/privileges/privileges-setuid-root.yaml
Expand Up @@ -57,6 +57,7 @@ metadata:
spec:
kprobes:
- call: "__sys_setuid"
message: "Privileged operation setuid to root"
syscall: false
return: true
args:
Expand All @@ -74,7 +75,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setgid"
message: "Privileged operation setgid to root"
syscall: false
return: true
args:
Expand All @@ -92,7 +95,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setreuid"
message: "Privileged operation setuid to root"
syscall: false
return: true
args:
Expand Down Expand Up @@ -120,7 +125,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setregid"
message: "Privileged operation setgid to root"
syscall: false
return: true
args:
Expand Down Expand Up @@ -148,7 +155,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setresuid"
message: "Privileged operation setuid to root"
syscall: false
return: true
args:
Expand Down Expand Up @@ -178,7 +187,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setresgid"
message: "Privileged operation setgid to root"
syscall: false
return: true
args:
Expand Down Expand Up @@ -208,7 +219,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setfsuid"
message: "Privileged operation setuid to root"
syscall: false
return: true
args:
Expand All @@ -226,7 +239,9 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
- call: "__sys_setfsgid"
message: "Privileged operation setgid to root"
syscall: false
return: true
args:
Expand All @@ -244,3 +259,4 @@ spec:
matchActions:
- action: Post
rateLimit: "1m" # Rate limit messages to 1min
tags: [ "observability.privilege", "observability.process" ]
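Review bot: The `message` values on the setfsuid and setfsgid probes reuse the generic setuid/setgid wording, so `"Privileged operation setuid to root"` is emitted identically for `__sys_setuid`, `__sys_setreuid`, `__sys_setresuid` and `__sys_setfsuid`, and the setgid wording for the four gid probes. setfsuid/setfsgid change only the filesystem identity, which is a different finding for triage than a full uid change, and a responder reading the message without the `call` field cannot tell which of the four syscalls fired. Naming the call in each message, e.g. `message: "Privileged operation setfsuid to root"` and `message: "Privileged operation setresuid to root"`, keeps the events distinguishable once they are grouped under the new `observability.privilege` tag. The `args`/selector blocks that decide whether the target id is actually root sit between the hunks and are not shown, so whether every probe checks for 0 as the "to root" wording implies is inferred rather than verified here.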
