Reputation: 1
I am trying to understand how to write a Linux eBPF Tetragon rule that blocks execution.
Example 1. I want to block execution of the command "curl google.com".
The following rule blocks curl with any domain. Why?
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-curl-google"
spec:
  kprobes:
  - call: "sys_execve"
    args:
    - index: 0
      type: "file"
    selectors:
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/curl"
      matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "ya.ru"
      matchActions:
      - action: Sigkill
Example 2. I want to block execution of the command "ping 8.8.8.8".
The following rule doesn't block ping. Why?
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-ping"
spec:
  kprobes:
  - call: "sys_execve"
    args:
    - index: 0
      type: "file"
    selectors:
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/ping"
      matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "8.8.8.8"
      matchActions:
      - action: Sigkill
I want to understand how to write a Tetragon rule on Linux that blocks execution.
Upvotes: 0
Views: 19
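As an added example (not part of the question above and not code from the Tetragon project), here is a small POSIX shell harness for checking a policy like the two posted. It rests on two facts that are worth keeping in mind when reading the selectors: the kernel prototype of sys_execve is (const char *filename, const char *const *argv, const char *const *envp), so argument index 0 of a kprobe on sys_execve is the path being executed, not the first command-line argument; and a shell reports a child terminated by signal N with exit status 128+N, so a process that a Sigkill action killed exits with 137, while a curl DNS failure or a ping permission error exits with some other non-zero code. The harness also resolves the binary path the shell will exec, following symlinks; that the resolved path is the value to put under matchBinaries is an assumption here, to be confirmed against what `tetra getevents` reports for the process. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: probe whether a Tetragon Sigkill policy fires on a command,
# and show which binary path is actually executed (compare with matchBinaries).

# Resolve the path the shell will exec for a command name, following symlinks
# (e.g. /bin/ping -> /usr/bin/ping on merged-/usr systems).
# Assumption: this resolved path is what Tetragon compares in matchBinaries;
# confirm it with `tetra getevents` on a real system.
resolve_binary() {
    p=$(command -v "$1") || return 1
    readlink -f "$p"
}

# Run a command and echo its exit status instead of propagating it,
# so the function is safe under `set -e`. The command's stdout is discarded
# so it cannot pollute the captured status.
exit_status_of() {
    rc=0
    "$@" >/dev/null || rc=$?
    echo "$rc"
}

# Map an exit status to what it says about the policy.
# A shell reports a child killed by signal N as 128+N; SIGKILL is 9, so 137.
classify_status() {
    case "$1" in
        137) echo "SIGKILL" ;;   # killed: a Sigkill action (or some other kill -9) fired
        0)   echo "RAN" ;;       # completed: no selector matched this execution
        *)   echo "EXIT_$1" ;;   # failed on its own (DNS error, no permission, ...)
    esac
}

# Run one probe and print a one-line verdict.
probe() {
    bin=$(resolve_binary "$1") || { echo "$1: not found in PATH"; return 1; }
    rc=$(exit_status_of "$@")
    printf '%-36s binary=%s status=%s verdict=%s\n' \
        "$*" "$bin" "$rc" "$(classify_status "$rc")"
}

# Usage, with one of the posted policies loaded: the policy is working only if
# the first line says SIGKILL and the second says RAN (or a plain EXIT_ code).
#   probe curl -sS -o /dev/null ya.ru
#   probe curl -sS -o /dev/null google.com
#   probe ping -c 1 8.8.8.8
```

If both curl lines come back SIGKILL, the selector matched on something other than the host name; if ping comes back RAN, compare the printed binary= path with the value under matchBinaries before looking anywhere else.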