---
# ENFORCING TracingPolicy: SIGKILLs any process that attempts to WRITE to
# system / binary directories (a classic tampering / persistence pattern).
#
# This is Tetragon's role on the platform: ENFORCEMENT -- the capability
# Kubescape's node-agent lacks. Runtime *detection* (anomaly profiling,
# sensitive-file/exec/network visibility, posture correlation) is owned by
# Kubescape; Tetragon is not used to duplicate it. See docs/runtime-security.md.
#
# OPT-IN, ZERO DEFAULT BLAST RADIUS:
# spec.podSelector matches only pods carrying the label
# `tetragon.devantler.tech/enforce-file-integrity: "true"`. With no pod
# labelled, this policy enforces on nothing. Requires the policy filter,
# which is enabled on the agent (tetragon.enablePolicyFilter: true).
#
# Scope: writes only (system daemons legitimately *read* /etc/shadow etc.), and
# /var/log + /dev/log are intentionally excluded (legitimate log writes).
#
# Rollout: add the label to one workload's pods, watch Kubescape runtime
# detection (and Tetragon's own events in Loki) to confirm no legitimate writes
# would be killed, then widen.
#
# Action choice: `Sigkill` is a post-hook signal and needs no special kernel
# config. The stronger `Override` action (fail the syscall before it executes)
# requires CONFIG_BPF_KPROBE_OVERRIDE -- verify on the pinned Talos kernel
# before switching to Override.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: enforce-protect-system-files
spec:
  podSelector:
    matchLabels:
      tetragon.devantler.tech/enforce-file-integrity: "true"
  kprobes:
  - call: "security_file_permission"
    syscall: false
    return: true
    args:
    - index: 0
      type: "file" # (struct file *) used for getting the path
    - index: 1
      type: "int" # 0x04 is MAY_READ, 0x02 is MAY_WRITE
    returnArg:
      index: 0
      type: "int"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc"
        - "/boot"
        - "/lib"
        - "/lib64"
        - "/bin"
        - "/usr/lib"
        - "/usr/local/lib"
        - "/usr/local/sbin"
        - "/usr/local/bin"
        - "/usr/bin"
        - "/usr/sbin"
        - "/root/.ssh"
      - index: 1
        # Bitmask, not exact match: fires when the MAY_WRITE (0x2) bit is
        # set, including combined read+write opens (0x6). Equal "2" would
        # miss O_RDWR opens -- a real enforcement-evasion gap.
        operator: "Mask"
        values:
        - "2" # MAY_WRITE bit
      matchActions:
      - action: Sigkill
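The Python below is an added model of this policy's selector logic (not part of the policy file and not Tetragon code): it applies the two `matchArgs` conditions to constructed `security_file_permission` events and shows why `Mask` rather than `Equal` is used on arg 1. The sample events, the helper names and the plain-string-prefix treatment of `Prefix` are assumptions of the model.

```python
# Added model of this policy's selector logic; not Tetragon code.
# The kprobe on security_file_permission yields arg0 = path, arg1 = mask.
# The selector fires only when BOTH matchArgs entries match, and then
# matchActions runs (Sigkill). All events below are constructed samples.

MAY_WRITE = 0x2  # per the policy comment: 0x02 is MAY_WRITE
MAY_READ = 0x4   # 0x04 is MAY_READ

# Prefix list copied from the policy's matchArgs index 0.
PROTECTED_PREFIXES = [
    "/etc", "/boot", "/lib", "/lib64", "/bin", "/usr/lib", "/usr/local/lib",
    "/usr/local/sbin", "/usr/local/bin", "/usr/bin", "/usr/sbin", "/root/.ssh",
]

def op_prefix(value: str, accepted: list[str]) -> bool:
    # Modelled as a plain string prefix (assumption), so "/etcetera" also
    # matches "/etc": a false-positive source to keep in mind during rollout.
    return any(value.startswith(p) for p in accepted)

def op_mask(value: int, accepted: list[int]) -> bool:
    # "Mask": fires if any accepted bit pattern overlaps the argument.
    return any(value & m for m in accepted)

def op_equal(value: int, accepted: list[int]) -> bool:
    # "Equal": the alternative the policy comment rejects.
    return value in accepted

def selector_fires(path: str, mask: int, mode_op=op_mask) -> bool:
    """True when this policy's selector would trigger Sigkill."""
    return op_prefix(path, PROTECTED_PREFIXES) and mode_op(mask, [MAY_WRITE])

# Constructed events: (path, mask) as the kprobe would see them.
SAMPLE_EVENTS = [
    ("/etc/shadow", MAY_READ),                 # daemon reading shadow: allowed
    ("/etc/ld.so.preload", MAY_WRITE),         # write under /etc: killed
    ("/usr/bin/curl", MAY_READ | MAY_WRITE),   # read+write (0x6): Mask catches it
    ("/root/.ssh/authorized_keys", MAY_WRITE), # killed
    ("/var/log/app.log", MAY_WRITE),           # out of scope on purpose: allowed
    ("/etcetera/data", MAY_WRITE),             # prefix over-match to be aware of
]

def killed_paths(mode_op=op_mask) -> list[str]:
    """Paths of the sample events the policy would SIGKILL under mode_op."""
    return [p for p, m in SAMPLE_EVENTS if selector_fires(p, m, mode_op)]

if __name__ == "__main__":
    print("Mask :", killed_paths(op_mask))   # includes /usr/bin/curl (0x6)
    print("Equal:", killed_paths(op_equal))  # misses /usr/bin/curl (0x6)
```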