Tetragon is able to observe various security events and even enforce security
policies.
The Record Linux Capabilities Usage guide
shows how to monitor and record Capabilities checks
conducted by the kernel on behalf of applications during privileged operations. This can be used to inspect
and produce security profiles for pods and containers.
1 - Record Linux Capabilities Usage
Record a capability profile of pods and containers
When the kernel needs to perform a privileged operation on behalf of a process, it checks
the Capabilities of the process
and issues a verdict to allow or deny the operation.
Tetragon is able to record these checks performed by the kernel. This can be used to answer
the following questions:
What is the capabilities profile of pods or containers running in the cluster?
In addition to the Kubernetes Identity and process metadata from exec events, ProcessKprobe events contain the arguments of the observed system call. In the above case they are:
function_name: the kernel function being observed, here cap_capable.
user_ns_arg: is the user namespace where the capability is required.
level: is the nested level of the user namespace. Here it is zero which indicates the initial user namespace.
uid: is the user ID of the owner of the user namespace.
gid: is the group ID of the owner of the user namespace.
ns: details the information about the namespace. is_host indicates that the target user namespace where the capability is required is the host namespace.
capability_arg: is the capability required to perform the operation. In this example reading the kernel ring buffer.
value: is the integer number of the required capability.
name: is the name of the required capability. Here it is the CAP_SYSLOG.
return: indicates via the int_arg if the capability check succeeded or failed. 0 means it succeeded and the access was granted while -1 means it failed and the operation was denied.
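To answer the profiling question above, here is an added Python example (not part of the Tetragon docs) that reads ProcessKprobe events as JSON lines shaped after the fields just described, with constructed sample events, and builds a per-pod/container profile of granted and denied capability checks, also flagging checks aimed at a user namespace other than the host one.

```python
import json
from collections import defaultdict

# Constructed sample events (not real tetra output), laid out after the
# ProcessKprobe fields described above. Each is one JSON line as
# `tetra getevents -o json` emits them.
def _event(ns, pod, container, binary, cap_value, cap_name, level, is_host, ret):
    return json.dumps({"process_kprobe": {
        "process": {"binary": binary,
                    "pod": {"namespace": ns, "name": pod,
                            "container": {"name": container}}},
        "function_name": "cap_capable",
        "args": [
            {"user_ns_arg": {"level": level, "uid": 0, "gid": 0,
                             "ns": {"is_host": is_host}}},
            {"capability_arg": {"value": cap_value, "name": cap_name}},
        ],
        "return": {"int_arg": ret},
    }})

SAMPLE_LINES = [
    _event("default", "test-pod", "test-container", "/usr/bin/dmesg", 34, "CAP_SYSLOG", 0, True, 0),
    _event("default", "test-pod", "test-container", "/usr/sbin/ip", 12, "CAP_NET_ADMIN", 0, True, -1),
    _event("default", "sandbox", "app", "/usr/bin/unshare", 21, "CAP_SYS_ADMIN", 1, False, 0),
]

def capability_profile(lines):
    """Build {(namespace, pod, container): {...}} from cap_capable events.

    granted/denied follow return.int_arg (0 granted, anything else denied);
    non_host collects checks whose target user namespace is not the host one.
    """
    profile = defaultdict(lambda: {"granted": set(), "denied": set(), "non_host": set()})
    for line in lines:
        ev = json.loads(line).get("process_kprobe")
        if not ev or ev.get("function_name") != "cap_capable":
            continue  # not a capability check event
        args = {k: v for a in ev.get("args", []) for k, v in a.items()}
        cap = args.get("capability_arg", {})
        name = cap.get("name") or f"CAP_{cap.get('value')}"
        pod = ev["process"].get("pod", {})
        key = (pod.get("namespace", "-"), pod.get("name", "-"),
               pod.get("container", {}).get("name", "-"))
        entry = profile[key]
        entry["granted" if ev.get("return", {}).get("int_arg") == 0 else "denied"].add(name)
        if not args.get("user_ns_arg", {}).get("ns", {}).get("is_host", True):
            entry["non_host"].add(name)
    return dict(profile)

if __name__ == "__main__":
    for key, entry in sorted(capability_profile(SAMPLE_LINES).items()):
        print("/".join(key), {k: sorted(v) for k, v in entry.items()})
```

Feed it the output of `tetra getevents -o json` line by line to get the same profile for a live cluster; denied entries and non-host entries are the ones worth reviewing first.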