# Exclude events where auid=X

### Is there an existing issue for this?

- [x] I have searched the existing issues
### Is your feature request related to a problem?

When reviewing privilege escalation events in a service like auditd, the detection rules can be tuned to filter out certain auids, e.g. `-F auid=-1 -F auid=0`. This can reduce the noise from PrivEsc events related to normal system processes. Tetragon lacks the ability to exclude by auid.
### Describe the feature you would like

Within tracing policies which monitor the setuid, setgid, setreuid, setregid, setresuid, setresgid, setfsuid syscalls, such as the default monitor-uid-gid-changes, we would like the ability to exclude events where the auid equals a specific number, such as 0 (root) or 4294967295 (unset).

Example policy config:

```yaml
spec:
  kprobes:
  - call: "__sys_setuid"
    syscall: false
    args:
    - index: 0
      type: "int"
    selectors:
    - matchActions:
      - action: Post
      matchAuid:
      - operator: "NotEqual"
        values:
        - 0
        - 4294967295
```
### Describe your proposed solution

No response

### Code of Conduct

- [x] I agree to follow this project's Code of Conduct
Thanks for the issue.
There is a related PR in the works for this: https://github.com/cilium/tetragon/pull/3845.
(note: AFAICS, auid is task->loginuid)
With https://github.com/cilium/tetragon/pull/4064 merged, it is now possible to write a policy that filters on auid.
Here's a simple example for illustration purposes:

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "example"
spec:
  kprobes:
  - call: "sys_setuid"
    syscall: true
    args:
    - index: 0
      type: int
    data:
    - type: uint32
      index: 0 ## NB: this is to satisfy a validation bug (we can remove when the bug is fixed)
      source: current_task
      resolve: "loginuid.val"
    selectors:
    - matchData:
      - args: [0]
        operator: "NotEqual"
        values: ["1000"]
```
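The policy above filters on `loginuid` inside the kernel. As an added illustration (not code from this issue or from the Tetragon project), here is the user-space counterpart, useful on Tetragon versions that predate that PR or for post-processing exported events: a Python filter over `tetra getevents -o json` output that drops events whose process `auid` is 0 (root login) or 4294967295 (unset, the value auditd writes as `-1` in the `-F auid=-1` rule from the request). The event lines are constructed for this example; the `process.auid` field path is assumed from the Tetragon event API, and events that carry no `auid` at all are kept by default so a missing field never silently suppresses a detection.

```python
import json

# Linux stores an "unset" login UID (task->loginuid, exported as auid) as
# (uid_t)-1, i.e. 0xFFFFFFFF; auditd's "-F auid=-1" matches that same value.
AUID_UNSET = 4294967295

# Event kinds whose payload carries a "process" object (Tetragon API names,
# assumed for this example; only the fields read below are populated).
EVENT_KINDS = ("process_kprobe", "process_exec", "process_exit", "process_tracepoint")


def _event(kind, binary, auid=None, **extra):
    """Build one constructed Tetragon-style JSON event line for the samples below."""
    proc = {"binary": binary}
    if auid is not None:
        proc["auid"] = auid
    return json.dumps({kind: {"process": proc, **extra}})


# Constructed sample input shaped like `tetra getevents -o json` (one event per line).
SAMPLE_EVENTS = "\n".join([
    _event("process_kprobe", "/usr/bin/sudo", auid=1000, function_name="__x64_sys_setuid"),
    _event("process_kprobe", "/usr/sbin/cron", auid=AUID_UNSET, function_name="__x64_sys_setuid"),
    _event("process_kprobe", "/usr/bin/su", auid=0, function_name="__x64_sys_setresuid"),
    _event("process_exec", "/bin/sh", auid=1000),
    _event("process_kprobe", "/opt/legacy/agent", function_name="__x64_sys_setuid"),  # no auid field
    "",  # trailing newline, as a real export would have
])


def event_auid(event):
    """Return the auid of the process behind a Tetragon event, or None if the field is absent."""
    for kind in EVENT_KINDS:
        body = event.get(kind)
        if body is not None:
            auid = body.get("process", {}).get("auid")
            return None if auid is None else int(auid)
    return None


def describe_auid(auid):
    """Human-readable label for an auid value, mirroring the issue's 0/4294967295 cases."""
    if auid is None:
        return "unknown"
    if auid == AUID_UNSET:
        return "unset"
    if auid == 0:
        return "root"
    return f"uid {auid}"


def filter_by_auid(jsonl, excluded=frozenset({0, AUID_UNSET}), keep_unknown=True):
    """Parse JSON-lines events and drop those whose process auid is in `excluded`.

    Events with no auid field are kept unless keep_unknown=False, so an older
    Tetragon build or a truncated record cannot hide a uid change by accident.
    """
    kept = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        auid = event_auid(event)
        if auid is None:
            if keep_unknown:
                kept.append(event)
            continue
        if auid not in excluded:
            kept.append(event)
    return kept


if __name__ == "__main__":
    for ev in filter_by_auid(SAMPLE_EVENTS):
        kind = next(k for k in EVENT_KINDS if k in ev)
        proc = ev[kind]["process"]
        print(f"{kind:18} {proc['binary']:22} auid={describe_auid(event_auid(ev))}")
```

Run against a live export with `tetra getevents -o json | python3 filter.py` after replacing `SAMPLE_EVENTS` with `sys.stdin.read()`. The in-kernel `matchData` selector remains the better option where available, since it avoids emitting and shipping events that will only be discarded later; this script is for the cases where that selector cannot be applied.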