tetragon: base execve sensor improvements

Open tixxdz opened this issue 3 years ago • 1 comments

Improve our base execve sensor with default detection:

  • [x] detect execve unlinked programs (cover all different cases): https://github.com/cilium/tetragon/pull/499
  • [x] detect setuid/setgid and fscaps https://github.com/cilium/tetragon/pull/1296

tixxdz, Nov 30 '22 11:11

Maybe:

  • [ ] detect that an exec is being ptraced
  • [x] detect user mod helper execution (Not worth it for now)

tixxdz, Aug 26 '24 23:08

Closing this since most of the work is done! :tada:

kkourt, Sep 04 '24 13:09