File Integrity Monitoring with Tetragon - reading file. Sample Tetragon `process_file` event (`action: FILE_READ`, hook `rw_verify_area`) captured when `/usr/bin/cat passwd` ran with cwd `/etc` as uid 0 inside pod `default/ubuntu1`; note that the relative argument `passwd` is resolved in `args.generic_arg.file.filename` to `/etc/passwd`, and that `parent_exec_id` matches the parent `/bin/bash` `exec_id`, which is what lets a detection tie the read back to the interactive shell that triggered it (`auid` 4294967295 is the unsigned -1 "unset" login UID, i.e. no audit login session).
{
"process_file": {
"process": {
"exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcyMDUxMjQ3NTE3NzY6NDI1Mzg=",
"pid": 42538,
"uid": 0,
"cwd": "/etc",
"binary": "/usr/bin/cat",
"arguments": "passwd",
"flags": "execve clone",
"start_time": "2023-01-23T12:09:13.779762961Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "ubuntu1",
"labels": [
"k8s:app=ubuntu",
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default",
"k8s:io.cilium.k8s.policy.cluster=fgs-cli-ci",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=default"
],
"container": {
"id": "containerd://8df0768d9173afd4556669fed89730a5ea0d167fe6fbf1c748820fcdf9906c37",
"name": "ubuntu",
"image": {
"id": "docker.io/library/ubuntu@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb",
"name": "docker.io/library/ubuntu:20.04"
},
"start_time": "2023-01-23T12:08:20Z",
"pid": 23
},
"pod_labels": {
"app": "ubuntu"
}
},
"docker": "8df0768d9173afd4556669fed89730a",
"parent_exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTUwMDIwMDYwODc6NDI0OTY=",
"refcnt": 1
},
"parent": {
"exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTUwMDIwMDYwODc6NDI0OTY=",
"pid": 42496,
"uid": 0,
"cwd": "/",
"binary": "/bin/bash",
"flags": "execve rootcwd clone",
"start_time": "2023-01-23T12:09:03.657017618Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "ubuntu1",
"labels": [
"k8s:app=ubuntu",
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default",
"k8s:io.cilium.k8s.policy.cluster=fgs-cli-ci",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=default"
],
"container": {
"id": "containerd://8df0768d9173afd4556669fed89730a5ea0d167fe6fbf1c748820fcdf9906c37",
"name": "ubuntu",
"image": {
"id": "docker.io/library/ubuntu@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb",
"name": "docker.io/library/ubuntu:20.04"
},
"start_time": "2023-01-23T12:08:20Z",
"pid": 14
},
"pod_labels": {
"app": "ubuntu"
}
},
"docker": "8df0768d9173afd4556669fed89730a",
"parent_exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTQ5NjU0MzczNTY6NDI0ODY=",
"refcnt": 2
},
"action": "FILE_READ",
"args": {
"generic_arg": {
"file": {
"filename": "/etc/passwd",
"inode": {
"number": "4148739",
"fs": {
"name": "overlay",
"dev": "0:52",
"id": "overlay",
"uuid": "00000000-0000-0000-0000-000000000000"
}
},
"parent_inode": {
"number": "4131858",
"fs": {
"name": "overlay",
"dev": "0:52",
"id": "overlay",
"uuid": "00000000-0000-0000-0000-000000000000"
}
}
},
"io": {
"offset": "1342",
"size": "131072"
},
"mnt_ns": {
"inum": 4026532493
}
}
},
"time": "2023-01-23T12:09:13.780376705Z",
"hook": "rw_verify_area"
},
"node_name": "fgs-cli-ci-control-plane",
"time": "2023-01-23T12:09:13.780375852Z"
}