@nvibert
Created February 13, 2023 16:32
File Integrity Monitoring with Tetragon - renaming file
{
"process_file": {
"process": {
"exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcyMjY0OTQ3MDkwNDg6NDI1OTM=",
"pid": 42593,
"uid": 0,
"cwd": "/usr/sbin",
"binary": "/usr/bin/mv",
"arguments": "testfile testfile.old",
"flags": "execve clone",
"start_time": "2023-01-23T12:09:35.149719927Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "ubuntu1",
"labels": [
"k8s:app=ubuntu",
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default",
"k8s:io.cilium.k8s.policy.cluster=fgs-cli-ci",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=default"
],
"container": {
"id": "containerd://8df0768d9173afd4556669fed89730a5ea0d167fe6fbf1c748820fcdf9906c37",
"name": "ubuntu",
"image": {
"id": "docker.io/library/ubuntu@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb",
"name": "docker.io/library/ubuntu:20.04"
},
"start_time": "2023-01-23T12:08:20Z",
"pid": 25
},
"pod_labels": {
"app": "ubuntu"
}
},
"docker": "8df0768d9173afd4556669fed89730a",
"parent_exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTUwMDIwMDYwODc6NDI0OTY=",
"refcnt": 1
},
"parent": {
"exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTUwMDIwMDYwODc6NDI0OTY=",
"pid": 42496,
"uid": 0,
"cwd": "/",
"binary": "/bin/bash",
"flags": "execve rootcwd clone",
"start_time": "2023-01-23T12:09:03.657017618Z",
"auid": 4294967295,
"pod": {
"namespace": "default",
"name": "ubuntu1",
"labels": [
"k8s:app=ubuntu",
"k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default",
"k8s:io.cilium.k8s.policy.cluster=fgs-cli-ci",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=default"
],
"container": {
"id": "containerd://8df0768d9173afd4556669fed89730a5ea0d167fe6fbf1c748820fcdf9906c37",
"name": "ubuntu",
"image": {
"id": "docker.io/library/ubuntu@sha256:0e0402cd13f68137edb0266e1d2c682f217814420f2d43d300ed8f65479b14fb",
"name": "docker.io/library/ubuntu:20.04"
},
"start_time": "2023-01-23T12:08:20Z",
"pid": 14
},
"pod_labels": {
"app": "ubuntu"
}
},
"docker": "8df0768d9173afd4556669fed89730a",
"parent_exec_id": "ZmdzLWNsaS1jaS1jb250cm9sLXBsYW5lOjcxOTQ5NjU0MzczNTY6NDI0ODY=",
"refcnt": 2
},
"action": "FILE_RENAME",
"args": {
"rename_arg": {
"src": {
"filename": "/etc/testfile",
"inode": {
"number": "4156612",
"fs": {
"name": "overlay",
"dev": "0:52",
"id": "overlay",
"uuid": "00000000-0000-0000-0000-000000000000"
}
},
"parent_inode": {
"number": "4131858",
"fs": {
"name": "overlay",
"dev": "0:52",
"id": "overlay",
"uuid": "00000000-0000-0000-0000-000000000000"
}
}
},
"dst": {
"filename": "/etc/testfile.old",
"inode": {},
"parent_inode": {
"number": "4131858",
"fs": {
"name": "overlay",
"dev": "0:52",
"id": "overlay",
"uuid": "00000000-0000-0000-0000-000000000000"
}
}
},
"mnt_ns": {
"inum": 4026532493
},
"flags": [
"MOVE_INTERNALLY",
"SRC_REG_FILE",
"DST_NOT_EXISTS"
]
}
},
"time": "2023-01-23T12:09:35.150904198Z",
"hook": "vfs_rename"
},
"node_name": "fgs-cli-ci-control-plane",
"time": "2023-01-23T12:09:35.150900714Z"
}