homelab-gitops/platform/tetragon/policies/10-audit-baseline/audit-process-execution.yaml
gwg313 145721146e
add pac
Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-28 23:33:25 -04:00

23 lines
516 B
YAML

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: audit-process-execution
  annotations:
    security-tier: audit-baseline
    description: "Logs all process executions (sys_execve) for cluster-wide visibility."
spec:
  kprobes:
    # Hook the execve syscall entry point.
    - call: "sys_execve"
      syscall: true
      args:
        # arg 0: path of the program being executed
        - index: 0
          type: "string"
        # arg 1: argv
        - index: 1
          type: "string_array"
      selectors:
        # Exclude PID 1 as numbered inside the PID namespace;
        # followForks extends the exclusion to its child processes.
        - matchPIDs:
            - operator: NotIn
              followForks: true
              isNamespacePID: true
              values:
                - 1