<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Process lifecycle on Tetragon - eBPF-based Security Observability and Runtime Enforcement</title>
    <link>/docs/use-cases/process-lifecycle/</link>
    <description>Recent content in Process lifecycle on Tetragon - eBPF-based Security Observability and Runtime Enforcement</description>
    <generator>Hugo</generator>
    <language>en</language>
    <atom:link href="/docs/use-cases/process-lifecycle/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Process execution</title>
      <link>/docs/use-cases/process-lifecycle/process-execution/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/use-cases/process-lifecycle/process-execution/</guid>
      <description>This first use case is monitoring process execution, which can be observed with the Tetragon process_exec and process_exit JSON events. These events cover the full lifecycle of a process, from fork/exec to exit, and carry metadata such as:&#xA;Binary name: the path of the executable file&#xA;Parent process: helps to identify process execution anomalies (e.g., if a nodejs app forks a shell, this is suspicious)&#xA;Command-line arguments: define the program runtime behavior&#xA;Current working directory: helps to identify hidden malware execution from a temporary folder, which is a common pattern used by malware&#xA;Kubernetes metadata: contains pod, labels, and Kubernetes namespace, which are critical to identify service owners, particularly in multitenant environments&#xA;exec_id: a unique process identifier that correlates all recorded activity of a process&#xA;As a first step, let&amp;rsquo;s start monitoring the events from the xwing pod:</description>
    </item>
    <item>
      <title>Advanced Process execution</title>
      <link>/docs/use-cases/process-lifecycle/advanced-process-execution/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/use-cases/process-lifecycle/advanced-process-execution/</guid>
      <description>Monitor ELF or flat binary execution&#xA;Advanced process execution monitoring can be performed by using Tracing Policies to hook the execve system call path.&#xA;If we want to observe execution of Executable and Linkable Format (ELF) or flat binaries before they are actually executed, the process-exec-elf-begin tracing policy is a good first choice.&#xA;Note: the process-exec-elf-begin tracing policy will not report the intermediate binary format handlers or the scripts being executed; it reports only the final ELF or flat binary that is loaded, for example the interpreter selected by the shebang handler rather than the script itself.</description>
    </item>
    <item>
      <title>Privileged execution</title>
      <link>/docs/use-cases/process-lifecycle/privileged-execution/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/use-cases/process-lifecycle/privileged-execution/</guid>
      <description>Tetragon also provides the ability to check process capabilities and kernel namespace access.&#xA;This information helps determine which process or Kubernetes pod has started with, or later gained, privileges or host namespaces that it should not have. It answers questions like:&#xA;Which Kubernetes pods are running with CAP_SYS_ADMIN in my cluster?&#xA;Which Kubernetes pods have host network or pid namespace access in my cluster?&#xA;Step 1: Enabling Process Credential and Namespace Monitoring&#xA;Edit the Tetragon configmap:</description>
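      The detection logic described in the process-execution item above (interpreter spawning a shell, execution from a temporary directory) and in this privileged-execution item (CAP_SYS_ADMIN, host net/pid namespaces), run over a few constructed process_exec events. This is an added example, not code from the Tetragon project or its documentation; the event shape it reads (process.binary, process.cwd, process.pod, process.cap.effective, process.ns.*.is_host, parent.binary) follows the Tetragon JSON export as the author understands it and is an assumption, and the sample events are constructed, not captured from a real cluster.

```python
"""Scan Tetragon process_exec JSON lines for the anomalies the text describes.

Added example, not Tetragon code. The field layout below is an assumption
about the Tetragon JSON export; the sample events are constructed.
"""
import json

# Constructed sample events, one JSON object per line as tetra getevents -o json prints them.
SAMPLE_EVENTS = [
    # 1. a node app spawns a shell inside the xwing pod
    json.dumps({"process_exec": {
        "process": {"exec_id": "a1", "binary": "/bin/sh", "arguments": "-c id", "cwd": "/app",
                    "pod": {"namespace": "default", "name": "xwing", "container": {"name": "web"}},
                    "cap": {"effective": []},
                    "ns": {"net": {"is_host": False}, "pid": {"is_host": False}}},
        "parent": {"exec_id": "a0", "binary": "/usr/local/bin/node"}}}),
    # 2. a dropped binary runs out of /tmp
    json.dumps({"process_exec": {
        "process": {"exec_id": "b1", "binary": "/tmp/.cache/x", "arguments": "", "cwd": "/tmp/.cache",
                    "pod": {"namespace": "default", "name": "xwing", "container": {"name": "web"}},
                    "cap": {"effective": []},
                    "ns": {"net": {"is_host": False}, "pid": {"is_host": False}}},
        "parent": {"exec_id": "b0", "binary": "/bin/bash"}}}),
    # 3. nsenter from a pod that holds CAP_SYS_ADMIN and host net/pid namespaces
    json.dumps({"process_exec": {
        "process": {"exec_id": "c1", "binary": "/usr/bin/nsenter",
                    "arguments": "-t 1 -m -u -i -n -p -- /bin/bash", "cwd": "/",
                    "pod": {"namespace": "kube-system", "name": "privileged-debug",
                            "container": {"name": "debug"}},
                    "cap": {"effective": ["CAP_SYS_ADMIN", "CAP_NET_ADMIN"]},
                    "ns": {"net": {"is_host": True}, "pid": {"is_host": True},
                           "mnt": {"is_host": False}}},
        "parent": {"exec_id": "c0", "binary": "/bin/bash"}}}),
    # 4. benign: curl from an application directory, no special privileges
    json.dumps({"process_exec": {
        "process": {"exec_id": "d1", "binary": "/usr/bin/curl", "arguments": "-s http://api",
                    "cwd": "/app",
                    "pod": {"namespace": "default", "name": "xwing", "container": {"name": "web"}},
                    "cap": {"effective": []},
                    "ns": {"net": {"is_host": False}, "pid": {"is_host": False}}},
        "parent": {"exec_id": "d0", "binary": "/bin/bash"}}}),
    # non-exec and malformed lines are skipped
    json.dumps({"process_exit": {"process": {"exec_id": "a1", "binary": "/bin/sh"}}}),
    "",
    "not json at all",
]

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
INTERPRETERS = {"node", "nodejs", "python", "python3", "java", "ruby"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
HOST_NS = ("net", "pid", "mnt")  # namespaces whose is_host flag we care about


def analyse_event(event):
    """Return (rule, pod, exec_id) findings for one parsed process_exec event."""
    exec_ev = event.get("process_exec")
    if exec_ev is None:
        return []
    proc = exec_ev.get("process", {})
    parent = exec_ev.get("parent", {})
    binary = proc.get("binary", "")
    parent_name = parent.get("binary", "").rsplit("/", 1)[-1]
    cwd = proc.get("cwd", "")
    pod = proc.get("pod", {})
    where = f"{pod.get('namespace', '-')}/{pod.get('name', '-')}"
    exec_id = proc.get("exec_id", "?")
    findings = []
    # Parent-process anomaly: an interpreter (e.g. node) forking a shell.
    if binary in SHELLS and parent_name in INTERPRETERS:
        findings.append(("interpreter_spawned_shell", where, exec_id))
    # Hidden execution from a temporary folder: binary path or working directory.
    if binary.startswith(TEMP_DIRS) or (cwd + "/").startswith(TEMP_DIRS):
        findings.append(("exec_from_tmp", where, exec_id))
    # Which pods run with CAP_SYS_ADMIN?
    if "CAP_SYS_ADMIN" in proc.get("cap", {}).get("effective", []):
        findings.append(("cap_sys_admin", where, exec_id))
    # Which pods have host namespace access?
    ns = proc.get("ns", {})
    host = [name for name in HOST_NS if ns.get(name, {}).get("is_host")]
    if host:
        findings.append(("host_namespace:" + ",".join(host), where, exec_id))
    return findings


def scan(lines):
    """Parse JSON lines, ignore blanks and malformed lines, collect all findings."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        results.extend(analyse_event(event))
    return results


if __name__ == "__main__":
    for rule, where, exec_id in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} pod={where} exec_id={exec_id}")
```

      In a real deployment the same function can be fed from `tetra getevents -o json` line by line; the exec_id in each finding is what lets you pull the rest of that process tree out of the event stream.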
    </item>
    <item>
      <title>Namespace access monitoring</title>
      <link>/docs/use-cases/process-lifecycle/namespace-access/</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>/docs/use-cases/process-lifecycle/namespace-access/</guid>
      <description>Tetragon can monitor Linux namespace operations to detect when processes change their namespaces. This is particularly useful for detecting container escapes where a process attempts to access host namespaces using tools like nsenter.&#xA;Use Case: Detecting Container Escapes via Namespace Changes&#xA;A common container escape technique involves using nsenter to switch into the host&amp;rsquo;s namespaces. Even if a container is running with restricted privileges, monitoring setns syscalls helps detect attempts to break out of the container&amp;rsquo;s isolation.</description>
    </item>
  </channel>
</rss>
