Create a TracingPolicy with a kprobe on security_file_open or fd_install to capture file open events at the kernel level
Declare the relevant arguments; for fd_install, declare the argument at index 1 with type: file to extract path information
Under selectors, add a matchArgs entry specifying index (pointing to the path argument), operator: Prefix, and a values list with sensitive paths such as /etc/shadow, /etc/passwd, /root/.ssh/, and /etc/sudoers
Optionally add matchBinaries to limit monitoring to specific executables, or matchNamespaces to scope to a namespace
Apply the policy and generate test file access events; observe them with tetra getevents
Add action: Sigkill under matchActions if you want to enforce rather than just observe
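The steps above assembled into one policy, as an added example that is not part of the original page or the Tetragon project's own files. The policy name and the matchBinaries list are constructed for illustration; the watched paths are the ones listed in the steps.

```yaml
# Added example: observe opens of sensitive files via fd_install.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "sensitive-file-open"   # hypothetical name
spec:
  kprobes:
  - call: "fd_install"
    syscall: false              # kernel function, not a syscall
    args:
    - index: 0
      type: "int"               # fd number being installed
    - index: 1
      type: "file"              # struct file *, resolved to a path
    selectors:
    # Filters inside one selector are ANDed together.
    - matchArgs:
      - index: 1                # points at the "file" argument declared above
        operator: "Prefix"
        values:
        - "/etc/shadow"
        - "/etc/passwd"
        - "/root/.ssh/"
        - "/etc/sudoers"
      # Optional scoping; this binary list is a constructed sample.
      # Remove matchBinaries to watch every executable.
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/cat"
        - "/usr/bin/vim"
      # Enforcement: uncomment only after the observed events look right.
      # matchActions:
      # - action: Sigkill
```

With matchActions left commented out the policy only reports events. /etc/passwd is read by many ordinary programs, so review what tetra getevents shows before enabling Sigkill on that prefix.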
Known gotchas
The argument index in matchArgs must exactly correspond to the argument declaration order in the args list; an off-by-one index produces no matches or incorrect filtering
Operator values are case-sensitive strings such as Equal, Prefix, and Postfix; an incorrect operator value causes a policy validation error
High-frequency file open events on busy systems can produce significant event volume; use matchBinaries or matchNamespaces selectors to reduce noise before deploying broadly