{"id":"7017f528-fc16-4f86-b49a-bc2309bd1a0b","task":"Write a Tetragon TracingPolicy to monitor opens of sensitive files using a kprobe and matchArgs path filtering","domain":"tetragon.io","steps":["Create a TracingPolicy with a kprobe on security_file_open or fd_install to capture file open events at the kernel level","Declare the relevant arguments; for fd_install declare argument at index 1 with type: file to extract path information","Under selectors, add a matchArgs entry specifying index (pointing to the path argument), operator: Prefix, and a values list with sensitive paths such as /etc/shadow, /etc/passwd, /root/.ssh/, and /etc/sudoers","Optionally add matchBinaries to limit monitoring to specific executables, or matchNamespaces to scope to a namespace","Apply the policy and generate test file access events; observe them with tetra getevents","Add action: Sigkill under matchActions if you want to enforce rather than just observe"],"gotchas":["The argument index in matchArgs must exactly correspond to the argument declaration order in the args list; an off-by-one index produces no matches or incorrect filtering","Operator values are case-sensitive strings such as Equal, Prefix, and Postfix; an incorrect operator value causes a policy validation error","High-frequency file open events on busy systems can produce significant event volume; use matchBinaries or matchNamespaces selectors to reduce noise before deploying broadly"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/7017f528-fc16-4f86-b49a-bc2309bd1a0b"}