{"id":"8dd774ac-e61a-4bd3-a35b-96c3f5a6a657","task":"Define a Cilium Tetragon TracingPolicy with a kprobe to monitor exec of specific binaries","domain":"tetragon.io","steps":["Write a TracingPolicy manifest with apiVersion 'cilium.io/v1alpha1' and kind 'TracingPolicy' targeting a kernel function used in process execution such as 'security_bprm_check'","Set the 'kprobes' array entry with the function name and define which arguments to capture using the 'args' list with index, type, and label fields","Add a 'selectors' block to filter events by binary path using a 'matchBinaries' selector with the 'values' list of full binary paths to monitor","Apply the TracingPolicy to the cluster with kubectl apply and confirm the CRD is accepted without validation errors","Run 'tetra getevents' to stream process events and filter for exec events matching your target binary","Verify captured events include the expected process metadata such as binary path, arguments, and pod context"],"gotchas":["Tetragon TracingPolicy kprobe argument indices are 0-based and map to kernel function parameter positions; using the wrong index captures the wrong data or causes a Tetragon error","Some kernel functions are inlined or renamed across kernel versions; a kprobe on a function that does not exist on the host kernel will fail to load — check the function name against the running kernel's /proc/kallsyms","The matchBinaries selector requires full absolute paths and does not support glob patterns; list each binary path explicitly"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/8dd774ac-e61a-4bd3-a35b-96c3f5a6a657"}