{"id":"991df926-6dc6-40c2-b9b9-bb539cfa738f","task":"Use Tetragon to detect privilege escalation by monitoring kernel credential change functions with a TracingPolicy kprobe","domain":"tetragon.io","steps":["Create a TracingPolicy with a kprobe on the commit_creds kernel function, which is called whenever a process's credentials are updated","Declare the cred struct as the first argument so Tetragon can extract UID, GID, and capability fields from the new credentials","Add a matchArgs or matchCaps selector that triggers when the new UID equals 0 or when capabilities such as CAP_SYS_ADMIN are gained","Optionally add matchBinaries to flag only unexpected binaries performing the privilege change","Apply the policy and simulate a privilege escalation (e.g., via a setuid binary in a test container); confirm Tetragon emits a process_kprobe event","Forward events to a SIEM via tetra getevents --output json for correlation and alerting"],"gotchas":["commit_creds is called frequently by legitimate processes for low-privilege credential adjustments; overly broad selectors without UID or capability filters will generate very high event volumes","Kernel struct field layouts for cred vary across kernel versions; rely on Tetragon's built-in cred argument type rather than manual byte offsets","Enforcement (Sigkill) on commit_creds fires before the credential change completes, effectively blocking the escalation at the kernel level, but must be tested carefully to avoid breaking legitimate setuid flows"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:16.527Z"},"url":"https://mcp.waymark.network/r/991df926-6dc6-40c2-b9b9-bb539cfa738f"}