Write a TracingPolicy using the 'tracepoints' array instead of 'kprobes', specifying the tracepoint subsystem and event such as 'syscalls/sys_enter_openat'
Define argument capture for the relevant tracepoint fields including the filename argument using the correct index for the openat syscall tracepoint
Add a 'selectors' block with 'matchArgs' to filter events where the filename argument starts with or equals a sensitive directory path
Apply the policy and confirm it is accepted; check Tetragon pod logs for any policy loading errors
Use 'tetra getevents --namespace your-namespace' to stream events and verify file open events from the target path are captured
Optionally add a matchNamespaces or matchCapabilities selector to scope monitoring to privileged workloads only
Known gotchas
Tracepoint argument layouts differ from kprobe arguments; consult the kernel tracepoint format file under /sys/kernel/debug/tracing/events for the correct field names and offsets
matchArgs string comparison in selectors is exact by default; prefix-based filtering on file paths may require using 'operator: Prefix' if supported by your Tetragon version, otherwise enumerate paths explicitly
Tracepoints capture the path string as provided by the caller; symlinks and relative paths will appear as-is and may not match absolute sensitive path selectors
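Added example (not part of the original page or the Tetragon project): a parser for the tracepoint format file mentioned in the first gotcha, listing each field's position, offset and size so the filename field can be located before writing the argument capture. The embedded format text is a constructed sample modelled on a typical x86_64 kernel; how a field's position maps to a Tetragon argument index is an assumption to confirm against the Tetragon documentation for your version.

```python
import re
import sys

# Constructed sample modelled on a typical x86_64 format file for
# syscalls/sys_enter_openat; the ID and offsets on a real kernel may differ.
SAMPLE_FORMAT = """\
name: sys_enter_openat
ID: 614
format:
\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;
\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;
\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;
\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;

\tfield:int __syscall_nr;\toffset:8;\tsize:4;\tsigned:1;
\tfield:int dfd;\toffset:16;\tsize:8;\tsigned:0;
\tfield:const char * filename;\toffset:24;\tsize:8;\tsigned:0;
\tfield:int flags;\toffset:32;\tsize:8;\tsigned:0;
\tfield:umode_t mode;\toffset:40;\tsize:8;\tsigned:0;
"""

FIELD_RE = re.compile(
    r"field:(?P<decl>[^;]+);\s*offset:(?P<offset>\d+);"
    r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>\d+);")
# Splits a C declaration such as "const char * filename" or "char comm[16]".
DECL_RE = re.compile(r"^(?P<type>.*?)\s*(?P<name>\w+)(?P<array>\[[^\]]*\])?$")

def parse_format(text):
    """Return the fields of a tracepoint format file in declaration order."""
    fields = []
    for position, m in enumerate(FIELD_RE.finditer(text)):
        decl = DECL_RE.match(m["decl"].strip())
        ctype = decl["type"] + (decl["array"] or "")
        fields.append({
            "position": position, "name": decl["name"], "type": ctype,
            "offset": int(m["offset"]), "size": int(m["size"]),
            "signed": m["signed"] == "1",
            # A pointer field holds an address, not the path bytes themselves.
            "is_pointer": ctype.endswith("*"),
        })
    return fields

def find_field(fields, name):
    return next((f for f in fields if f["name"] == name), None)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FORMAT
    for f in parse_format(text):
        print(f["position"], f["name"], f["type"], f["offset"], f["size"], sep="\t")
```

Pass the real file as the first argument, for example /sys/kernel/debug/tracing/events/syscalls/sys_enter_openat/format, and compare the output with the sample before choosing the index for the filename argument.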