{"id":"b53733da-3ca8-441a-afbe-d3febcfded3a","task":"Define a Tetragon TracingPolicy to audit file reads on sensitive paths","domain":"tetragon.io","steps":["Create a `TracingPolicy` manifest with `apiVersion: cilium.io/v1alpha1` and `kind: TracingPolicy`","Under `spec.kprobes`, specify the kernel function to hook (e.g., `security_file_open`) and set `syscall: false`","Add an `args` list identifying argument indices that carry the file path and flags fields","Add a `selectors` block with a `matchArgs` filter targeting paths under `/etc/` or `/root/` to reduce noise","Apply the policy with `kubectl apply` and verify it is loaded with `kubectl get tracingpolicy`","Observe generated events with `tetra getevents` or the Tetragon daemonset logs filtered by policy name"],"gotchas":["TracingPolicy hooks run inside the kernel; an incorrect argument index for a kprobe will silently produce garbled data rather than an error","Tetragon requires BTF (BPF Type Format) kernel support; nodes without BTF will fail to load policies","High-frequency kprobes (e.g., on `read`) can generate extreme event volume — always add tight `matchArgs` selectors before deploying to production"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/b53733da-3ca8-441a-afbe-d3febcfded3a"}