/docs/use-cases/linux-process-credentials/ Recent content in Linux process credentials on Tetragon - eBPF-based Security Observability and Runtime Enforcement Hugo en /docs/use-cases/linux-process-credentials/syscalls-monitoring/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/use-cases/linux-process-credentials/syscalls-monitoring/ Tetragon can hook at the system calls that directly manipulate the credentials. This allows us to determine which process is trying to change its credentials and the new credentials that could be applied by the kernel. This answers the questions: Which process or container is trying to change its UIDs/GIDs in my cluster? Which process or container is trying to change its capabilities in my cluster? Before going forward, verify that all pods are up and running, ensure you deploy our Demo Application to explore the Security Observability Events: /docs/use-cases/linux-process-credentials/monitor-changes-at-kernel/ Mon, 01 Jan 0001 00:00:00 +0000 /docs/use-cases/linux-process-credentials/monitor-changes-at-kernel/ Monitoring Process Credentials changes at the kernel layer is also possible. This allows to capture the new process_credentials that should be applied. This process-creds-installed tracing policy can be used to answer the following questions: Which process or container is trying to change its own UIDs/GIDs in the cluster? Which process or container is trying to change its own capabilities in the cluster? In which user namespace the credentials are being changed?