<aside>
🎯
Goal: Prevent script injection by blocking unauthorized writes to mission-critical .sh, .py, and .js files in real time—before changes hit disk.
</aside>
Problem
- Traditional File Integrity Monitoring (FIM) is reactive—it alerts after modification.
- Script injection attacks compromise trusted environments by modifying legitimate scripts.
- Legacy hook points (e.g., kprobes) can be vulnerable to TOCTOU (Time-of-Check to Time-of-Use) race conditions.
Solution
Implemented a high-performance Cilium Tetragon TracingPolicy using the Linux Security Modules (LSM) framework to shift from detection to active enforcement.
How it works
- LSM-native enforcement: Hooks at
file_permission to inspect write attempts at an authoritative kernel stage.
- Fast scoping: Uses Prefix path matching to protect only critical directories (e.g.,
/var/www/html/scripts/, /home/user/my_scripts/) with minimal overhead.
- Non-disruptive blocking: Uses Override to inject
-13 (EACCES) into the syscall result, denying unauthorized writes without killing the process.
Technical Specs
- Framework: Cilium Tetragon (eBPF-driven)
- Security layer: LSM
- Kernel hook:
file_permission
- Matching strategy: Prefix operator
- Intercepted flag:
MAY_WRITE (mask: 2)
- Enforcement action: Synchronous error injection (
Override: -13)
Outcomes / Impact
- Active prevention: Blocks unauthorized modifications before any data is written.