

Tetragon is a real-time security and observability tool. When used in a Kubernetes environment, Tetragon is Kubernetes-aware – that is, it understands Kubernetes identities such as namespaces, pods, and so on – so that security event detection can be configured in relation to individual workloads.

What this means is Tetragon applies policy and filtering directly in eBPF. In the security context, this enables stopping an operation from occurring, instead of observing an operation and reacting to it (e.g., detected malicious behavior) after the fact. In the react case, an attacker may have already manipulated the critical data, stolen secrets, or otherwise compromised the machine. By applying policy inline in eBPF, malicious operations are stopped before they occur.

For an observability use case, applying filters directly in the kernel drastically reduces observation overhead. By avoiding expensive context switching and wakeups, especially for high frequency events, such as send, read, or write operations, eBPF reduces required resources. Instead of forwarding every event, Tetragon provides rich filters (file, socket, binary names, namespace/capabilities, etc.) in eBPF, which allows users to specify the important and relevant events in their specific context, and pass only those to the user-space agent.

Tetragon can hook into any function in the Linux kernel and filter on its arguments, return value, associated metadata that Tetragon collects about processes (e.g., executable names), files, and other properties. By writing tracing policies users can solve various security and observability use cases. We provide a number of examples for these in the repository and highlight some below in the ‘Getting Started Guide’, but users are encouraged to create new policies that match their use cases. The examples are just that, jumping off points that users can then use to create new and specific policy deployments, even potentially tracing kernel functions we did not consider. None of the specifics about which functions are traced and what filters are applied are hard-coded in the engine itself.

Critically, Tetragon allows hooking deep in the kernel where data structures cannot be manipulated by user space applications, avoiding common issues with syscall tracing where data is incorrectly read, maliciously altered by attackers, or missing due to page faults and other user/kernel boundary errors.

Many of the Tetragon developers are also kernel developers. By leveraging this knowledge base Tetragon has created a set of tracing policies that can solve many common observability and security use cases.
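To make the above concrete, here is an added example of a TracingPolicy (written for this page, not taken from the Tetragon repository) that shows both modes in one policy: an in-kernel filter that posts events only for file opens under /etc/, and an inline enforcement rule that sends SIGKILL when a shell opens /etc/shadow. It hooks the kernel function fd_install, which runs after a successful open() and hands Tetragon the kernel's own struct file, so the path is not read from user memory. The policy name, the /etc/ and /etc/shadow paths, and the list of shell binaries are assumptions chosen for illustration; adjust them to the workload being protected.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "etc-file-access"      # constructed name for this example
spec:
  kprobes:
  # fd_install() is called in the kernel when a new file descriptor is
  # installed into a process's fd table, i.e. right after a successful
  # open(). Hooking it instead of the open syscall means the path comes
  # from struct file in kernel memory, not from a user-space buffer.
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"      # the new fd number
    - index: 1
      type: "file"     # struct file *, resolved to a path by Tetragon
    selectors:
    # Selector 1 (observability): post an event for any open of a path
    # under /etc/. Opens that do not match are dropped in eBPF and never
    # wake the user-space agent.
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
    # Selector 2 (enforcement): if an interactive shell opens /etc/shadow,
    # kill the process inline before it returns to user space with the fd.
    # The binary list is a constructed example, not a recommended baseline.
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/shadow"
      matchBinaries:
      - operator: "In"
        values:
        - "/bin/bash"
        - "/bin/sh"
      matchActions:
      - action: Sigkill
```

On Kubernetes the policy is loaded with `kubectl apply -f` and the resulting events can be followed with `tetra getevents`. The point of the two selectors is the division of labour the text describes: the Prefix match decides in eBPF which events are worth sending up at all, while the Sigkill action acts on the offending process in the same kernel path rather than after the event has been reported.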
