Skill v1.0.1
currentAutomated scan88/100+3 new
name: implementing-ebpf-security-monitoring description: 'Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters.
' domain: cybersecurity subdomain: security-operations tags:
- ebpf
- tetragon
- cilium
- runtime-security
- observability
- kernel-security
- kubernetes-security
version: '1.0' author: mukul975 license: Apache-2.0 nist_ai_rmf:
- MEASURE-2.7
- MAP-5.1
- MANAGE-2.4
atlas_techniques:
- AML.T0070
- AML.T0066
- AML.T0082
nist_csf:
- DE.CM-01
- RS.MA-01
- GV.OV-01
- DE.AE-02
mitre_attack:
- T1078
- T1190
- T1059
- T1685.002
- T1685.005
Implementing eBPF Security Monitoring
When to Use
- When deploying kernel-level runtime security monitoring on Linux hosts or Kubernetes clusters
- When you need sub-millisecond visibility into process execution, network connections, and file access
- When traditional userspace monitoring tools introduce unacceptable performance overhead
- When building detection pipelines that require in-kernel filtering before events reach userspace
- When enforcing runtime security policies (kill process, send signal) at the kernel level
Prerequisites
- Linux kernel 5.3+ with BTF (BPF Type Format) support enabled
- Kubernetes 1.24+ cluster (for Kubernetes deployment) or standalone Linux host
- Helm 3.x installed (for Kubernetes deployment)
kubectlconfigured with cluster accesstetraCLI installed for local event streaming- Python 3.8+ with
requests,kubernetes,pyyamldependencies - Root or CAP_BPF/CAP_SYS_ADMIN capabilities for eBPF program loading
Instructions
1. Install Tetragon on Kubernetes
Deploy Tetragon via Helm to get default process lifecycle observability:
helm repo add cilium https://helm.cilium.iohelm repo updatehelm install tetragon cilium/tetragon -n kube-system \--set tetragon.enableProcessCred=true \--set tetragon.enableProcessNs=true
Verify the installation:
kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragonkubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | head -20
2. Install Tetragon on Standalone Linux
For non-Kubernetes Linux hosts, install from the tarball release:
curl -LO https://github.com/cilium/tetragon/releases/latest/download/tetragon-linux-amd64.tar.gztar xzf tetragon-linux-amd64.tar.gzsudo cp tetragon /usr/local/bin/sudo cp tetra /usr/local/bin/# Start tetragon daemonsudo tetragon --btf /sys/kernel/btf/vmlinux &# Stream eventstetra getevents -o compact
3. Monitor Process Execution (Default)
Tetragon generates process_exec and process_exit events by default without any TracingPolicy:
# Stream process events in compact formattetra getevents -o compact# Stream in JSON for SIEM ingestiontetra getevents -o json | jq '.process_exec // .process_exit'
Example process_exec JSON event:
{"process_exec": {"process": {"binary": "/usr/bin/curl","arguments": "https://malicious.example.com/payload","cwd": "/tmp","uid": 1000,"pod": {"namespace": "default","name": "webapp-7b4d9f8c6-x2k9p"},"parent": {"binary": "/bin/bash","pid": 1234}}}}
4. Author TracingPolicy for File Access Monitoring
Create a TracingPolicy CRD to monitor access to sensitive files via the sys_openat kprobe:
# file-access-monitor.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: monitor-sensitive-file-accessspec:kprobes:- call: "fd_install"syscall: falseargs:- index: 0type: "int"- index: 1type: "file"selectors:- matchArgs:- index: 1operator: "Prefix"values:- "/etc/shadow"- "/etc/passwd"- "/etc/sudoers"- "/root/.ssh/"- "/etc/kubernetes/pki/"matchActions:- action: Post
Apply and observe:
kubectl apply -f file-access-monitor.yamltetra getevents -o compact --process-filter "event_set:PROCESS_KPROBE"
5. Author TracingPolicy for Network Connection Monitoring
Monitor outbound TCP connections using the tcp_connect kprobe:
# network-monitor.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: monitor-tcp-connectionsspec:kprobes:- call: "tcp_connect"syscall: falseargs:- index: 0type: "sock"selectors:- matchActions:- action: Post
6. Author TracingPolicy for Privilege Escalation Detection
Detect setuid/setgid calls that may indicate privilege escalation:
# privilege-escalation-detect.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: detect-privilege-escalationspec:kprobes:- call: "__sys_setuid"syscall: falseargs:- index: 0type: "int"selectors:- matchArgs:- index: 0operator: "Equal"values:- "0"matchActions:- action: Post- call: "commit_creds"syscall: falseargs:- index: 0type: "cred"selectors:- matchActions:- action: Post
7. Runtime Enforcement with Sigkill Action
Block unauthorized binary execution by killing the process in-kernel:
# enforce-binary-allowlist.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: enforce-no-crypto-minersspec:kprobes:- call: "sys_execve"syscall: trueargs:- index: 0type: "string"selectors:- matchArgs:- index: 0operator: "Postfix"values:- "xmrig"- "minerd"- "cpuminer"- "cryptonight"matchActions:- action: Sigkill
8. Export Events to SIEM
Configure Tetragon to export JSON events to a file sink for Fluentd/Filebeat/Vector ingestion:
# Helm values for file exporthelm upgrade tetragon cilium/tetragon -n kube-system \--set tetragon.exportFilename=/var/log/tetragon/tetragon.log \--set tetragon.exportFileMaxSizeMB=100 \--set tetragon.exportFileMaxBackups=5
Then configure your log shipper (e.g., Filebeat) to tail /var/log/tetragon/tetragon.log and send to your SIEM.
9. Kubernetes-Aware Namespace Filtering
Use TracingPolicyNamespaced to scope monitoring to specific namespaces:
apiVersion: cilium.io/v1alpha1kind: TracingPolicyNamespacedmetadata:name: monitor-production-file-accessnamespace: productionspec:kprobes:- call: "fd_install"syscall: falseargs:- index: 0type: "int"- index: 1type: "file"selectors:- matchArgs:- index: 1operator: "Prefix"values:- "/etc/shadow"- "/etc/passwd"
Examples
Detect Reverse Shell Connections
# reverse-shell-detect.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: detect-reverse-shellsspec:kprobes:- call: "tcp_connect"syscall: falseargs:- index: 0type: "sock"selectors:- matchBinaries:- operator: "In"values:- "/bin/bash"- "/bin/sh"- "/usr/bin/python3"- "/usr/bin/perl"- "/usr/bin/nc"- "/usr/bin/ncat"matchActions:- action: Post
Monitor Container Escape Attempts
# container-escape-detect.yamlapiVersion: cilium.io/v1alpha1kind: TracingPolicymetadata:name: detect-container-escapespec:kprobes:- call: "sys_openat"syscall: trueargs:- index: 0type: "int"- index: 1type: "string"selectors:- matchArgs:- index: 1operator: "Prefix"values:- "/proc/1/root"- "/proc/1/ns"- "/sys/kernel/security"- "/proc/sysrq-trigger"matchActions:- action: Post- call: "sys_mount"syscall: trueargs:- index: 0type: "string"- index: 1type: "string"- index: 2type: "string"selectors:- matchActions:- action: Post
Full Event Pipeline: Tetragon to Elasticsearch
# Use tetra CLI to pipe events through jq into Elasticsearchtetra getevents -o json | jq -c 'select(.process_kprobe != null)' | \while IFS= read -r line; docurl -s -X POST "http://elasticsearch:9200/tetragon-events/_doc" \-H "Content-Type: application/json" \-d "$line"done