Cilium’s new Tetragon component enables powerful realtime, eBPF-based Security Observability and Runtime Enforcement.

Tetragon detects and is able to react to security-significant events, such as I/O activity including network & file access.

When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so on - so that security event detection can be configured in relation to individual workloads.

Tetragon is a runtime security enforcement and observability tool: it applies policy and filtering directly in eBPF in the kernel. It performs the filtering, blocking, and reacting to events directly in the kernel instead of sending every event to a user-space agent.

For an observability use case, applying filters directly in the kernel drastically reduces observation overhead. By avoiding expensive context switching and wake-ups, especially for high-frequency events such as send, read, or write operations, eBPF reduces the required resources. Instead, Tetragon provides rich filters (file, socket, binary names, namespace/capabilities, etc.) in eBPF, which allows users to specify the important and relevant events in their specific context, and pass only those to the user-space agent.

Tetragon can hook into any function in the Linux kernel and filter on its arguments, its return value, and the associated metadata that Tetragon collects about processes (e.g., executable names). By writing tracing policies, users can solve various security and observability use cases. We provide a number of examples for these in the repository and highlight some below in the 'Getting Started Guide', but users are encouraged to create new policies that match their use case. The examples are just that: jumping-off points that users can then use to create new and specific policy deployments, even potentially tracing kernel functions we did not consider. None of the specifics about which functions are traced and what filters are applied are hard-coded in the engine itself.

Critically, Tetragon allows hooking deep in the kernel, where data structures cannot be manipulated by user-space applications. This avoids common issues with syscall tracing, where data is incorrectly read, maliciously altered by attackers (the time-of-check/time-of-use race against argument buffers that a syscall-level tracer copies from user memory), or missing due to page faults and other user/kernel boundary errors.

Many of the Tetragon developers are also kernel developers. Tetragon has created a set of tracing policies that can solve many common observability and security use cases.

Tetragon, through eBPF, has access to the Linux kernel state. Tetragon can then join this kernel state with Kubernetes awareness or user policy to create rules enforced by the kernel in real time. This allows annotating and enforcing process namespace and capabilities, sockets to processes, process file descriptors to filenames, and so on. For example, when an application changes its privileges we can create a policy to trigger an alert or even kill the process before it has a chance to complete the syscall and potentially run additional syscalls.

For getting started with local development, you can refer to the Contribution Guide.

This Quickstart guide uses a Kind cluster and a helm-based installation to provide a simple way to get hands-on experience with Tetragon and the events it generates. These events include monitoring process execution, network sockets, and file access to see what binaries are executing and making network connections or writing to sensitive files.

Kubernetes Quickstart Guide

Docker Deployment
For getting started without having to deploy on a Kubernetes cluster, please refer to the Docker deployment guide.

Package deployment
For deploying Tetragon as a systemd service, please refer to the Package deployment guide.

Use case 1: Monitoring Process Execution
In this scenario, we are going to install a demo application,
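As an added example of the tracing-policy mechanism described above (in-kernel filters on a hooked function's arguments, restricted to particular binaries, with a kill action that fires before the syscall completes), here is a TracingPolicy written for this page. It is not a policy shipped with Tetragon and not the demo from Use case 1. It hooks the LSM function security_file_permission, which the kernel calls on every read or write with the resolved file and an access mask, filters in eBPF on the path prefix and the mask, exempts an allowlist of binaries, and sends SIGKILL to anything else that writes under /etc/. The hook name, argument types and selector fields follow the TracingPolicy format the project documents; the policy name, the path prefix, the binary allowlist and the use of the NotIn operator for matchBinaries are my own choices and should be checked against the installed Tetragon version.

```yaml
# Added example, not a policy shipped with Tetragon. The policy name, the
# paths and the binary allowlist are illustrative choices.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "block-etc-writes"
spec:
  kprobes:
  # security_file_permission(struct file *file, int mask) is an LSM hook that
  # runs in kernel context on kernel data, so the path being checked cannot be
  # swapped out from user space after the check (the syscall-tracing problem
  # described above).
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"   # Tetragon resolves the struct file to its path
    - index: 1
      type: "int"    # access mask: 4 = MAY_READ, 2 = MAY_WRITE
    selectors:
    # Selectors are OR'ed; the match* blocks inside one selector are AND'ed.
    # Selector 1: a write under /etc/ by any binary outside the allowlist is
    # killed in the hook, before the syscall returns to the process.
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/"
      - index: 1
        operator: "Equal"
        values:
        - "2"
      matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/bin/apt"
        - "/usr/bin/dpkg"
      matchActions:
      - action: Sigkill
    # Selector 2: reads of /etc/shadow by any binary are only reported; with no
    # matchActions the event is posted to the agent and nothing is blocked.
    - matchArgs:
      - index: 0
        operator: "Equal"
        values:
        - "/etc/shadow"
      - index: 1
        operator: "Equal"
        values:
        - "4"
```

Apply it with `kubectl apply -f block-etc-writes.yaml` and watch the resulting events with `kubectl exec -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact`. Roll a policy like this out in observe-only mode first (drop the matchActions block) and confirm from the events that only the intended binaries match, because a Sigkill on a mis-scoped selector terminates every matching process on the node, including package managers and configuration-management agents that legitimately write to /etc/.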