Tetragon v1.0 released: eBPF-based Security Observability and Runtime Enforcement
Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security Observability and Runtime Enforcement.
Tetragon detects, and is able to respond in real time to, security-significant events such as:
- Process execution events
- Changes to privileges and capabilities
- I/O activity including network & file access
When used in a Kubernetes environment, Tetragon is Kubernetes-aware – that is, it understands Kubernetes identities such as namespaces, pods, and so-on – so that security event detection can be configured in relation to individual workloads.
Functionality Overview
eBPF Real-Time
Tetragon is a real-time security and observability tool. What this means is that Tetragon applies policy and filtering directly in eBPF. In the security context, this enables stopping an operation from occurring, instead of observing an operation and reacting to it (e.g., to detected malicious behavior) after the fact. In the reactive case, an attacker may have already manipulated the critical data, stolen secrets, or otherwise compromised the machine. By applying policy inline in eBPF, malicious operations are stopped before they occur.
For an observability use case, applying filters directly in the kernel drastically reduces observation overhead. By avoiding expensive context switches and wakeups, especially for high-frequency events such as send, read, or write operations, eBPF reduces the resources required. Rather than forwarding every event, Tetragon provides rich filters (file, socket, binary names, namespace/capabilities, etc.) in eBPF, which allow users to specify the events that are important and relevant in their specific context, and pass only those to the user-space agent.
eBPF Flexibility
Tetragon can hook into any function in the Linux kernel and filter on its arguments, its return value, the metadata that Tetragon collects about processes (e.g., executable names), files, and other properties. By writing tracing policies, users can solve various security and observability use cases. We provide a number of examples for these in the repository and highlight some below in the 'Getting Started Guide', but users are encouraged to create new policies that match their use cases. The examples are just that: jumping-off points that users can build on to create new and specific policy deployments, potentially tracing kernel functions we did not consider. None of the specifics about which functions are traced and what filters are applied are hard-coded in the engine itself.
Critically, Tetragon allows hooking deep in the kernel, where data structures cannot be manipulated by user-space applications. This avoids common issues with syscall tracing, where data is incorrectly read, maliciously altered by attackers (for example, rewritten between the time the tracer reads an argument and the time the kernel uses it), or missing due to page faults and other user/kernel boundary errors.
Many of the Tetragon developers are also kernel developers. By leveraging this knowledge base, the project has created a set of tracing policies that can solve many common observability and security use cases.
eBPF Kernel Aware
Tetragon, through eBPF, has access to the Linux kernel state. Tetragon can then join this kernel state with Kubernetes awareness or user policy to create rules enforced by the kernel in real time. This allows annotating and enforcing process namespaces and capabilities, mapping sockets to processes, resolving process file descriptors to filenames, and so on. For example, when an application changes its privileges, we can create a policy to trigger an alert or even kill the process before it has a chance to complete the syscall and potentially run additional syscalls.
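The following TracingPolicy is an added example illustrating the three points above (policy applied inline in eBPF, hooking a kernel-internal function rather than a syscall, and joining kernel state with namespace and capability filters). It is not taken from the release notes or from the Tetragon repository. The hooked symbol security_file_permission (an LSM hook taking a struct file pointer and an access mask), the policy name, the /etc/secrets/ path and the /usr/bin/cat binary are this example's own assumptions, and the selector field names follow the TracingPolicy API as documented for Tetragon 1.0.

```yaml
# Added example policy, not from the Tetragon project. Assumed: the kernel
# exposes security_file_permission(struct file *, int mask); path and binary
# values are made up for illustration.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "example-sensitive-file-guard"
spec:
  kprobes:
  # Hook the LSM permission check, which runs inside the kernel after the
  # file descriptor has been resolved; user space cannot swap the path out
  # from under us the way it can with a raw open() syscall argument.
  - call: "security_file_permission"
    syscall: false
    args:
    - index: 0
      type: "file"       # Tetragon resolves struct file * to a full path
    - index: 1
      type: "int"        # MAY_READ / MAY_WRITE access mask
    selectors:
    # Selectors are OR'ed; the match* clauses inside one selector are AND'ed.
    # Selector 1: a process running outside the host PID namespace, holding
    # CAP_SYS_ADMIN, touching anything under /etc/secrets/ is killed from the
    # kprobe, before the permission check returns.
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/secrets/"
      matchNamespaces:
      - namespace: Pid
        operator: NotIn
        values:
        - "host_ns"
      matchCapabilities:
      - type: Effective
        operator: In
        values:
        - "CAP_SYS_ADMIN"
      matchActions:
      - action: Sigkill
    # Selector 2: observe-only. Accesses to the same tree by /usr/bin/cat are
    # posted to the agent as process_kprobe events but not blocked, so the
    # user-space agent only ever sees the events the selector let through.
    - matchArgs:
      - index: 0
        operator: "Prefix"
        values:
        - "/etc/secrets/"
      matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/cat"
      matchActions:
      - action: Post
```

Apply it with kubectl apply -f on a cluster running the Tetragon agent and watch the resulting events with tetra getevents -o compact; events matching the first selector carry the Sigkill action, those matching the second are plain observations. The Kubernetes awareness described above shows up in the same events: each one is annotated with the pod and namespace of the process that triggered it, without the policy having to name any pod explicitly.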
Changelog v1.0
Breaking Changes:
Major Changes:
- tetragon: build arm64 tarball (#1484) by @tixxdz
- tetragon:process_exec: display uids/gids credentials and detect privileged execution (#1296) by @tixxdz
- Add a new kernel stack traces alpha feature to kprobes events. (#1429) by @mtardy
- api: add a policy_name field to kprobe, tracepoint and uprobe events (#1574) by @mtardy
- tetragon: Add killer sensor (#1205) by @olsajiri
- helm: Set the feature that implements Namespaced policies and Pod label filters on by default (#1647) by @kkourt
Bugfixes:
- Use a message copy to apply fieldFilters in exec events (#1432) by @tpapagian
- bpf: fix verification error in bpf_execve_event (#1454) by @kkourt
- Add complete k8s object validation and defaults on standalone (#1521) by @mtardy
- tetragon: fix crash in kprobe validation (#1551) by @olsajiri
- bugfix: Use shared string maps in kprobe-multi (#1582) by @tpapagian
- bpf: fix policyfilter issue for existing processes (#1590) by @kkourt
- Fixes a regression on enable/disable sensors that would prevent a sensor from being enabled. (#1562) by @mtardy
- helm: Fix selector labels for the operator deployment (#1644) by @michi-covalent
Install & Use
Copyright (C) 2022 cilium