5/31/2023 Aluminum tetragon

We are excited to announce the Tetragon open source project. Tetragon is a powerful eBPF-based security observability and runtime enforcement platform that has been part of Isovalent Cilium Enterprise for several years. Today, we are open sourcing major parts as project Tetragon and opening it up for collaboration with the entire community.

Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement. The deep visibility is achieved without requiring application changes and is provided at low overhead thanks to smart in-kernel filtering and aggregation logic built directly into the eBPF-based kernel-level collector. The embedded runtime enforcement layer is capable of performing access control on the system call and other enforcement levels.

The foundation of Tetragon is a powerful observability layer that can introspect the entire system, ranging from low-level kernel visibility to track file accesses, network activity, or capability changes, all the way up into the application layers, covering aspects such as function calls into vulnerable libraries, tracing process execution, or understanding HTTP requests made. To list just a few of the capabilities, Tetragon can provide visibility into all kinds of kernel subsystems to cover namespace escapes, capability and privilege escalations, file system and data access, networking activity of protocols such as HTTP, DNS, TLS, and TCP, as well as the system call layer to audit system call invocation and follow process execution.

- Deep observability: Extensive visibility into all parts of the system and applications, ranging from detecting low-level microbursts in TCP connections and providing HTTP visibility for golden signal dashboards, to the ability to detect the use of particular vulnerable shared libraries. The possibilities of eBPF are massive and Tetragon provides an easy-to-use framework to cover additional visibility use cases.
- Transparent: No application code changes are needed. All observability data is collected transparently from within the kernel. Applications cannot detect when they are being monitored, which is ideal for security use cases.
- Low-Overhead: Minimal overhead is imposed on the system. Performing filtering, aggregation, metric accounting, and histogram collection directly in the kernel with eBPF helps to reduce the overhead.

Tetragon uses efficient data structures such as per-CPU hash tables, ring buffers, and LRU maps to provide efficient and fast means of data collection and avoids sending vast amounts of low-signal events to the user space agent.

Building on the rich observability, Tetragon provides real-time runtime enforcement. Unlike other systems, which have a limited set of enforcement points such as only the system call level, Tetragon is able to enforce security policies across the operating system in a preventive manner instead of reacting to events asynchronously. Tetragon has the ability to specify allow lists for access control at several layers. Security policies can be injected via Kubernetes (CRDs), a JSON API, or systems such as Open Policy Agent (OPA).

Other approaches to gaining this kind of visibility:
- App instrumentation uses a code dependency to gain visibility into the application. Pros: efficient, good application visibility.
- LD_PRELOAD loads a library, without the app being aware of it, to intercept syscalls.
- ptrace(2) is a debugging interface provided by the kernel to trace processes and syscalls.
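As an added example of the Kubernetes CRD route for injecting policy mentioned above (constructed for this page, not taken from the original post or the Tetragon project), the two TracingPolicy resources below hook the kernel's fd_install() function, first in an observe-only form and then with an allow list that kills any process outside it. The policy names, the watched paths and the allowed binary are placeholders, and the second policy assumes a Tetragon version whose matchBinaries selector supports the NotIn operator.

```yaml
# Constructed example (not from the original post): two Tetragon
# TracingPolicy resources hooking fd_install(), the kernel function that
# installs a file descriptor once a file has been opened successfully.
# Policy names, paths and the allowed binary are placeholders.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: audit-etc-access          # observe only: emit an event, take no action
spec:
  kprobes:
  - call: "fd_install"
    syscall: false                # a kernel function, not a syscall entry
    args:
    - index: 0
      type: "int"                 # the new file descriptor number
    - index: 1
      type: "file"                # struct file *, resolved to its path
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"                 # in-kernel filter: only files under /etc/
---
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: enforce-shadow-allowlist  # enforce: kill processes not on the allow list
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/shadow"           # placeholder sensitive file
      matchBinaries:
      - operator: "NotIn"         # allow list: only these binaries may open it
        values:
        - "/usr/sbin/sshd"        # placeholder allowed binary
      matchActions:
      - action: Sigkill           # signal is sent from the kernel as the hook fires
```

Apply with kubectl apply and watch the resulting events with tetra getevents; note that fd_install runs after the open has already succeeded, so the kill lands before the process returns to user space to use the descriptor rather than denying the open itself.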