Security Observability with eBPF
book

by Jed Salazar, Natalia Reka Ivanko
April 2022
Intermediate to advanced
65 pages
1h 28m
English
O'Reilly Media, Inc.
Content preview from Security Observability with eBPF

Chapter 2. Why Is eBPF the Optimal Tool for Security?

In this chapter, we will take you on a journey through pre–cloud native network security and threat detection, how they have changed with the introduction of Kubernetes, and finally, how they can be solved with eBPF.

Precloud Security

Before cloud native became the dominant production environment, network monitoring and threat detection tools were based on auditd, syslog, dead-disk forensics, whatever your network infrastructure happened to log, and optionally, copying the full contents of network packets to disk (known as packet captures).

Monitoring from Legacy Kernel, Disk, and Network Tools

Traditional logging systems, such as auditd, are not namespaced in the kernel, so they lack details about which container invoked a system call, started a process, or opened a network socket. Network logs are also not container-aware, since pod IPs are ephemeral and can be reused by entirely different apps in different pods—maybe even on different nodes—by the time the investigation starts.

Packet capture stores every packet on a network to disk and runs custom pattern matching on each packet to identify an attack. Most modern application traffic is encrypted, largely thanks to Let’s Encrypt and service meshes, and high-scale environments are now the norm, so packet captures are both too costly and ineffective for cloud native environments. Another tool used to monitor for security incidents is disk forensics.

Disk forensics collects a bit-for-bit ...

ISBN: 9781492096719