Practical Guide to eBPF Security Tools: From Detection to Prevention#

While understanding eBPF’s security capabilities is crucial, implementing these tools in production requires practical knowledge. This guide walks through deploying and customizing major eBPF security tools, building custom solutions, and integrating them into your security infrastructure.

Tool Overview: Choosing the Right Solution#

Quick Comparison Matrix#

Tool	Primary Focus	Best For	Learning Curve	Performance Impact
Falco	Runtime threat detection	Cloud-native environments	Low	Low (5-10%)
Tetragon	Security observability & enforcement	Kubernetes security	Medium	Very Low (2-5%)
Tracee	Security event tracking	Forensics & investigation	Low	Low (5-10%)
KubeArmor	Container runtime protection	Kubernetes workload protection	Medium	Low (3-8%)
Custom eBPF	Specific security needs	Unique requirements	High	Variable

Falco: Cloud-Native Runtime Security#

Installation and Setup#

1
# Method 1: Using Helm (Recommended for Kubernetes)
2
helm repo add falcosecurity https://falcosecurity.github.io/charts
3
helm repo update
4

5
# Install with eBPF probe
6
helm install falco falcosecurity/falco \
7
  --set driver.kind=modern_ebpf \
8
  --set driver.modernEbpf.leastPrivileged=true \
9
  --set tty=true
10

11
# Method 2: Standalone installation
12
curl -fsSL https://falco.org/script/install | sudo bash
13
sudo systemctl start falco-modern-bpf

Custom Rules Development#

1
# Rule 1: Detect cryptocurrency mining
2
- rule: Detect Crypto Mining
3
  desc: Detect cryptocurrency mining activities
4
  condition: >
5
    spawned_process and (
6
      proc.name in (xmrig, minerd, minergate, ethminer) or
7
      (proc.cmdline contains "stratum+tcp" or
8
       proc.cmdline contains "pool.") or
9
      (proc.name in (python, python3, perl, ruby) and
10
       proc.cmdline contains "cryptonight")
11
    )
12
  output: >
13
    Crypto mining process detected (user=%user.name user_id=%user.uid
14
    command=%proc.cmdline container_id=%container.id image=%container.image.repository)
15
  priority: WARNING
16
  tags: [cryptomining, threat]
17

18
# Rule 2: Detect reverse shell
19
- rule: Reverse Shell Detection
20
  desc: Detect reverse shell connections
21
  condition: >
22
    inbound_outbound and
23
    ((proc.name in (bash, sh, zsh) and proc.args contains "-i") or
24
     (proc.name = "nc" and
25
      (proc.args contains "-e" or proc.args contains "-c")) or
26
     (proc.name in (python, python3) and
27
      proc.args contains "socket" and
28
      proc.args contains "subprocess"))
29
  output: >
30
    Reverse shell detected (user=%user.name command=%proc.cmdline
31
    connection=%fd.name container=%container.name)
32
  priority: CRITICAL
33
  tags: [reverse_shell, threat]
34

35
# Rule 3: Sensitive file access monitoring
36
- rule: Unauthorized Sensitive File Access
37
  desc: Detect access to sensitive configuration files
38
  condition: >
39
    open_read and
40
    (fd.name startswith /etc/shadow or
41
     fd.name startswith /etc/sudoers or
42
     fd.name contains ".kube/config" or
43
     fd.name contains "id_rsa" or
44
     fd.name contains ".aws/credentials") and
45
    not proc.name in (passwd, chpasswd, shadow, sudo, sshd)
46
  output: >
47
    Sensitive file accessed (user=%user.name file=%fd.name
48
    command=%proc.cmdline container=%container.name)
49
  priority: WARNING
50
  tags: [sensitive_files, configuration]
51

52
# Rule 4: Container escape detection
53
- rule: Container Escape Attempt
54
  desc: Detect potential container escape attempts
55
  condition: >
56
    container.id != host and (
57
      (evt.type = setns and evt.dir=<) or
58
      (proc.name in (nsenter) and not proc.user.name = root) or
59
      (filesystem.mount and
60
       (filesystem.mount.source contains "/proc" or
61
        filesystem.mount.source contains "/sys"))
62
    )
63
  output: >
64
    Container escape attempt (user=%user.name command=%proc.cmdline
65
    container=%container.name syscall=%evt.type)
66
  priority: CRITICAL
67
  tags: [container_escape, threat]

Advanced Falco Configuration#

1
# Performance tuning
2
syscall_event_drops:
3
  actions:
4
    - log
5
    - alert
6
  rate: 0.03 # Alert if drop rate > 3%
7
  max_burst: 10
8

9
# Custom output channels
10
outputs:
11
  rate: 1000 # Max 1000 messages/sec
12
  max_burst: 10000
13

14
# Enable gRPC output for integration
15
grpc:
16
  bind_address: "unix:///run/falco/falco.sock"
17
  threadiness: 4
18

19
# JSON output for SIEM integration
20
json_output: true
21
json_include_output_property: true
22

23
# Buffer size for event processing
24
buf_size_preset: 4 # 4 = 16MB, good for high-load systems

Integration with Alerting Systems#

1
# falco_to_slack.py - Send Falco alerts to Slack
2
import json
3
import requests
4
from flask import Flask, request
5

6
app = Flask(__name__)
7
SLACK_WEBHOOK = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
8

9
@app.route('/falco', methods=['POST'])
10
def handle_falco_alert():
11
    alert = request.json
12

13
    # Parse Falco alert
14
    priority = alert.get('priority', 'INFO')
15
    output = alert.get('output', 'Unknown alert')
16
    rule = alert.get('rule', 'Unknown rule')
17

18
    # Color based on priority
19
    color_map = {
20
        'CRITICAL': '#FF0000',
21
        'WARNING': '#FFA500',
22
        'INFO': '#0000FF'
23
    }
24

25
    # Send to Slack
26
    slack_message = {
27
        "attachments": [{
28
            "color": color_map.get(priority, '#808080'),
29
            "title": f"Falco Alert: {rule}",
30
            "text": output,
31
            "fields": [
32
                {"title": "Priority", "value": priority, "short": True},
33
                {"title": "Rule", "value": rule, "short": True}
34
            ]
35
        }]
36
    }
37

38
    requests.post(SLACK_WEBHOOK, json=slack_message)
39
    return '', 200
40

41
if __name__ == '__main__':
42
    app.run(host='0.0.0.0', port=5000)

Tetragon: Advanced Security Observability#

Installation#

1
# Kubernetes deployment
2
helm repo add cilium https://helm.cilium.io
3
helm repo update
4

5
helm install tetragon cilium/tetragon \
6
  --namespace kube-system \
7
  --set tetragon.enableProcessCred=true \
8
  --set tetragon.enableProcessNs=true
9

10
# Verify installation
11
kubectl -n kube-system get pods -l app.kubernetes.io/name=tetragon

TracingPolicy Examples#

1
# network-monitoring.yaml - Monitor suspicious network connections
2
apiVersion: cilium.io/v1alpha1
3
kind: TracingPolicy
4
metadata:
5
  name: network-security-monitoring
6
spec:
7
  kprobes:
8
    - call: "tcp_connect"
9
      syscall: false
10
      args:
11
        - index: 0
12
          type: "sock"
13
      selectors:
14
        - matchArgs:
15
            - index: 0
16
              operator: "NotDPort"
17
              values:
18
                - 80
19
                - 443
20
                - 22
21
          matchActions:
22
            - action: Sigkill
23
              argError: -1
24
        - matchArgs:
25
            - index: 0
26
              operator: "DAddr"
27
              values:
28
                - "10.0.0.0/8"
29
                - "172.16.0.0/12"
30
                - "192.168.0.0/16"
31
          matchActions:
32
            - action: NoPost # Don't kill, just log
33

34
---
35
# file-integrity.yaml - File integrity monitoring
36
apiVersion: cilium.io/v1alpha1
37
kind: TracingPolicy
38
metadata:
39
  name: file-integrity-monitoring
40
spec:
41
  kprobes:
42
    - call: "security_file_open"
43
      syscall: false
44
      args:
45
        - index: 0
46
          type: "file"
47
        - index: 1
48
          type: "int"
49
      selectors:
50
        - matchArgs:
51
            - index: 0
52
              operator: "Prefix"
53
              values:
54
                - "/etc/"
55
                - "/usr/bin/"
56
                - "/usr/sbin/"
57
            - index: 1
58
              operator: "Equal"
59
              values:
60
                - "2" # O_RDWR
61
          matchActions:
62
            - action: Post
63

64
---
65
# process-execution.yaml - Monitor process execution
66
apiVersion: cilium.io/v1alpha1
67
kind: TracingPolicy
68
metadata:
69
  name: process-execution-monitoring
70
spec:
71
  tracepoints:
72
    - subsystem: "sched"
73
      event: "sched_process_exec"
74
      args:
75
        - index: 0
76
          type: "string"
77
      selectors:
78
        - matchArgs:
79
            - index: 0
80
              operator: "In"
81
              values:
82
                - "curl"
83
                - "wget"
84
                - "nc"
85
                - "ncat"
86
                - "socat"
87
          matchBinaries:
88
            - operator: "NotIn"
89
              values:
90
                - "/usr/bin/apt"
91
                - "/usr/bin/yum"
92
          matchActions:
93
            - action: Post
94
              rateLimit: 10 # Max 10 events per second

Custom Event Processing#

1
// tetragon-processor/main.go - Process Tetragon events
2
package main
3

4
import (
5
    "encoding/json"
6
    "fmt"
7
    "log"
8
    "os"
9

10
    "github.com/cilium/tetragon/api/v1/tetragon"
11
    "google.golang.org/grpc"
12
)
13

14
type SecurityEvent struct {
15
    Type      string                 `json:"type"`
16
    Timestamp string                 `json:"timestamp"`
17
    Process   map[string]interface{} `json:"process"`
18
    Parent    map[string]interface{} `json:"parent"`
19
    Args      []string              `json:"args"`
20
    Action    string                `json:"action"`
21
}
22

23
func processEvent(event *tetragon.GetEventsResponse) {
24
    switch ev := event.Event.(type) {
25
    case *tetragon.GetEventsResponse_ProcessExec:
26
        handleProcessExec(ev.ProcessExec)
27
    case *tetragon.GetEventsResponse_ProcessExit:
28
        handleProcessExit(ev.ProcessExit)
29
    case *tetragon.GetEventsResponse_ProcessKprobe:
30
        handleKprobeEvent(ev.ProcessKprobe)
31
    }
32
}
33

34
func handleProcessExec(exec *tetragon.ProcessExec) {
35
    // Check for suspicious process execution patterns
36
    binary := exec.Process.Binary
37
    args := exec.Process.Arguments
38

39
    // Detect reverse shell patterns
40
    if isReverseShell(binary, args) {
41
        alert := SecurityEvent{
42
            Type:      "REVERSE_SHELL",
43
            Timestamp: exec.Process.ExecTime.String(),
44
            Process: map[string]interface{}{
45
                "binary": binary,
46
                "pid":    exec.Process.Pid.Value,
47
                "uid":    exec.Process.Uid.Value,
48
            },
49
            Args:   args,
50
            Action: "BLOCKED",
51
        }
52
        sendAlert(alert)
53
    }
54
}
55

56
func isReverseShell(binary string, args []string) bool {
57
    // Implement detection logic
58
    suspiciousBinaries := []string{"nc", "ncat", "socat", "bash", "sh"}
59
    suspiciousArgs := []string{"-e", "-c", "exec", "socket"}
60

61
    for _, b := range suspiciousBinaries {
62
        if binary == b {
63
            for _, arg := range args {
64
                for _, s := range suspiciousArgs {
65
                    if arg == s {
66
                        return true
67
                    }
68
                }
69
            }
70
        }
71
    }
72
    return false
73
}
74

75
func main() {
76
    // Connect to Tetragon
77
    conn, err := grpc.Dial("localhost:54321", grpc.WithInsecure())
78
    if err != nil {
79
        log.Fatal(err)
80
    }
81
    defer conn.Close()
82

83
    client := tetragon.NewFineGuidanceSensorsClient(conn)
84
    stream, err := client.GetEvents(context.Background(), &tetragon.GetEventsRequest{})
85
    if err != nil {
86
        log.Fatal(err)
87
    }
88

89
    // Process events
90
    for {
91
        event, err := stream.Recv()
92
        if err != nil {
93
            log.Printf("Error receiving event: %v", err)
94
            continue
95
        }
96
        processEvent(event)
97
    }
98
}

Tracee: Security Runtime Observability#

Advanced Deployment#

1
# Deploy with specific event filters
2
docker run --rm -it \
3
  --pid=host --cgroupns=host --privileged \
4
  -v /etc/os-release:/etc/os-release-host:ro \
5
  -v /var/run/docker.sock:/var/run/docker.sock \
6
  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
7
  aquasec/tracee:latest \
8
  --output json \
9
  --filter event=security_file_open,security_inode_rename \
10
  --filter comm=bash,sh,python \
11
  --filter pid=new \
12
  --capture exec \
13
  --capture mem

Custom Signatures#

1
// custom-signature.go - Detect privilege escalation
2
package main
3

4
import (
5
    "fmt"
6
    "github.com/aquasecurity/tracee/signatures/helpers"
7
    "github.com/aquasecurity/tracee/types/detect"
8
    "github.com/aquasecurity/tracee/types/protocol"
9
    "github.com/aquasecurity/tracee/types/trace"
10
)
11

12
type PrivilegeEscalation struct {
13
    cb detect.SignatureHandler
14
}
15

16
func (sig *PrivilegeEscalation) Init(cb detect.SignatureHandler) error {
17
    sig.cb = cb
18
    return nil
19
}
20

21
func (sig *PrivilegeEscalation) GetMetadata() (detect.SignatureMetadata, error) {
22
    return detect.SignatureMetadata{
23
        ID:          "CUSTOM-001",
24
        Version:     "1.0.0",
25
        Name:        "Privilege Escalation Detection",
26
        Description: "Detects potential privilege escalation attempts",
27
        Properties: map[string]interface{}{
28
            "Severity": "Critical",
29
            "Category": "Threat",
30
        },
31
    }, nil
32
}
33

34
func (sig *PrivilegeEscalation) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
35
    return []detect.SignatureEventSelector{
36
        {Source: "tracee", Name: "sched_process_exec"},
37
        {Source: "tracee", Name: "setuid"},
38
        {Source: "tracee", Name: "setgid"},
39
        {Source: "tracee", Name: "capset"},
40
    }, nil
41
}
42

43
func (sig *PrivilegeEscalation) OnEvent(event protocol.Event) error {
44
    ee, ok := event.Payload.(trace.Event)
45
    if !ok {
46
        return fmt.Errorf("invalid event")
47
    }
48

49
    switch ee.EventName {
50
    case "setuid":
51
        uid, _ := helpers.GetTraceeIntArgumentByName(ee, "uid")
52
        if uid == 0 && ee.ProcessUID != 0 {
53
            // Non-root becoming root
54
            sig.cb(detect.Finding{
55
                SigMetadata: sig.GetMetadata(),
56
                Event:       event,
57
                Data: map[string]interface{}{
58
                    "process": ee.ProcessName,
59
                    "pid":     ee.ProcessID,
60
                    "oldUID":  ee.ProcessUID,
61
                    "newUID":  uid,
62
                },
63
            })
64
        }
65
    }
66

67
    return nil
68
}

Output Processing Pipeline#

1
# tracee_processor.py - Process Tracee JSON output
2
import json
3
import sys
4
from datetime import datetime
5
from elasticsearch import Elasticsearch
6

7
es = Elasticsearch(['localhost:9200'])
8

9
def process_tracee_event(event):
10
    """Process and enrich Tracee events for Elasticsearch"""
11

12
    # Parse event
13
    parsed = {
14
        'timestamp': datetime.utcnow(),
15
        'event_name': event.get('eventName'),
16
        'process': {
17
            'name': event.get('processName'),
18
            'pid': event.get('processId'),
19
            'uid': event.get('uid'),
20
            'binary': event.get('executable', {}).get('path')
21
        },
22
        'container': {
23
            'id': event.get('containerId'),
24
            'name': event.get('containerName')
25
        },
26
        'severity': classify_severity(event),
27
        'raw_event': event
28
    }
29

30
    # Add detection tags
31
    if is_suspicious_event(event):
32
        parsed['tags'] = ['suspicious', 'security']
33
        parsed['severity'] = 'high'
34

35
    return parsed
36

37
def classify_severity(event):
38
    """Classify event severity based on type and context"""
39
    high_severity_events = [
40
        'security_file_open', 'security_task_setuid',
41
        'process_vm_write', 'ptrace'
42
    ]
43

44
    if event.get('eventName') in high_severity_events:
45
        return 'high'
46

47
    if event.get('uid') == 0:  # Root activity
48
        return 'medium'
49

50
    return 'low'
51

52
def is_suspicious_event(event):
53
    """Detect suspicious patterns"""
54
    suspicious_patterns = [
55
        lambda e: e.get('eventName') == 'execve' and '/tmp' in e.get('pathname', ''),
56
        lambda e: e.get('eventName') == 'open' and '/etc/shadow' in e.get('pathname', ''),
57
        lambda e: e.get('processName') in ['nc', 'ncat', 'socat'],
58
    ]
59

60
    return any(pattern(event) for pattern in suspicious_patterns)
61

62
def main():
63
    for line in sys.stdin:
64
        try:
65
            event = json.loads(line)
66
            processed = process_tracee_event(event)
67

68
            # Index to Elasticsearch
69
            es.index(
70
                index=f"tracee-{datetime.utcnow().strftime('%Y.%m.%d')}",
71
                body=processed
72
            )
73

74
            # Alert on high severity
75
            if processed['severity'] == 'high':
76
                send_alert(processed)
77

78
        except json.JSONDecodeError:
79
            continue
80
        except Exception as e:
81
            print(f"Error processing event: {e}", file=sys.stderr)
82

83
if __name__ == '__main__':
84
    main()

Building Custom eBPF Security Tools#

Project Structure#

1
custom-security-tool/
2
├── src/
3
│   ├── bpf/
4
│   │   ├── security_monitor.bpf.c
5
│   │   └── maps.h
6
│   ├── user/
7
│   │   ├── main.c
8
│   │   ├── event_processor.c
9
│   │   └── alerts.c
10
├── include/
11
│   └── security_events.h
12
├── Makefile
13
└── README.md

Core eBPF Program#

1
#include "vmlinux.h"
2
#include <bpf/bpf_helpers.h>
3
#include <bpf/bpf_tracing.h>
4
#include <bpf/bpf_core_read.h>
5
#include "maps.h"
6

7
// Define security event types
8
enum security_event_type {
9
    SEC_EVENT_PROCESS_EXEC = 1,
10
    SEC_EVENT_FILE_ACCESS,
11
    SEC_EVENT_NETWORK_CONNECT,
12
    SEC_EVENT_PRIVILEGE_CHANGE,
13
};
14

15
struct security_event {
16
    u64 timestamp;
17
    u32 pid;
18
    u32 uid;
19
    u32 gid;
20
    enum security_event_type type;
21
    char comm[16];
22
    union {
23
        struct {
24
            char filename[256];
25
            u32 flags;
26
        } file;
27
        struct {
28
            u32 addr;
29
            u16 port;
30
        } network;
31
        struct {
32
            u32 old_uid;
33
            u32 new_uid;
34
        } privilege;
35
    } data;
36
};
37

38
// Maps
39
struct {
40
    __uint(type, BPF_MAP_TYPE_RINGBUF);
41
    __uint(max_entries, 1 << 24); // 16MB
42
} events SEC(".maps");
43

44
struct {
45
    __uint(type, BPF_MAP_TYPE_HASH);
46
    __uint(max_entries, 10000);
47
    __type(key, u32);
48
    __type(value, struct process_info);
49
} processes SEC(".maps");
50

51
// Monitor process execution
52
SEC("tracepoint/sched/sched_process_exec")
53
int monitor_exec(struct trace_event_raw_sched_process_exec *ctx) {
54
    struct security_event *event;
55
    struct task_struct *task;
56

57
    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
58
    if (!event)
59
        return 0;
60

61
    // Fill event data
62
    event->timestamp = bpf_ktime_get_ns();
63
    event->pid = bpf_get_current_pid_tgid() >> 32;
64
    event->uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
65
    event->gid = bpf_get_current_uid_gid() >> 32;
66
    event->type = SEC_EVENT_PROCESS_EXEC;
67

68
    bpf_get_current_comm(&event->comm, sizeof(event->comm));
69

70
    // Get executable path
71
    task = (struct task_struct *)bpf_get_current_task();
72
    struct mm_struct *mm = BPF_CORE_READ(task, mm);
73
    struct file *exe_file = BPF_CORE_READ(mm, exe_file);
74

75
    if (exe_file) {
76
        struct path f_path = BPF_CORE_READ(exe_file, f_path);
77
        bpf_d_path(&f_path, event->data.file.filename,
78
                   sizeof(event->data.file.filename));
79
    }
80

81
    bpf_ringbuf_submit(event, 0);
82
    return 0;
83
}
84

85
// Monitor sensitive file access
86
SEC("lsm/file_open")
87
int monitor_file_open(struct file *file) {
88
    struct security_event *event;
89
    char filename[256];
90

91
    // Get filename
92
    bpf_d_path(&file->f_path, filename, sizeof(filename));
93

94
    // Check if it's a sensitive file
95
    if (!is_sensitive_file(filename))
96
        return 0;
97

98
    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
99
    if (!event)
100
        return 0;
101

102
    event->timestamp = bpf_ktime_get_ns();
103
    event->pid = bpf_get_current_pid_tgid() >> 32;
104
    event->uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
105
    event->type = SEC_EVENT_FILE_ACCESS;
106

107
    bpf_probe_read_str(event->data.file.filename,
108
                       sizeof(event->data.file.filename),
109
                       filename);
110

111
    bpf_ringbuf_submit(event, 0);
112
    return 0;
113
}
114

115
// Helper to check sensitive files
116
static __always_inline bool is_sensitive_file(const char *filename) {
117
    const char sensitive_paths[][32] = {
118
        "/etc/shadow",
119
        "/etc/passwd",
120
        "/etc/sudoers",
121
        ".ssh/id_rsa",
122
        ".kube/config",
123
    };
124

125
    #pragma unroll
126
    for (int i = 0; i < 5; i++) {
127
        if (str_contains(filename, sensitive_paths[i]))
128
            return true;
129
    }
130

131
    return false;
132
}

User-Space Component#

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <signal.h>
4
#include <bpf/libbpf.h>
5
#include <bpf/bpf.h>
6
#include "security_monitor.skel.h"
7
#include "security_events.h"
8

9
static volatile bool running = true;
10

11
static void sig_handler(int sig) {
12
    running = false;
13
}
14

15
static int handle_event(void *ctx, void *data, size_t data_sz) {
16
    struct security_event *event = data;
17

18
    switch (event->type) {
19
    case SEC_EVENT_PROCESS_EXEC:
20
        printf("[EXEC] PID=%d UID=%d CMD=%s PATH=%s\n",
21
               event->pid, event->uid, event->comm,
22
               event->data.file.filename);
23
        break;
24

25
    case SEC_EVENT_FILE_ACCESS:
26
        printf("[FILE] PID=%d UID=%d FILE=%s\n",
27
               event->pid, event->uid,
28
               event->data.file.filename);
29

30
        // Send alert for critical files
31
        if (strstr(event->data.file.filename, "/etc/shadow")) {
32
            send_critical_alert(event);
33
        }
34
        break;
35
    }
36

37
    return 0;
38
}
39

40
int main(int argc, char **argv) {
41
    struct security_monitor_bpf *skel;
42
    struct ring_buffer *rb = NULL;
43
    int err;
44

45
    // Set up signal handler
46
    signal(SIGINT, sig_handler);
47
    signal(SIGTERM, sig_handler);
48

49
    // Load and verify BPF program
50
    skel = security_monitor_bpf__open();
51
    if (!skel) {
52
        fprintf(stderr, "Failed to open BPF skeleton\n");
53
        return 1;
54
    }
55

56
    // Load & verify BPF programs
57
    err = security_monitor_bpf__load(skel);
58
    if (err) {
59
        fprintf(stderr, "Failed to load BPF skeleton\n");
60
        goto cleanup;
61
    }
62

63
    // Attach programs
64
    err = security_monitor_bpf__attach(skel);
65
    if (err) {
66
        fprintf(stderr, "Failed to attach BPF programs\n");
67
        goto cleanup;
68
    }
69

70
    // Set up ring buffer
71
    rb = ring_buffer__new(bpf_map__fd(skel->maps.events),
72
                          handle_event, NULL, NULL);
73
    if (!rb) {
74
        fprintf(stderr, "Failed to create ring buffer\n");
75
        goto cleanup;
76
    }
77

78
    printf("Security monitor running... Press Ctrl-C to stop.\n");
79

80
    // Poll for events
81
    while (running) {
82
        err = ring_buffer__poll(rb, 100 /* timeout, ms */);
83
        if (err == -EINTR) {
84
            err = 0;
85
            break;
86
        }
87
        if (err < 0) {
88
            fprintf(stderr, "Error polling ring buffer: %d\n", err);
89
            break;
90
        }
91
    }
92

93
cleanup:
94
    ring_buffer__free(rb);
95
    security_monitor_bpf__destroy(skel);
96
    return err < 0 ? -err : 0;
97
}

Production Deployment Best Practices#

1. Resource Management#

1
apiVersion: v1
2
kind: ResourceQuota
3
metadata:
4
  name: ebpf-security-quota
5
spec:
6
  hard:
7
    cpu: "4"
8
    memory: "8Gi"
9
    persistentvolumeclaims: "2"
10

11
---
12
apiVersion: v1
13
kind: LimitRange
14
metadata:
15
  name: ebpf-security-limits
16
spec:
17
  limits:
18
    - type: Container
19
      default:
20
        cpu: "500m"
21
        memory: "1Gi"
22
      defaultRequest:
23
        cpu: "100m"
24
        memory: "256Mi"

2. Monitoring eBPF Performance#

1
#!/bin/bash
2
# monitor-ebpf.sh - Monitor eBPF program performance
3

4
# Check BPF program statistics
5
bpftool prog show | grep -E "name|run_time_ns|run_cnt"
6

7
# Monitor map usage
8
for map in $(bpftool map show | grep -E "id" | awk '{print $2}'); do
9
    echo "Map $map:"
10
    bpftool map show id $map
11
    echo "Entries: $(bpftool map dump id $map | wc -l)"
12
    echo "---"
13
done
14

15
# Check for dropped events
16
cat /sys/kernel/debug/tracing/trace_pipe | grep -i "lost"
17

18
# Monitor CPU usage by eBPF programs
19
perf record -e bpf:* -a -g -- sleep 10
20
perf report

3. Security Hardening Checklist#

1
# eBPF Security Hardening Script
2
#!/bin/bash
3

4
echo "Applying eBPF security hardening..."
5

6
# 1. Disable unprivileged eBPF
7
sysctl -w kernel.unprivileged_bpf_disabled=1
8
echo "kernel.unprivileged_bpf_disabled=1" >> /etc/sysctl.conf
9

10
# 2. Restrict BPF JIT
11
sysctl -w net.core.bpf_jit_harden=2
12
echo "net.core.bpf_jit_harden=2" >> /etc/sysctl.conf
13

14
# 3. Set up audit rules
15
cat >> /etc/audit/rules.d/ebpf.rules <<EOF
16
-a always,exit -F arch=b64 -S bpf -F a0=5 -k ebpf_load
17
-a always,exit -F arch=b64 -S bpf -F a0=6 -k ebpf_attach
18
EOF
19

20
# 4. Configure AppArmor/SELinux
21
# Example AppArmor profile
22
cat > /etc/apparmor.d/ebpf-security <<EOF
23
#include <tunables/global>
24

25
profile ebpf-security flags=(attach_disconnected) {
26
  #include <abstractions/base>
27

28
  capability sys_admin,
29
  capability bpf,
30
  capability perfmon,
31

32
  /sys/kernel/debug/tracing/** r,
33
  /proc/kallsyms r,
34

35
  deny /etc/passwd w,
36
  deny /etc/shadow w,
37
}
38
EOF
39

40
# 5. Set up logging
41
cat >> /etc/rsyslog.d/50-ebpf.conf <<EOF
42
:programname, isequal, "bpf" /var/log/ebpf.log
43
& stop
44
EOF
45

46
systemctl restart rsyslog
47
echo "Hardening complete!"

Troubleshooting Common Issues#

Diagnostic Commands#

1
# Check if eBPF is supported
2
grep CONFIG_BPF /boot/config-$(uname -r)
3

4
# Verify required capabilities
5
capsh --print | grep -E "cap_sys_admin|cap_bpf"
6

7
# Debug program loading failures
8
strace -e bpf bpftool prog load program.o /sys/fs/bpf/program
9

10
# Check verifier logs
11
cat /sys/kernel/debug/tracing/trace_pipe | grep -i verifier
12

13
# Monitor memory usage
14
cat /proc/meminfo | grep -i bpf

Common Error Solutions#

1
# Error: Operation not permitted
2
# Solution: Check capabilities
3
sudo setcap cap_sys_admin,cap_bpf+eip ./your-program
4

5
# Error: Invalid argument (map creation)
6
# Solution: Increase map limits
7
sudo sysctl -w kernel.bpf_stats_enabled=1
8
sudo sysctl -w net.core.bpf_jit_limit=1000000000
9

10
# Error: Program too large
11
# Solution: Optimize or split program
12
# Use static functions and aggressive inlining

Conclusion#

Implementing eBPF security tools requires careful planning and understanding of both the tools and your environment. Start with established tools like Falco and Tetragon for immediate value, then gradually build custom solutions for specific needs.

Remember:

Always test in development first
Monitor performance impact
Keep security rules updated
Integrate with existing security infrastructure
Stay informed about new capabilities and threats

The eBPF security ecosystem is rapidly evolving, offering unprecedented capabilities for protecting modern infrastructure. By mastering these tools, you’re equipped to build the next generation of security solutions.

Quick Reference#

1
# Install all tools
2
curl -fsSL https://falco.org/script/install | sudo bash
3
helm install tetragon cilium/tetragon -n kube-system
4
docker pull aquasec/tracee:latest
5

6
# Run security audit
7
falco --modern-bpf --list
8
tetragon status
9
tracee --list events
10

11
# Emergency response
12
# Kill all eBPF programs
13
for prog in $(bpftool prog show | grep id | awk '{print $2}'); do
14
    bpftool prog detach id $prog
15
done

Next in the series: Advanced eBPF security patterns and building production-grade security infrastructure.