– Deep observability: Extensive visibility into all parts of the system and applications, ranging from detecting low-level microbursts in TCP connections, providing HTTP visibility for golden-signal dashboards, or the ability to detect the use of particular vulnerable shared libraries. The possibilities of eBPF are massive, and Tetragon provides an easy-to-use framework to cover additional visibility use cases.
– Transparent: No application code changes are needed. All observability data is collected transparently from within the kernel. Applications cannot detect when they are being monitored, which is ideal for security use cases.
– Low overhead: Minimal overhead is imposed on the system. Performing filtering, aggregation, metric accounting, and histogram collection directly in the kernel with eBPF helps to reduce the overhead. Tetragon uses efficient data structures such as per-CPU hash tables, ring buffers, and LRU maps to provide efficient and fast means of data collection and avoids sending vast amounts of low-signal events to the user-space agent.

Building on the rich observability, Tetragon provides real-time runtime enforcement. Unlike other systems, which have a limited set of enforcement points such as only the system call level, Tetragon is able to enforce security policies across the operating system in a preventive manner instead of reacting to events asynchronously. Tetragon has the ability to specify allow lists for access control at several layers. Security policies can be injected via Kubernetes (CRDs), a JSON API, or systems such as Open Policy Agent (OPA).

App instrumentation uses code dependency to gain visibility into the application.
Pros:
– Efficient
– Good application visibility
Cons:
– Not transparent, requires application changes
– Can be bypassed
– Not usable for enforcement
– No visibility into the system

LD_PRELOAD loads a library without awareness of the app to intercept syscalls.
Pros:
– Efficient
– More transparent than app instrumentation
Cons:
– Can be bypassed (static linking)
– Weaker visibility
– Not ideal for enforcement, as the application can bypass it with static linking

ptrace(2) is a debugging interface provided by the kernel to trace processes and syscalls.
Cons:
– High overhead
– No synchronous enforcement
– Application can detect it is being monitored
– Visibility limited to syscalls

The solutions above operate at the application and system call level and describe methods that are primarily used to provide observability. They are sometimes used in combination with asynchronous enforcement, where an agent relies on visibility data collected as described and then reacts to it.
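As an added illustration, not taken from the original post, of the synchronous in-kernel enforcement path contrasted above with asynchronous agent reaction, here is a policy written in the format of Tetragon's TracingPolicy Kubernetes CRD as I understand it; the hooked kernel function, argument types, selector operators and action name are assumptions about the CRD schema, and the policy name and binary path are constructed values.

```yaml
# Assumed TracingPolicy CRD layout (not stated on this page); verify against the
# Tetragon version you deploy before applying it.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "kill-on-etc-passwd-open"      # constructed example name
spec:
  kprobes:
  # Hook the kernel's fd_install(), which runs when a process receives a new
  # file descriptor, so the decision is made before the descriptor is usable.
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"                      # the new fd number
    - index: 1
      type: "file"                     # the struct file being installed
    selectors:
    - matchBinaries:
      # Scope the policy to one (constructed) binary so it cannot take down
      # unrelated system processes that legitimately read the file.
      - operator: "In"
        values:
        - "/usr/local/bin/example-app"
      matchArgs:
      # Only match when the file argument resolves to /etc/passwd.
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"
      matchActions:
      # Synchronous enforcement: the eBPF program delivers SIGKILL from inside
      # the kernel hook, rather than a user-space agent reacting to an event
      # after the access has already happened.
      - action: Sigkill
```

A defender would typically deploy the same policy first without matchActions to observe which binaries hit the selector, and only then add the Sigkill action once the allow list is known to be complete.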