implementing-ebpf-security-monitoring

Featured

Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters.

Category: DevOps & Infrastructure | 13,115 stars | 1,533 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Implementing eBPF Security Monitoring

## When to Use

- When deploying kernel-level runtime security monitoring on Linux hosts or Kubernetes clusters
- When you need sub-millisecond visibility into process execution, network connections, and file access
- When traditional userspace monitoring tools introduce unacceptable performance overhead
- When building detection pipelines that require in-kernel filtering before events reach userspace
- When enforcing runtime security policies (kill process, send signal) at the kernel level

## Prerequisites

- Linux kernel 5.3+ with BTF (BPF Type Format) support enabled
- Kubernetes 1.24+ cluster (for Kubernetes deployment) or a standalone Linux host
- Helm 3.x installed (for Kubernetes deployment)
- `kubectl` configured with cluster access
- `tetra` CLI installed for local event streaming
- Python 3.8+ with the `requests`, `kubernetes`, and `pyyaml` dependencies
- Root, or on kernels 5.8+ the CAP_BPF and CAP_PERFMON capabilities (CAP_SYS_ADMIN on older kernels), for eBPF program loading

## Instructions

### 1. Install Tetragon on Kubernetes

Deploy Tetragon via Helm to get default process lifecycle observability. The two `--set` flags add credential (uid/gid/capabilities) and namespace fields to every process event:

```bash
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system \
  --set tetragon.enableProcessCred=true \
  --set tetragon.enableProcessNs=true
```

Verify the installation and confirm that the `export-stdout` container is emitting JSON events:

```bash
kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -...
```
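The skill summary promises TracingPolicy authoring with `matchArgs`/`matchBinaries` selectors and JSON event export to a SIEM, but the excerpt above stops after the Helm install. The following is an added example, written for this page and not taken from the skill or from the Tetragon project. It builds a TracingPolicy for sensitive-file opens as a Python dict (JSON is a valid `kubectl apply -f` manifest, so no YAML library is needed) and then triages the kind of JSON lines the `export-stdout` container prints. Assumptions: the manifest follows the `cilium.io/v1alpha1` TracingPolicy schema (`security_file_open` kprobe, `Prefix`/`NotIn` operators, `Post`/`Sigkill` actions); the event field names (`process_exec`, `process_kprobe`, `file_arg`, `policy_name`, `node_name`) follow Tetragon's JSON export as the author understands it; every sample event is constructed, not captured.

```python
"""Added example (not code from the skill or from Tetragon).
1. Author a TracingPolicy that filters file opens in-kernel with
   matchArgs (path prefix) and matchBinaries (trusted readers).
2. Triage Tetragon JSON export lines into SIEM-ready alerts.
Field names are assumed to match Tetragon's schema; samples are constructed."""
import json

# ---- 1. TracingPolicy authoring ------------------------------------------
def sensitive_file_policy(name, prefixes, trusted_binaries, enforce=False):
    """TracingPolicy dict: post (or kill on) opens of files under `prefixes`
    by any binary that is not in `trusted_binaries`."""
    selector = {
        # index 0 is the 'file' argument declared in args below
        "matchArgs": [{"index": 0, "operator": "Prefix", "values": list(prefixes)}],
        # drop events from binaries that are expected to read these files
        "matchBinaries": [{"operator": "NotIn", "values": list(trusted_binaries)}],
        # Post exports the event; Sigkill also kills the offending process
        "matchActions": [{"action": "Sigkill" if enforce else "Post"}],
    }
    return {
        "apiVersion": "cilium.io/v1alpha1",
        "kind": "TracingPolicy",
        "metadata": {"name": name},
        "spec": {"kprobes": [{
            "call": "security_file_open",   # LSM hook, not a syscall
            "syscall": False,
            "args": [{"index": 0, "type": "file"}],
            "selectors": [selector],
        }]},
    }

def to_manifest(policy):
    """kubectl apply -f accepts JSON manifests directly."""
    return json.dumps(policy, indent=2)

# ---- 2. Event triage ------------------------------------------------------
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

def _who(process):
    """Pull the identity fields a SIEM analyst wants on every alert."""
    pod = process.get("pod") or {}
    return {
        "binary": process.get("binary"),
        "arguments": process.get("arguments", ""),
        "uid": process.get("uid"),
        "pod": f"{pod['namespace']}/{pod['name']}" if pod else None,
    }

def triage(line):
    """One export line -> alert dict, or None if the event is uninteresting."""
    ev = json.loads(line)
    base = {"node": ev.get("node_name"), "time": ev.get("time")}
    if "process_exec" in ev:
        proc = ev["process_exec"]["process"]
        # a shell starting inside a pod is worth a look
        if proc.get("binary") in SHELLS and proc.get("pod"):
            return {"rule": "shell_in_container", "severity": "medium",
                    **base, **_who(proc)}
    elif "process_kprobe" in ev:
        kp = ev["process_kprobe"]
        paths = [a["file_arg"]["path"] for a in kp.get("args", []) if "file_arg" in a]
        if kp.get("function_name") == "security_file_open" and paths:
            return {"rule": "sensitive_file_open", "severity": "high",
                    "policy": kp.get("policy_name"), "action": kp.get("action"),
                    "paths": paths, **base, **_who(kp["process"])}
    return None

def triage_stream(lines):
    """Triage a stream of export lines; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            alert = triage(line)
        except (ValueError, KeyError, TypeError):
            continue
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample export lines (not captured from a real cluster).
SAMPLE_EVENTS = [
    json.dumps({"process_exec": {"process": {
        "pid": 4242, "uid": 0, "binary": "/bin/bash", "arguments": "-c id",
        "pod": {"namespace": "default", "name": "web-7c9f"}}},
        "node_name": "node1", "time": "2024-01-01T00:00:01Z"}),
    json.dumps({"process_kprobe": {"process": {
        "pid": 4243, "uid": 0, "binary": "/usr/bin/cat", "arguments": "/etc/shadow",
        "pod": {"namespace": "default", "name": "web-7c9f"}},
        "function_name": "security_file_open",
        "args": [{"file_arg": {"path": "/etc/shadow"}}],
        "policy_name": "sensitive-files", "action": "KPROBE_ACTION_POST"},
        "node_name": "node1", "time": "2024-01-01T00:00:03Z"}),
]

if __name__ == "__main__":
    print(to_manifest(sensitive_file_policy(
        "sensitive-files", ["/etc/shadow", "/etc/sudoers"], ["/usr/bin/sudo"])))
    for alert in triage_stream(SAMPLE_EVENTS):
        print(json.dumps(alert))   # one JSON object per line, SIEM-ready
```

Pipe `kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f` into `triage_stream` line by line to run this against a live cluster; the `matchBinaries NotIn` list is what keeps the high-volume legitimate readers (such as `sudo`) from ever leaving the kernel, which is the in-kernel filtering the skill summary refers to. Start with `enforce=False` and only switch to `Sigkill` once the alert stream is clean, since an over-broad prefix with enforcement on will kill production processes.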

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
