SlideShare a Scribd company logo

A Kernel of Truth: Intrusion Detection and Attestation with eBPF

Download as PPTX, PDF
O
oholiab

The document discusses a security project by Yelp utilizing eBPF for intrusion detection and attestation purposes. It outlines the challenges and methodologies behind creating a system to reduce false positives from security alerts while integrating various technologies. The author shares insights on performance improvements, future enhancements, and the overall impact of the implemented solutions on their infrastructure security.

Software
1 of 57
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
London | 14-15 November 2019 A Kernel of Truth Matt Carroll
Matt Carroll @grimmware A Kernel of Truth Intrusion Detection and Attestation with eBPF
● Matt Carroll ○ @grimmware ○ github.com/oholiab ● Infrastructure Security Engineer at Yelp ● Ex-SRE (like a sysadmin but with more yaml) ● Hand-wringing Linux botherer Who am I?
● We built a supplementary* IDS and it’s pretty cool! ● Utilizing OS features as security features ● Told in (roughly) the order it happened. What is this about?
● How to get a greenfield security project off the ground ○ Treating defensive security like economics ○ Gluing together extant technologies to bootstrap custom security tools ○ Using your business logic to maximize signal vs noise What is this about?
Yelp’s Mission Connecting people with great local businesses.
● Built on Mesos + Marathon + Docker ● More recently migration towards k8s ● Majority of our workloads run here ● What are they all doing??? PaaSTA
Network IDS: Amazon GuardDuty
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
Kind of unsurprising, also pretty unhelpful...
Welp...
Uuuhhh… 🤔
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
WHAAAAAAA 😱
● What host class connected? ● What IP/ASN did it connect to? ● What’s on the other end? ● How long was the connection? ● What direction? ● How many bytes were transferred? ● What did the pslogs say? Attestation From Inference
● What host class connected? ● What IP/ASN did it connect to? ● What’s on the other end? ● How long was the connection? ● What direction? ● How many bytes were transferred? ● What did the pslogs say? Attestation From Inference lol jk
Context is lost as soon as the instantiating process ends
What if we could reduce MTTR for false positives?
● When a GuardDuty alert fires I want to be able to determine if it’s a false-positive quickly ● Only for GuardDuty traffic (not internal to our VPCs) ● Only for outbound TCP (i.e. non-RFC1918) ● I want the entire calling process tree so I can see full local causality ● Include process ownership information ● Must not require workload tooling The problem space
eBPF!
eBPF!
● “Berkeley Packet Filter” from BSD ● An in-kernel VM accessed as a device (/dev/bpf) ● Limited number of registers ● No loops (to prevent kernel deadlocking) ● Used for packet filtering BPF
● An in-kernel VM in Linux (and now FreeBSD!) ● It’s “extended”! ● Moar registers than BPF ● Used for hooking syscalls, tracing, proxying sockets, and (you guessed) in-kernel packet filtering ○ Can actually offload to some NICs! ● In our case, dispatching kprobes for the tcp_v4_connect syscall eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
Enjoy writing your filters as an array of BPF VM instructions...
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
bcc + psutil = PROFIT???
bcc + psutil = PROFIT??? ✅
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
How it works sd 54321 for each syscall...
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
● Filters in-kernel from Jinja2 templates which iterate over subnets in YAML configuration ● Events that don’t get filtered out are passed to userland Python daemon ● psutil used to crawl process tree to init and log alongside other metadata
The End.
Except it was a hackathon project so all it did was print events to stdout and could only match classful networks and I developed it on my personal laptop.
The Road To Production
Don’t try to be clever with bitwise network matching
● I realised only the classful networks worked because of the byte boundaries ● Don’t try to do clever bitwise shifting with the mask length ● Endianness and byte ordering between network and host don’t work how you think they do ● No srs Matching all CIDRs
● A coworker was trying to figure out which batch jobs were accessing a service for a data auth project ● He asked me if we could match ports ● I said I’d have it: ○ Matching ports ○ Dockerized for adhoc usage ○ By the next day ● The next day he found all unauthenticated clients. Dockerizing for debugging
● Contains python2.7 and dependencies (sorry) ● Needs some setup at runtime ● Volume mount /etc/passwd for uid mapping ● Not your typical flags: ○ --privileged ○ --cap-add sys_admin ○ --pid host ● Don’t worry I am a professional probably. pidtree-bcc in Docker
● We run our own PaaS called PaaSTA which uses Docker as containerizer ● Runs the vast majority of our workloads ● Can pull-from-registry and run in a systemd unit file without further setup ● Don’t have to install dependencies (inc. LLVM, python2) ● Get coverage quickly Opportunistic deploy with Docker
● Previous projects with goaudit meant we already had a secure logging pipeline for reading a FIFO and outputting to Amazon Kinesis ○ syslog2kinesis adds other Yelpy metadata (e.g. hostname, environment, Puppet role...) ● Originally fed to our Logstash => Elasticsearch SIEM ● Migrated to Kinesis Firehose => Splunk this quarter <3 Log aggregation
● Better to ask forgiveness than permission... ● Rolled out to two security devboxes and watched the logs roll in! ● Negligible performance impact!!! ○ As postulated, cost of subnet filtering << cost of instantiating a TCP connection ● Lots of connections out to public Amazon IPs creating a lot of noise Dip Test
If only Amazon maintained some kind of list of their public prefixes...
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
Surely you can’t load ~200 netblocks into the kernel and compare all non- RFC1918 tcp_v4_connect syscalls to them in a performant manner...
Surely you can’t load ~200 netblocks into the kernel and compare all non- RFC1918 tcp_v4_connect syscalls to them in a performant manner...
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
● ~25,000 - ~50,000 messages per hour across dev and stage ● Once accidentally load-tested at ~80,000 messages in 5m from one host for several hours ● Nobody on the host noticed ● TCP connections are way more expensive than the filters! Load
● bpf_trace_printk() -> BPF_PERF_OUTPUT() ○ Global (e.g. per-kernel) debug output with hand- hacked json and string manipulation ○ To structured data in a ring buffer ○ Multi-tenancy makes it a better utility and more testable! ● Added unit tests ● Adding integration tests ● Adding infrastructure for deploy in production environment Undoing my nasty hacks
● De-containerize (e.g. debian package) ● Python3 ● Plugin for container awareness ○ Easy mapping to service and therefore owner! ● Enable immutable loginuid and add that to metadata ○ --loginuid-immutable under `man auditctl` ○ Cryptically says “but can cause some problems in certain kinds of containers” ● Threat modelling/hardening! Future work
● Performance improvements ○ BPF longest-match maps ○ Pre-processing masks ○ Probably totally unnecessary ● Moar syscalls! ○ TCP listens, ipv6, UDP, SUID, forwarded SSH socket reads… ● SIEM tooling ○ ASN matching, bad IP matching, GuardDuty auto- enrichment... Future work
www.yelp.com/careers/ We're Hiring!
@YelpEngineering fb.com/YelpEngineers engineeringblog.yelp.com github.com/yelp
London | 14-15 November 2019 https://github.com/Yelp/pidtree-bcc @grimmware Thanks for listening!

More Related Content

PDF
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 
PDF
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
PDF
eBPF/XDP
Netronome
 
PDF
Introduction to eBPF
RogerColl2
 
PDF
Building Network Functions with eBPF & BCC
Kernel TLV
 
PDF
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
ODP
eBPF maps 101
SUSE Labs Taipei
 
PDF
Meetup 2009
HuaiEnTseng
 
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 
eBPF - Rethinking the Linux Kernel
Thomas Graf
 
eBPF/XDP
Netronome
 
Introduction to eBPF
RogerColl2
 
Building Network Functions with eBPF & BCC
Kernel TLV
 
Meet cute-between-ebpf-and-tracing
Viller Hsiao
 
eBPF maps 101
SUSE Labs Taipei
 
Meetup 2009
HuaiEnTseng
 

What's hot (20)

PDF
EBPF and Linux Networking
PLUMgrid
 
PDF
BPF: Tracing and more
Brendan Gregg
 
PDF
LSFMM 2019 BPF Observability
Brendan Gregg
 
PDF
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
PDF
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
PDF
malloc & vmalloc in Linux
Adrian Huang
 
PPTX
eBPF Basics
Michael Kehoe
 
PDF
eBPF in the view of a storage developer
Richárd Kovács
 
PPTX
Understanding eBPF in a Hurry!
Ray Jenkins
 
PDF
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
PPTX
Staring into the eBPF Abyss
Sasha Goldshtein
 
PDF
OSC2011 Tokyo/Fall 濃いバナ(virtio)
Takeshi HASEGAWA
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
PDF
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
PDF
Using eBPF to Measure the k8s Cluster Health
ScyllaDB
 
PDF
Introduction to eBPF and XDP
lcplcp1
 
PDF
マルチコアとネットワークスタックの高速化技法
Takuya ASADA
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
PDF
Linux Networking Explained
Thomas Graf
 
EBPF and Linux Networking
PLUMgrid
 
BPF: Tracing and more
Brendan Gregg
 
LSFMM 2019 BPF Observability
Brendan Gregg
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
Enhancing Network and Runtime Security with Cilium and Tetragon by Raymond De...
ContainerDay Security 2023
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
Thomas Graf
 
malloc & vmalloc in Linux
Adrian Huang
 
eBPF Basics
Michael Kehoe
 
eBPF in the view of a storage developer
Richárd Kovács
 
Understanding eBPF in a Hurry!
Ray Jenkins
 
ARM Trusted FirmwareのBL31を単体で使う!
Mr. Vengineer
 
Staring into the eBPF Abyss
Sasha Goldshtein
 
OSC2011 Tokyo/Fall 濃いバナ(virtio)
Takeshi HASEGAWA
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
Thomas Graf
 
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
Using eBPF to Measure the k8s Cluster Health
ScyllaDB
 
Introduction to eBPF and XDP
lcplcp1
 
マルチコアとネットワークスタックの高速化技法
Takuya ASADA
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
Linux Networking Explained
Thomas Graf
 
Ad

Similar to A Kernel of Truth: Intrusion Detection and Attestation with eBPF (20)

PDF
Security Monitoring with eBPF
Alex Maestretti
 
PPTX
Tcpdump hunter
Andrew McNicol
 
PDF
Linux Native, HTTP Aware Network Security
Thomas Graf
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
Raphaël PINSON
 
PDF
Alexander Reelsen - Seccomp for Developers
DevDay Dresden
 
PPTX
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon
 
PDF
Cloud Monitors Cloud
Raymond Burkholder
 
PDF
Threat stack aws
Jen Andre
 
PDF
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
PDF
WTF my container just spawned a shell!
Sysdig
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
seo18
 
PDF
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
PDF
Compliance as Code with InSpec - DevOps Melbourne 2017
Matt Ray
 
PDF
Introduction of eBPF - 時下最夯的Linux Technology
Jace Liang
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
PDF
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
PDF
How we built Packet's bare metal cloud platform
Packet
 
PDF
NetConf 2018 BPF Observability
Brendan Gregg
 
PDF
Prometheus as exposition format for eBPF programs running on Kubernetes
Leonardo Di Donato
 
PDF
Cloud Native Networking & Security with Cilium & eBPF
Raphaël PINSON
 
Security Monitoring with eBPF
Alex Maestretti
 
Tcpdump hunter
Andrew McNicol
 
Linux Native, HTTP Aware Network Security
Thomas Graf
 
Cfgmgmtcamp 2023 — eBPF Superpowers
Raphaël PINSON
 
Alexander Reelsen - Seccomp for Developers
DevDay Dresden
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon
 
Cloud Monitors Cloud
Raymond Burkholder
 
Threat stack aws
Jen Andre
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
Thomas Graf
 
WTF my container just spawned a shell!
Sysdig
 
eBPF — Divulging The Hidden Super Power.pdf
seo18
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Felipe Prado
 
Compliance as Code with InSpec - DevOps Melbourne 2017
Matt Ray
 
Introduction of eBPF - 時下最夯的Linux Technology
Jace Liang
 
Replacing iptables with eBPF in Kubernetes with Cilium
Michal Rostecki
 
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
How we built Packet's bare metal cloud platform
Packet
 
NetConf 2018 BPF Observability
Brendan Gregg
 
Prometheus as exposition format for eBPF programs running on Kubernetes
Leonardo Di Donato
 
Cloud Native Networking & Security with Cilium & eBPF
Raphaël PINSON
 
Ad

Recently uploaded (20)

PPTX
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
ISO 45001 Occupational Health and Safety Management System
EHA Soft Solutions
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
AI in Product Development-omnex systems
omnex systems
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
System and Network Administration Chapter 2
jaramharo
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Transform Your Business with a Software ERP System
Canada Software Company
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 

A Kernel of Truth: Intrusion Detection and Attestation with eBPF

  • 1. London | 14-15 November 2019 A Kernel of Truth Matt Carroll
  • 2. Matt Carroll @grimmware A Kernel of Truth Intrusion Detection and Attestation with eBPF
  • 3. ● Matt Carroll ○ @grimmware ○ github.com/oholiab ● Infrastructure Security Engineer at Yelp ● Ex-SRE (like a sysadmin but with more yaml) ● Hand-wringing Linux botherer Who am I?
  • 4. ● We built a supplementary* IDS and it’s pretty cool! ● Utilizing OS features as security features ● Told in (roughly) the order it happened. What is this about?
  • 5. ● How to get a greenfield security project off the ground ○ Treating defensive security like economics ○ Gluing together extant technologies to bootstrap custom security tools ○ Using your business logic to maximize signal vs noise What is this about?
  • 6. Yelp’s Mission Connecting people with great local businesses.
  • 7. ● Built on Mesos + Marathon + Docker ● More recently migration towards k8s ● Majority of our workloads run here ● What are they all doing??? PaaSTA
  • 10. Kind of unsurprising, also pretty unhelpful...
  • 15. ● What host class connected? ● What IP/ASN did it connect to? ● What’s on the other end? ● How long was the connection? ● What direction? ● How many bytes were transferred? ● What did the pslogs say? Attestation From Inference
  • 16. ● What host class connected? ● What IP/ASN did it connect to? ● What’s on the other end? ● How long was the connection? ● What direction? ● How many bytes were transferred? ● What did the pslogs say? Attestation From Inference lol jk
  • 17. Context is lost as soon as the instantiating process ends
  • 18. What if we could reduce MTTR for false positives?
  • 19. ● When a GuardDuty alert fires I want to be able to determine if it’s a false-positive quickly ● Only for GuardDuty traffic (not internal to our VPCs) ● Only for outbound TCP (i.e. non-RFC1918) ● I want the entire calling process tree so I can see full local causality ● Include process ownership information ● Must not require workload tooling The problem space
  • 20. eBPF!
  • 21. eBPF!
  • 22. ● “Berkeley Packet Filter” from BSD ● An in-kernel VM accessed as a device (/dev/bpf) ● Limited number of registers ● No loops (to prevent kernel deadlocking) ● Used for packet filtering BPF
  • 23. ● An in-kernel VM in Linux (and now FreeBSD!) ● It’s “extended”! ● Moar registers than BPF ● Used for hooking syscalls, tracing, proxying sockets, and (you guessed) in-kernel packet filtering ○ Can actually offload to some NICs! ● In our case, dispatching kprobes for the tcp_v4_connect syscall eBPF
  • 25. Enjoy writing your filters as an array of BPF VM instructions...
  • 28. bcc + psutil = PROFIT???
  • 29. bcc + psutil = PROFIT??? ✅
  • 31. How it works sd 54321 for each syscall...
  • 34. ● Filters in-kernel from Jinja2 templates which iterate over subnets in YAML configuration ● Events that don’t get filtered out are passed to userland Python daemon ● psutil used to crawl process tree to init and log alongside other metadata
  • 36. Except it was a hackathon project so all it did was print events to stdout and could only match classful networks and I developed it on my personal laptop.
  • 37. The Road To Production
  • 39. ● I realised only the classful networks worked because of the byte boundaries ● Don’t try to do clever bitwise shifting with the mask length ● Endianness and byte ordering between network and host don’t work how you think they do ● No srs Matching all CIDRs
  • 40. ● A coworker was trying to figure out which batch jobs were accessing a service for a data auth project ● He asked me if we could match ports ● I said I’d have it: ○ Matching ports ○ Dockerized for adhoc usage ○ By the next day ● The next day he found all unauthenticated clients. Dockerizing for debugging
  • 41. ● Contains python2.7 and dependencies (sorry) ● Needs some setup at runtime ● Volume mount /etc/passwd for uid mapping ● Not your typical flags: ○ --privileged ○ --cap-add sys_admin ○ --pid host ● Don’t worry I am a professional probably. pidtree-bcc in Docker
  • 42. ● We run our own PaaS called PaaSTA which uses Docker as containerizer ● Runs the vast majority of our workloads ● Can pull-from-registry and run in a systemd unit file without further setup ● Don’t have to install dependencies (inc. LLVM, python2) ● Get coverage quickly Opportunistic deploy with Docker
  • 43. ● Previous projects with goaudit meant we already had a secure logging pipeline for reading a FIFO and outputting to Amazon Kinesis ○ syslog2kinesis adds other Yelpy metadata (e.g. hostname, environment, Puppet role...) ● Originally fed to our Logstash => Elasticsearch SIEM ● Migrated to Kinesis Firehose => Splunk this quarter <3 Log aggregation
  • 44. ● Better to ask forgiveness than permission... ● Rolled out to two security devboxes and watched the logs roll in! ● Negligible performance impact!!! ○ As postulated, cost of subnet filtering << cost of instantiating a TCP connection ● Lots of connections out to public Amazon IPs creating a lot of noise Dip Test
  • 45. If only Amazon maintained some kind of list of their public prefixes...
  • 48. Surely you can’t load ~200 netblocks into the kernel and compare all non- RFC1918 tcp_v4_connect syscalls to them in a performant manner...
  • 49. Surely you can’t load ~200 netblocks into the kernel and compare all non- RFC1918 tcp_v4_connect syscalls to them in a performant manner...
  • 51. ● ~25,000 - ~50,000 messages per hour across dev and stage ● Once accidentally load-tested at ~80,000 messages in 5m from one host for several hours ● Nobody on the host noticed ● TCP connections are way more expensive than the filters! Load
  • 52. ● bpf_trace_printk() -> BPF_PERF_OUTPUT() ○ Global (e.g. per-kernel) debug output with hand- hacked json and string manipulation ○ To structured data in a ring buffer ○ Multi-tenancy makes it a better utility and more testable! ● Added unit tests ● Adding integration tests ● Adding infrastructure for deploy in production environment Undoing my nasty hacks
  • 53. ● De-containerize (e.g. debian package) ● Python3 ● Plugin for container awareness ○ Easy mapping to service and therefore owner! ● Enable immutable loginuid and add that to metadata ○ --loginuid-immutable under `man auditctl` ○ Cryptically says “but can cause some problems in certain kinds of containers” ● Threat modelling/hardening! Future work
  • 54. ● Performance improvements ○ BPF longest-match maps ○ Pre-processing masks ○ Probably totally unnecessary ● Moar syscalls! ○ TCP listens, ipv6, UDP, SUID, forwarded SSH socket reads… ● SIEM tooling ○ ASN matching, bad IP matching, GuardDuty auto- enrichment... Future work
  • 57. London | 14-15 November 2019 https://github.com/Yelp/pidtree-bcc @grimmware Thanks for listening!