Tetragon：一款基于eBPF的運行時環境安全監控工具

關于Tetragon

Tetragon是一款基于eBPF的運行時環境安全監控工具，該工具可以幫助廣大研究人員檢測并應對安全重大事件，例如流程執行事件、系統調用活動、I/O活動（包括網絡和文件訪問等）。

在 Kubernetes 環境中使用時，Tetragon 具有 Kubernetes 感知能力，也就是說，它可以了解 Kubernetes 身份，例如命名空間、pod 等，從而可以根據各個工作負載配置安全事件檢測。

工具概覽

工具特征

1、基于eBPF的實時安全監控與執行；

2、靈活性強，支持多種安全監測和安全性用例；

3、內核感知，可訪問Linux內核狀態；

工具要求

Kubernetes

Docker

工具安裝

Kubernetes快速安裝

創建集群

以下命令使用Google Kubernetes Engine創建單節點 Kubernetes 集群：

export NAME="$(whoami)-$RANDOM"export ZONE="us-west2-a"gcloud container clusters create "${NAME}" --zone ${ZONE} --num-nodes=1gcloud container clusters get-credentials "${NAME}" --zone ${ZONE}

以下命令使用Azure Kubernetes 服務創建單節點 Kubernetes 群集：

export NAME="$(whoami)-$RANDOM"export AZURE_RESOURCE_GROUP="${NAME}-group"az group create --name "${AZURE_RESOURCE_GROUP}" -l westus2az aks create --resource-group "${AZURE_RESOURCE_GROUP}" --name "${NAME}"az aks get-credentials --resource-group "${AZURE_RESOURCE_GROUP}" --name "${NAME}"

部署Tetragon

helm repo add cilium https://helm.cilium.iohelm repo updatehelm install tetragon ${EXTRA_HELM_FLAGS[@]} cilium/tetragon -n kube-systemkubectl rollout status -n kube-system ds/tetragon -w

Docker本地安裝

docker run -d --name tetragon --rm --pull always \--pid=host --cgroupns=host --privileged ????????????\-v /sys/kernel/btf/vmlinux:/var/lib/tetragon/btf ???\quay.io/cilium/tetragon:v1.3.0

工具配置

Kubernetes配置

kubectl edit cm -n kube-system tetragon-config# Change your configuration setting, save and exit# Restart Tetragon daemonsetkubectl rollout restart -n kube-system ds/tetragon

Docker配置

# Change configuration inside /etc/tetragon/ then restart container.# Example:# ??1. As a privileged user, write to the file /etc/tetragon/tetragon.conf.d/export-file# ?????the path where to export events, example "/var/log/tetragon/tetragon.log"# ??2. Bind mount host /etc/tetragon into container /etc/tetragon# Tetragon events will be exported to /var/log/tetragon/tetragon.logecho "/var/log/tetragon/tetragon.log" > /etc/tetragon/tetragon.conf.d/export-filedocker run --name tetragon --rm -d \--pid=host --cgroupns=host --privileged \-v /etc/tetragon:/etc/tetragon \-v /sys/kernel:/sys/kernel \-v /var/log/tetragon:/var/log/tetragon \quay.io/cilium/tetragon:v1.3.0 \/usr/bin/tetragon

工具使用

Kubernetes單節點

kubectl exec -ti -n kube-system ds/tetragon -c tetragon -- tetra getevents -o compact --pods xwing

Kubernetes多節點

POD=$(kubectl -n kube-system get pods -l 'app.kubernetes.io/name=tetragon' -o name --field-selector spec.nodeName=$(kubectl get pod xwing -o jsonpath='{.spec.nodeName}'))kubectl exec -ti -n kube-system $POD -c tetragon -- tetra getevents -o compact --pods xwing

Docker

docker exec tetragon tetra getevents -o compact

輸出結果

{"process_exec": {"process": {"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4Njc0MzIxMzczOjUyNjk5","pid": 52699,"uid": 0,"cwd": "/","binary": "/usr/bin/curl","arguments": "https://ebpf.io/applications/#tetragon","flags": "execve rootcwd","start_time": "2023-10-06T22:03:57.700327580Z","auid": 4294967295,"pod": {"namespace": "default","name": "xwing","container": {"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3","name": "spaceship","image": {"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name": "docker.io/tgraf/netperf:latest"},"start_time": "2023-10-06T21:52:41Z","pid": 49},"pod_labels": {"app.kubernetes.io/name": "xwing","class": "xwing","org": "alliance"},"workload": "xwing"},"docker": "551e161c47d8ff0eb665438a7bcd5b4","parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5","tid": 52699},"parent": {"exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjcwODgzMjk5OjUyNjk5","pid": 52699,"uid": 0,"cwd": "/","binary": "/bin/bash","arguments": "-c \"curl https://ebpf.io/applications/#tetragon\"","flags": "execve rootcwd clone","start_time": "2023-10-06T22:03:57.696889812Z","auid": 4294967295,"pod": {"namespace": "default","name": "xwing","container": {"id": "containerd://551e161c47d8ff0eb665438a7bcd5b4e3ef5a297282b40a92b7c77d6bd168eb3","name": "spaceship","image": {"id": "docker.io/tgraf/netperf@sha256:8e86f744bfea165fd4ce68caa05abc96500f40130b857773186401926af7e9e6","name": "docker.io/tgraf/netperf:latest"},"start_time": "2023-10-06T21:52:41Z","pid": 49},"pod_labels": {"app.kubernetes.io/name": "xwing","class": "xwing","org": "alliance"},"workload": "xwing"},"docker": "551e161c47d8ff0eb665438a7bcd5b4","parent_exec_id": "Z2tlLWpvaG4tNjMyLWRlZmF1bHQtcG9vbC03MDQxY2FjMC05czk1OjEzNTQ4NjQ1MjQ1ODM5OjUyNjg5","tid": 52699}},"node_name": "gke-john-632-default-pool-7041cac0-9s95","time": "2023-10-06T22:03:57.700326678Z"}

許可證協議

本項目的開發與發布遵循Apache-2.0開源許可協議。

項目地址

Tetragon：【GitHub傳送門】

參考資料

https://tetragon.io/

本文來自互聯網用戶投稿，該文觀點僅代表作者本人，不代表本站立場。本站僅提供信息存儲空間服務，不擁有所有權，不承擔相關法律責任。
如若轉載，請注明出處：http://www.pswp.cn/news/895458.shtml
繁體地址，請注明出處：http://hk.pswp.cn/news/895458.shtml
英文地址，請注明出處：http://en.pswp.cn/news/895458.shtml

如若內容造成侵權/違法違規/事實不符，請聯系多彩編程網進行投訴反饋email:809451989@qq.com，一經查實，立即刪除！