Rating is available when the video has been rented.
This feature is not available right now. Please try again later.
Published on Mar 12, 2017
Linux Monitoring at Scale with eBPF
The latest Linux kernels have implemented a Berkeley Packet Filter (BPF) virtual machine which can provide safe and efficient syscall hooking. There are many logging systems in Linux that provide security relevant data, and several excellent open source tools that sit on top of these. These existing options provide many features that are useful during response, but at scale we focus on lightweight alerting across the fleet, to be followed up with heavy scrutiny of a subset for a limited time. We landed on the need for three basic monitoring capabilities - process execution, network connections and file integrity. Our goal is to provide meaningful security monitoring at under 1% overhead.