seikaikyo/implementing-ebpf-security-monitoring
external/anthropic-cybersecurity-skills/skills/implementing-ebpf-security-monitoring/SKILL.md
Implements eBPF-based security monitoring using Cilium Tetragon for real-time process execution tracking, network connection observability, file access auditing, and runtime enforcement. Covers TracingPolicy CRD authoring with kprobe/tracepoint hooks, in-kernel filtering via matchArgs/matchBinaries selectors, JSON event export, and integration with SIEM pipelines. Use when building kernel-level runtime security observability for Linux hosts or Kubernetes clusters.
$ install --global
skillsauthnpx skillsauth add seikaikyo/dash-skills implementing-ebpf-security-monitoringInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 8, 2026, 5:01 AM124.4s3 files scanned
SKILL.md
- name:
- implementing-ebpf-security-monitoring
- description:
- Implements eBPF-based security monitoring using Cilium Tetragon for
- domain:
- cybersecurity
- subdomain:
- security-operations
- version:
- 1.0
- author:
- mukul975
- license:
- Apache-2.0
Implementing eBPF Security Monitoring
When to Use
- When deploying kernel-level runtime security monitoring on Linux hosts or Kubernetes clusters
- When you need sub-millisecond visibility into process execution, network connections, and file access
- When traditional userspace monitoring tools introduce unacceptable performance overhead
- When building detection pipelines that require in-kernel filtering before events reach userspace
- When enforcing runtime security policies (kill process, send signal) at the kernel level
Prerequisites
- Linux kernel 5.3+ with BTF (BPF Type Format) support enabled
- Kubernetes 1.24+ cluster (for Kubernetes deployment) or standalone Linux host
- Helm 3.x installed (for Kubernetes deployment)
kubectlconfigured with cluster accesstetraCLI installed for local event streaming- Python 3.8+ with
requests,kubernetes,pyyamldependencies - Root or CAP_BPF/CAP_SYS_ADMIN capabilities for eBPF program loading
Instructions
1. Install Tetragon on Kubernetes
Deploy Tetragon via Helm to get default process lifecycle observability:
helm repo add cilium https://helm.cilium.io
helm repo update
helm install tetragon cilium/tetragon -n kube-system \
--set tetragon.enableProcessCred=true \
--set tetragon.enableProcessNs=true
Verify the installation:
kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -c export-stdout -f | head -20
2. Install Tetragon on Standalone Linux
For non-Kubernetes Linux hosts, install from the tarball release:
curl -LO https://github.com/cilium/tetragon/releases/latest/download/tetragon-linux-amd64.tar.gz
tar xzf tetragon-linux-amd64.tar.gz
sudo cp tetragon /usr/local/bin/
sudo cp tetra /usr/local/bin/
# Start tetragon daemon
sudo tetragon --btf /sys/kernel/btf/vmlinux &
# Stream events
tetra getevents -o compact
3. Monitor Process Execution (Default)
Tetragon generates process_exec and process_exit events by default without any TracingPolicy:
# Stream process events in compact format
tetra getevents -o compact
# Stream in JSON for SIEM ingestion
tetra getevents -o json | jq '.process_exec // .process_exit'
Example process_exec JSON event:
{
"process_exec": {
"process": {
"binary": "/usr/bin/curl",
"arguments": "https://malicious.example.com/payload",
"cwd": "/tmp",
"uid": 1000,
"pod": {
"namespace": "default",
"name": "webapp-7b4d9f8c6-x2k9p"
},
"parent": {
"binary": "/bin/bash",
"pid": 1234
}
}
}
}
4. Author TracingPolicy for File Access Monitoring
Create a TracingPolicy CRD to monitor access to sensitive files via the sys_openat kprobe:
# file-access-monitor.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: monitor-sensitive-file-access
spec:
kprobes:
- call: "fd_install"
syscall: false
args:
- index: 0
type: "int"
- index: 1
type: "file"
selectors:
- matchArgs:
- index: 1
operator: "Prefix"
values:
- "/etc/shadow"
- "/etc/passwd"
- "/etc/sudoers"
- "/root/.ssh/"
- "/etc/kubernetes/pki/"
matchActions:
- action: Post
Apply and observe:
kubectl apply -f file-access-monitor.yaml
tetra getevents -o compact --process-filter "event_set:PROCESS_KPROBE"
5. Author TracingPolicy for Network Connection Monitoring
Monitor outbound TCP connections using the tcp_connect kprobe:
# network-monitor.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: monitor-tcp-connections
spec:
kprobes:
- call: "tcp_connect"
syscall: false
args:
- index: 0
type: "sock"
selectors:
- matchActions:
- action: Post
6. Author TracingPolicy for Privilege Escalation Detection
Detect setuid/setgid calls that may indicate privilege escalation:
# privilege-escalation-detect.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-privilege-escalation
spec:
kprobes:
- call: "__sys_setuid"
syscall: false
args:
- index: 0
type: "int"
selectors:
- matchArgs:
- index: 0
operator: "Equal"
values:
- "0"
matchActions:
- action: Post
- call: "commit_creds"
syscall: false
args:
- index: 0
type: "cred"
selectors:
- matchActions:
- action: Post
7. Runtime Enforcement with Sigkill Action
Block unauthorized binary execution by killing the process in-kernel:
# enforce-binary-allowlist.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: enforce-no-crypto-miners
spec:
kprobes:
- call: "sys_execve"
syscall: true
args:
- index: 0
type: "string"
selectors:
- matchArgs:
- index: 0
operator: "Postfix"
values:
- "xmrig"
- "minerd"
- "cpuminer"
- "cryptonight"
matchActions:
- action: Sigkill
8. Export Events to SIEM
Configure Tetragon to export JSON events to a file sink for Fluentd/Filebeat/Vector ingestion:
# Helm values for file export
helm upgrade tetragon cilium/tetragon -n kube-system \
--set tetragon.exportFilename=/var/log/tetragon/tetragon.log \
--set tetragon.exportFileMaxSizeMB=100 \
--set tetragon.exportFileMaxBackups=5
Then configure your log shipper (e.g., Filebeat) to tail /var/log/tetragon/tetragon.log and send to your SIEM.
9. Kubernetes-Aware Namespace Filtering
Use TracingPolicyNamespaced to scope monitoring to specific namespaces:
apiVersion: cilium.io/v1alpha1
kind: TracingPolicyNamespaced
metadata:
name: monitor-production-file-access
namespace: production
spec:
kprobes:
- call: "fd_install"
syscall: false
args:
- index: 0
type: "int"
- index: 1
type: "file"
selectors:
- matchArgs:
- index: 1
operator: "Prefix"
values:
- "/etc/shadow"
- "/etc/passwd"
Examples
Detect Reverse Shell Connections
# reverse-shell-detect.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-reverse-shells
spec:
kprobes:
- call: "tcp_connect"
syscall: false
args:
- index: 0
type: "sock"
selectors:
- matchBinaries:
- operator: "In"
values:
- "/bin/bash"
- "/bin/sh"
- "/usr/bin/python3"
- "/usr/bin/perl"
- "/usr/bin/nc"
- "/usr/bin/ncat"
matchActions:
- action: Post
Monitor Container Escape Attempts
# container-escape-detect.yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: detect-container-escape
spec:
kprobes:
- call: "sys_openat"
syscall: true
args:
- index: 0
type: "int"
- index: 1
type: "string"
selectors:
- matchArgs:
- index: 1
operator: "Prefix"
values:
- "/proc/1/root"
- "/proc/1/ns"
- "/sys/kernel/security"
- "/proc/sysrq-trigger"
matchActions:
- action: Post
- call: "sys_mount"
syscall: true
args:
- index: 0
type: "string"
- index: 1
type: "string"
- index: 2
type: "string"
selectors:
- matchActions:
- action: Post
Full Event Pipeline: Tetragon to Elasticsearch
# Use tetra CLI to pipe events through jq into Elasticsearch
tetra getevents -o json | jq -c 'select(.process_kprobe != null)' | \
while IFS= read -r line; do
curl -s -X POST "http://elasticsearch:9200/tetragon-events/_doc" \
-H "Content-Type: application/json" \
-d "$line"
done
Related Skills
seikaikyo/performing-soc2-type2-audit-preparation
development
VerifiedTrustedCommunity
Automates SOC 2 Type II audit preparation including gap assessment against AICPA Trust Services Criteria (CC1-CC9), evidence collection from cloud providers and identity systems, control testing validation, remediation tracking, and continuous compliance monitoring. Covers all five TSC categories (Security, Availability, Processing Integrity, Confidentiality, Privacy) with automated evidence gathering from AWS, Azure, GCP, Okta, GitHub, and Jira. Use when preparing for or maintaining SOC 2 Type II certification.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soc-tabletop-exercise
testing
VerifiedTrustedCommunity
Performs tabletop exercises for SOC teams simulating security incidents through discussion-based scenarios to test incident response procedures, communication workflows, and decision-making under pressure without impacting production systems. Use when organizations need to validate IR playbooks, train analysts, or meet compliance requirements for incident response testing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-soap-web-service-security-testing
development
VerifiedTrustedCommunity
Perform security testing of SOAP web services by analyzing WSDL definitions and testing for XML injection, XXE, WS-Security bypass, and SOAPAction spoofing.
1SKILL.mdUpdated Jun 13, 2026
seikaikyo/performing-service-account-credential-rotation
devops
VerifiedTrustedCommunity
Automate credential rotation for service accounts across Active Directory, cloud platforms, and application databases to eliminate stale secrets and reduce compromise risk.
1SKILL.mdUpdated Jun 13, 2026