implementing-ebpf-security-monitoring
Installation
SKILL.md
Implementing eBPF Security Monitoring
When to Use
- When deploying kernel-level runtime security monitoring on Linux hosts or Kubernetes clusters
- When you need sub-millisecond visibility into process execution, network connections, and file access
- When traditional userspace monitoring tools introduce unacceptable performance overhead
- When building detection pipelines that require in-kernel filtering before events reach userspace
- When enforcing runtime security policies (kill process, send signal) at the kernel level
Prerequisites
- Linux kernel 5.3+ with BTF (BPF Type Format) support enabled
- Kubernetes 1.24+ cluster (for Kubernetes deployment) or standalone Linux host
- Helm 3.x installed (for Kubernetes deployment)
kubectlconfigured with cluster accesstetraCLI installed for local event streaming- Python 3.8+ with
requests,kubernetes,pyyamldependencies - Root or CAP_BPF/CAP_SYS_ADMIN capabilities for eBPF program loading