kflowd: Kernel-based Process Monitoring on Linux Endpoints via eBPF
kflowd
kflowd runs as an agent on Linux endpoints and uses the kernel's eBPF subsystem to monitor processes for filesystem and TCP/UDP networking events, enabling immediate detection of threats and anomalous activity.
Advanced features that are not eBPF-based, such as DNS and HTTP application message decoding, checksum calculation of files for virus detection, process and file versioning for vulnerability detection, and file device, network interface, and user/group identification for files and processes, can be enabled via open-binary plugin modules. These modules can be downloaded here, or contact us at kflow@tarsal.co for more details.
kflowd consists of an eBPF program running in kernel context and a control application running in userspace.
The eBPF program attaches to kernel functions to trace the file system and networking activity of processes. Events are aggregated into records and submitted to a ring buffer, from which the userspace control application polls them. Each record is enriched with process information and then converted into a message in JSON format.
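To make the record pipeline concrete, here is an added example in plain C; it is not kflowd's code. It takes a constructed stream of file events of the kind a kernel probe would emit, aggregates them into one record per (pid, filename) with per-operation counters, and serialises each record as a single JSON line. In kflowd the aggregation step runs inside the eBPF program before records enter the ring buffer; here both stages run in userspace so the example compiles without libbpf or kernel headers, and the struct layouts and JSON field names (pid, comm, file, open/write/close) are assumptions rather than kflowd's actual output schema. Filenames and process names originate from untrusted processes, so the serialiser escapes them: without that, a crafted filename containing a quote or newline could inject fields into the JSON that downstream tooling parses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed event/record layouts for illustration only; not kflowd's real structures. */
enum fs_op { OP_OPEN, OP_WRITE, OP_CLOSE, OP_COUNT };
static const char *op_name[OP_COUNT] = { "open", "write", "close" };
struct fs_event { uint32_t pid; enum fs_op op; char comm[16]; char filename[64]; };
struct fs_record { uint32_t pid; char comm[16]; char filename[64]; uint32_t count[OP_COUNT]; };
#define MAX_RECORDS 16
struct record_table { int n; struct fs_record rec[MAX_RECORDS]; };   /* append-only, zeroed at start */

/* Find the record for (pid, filename) or append a new one; NULL when the table is full. */
static struct fs_record *record_lookup(struct record_table *t, const struct fs_event *e)
{
    for (int i = 0; i < t->n; i++)
        if (t->rec[i].pid == e->pid && strcmp(t->rec[i].filename, e->filename) == 0)
            return &t->rec[i];
    if (t->n >= MAX_RECORDS) return NULL;   /* full: a real agent would flush or count the drop */
    struct fs_record *r = &t->rec[t->n++];
    r->pid = e->pid;
    snprintf(r->comm, sizeof r->comm, "%s", e->comm);
    snprintf(r->filename, sizeof r->filename, "%s", e->filename);
    return r;
}

/* Fold one event into its record; returns records in use, or -1 if the event was dropped. */
int aggregate_event(struct record_table *t, const struct fs_event *e)
{
    if ((unsigned)e->op >= OP_COUNT) return -1;   /* never index counters with an unchecked op */
    struct fs_record *r = record_lookup(t, e);
    if (!r) return -1;
    r->count[e->op]++;
    return t->n;
}

/* Append raw text at out[*pos], keeping out NUL-terminated; -1 if it would not fit. */
static int json_put_raw(char *out, size_t cap, size_t *pos, const char *s)
{
    size_t len = strlen(s);
    if (*pos + len >= cap) return -1;
    memcpy(out + *pos, s, len + 1);
    *pos += len;
    return 0;
}

/* Append s as a quoted JSON string, escaping '"', '\\' and control bytes (as \uXXXX);
 * bytes >= 0x80 pass through unchanged, so UTF-8 names survive intact. */
static int json_put_string(char *out, size_t cap, size_t *pos, const char *s)
{
    if (json_put_raw(out, cap, pos, "\"")) return -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char buf[8] = { (char)c, '\0' };
        if (c == '"' || c == '\\') snprintf(buf, sizeof buf, "\\%c", c);
        else if (c < 0x20) snprintf(buf, sizeof buf, "\\u%04x", (unsigned)c);
        if (json_put_raw(out, cap, pos, buf)) return -1;
    }
    return json_put_raw(out, cap, pos, "\"");
}

/* Serialise one record as a single-line JSON object; returns its length, or -1 if out is too small. */
int record_to_json(const struct fs_record *r, char *out, size_t cap)
{
    char num[32];
    size_t pos = 0;
    snprintf(num, sizeof num, "{\"pid\":%u,\"comm\":", r->pid);
    if (json_put_raw(out, cap, &pos, num) || json_put_string(out, cap, &pos, r->comm) ||
        json_put_raw(out, cap, &pos, ",\"file\":") || json_put_string(out, cap, &pos, r->filename))
        return -1;
    for (int op = 0; op < OP_COUNT; op++) {
        snprintf(num, sizeof num, ",\"%s\":%u", op_name[op], r->count[op]);
        if (json_put_raw(out, cap, &pos, num)) return -1;
    }
    return json_put_raw(out, cap, &pos, "}") ? -1 : (int)pos;
}

/* Constructed sample stream (not captured from a real host); the fourth filename is hostile. */
static const struct fs_event sample_events[] = {
    { 4242, OP_OPEN,  "bash", "/etc/passwd" }, { 4242, OP_WRITE, "bash", "/etc/passwd" },
    { 4242, OP_CLOSE, "bash", "/etc/passwd" }, { 4242, OP_OPEN,  "bash", "/tmp/a\"b\n" },
    {   77, OP_OPEN,  "sshd", "/etc/passwd" },
};

/* Replay the sample stream into a zeroed table; returns the record count, or -1 on a drop. */
static int run_sample(struct record_table *t)
{
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof sample_events / sizeof sample_events[0]; i++)
        if (aggregate_event(t, &sample_events[i]) < 0) return -1;
    return t->n;
}

int demo_record_count(void) { struct record_table t; return run_sample(&t); }

/* 1 if record idx of the sample run serialises exactly to expected, else 0. */
int demo_json_matches(int idx, const char *expected)
{
    struct record_table t;
    char out[256];
    if (run_sample(&t) < 0 || idx < 0 || idx >= t.n) return 0;
    return record_to_json(&t.rec[idx], out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}
```

To run it, add a main that calls run_sample() and prints each record through record_to_json(). For the sample stream demo_record_count() returns 3 (the five events collapse into three records), and the hostile filename comes out as "/tmp/a\"b\u000a" rather than breaking the object. The fixed-size table mirrors the constraint a real eBPF program faces: kernel-side maps and ring buffers have bounded capacity, so the drop path (-1) is a case an agent has to account for, typically by counting lost events so that the absence of a record is itself visible downstream.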
Final messages are printed to the stdout console and can additionally be sent via UDP to specified hosts for ingestion into a security data pipeline. Plain UDP gives neither delivery guarantees nor sender authentication, so receivers should be reached over a trusted network path and should not treat the packet's source address as proof of origin.
kflowd runs on Linux kernels 5.10 and later and is built with the libbpf + CO-RE (Compile Once, Run Everywhere) eBPF development toolchain. CO-RE uses BTF (BPF Type Format) information from the running kernel to relocate field accesses when the program is loaded, so the compiled eBPF program does not depend on the kernel headers of the particular kernel version it is deployed on. This requires the target kernel to expose BTF (CONFIG_DEBUG_INFO_BTF), which is normally visible as /sys/kernel/btf/vmlinux.