Falco and Tetragon are both runtime security tools that leverage eBPF to monitor system activity, but they approach the problem from slightly different angles and offer distinct features.
Here’s what Tetragon looks like in action, monitoring file access to a sensitive configuration file:
# Start Tetragon in verbose mode
sudo tetragon --log-level debug
# In another terminal, try to read the file
cat /etc/passwd
You’ll see output from Tetragon detailing the open and read syscalls, including the process that performed them, its PID, and the file path.
{
"syscall": "open",
"pid": 12345,
"process_name": "cat",
"args": {
"pathname": "/etc/passwd",
"flags": "O_RDONLY|O_LARGEFILE"
},
"parent_pid": 1234,
"parent_process_name": "bash"
}
{
"syscall": "read",
"pid": 12345,
"process_name": "cat",
"args": {
"fd": 3,
"count": 4096
},
"parent_pid": 1234,
"parent_process_name": "bash"
}
Falco, on the other hand, would typically be configured with rules that trigger alerts for such events. A Falco rule might look like this:
- rule: Read sensitive file
desc: Detect reading of sensitive files like /etc/passwd
condition: openat and evt.dirpath="/etc/passwd" and fd.type="file"
output: Sensitive file read by process %1 (pid %2)
priority: WARNING
When Falco detects this, it would generate an alert:
10:00:00.123456789: Warning: Sensitive file read by process cat (pid 12345)
The core problem both tools solve is the blind spot in traditional security. Network firewalls and host-based intrusion detection systems (HIDS) often rely on static configurations or signatures, failing to detect novel or sophisticated attacks that operate by manipulating legitimate system processes. eBPF provides a way to observe the kernel’s behavior in real-time, allowing for dynamic, context-aware security policies.
Tetragon’s internal model is built around event processing. It attaches eBPF programs to syscall entry and exit points. When a syscall occurs, the eBPF program captures the event data and sends it to the Tetragon userspace daemon. This daemon then processes these events, filters them based on configured policies, and can trigger actions like logging, alerting, or even enforcing security policies by blocking or killing processes. Tetragon’s strength lies in its granular event collection and its policy enforcement capabilities, which allow for more complex security logic.
Falco, while also using eBPF (often via libscap), has a slightly different architecture and focus. Falco’s primary mechanism is rule-based alerting. It defines a rich set of event sources (syscalls, network activity, file modifications) and allows users to define complex rules using a declarative syntax. When an event matches a rule, Falco generates a human-readable alert. Falco’s strength is its extensive rule library and its ease of use for generating alerts based on known suspicious patterns.
The most surprising aspect of eBPF-based security tools is how much information is available directly from the kernel. You’re not just seeing process names and command lines; you’re seeing the exact arguments passed to system calls, the file descriptors involved, the network packets being sent and received, and the memory regions being accessed. This level of detail allows for incredibly precise detection and response, far beyond what was previously possible with userspace monitoring. For instance, Tetragon can track the entire lifecycle of a file descriptor, from its opening to its closing, and correlate it with specific syscalls and network events, providing a comprehensive audit trail.
A subtle but powerful feature in Tetragon is its ability to intercept and modify syscall arguments. This goes beyond mere detection and allows for proactive security. For example, you could configure Tetragon to prevent specific sensitive files from being opened by unprivileged processes, effectively enforcing a least-privilege model at the kernel level without modifying application code.
The next concept you’ll likely encounter is how to manage and scale these tools in a large Kubernetes environment, including strategies for policy management and data aggregation.