Sysdig announced today it has donated a sysdig kernel module, along with libraries for the Falco security platform for Kubernetes, to the Cloud Native Computing Foundation (CNCF) as part of an effort to advance Linux security.
The sysdig kernel module runs in the extended Berkeley Packet Filter (eBPF) microkernel created by the Linux community to enable security, networking and storage technologies to run closer to the Linux kernel without impacting how updates are made to the core operating system.
When Sysdig originally created Falco, it also created an eBPF probe that ran within the eBPF microkernel. The company previously donated Falco to the CNCF in 2018; by contributing the eBPF probe as well, it will enable other security vendors to build security technologies that run within a Linux microkernel.
Dan “Pop” Papandrea, lead for the open source community and ecosystem at Sysdig, says the goal is to make it simpler for security vendors to build offerings that, by executing code at the microkernel level, can keep pace with the volume of cyberattacks being launched.
Sysdig claims it has spent more than 100,000 hours of developer time creating the sysdig kernel module that, if embraced by other security vendors, will significantly improve the overall security posture of the open source operating system.
The sysdig kernel module implements a system call capture framework in the Linux kernel. The framework includes full support for a capture file abstraction, along with a kernel event enrichment library comprising more than 70,000 lines of code. By making that module available as open source code, many of the security offerings that today run in user space, or are deployed as part of a network overlay, will be able to run much faster at the microkernel level, Papandrea says.
Sysdig will continue to contribute to both the sysdig kernel module and Falco, which today is an incubation level project being advanced under the auspices of the CNCF. As a platform for securing runtimes on Kubernetes clusters, Falco has been downloaded more than 24 million times. Adopters of Falco include logz.io, Booz Allen Hamilton, Sumo Logic, Shopify and Rancher, which is now part of SUSE.
The future of security is defined by open source software that vendors collaborate on as part of an ongoing effort to thwart a wide range of cyberattacks that are increasing in both volume and sophistication, Papandrea adds.
It may take some time before security vendors move their offerings down to the microkernel level. However, since eBPF became stable, most security vendors have, at the very least, explored the possibility. The sysdig kernel module could, in many cases, accelerate those efforts.
Less clear is to what degree that shift makes Linux a more secure platform than rival operating systems. What is clear, however, is that the ability of security technologies to scale alongside workloads running on Linux is about to be greatly enhanced.