
D1-I1 Henri Dubois-Ferriere - Cloudy with a Chance of Syscalls

Ignite Talk

TL;DR: The Linux system call interface is becoming an increasingly useful instrumentation point for monitoring, troubleshooting, and security. This talk covers why that is happening, what you can get from it, and how it will make your life better.

Once upon a time, you could use packet capture to answer questions like: How many outbound TCP connections in the past hour? Top HTTP requests? Did the latest SQL injection attack hit my database?

But then the cloud happened, we lost access to a SPAN port, and no longer had a good place to capture traffic. And then containers and their orchestration happened (hello k8s!), and we lost the straightforward mapping between network tuples and applications.

But there’s good news! There’s another instrumentation point which is still largely overlooked, but is even richer in the detail it provides: system calls. By tapping syscalls, you can get pretty much anything you can get from tapping the network, and a lot more. And we’re now getting good support (both kernel and associated tooling) to tap into this instrumentation point.

We’ll give highlights of some of those open-source tools, such as go-audit, Sysdig, Falco, and maybe even a taste of eBPF. Most importantly, we’ll cover practical examples of using system calls to answer analytics, security, and monitoring questions in realistic environments.

DevOpsDays Zurich

May 09, 2017

Transcript

  1. Cloudy with a Chance of Syscalls DevopsDays Zürich 2017 @henridf

    12th Ave Labs From Pixar’s “Partly Cloudy”
  3. $ strace -e open /usr/sbin/nginx

    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
    open("/var/log/nginx/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 3
    open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 4
    open("/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 4
    open("/opt/var/weird/nginx.conf", O_RDONLY) = 4
    open("/var/log/nginx/access.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 4
    open("/var/log/nginx/error.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5