Enable eBPF for Linux Agent 3.x

Introduction

With the Linux Agent 3.0.0 release, F5 Distributed Cloud App Infrastructure Protection (AIP) includes a new eBPF component that reports additional network telemetry. eBPF safely and efficiently extends the Linux kernel’s capabilities without requiring you to change the kernel’s existing code or modules and allows you to add additional capabilities to the operating system (OS) at runtime.

eBPF runs event-driven custom code natively in the OS kernel, without changes to applications or to the kernel itself, to provide runtime security and observability.

Use cases:

  • Security – eBPF facilitates visibility over all aspects of the kernel, allowing you to develop security systems that operate with more context and control.
  • Networking – eBPF’s efficiency and programmability provide ways to add protocol parsers and program any forwarding logic to address changing requirements without leaving the kernel’s packet processing context.
  • Tracing and profiling – Attaching eBPF programs to trace points as well as kernel and user application probe points provides visibility into the system and runtime behavior to help you troubleshoot system performance issues.
  • Observability and monitoring – eBPF increases visibility and decreases overall system overhead by collecting only the required visibility data and producing data structures at the event’s source, rather than depending on sample exports.

Enable eBPF

Note

Do not use Low Power Mode in combination with eBPF for Linux Agent 3.0.0. These features will be enhanced for compatibility in a future Distributed Cloud AIP Linux Agent release.

Host-Based Agent Installation
  1. To configure the agent to run eBPF sensors, run the following command:
    $ sudo tsagent config --set enable_bpf_sensors 1
  2. To start Distributed Cloud AIP service, run the following command:
    $ sudo systemctl start threatstack
  3. To check Distributed Cloud AIP Agent status, run the following command:
    $ sudo tsagent status

You receive the following output:

UP Threat Stack Agent Daemon
UP Threat Stack Backend Connection
UP Threat Stack Heartbeat Service
UP Threat Stack Network Tracer
UP Threat Stack DNS Tracer
UP Threat Stack Login Collector
UP Threat Stack Log Scan Service
UP Threat Stack Vulnerability Scanner
UP Threat Stack Audit Collection
UP Threat Stack File Integrity Monitor

Containerized Agent Installation
  1. Open the Command Line.
  2. Type or copy and paste the following command as one block and press ENTER. This is the deploy command for the container.

    export DEPLOY_KEY=<your deploy key>
    sudo docker run -it -d \
    -e THREATSTACK_SETUP_ARGS="-deploy-key ${DEPLOY_KEY} -ruleset 'Base Rule Set, Docker Rule Set'" \
    -e THREATSTACK_CONFIG_ARGS="enable_bpf_sensors 1" \
    --name=ts-docker \
    --network=host \
    --pid=host \
    --security-opt=apparmor=unconfined \
    --cap-add=AUDIT_CONTROL \
    --cap-add=SYS_ADMIN \
    --cap-add=SYS_PTRACE \
    --cap-add=SYS_NICE \
    --cap-add=SYS_RESOURCE \
    --cap-add=IPC_LOCK \
    -v /:/threatstackfs/:ro \
    -v /sys/kernel/debug:/sys/kernel/debug \
    <paste IMAGE ID here>
    1. Replace <your deploy key> with your deployment key.
    2. Replace <paste IMAGE ID here> with the image ID.
  3. Confirm the Containerized Agent successfully deployed to the Docker environment:
    1. Log into Distributed Cloud AIP and view the new server.
    2. Log into the container and run the following command, replacing <container name> with the container name specified for --name in step 2:
      sudo docker exec <container name> tsagent status
  4. If successful, you receive the following output:
    UP Threat Stack Agent Daemon
    UP Threat Stack Backend Connection
    UP Threat Stack Heartbeat Service
    UP Threat Stack Docker Monitoring
    UP Threat Stack Containerd Monitoring
    UP Threat Stack Network Tracer
    UP Threat Stack DNS Tracer
    UP Threat Stack Login Collector
    UP Threat Stack Log Scan Service
    UP Threat Stack Vulnerability Scanner
    UP Threat Stack Audit Collection
    UP Threat Stack File Integrity Monitor
    
Troubleshoot eBPF Sensors (Net Tracer, DNS Tracer)

If you see this error message:

"cannot open kprobe_events: open /sys/kernel/debug/tracing/kprobe_events: no such file or directory\n"

and/or Network Tracer shows as DOWN in sudo tsagent status, you may need to mount debugfs on this host.

To check whether debugfs is mounted, run the following command:

sudo mount | grep debug

If debugfs is not reported in the command output:

  • In a Host environment:
    1. Run the following command:
      sudo mount -t debugfs debugfs /sys/kernel/debug
    2. Restart the Agent.
  • In a Container environment:
    1. Stop the container.
    2. Remove the container.
    3. Run the mount command above on the host.
    4. Recreate the container with the following host path bind-mounted into it (the -v /sys/kernel/debug:/sys/kernel/debug line of the deploy command):
      /sys/kernel/debug
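The status checks from both installation procedures and the debugfs troubleshooting steps above can be combined into one preflight script. The following is an added example, not code from the F5 documentation or from the agent itself. It assumes that debugfs belongs at /sys/kernel/debug (the path named in the error message above), that tsagent status prints one "STATE Threat Stack <service>" line per service as in the documented output, and it reads docker inspect's .HostConfig.Binds field to confirm the bind mount. The script name ebpf_preflight.sh and the function names are this example's own.

```shell
#!/bin/sh
# ebpf_preflight.sh: sanity checks for the Distributed Cloud AIP eBPF sensors.
# Added example; not part of the F5 documentation or of the agent itself.
# Assumptions: debugfs belongs at /sys/kernel/debug (the path named in the
# agent's error message) and `tsagent status` prints one
# "<STATE> Threat Stack <service>" line per service, as in the output above.

DEBUGFS_DIR="/sys/kernel/debug"
KPROBE_EVENTS="$DEBUGFS_DIR/tracing/kprobe_events"

# Read `mount` output on stdin; succeed only if a debugfs filesystem is mounted
# exactly at DEBUGFS_DIR, rather than matching any line containing "debug".
debugfs_mounted_in() {
    grep -q "^debugfs on $DEBUGFS_DIR type debugfs"
}

# Read `tsagent status` output on stdin; print the name of every service whose
# state is not UP, one per line (prints nothing when all services are UP).
down_services() {
    awk 'NF && $1 != "UP" { sub(/^[^ ]+ Threat Stack /, ""); print }'
}

# Read `tsagent status` output on stdin; succeed only if both eBPF sensors,
# the Network Tracer and the DNS Tracer, report UP.
ebpf_sensors_up() {
    awk 'BEGIN { net = 0; dns = 0 }
         $1 == "UP" && /Network Tracer$/ { net = 1 }
         $1 == "UP" && /DNS Tracer$/     { dns = 1 }
         END { exit !(net && dns) }'
}

# Read the JSON list printed by
# `docker inspect --format '{{json .HostConfig.Binds}}' <container>` on stdin;
# succeed only if the host debugfs directory is bind-mounted into the container.
container_binds_debugfs() {
    grep -q "\"$DEBUGFS_DIR:$DEBUGFS_DIR"
}

# Host check: report a missing debugfs mount (and repair it when run as root),
# then confirm that the kprobe_events file the tracers open is present.
check_host() {
    if mount | debugfs_mounted_in; then
        echo "ok: debugfs mounted at $DEBUGFS_DIR"
    elif [ "$(id -u)" -eq 0 ]; then
        echo "debugfs not mounted; mounting it now"
        mount -t debugfs debugfs "$DEBUGFS_DIR" || return 1
    else
        echo "debugfs not mounted; run: sudo mount -t debugfs debugfs $DEBUGFS_DIR"
        return 1
    fi
    if [ -e "$KPROBE_EVENTS" ]; then
        echo "ok: $KPROBE_EVENTS present"
    else
        echo "missing: $KPROBE_EVENTS (tracers cannot attach their kprobes)"
        return 1
    fi
}

# Agent check: query `tsagent status` on the host, or inside the named
# container, and flag any service that is not UP. For a container, first verify
# that it was created with the /sys/kernel/debug bind mount.
check_agent() {
    container="$1"
    if [ -n "$container" ]; then
        docker inspect --format '{{json .HostConfig.Binds}}' "$container" \
            | container_binds_debugfs \
            || { echo "container $container lacks the $DEBUGFS_DIR bind mount"; return 1; }
        status=$(docker exec "$container" tsagent status) || return 1
    else
        status=$(tsagent status) || return 1
    fi
    if printf '%s\n' "$status" | ebpf_sensors_up; then
        echo "ok: Network Tracer and DNS Tracer are UP"
    else
        echo "eBPF sensors not UP; services in a non-UP state:"
        printf '%s\n' "$status" | down_services | sed 's/^/  /'
        return 1
    fi
}

# Run the checks only when executed as a script, so the functions above can
# also be sourced. Pass a container name to check a Containerized Agent.
if [ "${0##*/}" = "ebpf_preflight.sh" ]; then
    rc=0
    check_host || rc=1
    check_agent "$1" || rc=1
    exit "$rc"
fi
```

Run it as sudo ./ebpf_preflight.sh on a host-based install, or sudo ./ebpf_preflight.sh ts-docker for the container deployed above; a non-zero exit means at least one check failed and the output names the service or mount to fix. The matching on the full "debugfs on /sys/kernel/debug type debugfs" line is deliberate: the bare grep debug in the troubleshooting step will also match any other mount whose path or options contain that word.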