CoursesRuntime & eBPF securityeBPF & kernel foundations

Kernel events & enrichment

The syscalls that matter, plus container context.

Advanced30 min · lesson 3 of 15

Detection starts with knowing which events matter and where they come from. Runtime security tools watch a small set of high-signal kernel events; understanding them tells you what your rules can and cannot see.

The events that matter

Most meaningful actions surface as syscalls: process execution (execve), file access (open, openat), network connections (connect, accept), privilege changes (setuid, capset), and namespace/mount operations (unshare, mount). A runtime tool captures these at the kernel, enriches them with context — which container, which pod, which image, which user — and evaluates rules against the enriched stream. The enrichment is what turns a raw "execve of /bin/bash" into "an interactive shell in the payments-api container", which is the difference between noise and a real alert.

the enriched event a rule sees
# A raw syscall becomes a contextual security event:
#
# execve("/bin/bash") ← kernel event
# + container.id = 9f2c... ← runtime enrichment
# + k8s.pod = payments-api-7c9, ns = prod
# + image = registry/payments@sha256:...
# + user = root, parent = sh
# ⇒ rule: "shell spawned in a container" → ALERT (Warning)
#
# On a node you can watch exec events live with a tracer:
# bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s\n", comm); }'

Context is the signal

The same syscall is benign or malicious entirely depending on context: a shell in a debug pod is normal; a shell in a production API container is a hands-on-keyboard indicator. Good runtime detection leans on the Kubernetes and container metadata to scope rules tightly — this image, this namespace, this expected process tree — so alerts fire on deviation from a known-good baseline rather than on the raw event. That scoping is also what keeps the alert volume low enough to be trusted.

High-signal runtime events
process
execve
new process — shells, unexpected binaries
setuid / capset
privilege changes
file + network
open / write
writes to /etc, sensitive paths
connect / accept
unexpected egress, C2
isolation
mount / unshare
escape-adjacent operations
Capture the syscalls that matter, enrich with container/K8s context, and scope rules to a known-good baseline. Context turns events into signal.
Unenriched events are unmanageable noise
Watching raw syscalls without container/pod context produces a firehose no one can triage — every normal exec looks like the malicious one. Insist on runtime tooling that enriches events with workload identity, and write rules against that context, or the detection layer will be ignored.