Inspiration

I am a Junior Network Engineer with only 10 days of Linux experience. The "Kernel" used to scare me.

Instead of a safe Docker quickstart, I chose "Hard Mode": deploying Cilium Tetragon on Red Hat Enterprise Linux (RHEL) 10 Beta. My goal: Can a beginner build a Kernel-Level Firewall in 8 hours?

What it does

A field report on transitioning from Observability to Enforcement:

  • Observability: Monitors sensitive file access (/etc/passwd) using sys_openat hooks.
  • Enforcement: Attempts to block access using Sigkill and Syscall Override.
  • Stress Test: Validates policies against Race Conditions and Enterprise Security Constraints.

How we built it

  • Environment: RHEL 10 Beta (VM).
  • Core: Cilium Tetragon v1.6.0 (Native Binary).
  • Mechanism: Custom YAML TracingPolicies hooking into kernel functions.
  • Workflow: Iterate through Post (Log) -> Sigkill (Kill) -> Override (Error Injection).

Challenges we ran into

  1. The Race Condition: Sigkill failed against fast processes like cat. Data leaked before the process was killed, proving reactive defense has speed limits.
  2. The Lockout: My policy was too aggressive. It killed ls and sudo (since they read /etc/passwd for user names), locking me out of the server.
  3. The Wall (Kernel Lockdown): RHEL 10's Secure Boot blocked my Syscall Override attempt with a "Helper not available" error. Under Secure Boot the kernel runs in lockdown mode, which keeps eBPF from altering syscall return values, the same capability a rootkit would abuse.

Accomplishments that we're proud of

  • Successfully deployed Tetragon on a bleeding-edge Enterprise OS (RHEL 10).
  • Validated the trade-offs of eBPF enforcement: Speed (Race Conditions) vs. Security (Kernel Lockdown).
  • Moved from fearing the kernel to interacting with it in < 24 hours.

What we learned

  • Security is a Trade-off: Observability is safe; Enforcement is risky (side effects) or restricted (OS hardening).
  • Linux Internals: I learned why ls needs /etc/passwd (the "phone book" concept) by accidentally killing it.

What's next for Tetragon on RHEL 10: A Junior's first impression

I plan to implement Smart Enforcement using matchBinaries to whitelist legitimate tools (like ls) and explore Network Observability to trace connections without firewall overhead.
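To make the Post -> Sigkill -> Override workflow described above and the planned matchBinaries fix concrete, here is an added example of what such TracingPolicies look like. These are not the author's policies and do not come from this page; the policy names and the exempted binary list are my own choices, and the field names follow the Tetragon TracingPolicy schema as documented (check them against the docs for the Tetragon version you run). Three policy documents are shown: the observe-only policy, the over-broad Sigkill policy of the kind that caused the lockout, and a scoped version that exempts the listed system tools.

```yaml
# Added example (not the author's policies). Field names follow the Tetragon
# TracingPolicy schema; policy names and the exempt list are arbitrary.
#
# 1. Observability only: emit an event for every openat() of /etc/passwd.
#    Run this first and use the events to learn which binaries legitimately
#    read the file before turning on any enforcement.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "passwd-observe"
spec:
  kprobes:
  - call: "sys_openat"        # Tetragon resolves the arch-specific symbol
    syscall: true
    args:
    - index: 0
      type: "int"             # dirfd
    - index: 1
      type: "string"          # pathname
    - index: 2
      type: "int"             # flags
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"
      # No matchActions: the default is to post the event and nothing else.
---
# 2. The lockout version: Sigkill any process that opens /etc/passwd.
#    ls, sudo, id and friends all read it to map UIDs to names, so this
#    kills them too. Sigkill is also asynchronous (the signal is sent from
#    the hook, not acted on inside it), so a fast reader can still finish
#    the syscall in flight: the race condition from the challenges list.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "passwd-kill-unscoped"
spec:
  kprobes:
  - call: "sys_openat"
    syscall: true
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "string"
    - index: 2
      type: "int"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"
      matchActions:
      - action: Sigkill
---
# 3. Scoped enforcement: same hook, but the selector only fires when the
#    calling binary is NOT one of the exempted tools. All match clauses in
#    one selector are ANDed. Grow the list from policy 1's events.
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "passwd-kill-scoped"
spec:
  kprobes:
  - call: "sys_openat"
    syscall: true
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "string"
    - index: 2
      type: "int"
    selectors:
    - matchBinaries:
      - operator: "NotIn"
        values:
        - "/usr/bin/ls"
        - "/usr/bin/sudo"
        - "/usr/bin/id"
      matchArgs:
      - index: 1
        operator: "Equal"
        values:
        - "/etc/passwd"
      matchActions:
      - action: Sigkill
      # To block the open synchronously instead of killing after the fact:
      #   - action: Override
      #     argError: -1        # openat() returns -1 (EPERM) to the caller
      # Override needs the bpf_override_return helper, which kernel lockdown
      # (Secure Boot on RHEL 10) disables; that is the "Helper not available"
      # error described above.
```

Apply each document with `tetra tracingpolicy add <file>` (or `kubectl apply` in a cluster) and watch the resulting events with `tetra getevents -o compact` before moving from policy 1 to policy 3; the `matchBinaries` paths must be the resolved binary paths on the host, which on RHEL live under /usr/bin.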
