techlist.io
KR EN

real-time-monitoring

2 posts

discord

Osprey: Open Sourcing our Rule Engine (opens in new tab)

Osprey is an open-source safety rules engine designed to help platforms address emerging threats without the need to build custom security infrastructure from scratch. Developed through a collaboration between industry experts and the internet.dev team, it provides a standardized framework for investigating real-time activities and deploying dynamic safety measures. By using this engine, companies can significantly reduce engineering overhead while maintaining a proactive stance against platform abuse. **The Osprey Safety Rules Engine** * Functions as an open-source toolset aimed at replacing the fragmented, "reinvent the wheel" approach many companies take toward platform safety. * Enables security and moderation teams to monitor live activity streams to identify patterns of misuse as they occur. * Allows for the rapid creation and implementation of dynamic rules, ensuring that safety protocols can evolve alongside shifting threat landscapes. **Streamlining Engineering and Investigation** * Reduces the technical debt typically associated with building and maintaining internal safety tools by providing a pre-built, scalable engine. * Facilitates deep-dive investigations into platform events, allowing teams to react to threats with minimal intervention from core engineering staff. * Promotes a collaborative approach to safety by making the underlying technology accessible to the broader developer community. For organizations looking to strengthen their security posture, Osprey offers a practical alternative to bespoke safety systems. Teams should consider integrating the engine to automate their threat responses and leverage its real-time investigation capabilities to protect their users more efficiently.

real-time-monitoringopen-sourcetrust-and-safetyosprey+3
datadog

Hardening eBPF for runtime security: Lessons from Datadog Workload Protection | Datadog (opens in new tab)

Scaling real-time file monitoring across high-traffic environments requires a strategy to process billions of kernel events without exhausting system resources. By leveraging eBPF, organizations can move filtering logic directly into the Linux kernel, drastically reducing the overhead associated with traditional userspace monitoring tools. This approach enables precise observability of file system activity while maintaining the performance necessary for large-scale production workloads. ### Limitations of Traditional Monitoring Tools * Conventional tools like `auditd` often struggle with performance bottlenecks because they require every event to be copied from the kernel to userspace for evaluation. * Standard APIs like `fanotify` and `inotify` lack the granularity needed for complex filtering, often resulting in "event storms" during high I/O operations. * The high frequency of context switching between kernel and userspace when processing billions of events per minute can lead to significant CPU spikes and system instability. ### Architecture of eBPF-Based File Monitoring * The system hooks into the Virtual File System (VFS) layer using `kprobes` and `tracepoints` to capture actions such as `vfs_read`, `vfs_write`, and `vfs_open`. * LSM (Linux Security Module) hooks are utilized for security-focused monitoring, providing a stable interface that is less prone to kernel version changes than raw kprobes. * By executing C-like code within the kernel’s sandboxed environment, the system can inspect file paths and process IDs (PIDs) instantly upon event creation. ### In-Kernel Filtering and Data Management * High-performance eBPF maps, specifically `BPF_MAP_TYPE_HASH` and `BPF_MAP_TYPE_LPM_TRIE`, are used to store allowlists and denylists for specific directories and file extensions. * The system implements prefix matching to ignore high-volume, low-value paths like `/proc`, `/sys`, or temporary build directories, discarding these events before they ever leave the kernel. * To minimize memory contention, per-CPU maps are employed, allowing the eBPF programs to aggregate data locally on each core without the need for expensive global locks. ### Efficient Data Transmission with Ring Buffers * The implementation utilizes `BPF_RINGBUF` rather than the older `BPF_PERF_EVENT_ARRAY` to handle data transfer to userspace. * Ring buffers provide a shared memory space between the kernel and userspace, offering better memory efficiency and guaranteeing event ordering. * By only pushing "filtered" events—representing a tiny fraction of the billions of raw kernel events—the system prevents userspace consumers from becoming overwhelmed. For organizations operating at massive scale, moving from reactive userspace logging to proactive kernel-level filtering is essential. Implementing an eBPF-based monitoring stack allows for deep visibility into file system changes with minimal performance impact, making it the recommended standard for modern, high-throughput cloud environments.

real-time-monitoringscalabilitylinuxebpf+2