docs(roadmap): Epic B slice B1 — host-wide Linux detection implementation plan#120
Draft
gnanirahulnutakki wants to merge 1 commit into
Draft
docs(roadmap): Epic B slice B1 — host-wide Linux detection implementation plan#120gnanirahulnutakki wants to merge 1 commit into
gnanirahulnutakki wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Planning document only — no code changed, no work authorized. Adds
docs/roadmap/epic-b-b1-linux-detection-plan.md, the file-level build plan for the first Epic B build slice.Grounded in the merged Epic B docs — slice plan (#114), cost/reliability SLOs (#117 "the CrowdStrike tax"), policy-selection (#116) — and the current code (
go/pkg/kernelcapture/process_exec.bpf.c, which today gates oncgroup_allowed()and captures onlycomm[16]). No separate Linux-detection/fingerprinting research PR is open, so this is built from the two merged research docs + the code.What B1 is
A second, parallel, host-wide detection path that leaves the scoped correlator feed byte-for-byte intact. It runs on every exec (no cgroup gate), captures resolved binary path + leading argv + uid, prefilters in-kernel against a known-agent basename set, emits survivors to a new 256 KB detection ring, and maintains per-CPU counters for the #39 observability-gap metric. It stops there — no classify (B2), attest (B3), adopt (B4), or enforce (B5). The detection stream never reaches the Correlator or
apply_policy.Key decisions in the plan
main.gocontrol routing, session registry), shared CI workflow, and the rule that any new control method inherits B0's per-peer authz. Observe-only B1 doesn't touch security(daemon): apply_policy & set_kill_switch lack per-session peer authorization (IDOR / global enforcement kill) #108/security(enforce): stale policy state — inactive op slot not cleared & allowlists never revoked/pruned #109/security(enforce): concurrent apply_policy races the double-buffer active_slot swap (CWE-362) #110 but must not ship on top of them.lsm/bprm_committed_creds(observe-only by construction — void return can't deny;bpf_d_pathlegal here for the resolved path; needs BPF-LSM, same as Slice 4.2). Fallback = ungatedsched_process_exectracepoint (basename of__data_loc filename, resolve via/proc/pid/exe) for hosts without BPF-LSM.python3/node) excluded in B1 — matching them host-wide is the FP-flood/cost hole (docs(research): Epic B cost + false-positive/negative budget (the CrowdStrike tax) #117 §2.2/§5), so B1 measures that gap via Land the live Linux eBPF capture daemon + emit the observability-gap metric #39 rather than pretend to close it.process_detect.bpf.c(+ bpf2go bindings),detect_source/decode/prefilter/observabilityGo,ardur-detect-smoke+ardur-detect-bench; changestypes.go,linux_ebpf_daemon_linux.go,main.go,kernel-enforce.yml. Full add/change table in §3. Explicitly not touched:process_exec.bpf.c,correlator.go,apply_policy,process_guard.bpf.c.bpf-generate(drift-check the new object), adddetect-smoke(KVM+virtme-ng, proves it fires host-wide AND drops non-agents in-kernel — the thingbpf-generatecan't show), adddetect-bench(SLO-1 p99 ≤ 10 µs gate).Gated by SLO-1..SLO-4 (from #117)
p50 ≤ 2 µs / p99 ≤ 10 µs added miss-path latency; ≤ 1% core @ 1k execs/s (Tetragon-side, not Falco-side); ≤ 16 MB fixed maps; drops counted not silent. SLO-5/6/7 (classifier) are B2/B5; SLO-8 (macOS) is B6. Full acceptance gate ("what B1 must prove") in §6.