Runtime Sensor

Overview

Welcome to the Runtime Sensor documentation! Runtime Sensor is a lightweight Linux security agent that provides real-time threat detection and policy enforcement using eBPF technology.

What is Runtime Sensor?

Runtime Sensor is a security monitoring system that uses eBPF (Extended Berkeley Packet Filter) and LSM (Linux Security Module) hooks to provide runtime security monitoring and policy enforcement at the kernel level. The sensor intercepts security-relevant operations before they execute, enabling proactive threat prevention with minimal performance impact.

Key Features

  • Kernel-Level Security: eBPF LSM hooks intercept operations at the kernel level for real-time policy enforcement
  • Multi-Domain Monitoring: File system, process, network, memory, and capability monitoring
  • Policy Enforcement: JSON-defined security policies with expression-based rules
  • Flexible Modes: Configurable enforcement vs observability (audit-only) modes
  • Team Server Integration: Centralized management, policy distribution, and telemetry aggregation
  • Broad Platform Support: Native packages for all major Linux distributions

Security Enforcement Technology

Runtime Sensor uses eBPF for security policy enforcement and selects one of two hook types depending on what the running kernel supports:

eBPF LSM Hooks (Primary Mode)

  • Intercepts security-relevant operations at the kernel level
  • Enables real-time policy decisions before operations complete
  • Can reject unauthorized operations before they execute
  • Provides the strongest security posture with minimal performance impact

eBPF fentry Hooks (Fallback Mode)

  • Used when eBPF LSM hooks are unavailable (kernel too old, or the BPF LSM not enabled)
  • Monitors operations but cannot prevent their execution; the operation may already have completed by the time it is observed
  • Terminates offending processes via SIGKILL after detection
  • Still provides security value through rapid threat response, but it is detect-and-respond rather than prevention

Deployment Options

Runtime Sensor offers multiple deployment methods to meet different infrastructure requirements.

1. Native Package Installation

Deploy using native packages optimized for your Linux distribution:

  • RPM Packages: For RedHat, CentOS, Fedora, SUSE, Oracle Linux, AlmaLinux, and Rocky Linux
  • DEB Packages: For Debian and Ubuntu distributions
  • Tarball (TGZ): For Alpine, Arch, and Amazon Linux

2. Container Distribution

The sensor is packaged as a container image at ghcr.io/endurasecurity/container/endura-sensor, providing:

  • Consistent deployment across container orchestration platforms
  • Simplified updates and rollbacks
  • Support for Docker, Podman, and other container runtimes

3. Kubernetes (Helm)

Deploy as a DaemonSet using our Helm chart for enterprise-scale operations:

  • Automatic deployment to all nodes in your cluster
  • Centralized configuration via Helm values
  • Integration with existing Kubernetes infrastructure

Prerequisites

Before deploying Runtime Sensor, ensure you have the following prerequisites in place:

System Requirements

  • Kernel Version: Linux kernel 4.18+ (5.8+ recommended for optimal eBPF LSM support)
  • Architecture: x86_64 or ARM64
  • Memory: Minimum 512MB RAM, 1GB recommended for production workloads
  • Disk Space: 1GB available space for installation and logs
  • systemd: Required for service management on all distributions

Network Requirements

  • HTTPS (443/tcp) to Team Server for policy updates and telemetry (if using Team Server mode)
  • HTTPS (443/tcp) to package repositories for installation

Administrative Access

Sufficient administrative privileges for your chosen deployment method:

  • Root access for native package installation
  • Privileged container execution for containerized deployments
  • Kubernetes cluster access with appropriate RBAC permissions for Helm deployments
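The system requirements above, together with the LSM-versus-fentry distinction in "Security Enforcement Technology", can be checked on a host before installing anything. The following POSIX shell script is an added example written for this page; it is not part of the Runtime Sensor documentation or the product. It assumes that the active LSM list is readable from /sys/kernel/security/lsm (securityfs mounted), that the presence of "bpf" in that list means the BPF LSM is enabled, and that the documented 5.8+ recommendation is the threshold at which LSM hooks become usable; the exact hook-selection logic of the real sensor is not described on this page.

```shell
#!/bin/sh
# Added example (not Runtime Sensor project code): pre-deployment check of the
# documented prerequisites. It compares the kernel to the 4.18 minimum and the
# 5.8 recommendation, checks the CPU architecture, looks for the BPF LSM in the
# active LSM list, and reports whether systemd is the init system.

# kernel_at_least MIN VERSION: succeed if VERSION (e.g. "5.15.0-91-generic")
# is >= MIN (e.g. "5.8"), comparing major and minor numerically.
kernel_at_least() {
    min_major=${1%%.*}
    min_minor=${1#*.}; min_minor=${min_minor%%.*}
    ver=${2%%-*}                          # drop "-91-generic" style suffixes
    case $ver in *.*) ;; *) ver="$ver.0" ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$min_major" ] ||
    { [ "$major" -eq "$min_major" ] && [ "$minor" -ge "$min_minor" ]; }
}

# lsm_has_bpf LSMLIST: succeed if "bpf" appears in a comma-separated LSM list
# such as the contents of /sys/kernel/security/lsm.
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# arch_supported ARCH: succeed for the two documented architectures
# (uname reports ARM64 as "aarch64").
arch_supported() {
    case $1 in
        x86_64|aarch64|arm64) return 0 ;;
        *)                    return 1 ;;
    esac
}

# enforcement_mode KERNEL_VERSION LSMLIST: print the hook type the host can
# support. "lsm" = LSM hooks (operations can be rejected), "fentry" = fallback
# (detect, then SIGKILL), "unsupported" = below the 4.18 minimum.
# Assumption: the documented 5.8+ recommendation is used as the LSM gate.
enforcement_mode() {
    if ! kernel_at_least 4.18 "$1"; then
        echo unsupported
    elif kernel_at_least 5.8 "$1" && lsm_has_bpf "$2"; then
        echo lsm
    else
        echo fentry
    fi
}

# --- Report on the current host (informational only) ---
kver=$(uname -r)
arch=$(uname -m)
lsms=""
if [ -r /sys/kernel/security/lsm ]; then
    lsms=$(cat /sys/kernel/security/lsm)
fi
if arch_supported "$arch"; then arch_state=supported; else arch_state=unsupported; fi
if [ -d /run/systemd/system ]; then init_state=systemd; else init_state="not systemd (service management unavailable)"; fi

printf 'kernel      : %s\n' "$kver"
printf 'arch        : %s (%s)\n' "$arch" "$arch_state"
printf 'active LSMs : %s\n' "${lsms:-<unreadable: is securityfs mounted?>}"
printf 'hook mode   : %s\n' "$(enforcement_mode "$kver" "$lsms")"
printf 'init        : %s\n' "$init_state"
```

A host that reports "fentry" meets the minimum but will only get detect-and-kill behaviour; if "bpf" is missing from the LSM list on a kernel that is otherwise new enough, the BPF LSM has to be enabled at boot (it is a kernel configuration and boot-parameter matter, not something the sensor can change at runtime) before LSM-mode enforcement is possible.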

Operating Modes

Runtime Sensor can operate in two modes:

Standalone Mode

Local policy enforcement without centralized management:

  • Policies configured locally via configuration files
  • Logs stored locally or forwarded to external systems
  • Suitable for isolated environments or air-gapped deployments

Team Server Mode

Centralized management and policy distribution:

  • Policies managed centrally through Team Server web interface
  • Real-time telemetry and alert aggregation
  • Centralized logging and compliance reporting
  • Sensor token authentication for secure communication

Performance

Runtime Sensor is designed for minimal overhead:

  • CPU: Typically <2% CPU utilization under normal workloads
  • Memory: Base usage of ~100-200MB depending on policy complexity
  • Network: Minimal bandwidth for telemetry with configurable batching
  • Latency: Near-zero latency security enforcement via eBPF

Getting Started

Once you have the prerequisites in place, you can proceed with deploying Runtime Sensor:

  1. Choose your deployment method based on your infrastructure and distribution
  2. Install the sensor following the platform-specific guide
  3. Configure Team Server connection (optional) for centralized management
  4. Define security policies for your environment
  5. Monitor and tune based on your security requirements

Next Steps

Choose your platform-specific deployment guide:

For Kubernetes deployments, see: