集装箱的安全名称速度内核审核

尽管基于容器的云计算的广泛应用，但用于安全分析的容器审计主要依赖于内置主机审核系统，而内置主机审核系统往往缺乏捕获高保真容器日志的能力。最先进的参考监测审计技术大大提高了审计日志的质量，但其全系统架构成本太高，无法适应单个容器。此外，这些技术通常需要广泛的内核修改，因此很难在实际设置中部署。 在本文中，我们介绍了 SABPF（安全审计 BPF），这是 eBPF 框架的延伸，能够在容器粒度上部署安全系统级审计机制。我们通过设计审计框架、入侵检测系统和轻量级访问控制机制，展示了 saBPF 在库伯内特斯的实用性。我们评估 SABPF，并表明它在性能和安全保证方面与直接在核心中实施的文献审计系统具有可比性。

原文题目：Secure Namespaced Kernel Audit for Containers

原文：Despite the wide usage of container-based cloud computing, container auditing for security analysis relies mostly on built-in host audit systems, which often lack the ability to capture high-fidelity container logs. State-of-the-art reference-monitor-based audit techniques greatly improve the quality of audit logs, but their system-wide architecture is too costly to be adapted for individual containers. Moreover, these techniques typically require extensive kernel modifications, making them difficult to deploy in practical settings. In this paper, we present saBPF (secure audit BPF), an extension of the eBPF framework capable of deploying secure system-level audit mechanisms at the container granularity. We demonstrate the practicality of saBPF in Kubernetes by designing an audit framework, an intrusion detection system, and a lightweight access control mechanism. We evaluate saBPF and show that it is comparable in performance and security guarantees to audit systems from the literature that are implemented directly in the kernel.