Compliance Monitoring

elf-owl — Minimal Kubernetes Compliance Observer

Read-only, push-only compliance agent with eBPF runtime security monitoring for CIS Kubernetes v1.8 detection. Kernel-native visibility, zero enforcement, signed and encrypted evidence.

Product Overview

What is elf-owl?

elf-owl is a minimal compliance observer that detects CIS Kubernetes v1.8 violations using cilium/ebpf kernel monitoring. The agent runs as a read-only DaemonSet with zero enforcement capability, collecting and pushing signed, encrypted evidence to the Owl SaaS platform in a secure, one-way outbound architecture.

Why it matters

  • Kernel-native visibility at scale. cilium/ebpf monitors process exec, network connections, DNS queries, file operations, and Linux capabilities directly from the kernel, capturing activity no API-only observer can see.
  • CIS Kubernetes compliance automation. 48 automated control mappings detect violations across processes, containers, networking, and RBAC—9 additional manual references guide remediation for policy-heavy controls.
  • Safe by design: read-only + push-only. Zero enforcement, no inbound command channels, no cluster modifications. Perfect for regulated industries requiring immutable audit trails and minimal blast radius.
  • Evidence integrity and confidentiality. HMAC-SHA256 signing and AES-256-GCM encryption protect evidence in transit. Batched, compressed, and delivered over TLS 1.3+ to Owl SaaS with automatic retry logic.

Capabilities

Cloud-native compliance monitoring without the overhead.

eBPF Runtime Security Monitoring

Process exec events, network connections (TCP/UDP, IPv4/IPv6), DNS queries, file operations, and Linux capability checks all instrumented with kernel-level precision and attributed to syscalls.

CIS Kubernetes Compliance Detection

48 automated control mappings detect privileged containers, root execution, capability abuse, and network policy violations. 9 manual references flag policy-heavy controls for auditor review.

Kubernetes Integration

In-cluster metadata enrichment with pod namespaces, labels, service accounts, and node info. Container ID to pod mapping, NetworkPolicy evaluation, and RBAC context scoring all built-in.

Evidence Protection Pipeline

HMAC-SHA256 signing for integrity, AES-256-GCM encryption for confidentiality, gzip batching for efficiency, and automatic retry logic with exponential backoff ensure evidence security.

Observability & Health

Health endpoint exposing uptime, event counts, and monitor status. Prometheus metrics track violations, push success/failure, and latency. Structured logging for troubleshooting and audit trails.

Cloud-Native Deployment

Kubernetes DaemonSet with Helm charts and Kustomize overlays. Read-only RBAC, minimal permissions, and zero enforcement capability ensure safe, auditable rollouts.

Problems elf-owl Solves

Compliance audit burden

Automated detection of 48 CIS controls eliminates manual reviewer overhead. Signed, encrypted evidence provides immutable audit trails for SOC 2, ISO 27001, and PCI-DSS assessments.

  • Example: A fintech firm reduces audit response time from 2 weeks to 2 hours with automated violation reports and evidence logs.

Runtime drift detection

eBPF detects process anomalies, capability abuse, and file access patterns that configuration management can't catch. Flags deviations from policy intent with pod-level precision.

  • Example: A healthcare provider catches an app container attempting to execute setuid binaries and logs evidence for immediate investigation.

Evidence chain of custody

Read-only agent with push-only architecture eliminates concerns about evidence tampering. Cryptographic signing ensures auditors trust the integrity of collected data.

  • Example: A regulated environment passes unannounced audits by proving through signed logs that no compliance controls were ever disabled or bypassed.

Architecture

Simple, safe, scalable monitoring pipeline

elf-owl follows a single-direction data flow: kernel events → enrichment → rule engine → evidence protection → Owl SaaS push. No inbound commands, no cluster modifications, no enforcement hooks. Pure observability with cryptographic guarantees.

elf-owl Data Flow

Kernel Events → Enrichment → Rules → Evidence → Owl SaaS (TLS, one-way)

Stages of the architecture figure (text rendering; the figure itself is not reproduced here):
  • Kernel Events: cilium/ebpf process, network, DNS, file and capability events
  • Enrichment: container ID to Kubernetes metadata (pod, node, RBAC)
  • Rule Engine: CIS control matching and evaluation
  • Evidence: sign (HMAC), encrypt (AES), buffer and batch
  • Owl SaaS (TLS 1.3+): push API, one-way; read-only, no inbound commands, no enforcement, no cluster modification

Design Invariants

  • READ-ONLY: Zero enforcement capability, pure observation only
  • PUSH-ONLY: Outbound TLS only, no inbound command channels
  • SAFE FOR ANY ENVIRONMENT: Cannot modify cluster state, policies, or configurations
  • CRYPTOGRAPHICALLY SIGNED: HMAC-SHA256 proves evidence integrity
  • ENCRYPTED IN TRANSIT: AES-256-GCM with TLS 1.3+ for confidentiality

Quick Start

Deploy in minutes with Helm or Kustomize

Helm Installation

helm install elf-owl ./deploy/helm \
  --namespace elf-owl-system \
  --create-namespace \
  --set clusterID=prod-us-east-1 \
  --set owlAPIEndpoint=https://owl-saas.example.com

Kustomize Installation

kubectl apply -k deploy/kustomize/overlays/production/

Environment Variables

OWL_CLUSTER_ID              # Cluster identifier
OWL_NODE_NAME               # Node name (auto-populated)
OWL_API_ENDPOINT            # Owl SaaS endpoint URL
OWL_JWT_TOKEN               # JWT token for authentication
OWL_LOG_LEVEL               # Log level (debug, info, warn, error)
OWL_EBPF_PROCESS_ENABLED    # Enable process monitoring (default: true)
OWL_EBPF_NETWORK_ENABLED    # Enable network monitoring (default: true)

API Reference

Health checks and observability endpoints

Health Check (GET /health)

Returns agent status, event counts, and monitor states:

{
  "agent_version": "0.1.0",
  "uptime": "1h23m45s",
  "status": "healthy",
  "events_processed": 1523,
  "violations_found": 42,
  "monitors": {
    "process": true,
    "network": true,
    "dns": true,
    "file": true,
    "capability": true
  }
}

Prometheus Metrics (GET /metrics)

Standard Prometheus format metrics for integration with monitoring stacks:

  • elf_owl_events_processed_total — Total events processed by the agent
  • elf_owl_violations_found_total — Total CIS violations detected
  • elf_owl_push_success_total — Successful push operations to Owl SaaS
  • elf_owl_push_failure_total — Failed push operations (with retry)
  • elf_owl_push_latency_seconds — Push operation latency histogram

CIS Kubernetes Compliance

48 automated controls + 9 manual references

elf-owl maps its detections to the CIS Kubernetes v1.8 Benchmark. Automated controls are evaluated from eBPF events and Kubernetes API queries; manual controls are flagged for auditor review.

Automated Controls

Detect privileged containers, root execution, Linux capability abuse, root filesystem writes, default ServiceAccount usage, and NetworkPolicy violations through eBPF and K8s metadata.

  • CIS 4.5.1: Privileged container detection
  • CIS 4.5.2: Root user execution detection
  • CIS 4.5.3: Linux capability usage
  • CIS 4.1.1: Default ServiceAccount detection
  • CIS 4.6.1: Default deny NetworkPolicy

Manual Controls

API server, kubelet, and etcd configuration controls that require node-level access and human auditor review. elf-owl flags these for manual remediation steps.

  • CIS 1.1–1.5: API server configuration
  • CIS 4.2: Kubelet configuration
  • + 7 policy-driven controls requiring auditor assessment

See config/rules/cis-controls.yaml and docs/remediation.md for complete control mappings and remediation guidance.