elf-owl runs as a read-only DaemonSet, collecting 46 automated CIS Kubernetes v1.8 controls via eBPF and the K8s API, then pushing signed and encrypted evidence to the Owl API. Here is how regulated teams use it.
cis_4.5.1 · privileged=true · aes-256-gcm · hmac-sha256
Read-only by design. Evidence for auditors without touching workload traffic.
Hospitals deploy elf-owl as a read-only DaemonSet to continuously detect privileged containers, root execution, and capability abuse in pods handling patient data — generating signed, encrypted evidence for auditors without touching workload traffic.
elf-owl flags CIS 4.5.1 violations in the EHR namespace. The AES-256-GCM encrypted evidence batch is pushed to the Owl API for the next compliance review cycle.
Payment processors use elf-owl's eBPF capability monitor to detect unauthorized Linux capability usage around card-processing pods. The K8s informer stream flags NetworkPolicy gaps, producing immutable CIS evidence for QSA reviews.
HMAC-signed evidence batches as point-in-time proof for auditor sampling windows.
Fintechs targeting SOC 2 Type II run elf-owl across production clusters to generate a continuous, tamper-evident record of CIS control status. HMAC-signed evidence batches serve as point-in-time proof for auditor sampling windows.
Security teams use elf-owl's RBAC-enriched events to detect default ServiceAccount usage and overly permissive role bindings. CIS controls 4.1.1 through 4.1.8 fire automatically, producing violations with full K8s metadata context.
Tenant-scoped evidence, hot-reloadable rules, zero pod restarts.
Platform teams enable kubernetes_only: true to discard host-level events and focus evidence collection exclusively on pod workloads — reducing noise in shared-node environments and keeping the audit trail scoped to tenant namespaces.
Security engineers update CIS rule mappings via ConfigMap or file. elf-owl polls every 30s, hashes the ruleset, and hot-swaps the rule engine only when the digest changes, so an unchanged file is never re-parsed. Prometheus metrics track rule match errors in real time.