Read-only, push-only compliance agent with eBPF runtime security monitoring for CIS Kubernetes v1.8 detection. Kernel-native visibility, zero enforcement, signed and encrypted evidence.
elf-owl is a minimal compliance observer that detects CIS Kubernetes v1.8 violations using cilium/ebpf kernel monitoring. The agent runs as a read-only DaemonSet with zero enforcement capability, collecting and pushing signed, encrypted evidence to the Owl SaaS platform in a secure, one-way outbound architecture.
Monitors process exec, network connections, DNS queries, file ops, and Linux capabilities directly from the kernel.
46 automated control mappings detect violations across processes, containers, networking, and RBAC.
Read-only + push-only. Zero enforcement, no inbound command channels. Perfect for regulated industries.
Single-direction data flow. No inbound commands. No cluster modifications. No enforcement hooks. Pure observability with cryptographic guarantees.
Pipeline: eBPF monitors (process, network, DNS, file, capability) → metadata enrichment (container ID, pod, node, RBAC context) → rule matching and evaluation → evidence packaging (HMAC + AES, buffer and batch) → one-way, outbound-only push.
Cloud-native compliance monitoring that installs in minutes and stays out of the way.
Process exec, network connections, DNS queries, file operations, and Linux capability checks — all instrumented with kernel-level precision.
46 automated control mappings detect privileged containers, root execution, and network policy violations. 9 manual references flag policy-heavy controls.
In-cluster metadata enrichment with pod namespaces, labels, and node info. Container ID to pod mapping and RBAC context scoring built in.
HMAC-SHA256 signing for integrity, AES-256-GCM encryption for confidentiality, gzip batching, and automatic retry logic.
Health endpoint exposing uptime and monitor status. Prometheus metrics track violations and push latency. Structured logging for audit trails.
DaemonSet with Helm charts and Kustomize overlays. Read-only RBAC, minimal permissions and no enforcement hooks mean a rollout can only observe workloads, never change them.
Continuous, cryptographically attestable evidence with far less manual reviewer overhead.
Automated detection of 46 CIS controls. Signed, encrypted evidence provides tamper-evident audit trails for SOC 2, ISO 27001, and PCI-DSS assessments.
A fintech firm reduces audit response time from 2 weeks to 2 hours with automated violation reports and evidence logs.
eBPF detects process anomalies, capability abuse, and file access patterns. Flags deviations from policy intent with pod-level precision.
A healthcare provider catches an app container attempting to execute setuid binaries and logs evidence for immediate investigation.
HMAC-SHA256 signing lets anyone holding the verification key confirm that collected evidence was not altered between the node and the auditor.
A regulated environment passes unannounced audits by handing the auditor a continuous, signed evidence log that can be verified for integrity rather than taken on trust.
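The evidence pipeline described above (HMAC-SHA256 for integrity, AES-256-GCM for confidentiality, gzip batching) and the auditor-side verification it enables, as an added Go example that is not elf-owl's code. The Evidence and Envelope types, the nonce-prefix layout and the separate encryption and MAC keys are assumptions made for this example; the project's real wire format may differ.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"io"
)

// Evidence is one compliance event; constructed for this example, not elf-owl's schema.
type Evidence struct {
	ClusterID string `json:"cluster_id"`
	Rule      string `json:"rule"`
}

// Envelope: Payload = nonce || AES-256-GCM ciphertext of the gzip'd JSON batch; MAC = HMAC-SHA256(macKey, Payload).
type Envelope struct {
	Payload []byte
	MAC     []byte
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	if len(encKey) != 32 {
		return nil, errors.New("encKey must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Pack compresses, encrypts and MACs a batch on the agent side.
func Pack(batch []Evidence, encKey, macKey []byte) (Envelope, error) {
	raw, err := json.Marshal(batch)
	if err != nil {
		return Envelope{}, err
	}
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	zw.Write(raw)
	if err := zw.Close(); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return Envelope{}, err
	}
	// Fresh random nonce per envelope: a repeated GCM nonce under one key leaks plaintext and allows forgery.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	payload := gcm.Seal(nonce, nonce, gz.Bytes(), nil)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(payload)
	return Envelope{Payload: payload, MAC: mac.Sum(nil)}, nil
}

// Unpack is the receiver side: verify the MAC in constant time before touching the ciphertext.
func Unpack(env Envelope, encKey, macKey []byte) ([]Evidence, error) {
	mac := hmac.New(sha256.New, macKey)
	mac.Write(env.Payload)
	if !hmac.Equal(mac.Sum(nil), env.MAC) {
		return nil, errors.New("evidence rejected: HMAC mismatch (tampered or wrong key)")
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(env.Payload) < ns {
		return nil, errors.New("evidence rejected: payload shorter than a nonce")
	}
	plain, err := gcm.Open(nil, env.Payload[:ns], env.Payload[ns:], nil)
	if err != nil {
		return nil, errors.New("evidence rejected: GCM authentication failed")
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, err
	}
	raw, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	var batch []Evidence
	if err := json.Unmarshal(raw, &batch); err != nil {
		return nil, err
	}
	return batch, nil
}
```

Keeping the MAC key separate from the encryption key is the design choice that makes the auditor story work: the MAC key can be handed to a verifier who checks integrity without ever being able to decrypt the evidence. Note that an HMAC is symmetric, so whoever holds the MAC key can also produce valid tags; that is why the verifying party, not the audited workloads, must hold it.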
Ship as a read-only DaemonSet. No enforcement surface, no inbound channels — just evidence.
```shell
helm install elf-owl ./deploy/helm \
  --namespace elf-owl-system \
  --create-namespace \
  --set clusterID=prod-us-east-1 \
  --set owlAPIEndpoint=https://owl-saas.example.com
```

Or with Kustomize:

```shell
kubectl apply -k deploy/kustomize/overlays/production/
```
| Variable | Description |
|---|---|
| OWL_CLUSTER_ID | Cluster identifier |
| OWL_NODE_NAME | Node name (auto-populated) |
| OWL_API_ENDPOINT | Owl SaaS endpoint URL |
| OWL_JWT_TOKEN | JWT token for authentication |
| OWL_LOG_LEVEL | Log level (debug, info, warn, error) |
Standard endpoints for integration with your monitoring stack. Example health endpoint response:

```json
{
  "agent_version": "0.1.0",
  "uptime": "1h23m45s",
  "status": "healthy",
  "events_processed": 1523,
  "violations_found": 42,
  "monitors": {
    "process": true,
    "network": true,
    "dns": true,
    "file": true,
    "capability": true
  }
}
```
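A monitoring-stack check against that health response, as an added Go example that is not part of elf-owl. An agent can report "healthy" while one monitor is off, which is a silent detection gap rather than an outage, so the check fails on any required monitor that is false or missing. The struct field names follow the JSON above; the set of required monitors and the sample body are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Health mirrors the health endpoint response shown above.
type Health struct {
	AgentVersion    string          `json:"agent_version"`
	Uptime          string          `json:"uptime"`
	Status          string          `json:"status"`
	EventsProcessed int             `json:"events_processed"`
	ViolationsFound int             `json:"violations_found"`
	Monitors        map[string]bool `json:"monitors"`
}

// Every monitor the agent is expected to run; a key absent from the response counts as down.
var requiredMonitors = []string{"process", "network", "dns", "file", "capability"}

// sampleHealth is the response from the page, embedded here so the example runs offline.
const sampleHealth = `{
  "agent_version": "0.1.0",
  "uptime": "1h23m45s",
  "status": "healthy",
  "events_processed": 1523,
  "violations_found": 42,
  "monitors": {"process": true, "network": true, "dns": true, "file": true, "capability": true}
}`

// CheckHealth returns nil only when status is healthy and all required monitors
// report true; otherwise the error names what is wrong so an alert can carry it.
func CheckHealth(body []byte) error {
	var h Health
	if err := json.Unmarshal(body, &h); err != nil {
		return fmt.Errorf("health: cannot parse response: %w", err)
	}
	if h.Status != "healthy" {
		return fmt.Errorf("health: status is %q", h.Status)
	}
	var down []string
	for _, m := range requiredMonitors {
		if !h.Monitors[m] { // nil map or missing key both read as false
			down = append(down, m)
		}
	}
	if len(down) > 0 {
		return fmt.Errorf("health: monitors not active: %v", down)
	}
	return nil
}

func main() {
	fmt.Println("sample response:", CheckHealth([]byte(sampleHealth)))
}
```

Wire this into a readiness probe or a Prometheus blackbox-style check rather than alerting only on HTTP status, since the agent's own `status` field does not distinguish full coverage from partial coverage.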
elf-owl maps its detections to the CIS Kubernetes v1.8 Benchmark. Automated controls are evaluated from eBPF events and Kubernetes API queries; manual controls are flagged for auditor review.
Detect privileged containers, root execution, Linux capability abuse, root filesystem writes, default ServiceAccount usage, and NetworkPolicy violations through eBPF and K8s metadata.
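How an exec event from the kernel is joined with pod metadata and evaluated against those rules, as an added Go example that is not elf-owl's rule engine. The event and metadata structs, the pod index keyed by container ID and the rule names are assumptions made for this example; it deliberately does not assert CIS control numbers, which belong to the project's own control table in config/rules/cis-controls.yaml.

```go
package main

import "fmt"

// ExecEvent is a constructed process-exec event as a kernel-side monitor might report it.
type ExecEvent struct {
	ContainerID  string
	UID          uint32
	Binary       string
	CapEffective uint64 // effective capability bitmask of the new process
	Setuid       bool   // the binary carried the setuid bit
}

// PodMeta is the enrichment joined in by container ID from the Kubernetes API.
type PodMeta struct {
	Namespace, Pod, ServiceAccount string
	Privileged                     bool // securityContext.privileged on the container
	NamespaceHasNetPol             bool // at least one NetworkPolicy selects the namespace
}

type Violation struct {
	Rule, Namespace, Pod, Detail string
}

// CAP_SYS_ADMIN is Linux capability number 21.
const capSysAdmin = uint64(1) << 21

// Evaluate joins one event with pod metadata and returns every rule it violates.
func Evaluate(ev ExecEvent, index map[string]PodMeta) ([]Violation, error) {
	meta, ok := index[ev.ContainerID]
	if !ok {
		// An unmapped container must not be silently dropped: the gap itself is evidence.
		return nil, fmt.Errorf("container %s not found in pod index", ev.ContainerID)
	}
	add := func(vs []Violation, rule, detail string) []Violation {
		return append(vs, Violation{Rule: rule, Namespace: meta.Namespace, Pod: meta.Pod, Detail: detail})
	}
	var vs []Violation
	if meta.Privileged {
		vs = add(vs, "privileged-container", "securityContext.privileged=true")
	}
	if ev.UID == 0 {
		vs = add(vs, "root-execution", ev.Binary+" executed as uid 0")
	}
	if ev.CapEffective&capSysAdmin != 0 {
		vs = add(vs, "cap-sys-admin", ev.Binary+" holds CAP_SYS_ADMIN")
	}
	if ev.Setuid {
		vs = add(vs, "setuid-exec", ev.Binary+" is a setuid binary")
	}
	if meta.ServiceAccount == "default" {
		vs = add(vs, "default-serviceaccount", "pod runs under the default ServiceAccount")
	}
	if !meta.NamespaceHasNetPol {
		vs = add(vs, "no-networkpolicy", "namespace has no NetworkPolicy")
	}
	return vs, nil
}

// RuleNames flattens violations to their rule names for reporting.
func RuleNames(vs []Violation) []string {
	out := make([]string, 0, len(vs))
	for _, v := range vs {
		out = append(out, v.Rule)
	}
	return out
}

func main() {
	index := map[string]PodMeta{ // constructed enrichment data
		"c1": {Namespace: "payments", Pod: "api-0", ServiceAccount: "default", Privileged: true},
		"c2": {Namespace: "web", Pod: "front-0", ServiceAccount: "front", NamespaceHasNetPol: true},
	}
	events := []ExecEvent{ // constructed kernel events
		{ContainerID: "c1", UID: 0, Binary: "/bin/sh", CapEffective: capSysAdmin},
		{ContainerID: "c2", UID: 1000, Binary: "/usr/bin/passwd", Setuid: true},
		{ContainerID: "c9", UID: 0, Binary: "/bin/id"},
	}
	for _, ev := range events {
		vs, err := Evaluate(ev, index)
		fmt.Println(ev.ContainerID, RuleNames(vs), err)
	}
}
```

The second event is the healthcare scenario from above: a non-root process in an otherwise compliant pod executing a setuid binary produces exactly one violation, attributed to the pod rather than just the node. The third shows why the enrichment step has to fail loudly: an event for a container the index does not know about cannot be scored, and dropping it would hide exactly the workloads most likely to be interesting.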
API server, kubelet, and etcd configuration controls that require node-level access and human auditor review. elf-owl flags these for manual remediation.
See config/rules/cis-controls.yaml and docs/remediation.md for complete mappings.