gvisor.dev/gvisor@v0.0.0-20240520182842-f9d4d51c7e0f/g3doc/user_guide/runtime_monitoring.md

# Runtime Monitoring

The **Runtime Monitoring** feature provides an interface to observe the runtime
behavior of applications running inside gVisor. Although it can be used for many
purposes, it was built with a primary focus on threat detection.

**NOTE**: Runtime monitoring is about the ability to understand the behavior of
sandboxed workloads. This differs from
[observability of gVisor itself](observability.md).

Out of the box, gVisor can stream application actions (called trace points) to
an external process, which validates the actions and alerts when abnormal
behavior is detected. Trace points are available for all syscalls and for other
important events in the system, e.g. container start, and more trace points can
be added easily as needed. The trace points are sent to a process running
alongside the sandbox. That process is kept isolated from the sandbox so that a
compromised workload cannot tamper with its own monitoring, and a single
monitoring process can be shared by many sandboxes.
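As an added example, not gVisor's own code and not taken from the linked documents, the following Python script sketches both halves of this arrangement: the trace session configuration handed to `runsc`, and a monitoring process that listens on the sink's Unix socket, checks the version handshake, and decodes each trace point's header and protobuf fields without compiled `.proto` definitions. The socket path, the point and context-field names, and the wire-format details (a `SOCK_SEQPACKET` socket; an 8-byte header of header size, message type and dropped count followed by a protobuf payload; a `Handshake{version}` message exchanged on connect) are assumptions taken from the seccheck and remote-sink READMEs linked below, not facts this page states; confirm them against the gVisor version you run (e.g. with `runsc trace metadata`) before relying on this for detection.

```python
# Added example, not gVisor's own code: a minimal monitoring process for the
# "remote" sink. Wire details (SOCK_SEQPACKET socket, 8-byte header then protobuf
# payload, Handshake{version} on connect) are assumptions; verify per version.
import os
import socket
import struct
import threading

HEADER = struct.Struct("<HHI")           # header_size, message_type, dropped_count
WIRE_VERSION = 1                         # assumed current protocol version
SOCKET_PATH = "/tmp/gvisor_events.sock"  # assumed; must match the sink "endpoint"


def trace_session_config(endpoint=SOCKET_PATH):  # for runsc trace create --config
    return {"trace_session": {
        "name": "Default",
        "points": [
            {"name": "container/start", "context_fields": ["time", "container_id"]},
            {"name": "syscall/openat/enter",
             "context_fields": ["time", "container_id", "credentials", "cwd"]},
        ],
        "sinks": [{"name": "remote", "config": {"endpoint": endpoint}}],
    }}


def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized varint")
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def scan_fields(payload):
    """Generic protobuf scan (no compiled .proto): [(field, wire_type, raw_value)]."""
    fields, pos = [], 0
    while pos < len(payload):
        tag, pos = read_varint(payload, pos)
        num, wtype = tag >> 3, tag & 7
        if wtype == 0:                       # varint: ints, bools, enums
            val, pos = read_varint(payload, pos)
        elif wtype == 2:                     # length-delimited: string/bytes/message
            n, pos = read_varint(payload, pos)
            val, pos = payload[pos:pos + n], pos + n
            if len(val) != n:
                raise ValueError("truncated length-delimited field")
        elif wtype in (1, 5):                # fixed64 / fixed32
            fmt = "<Q" if wtype == 1 else "<I"
            val, pos = struct.unpack_from(fmt, payload, pos)[0], pos + struct.calcsize(fmt)
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((num, wtype, val))
    return fields


def parse_packet(data):
    """One SEQPACKET message -> (message_type, dropped_count, payload); skips unknown header bytes."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than header")
    header_size, msg_type, dropped = HEADER.unpack_from(data)
    if header_size < HEADER.size or header_size > len(data):
        raise ValueError(f"invalid header_size {header_size}")
    return msg_type, dropped, data[header_size:]


def handle_connection(conn):
    with conn:
        if (1, 0, WIRE_VERSION) not in scan_fields(conn.recv(4096)):  # Handshake{version}
            return                           # refuse unknown protocol versions
        conn.send(b"\x08\x01")               # reply Handshake{version: 1}: field 1, varint 1
        while True:
            pkt = conn.recv(1 << 20)
            if not pkt:
                return
            msg_type, dropped, payload = parse_packet(pkt)
            if dropped:                      # lost events are a detection gap
                print(f"WARNING: sandbox dropped {dropped} trace points")
            print(f"type={msg_type} fields={scan_fields(payload)[:4]}")


def serve(path=SOCKET_PATH):
    """Accept sandboxes, one thread each, so many sandboxes can share this process."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_SEQPACKET)
    srv.bind(path)
    srv.listen(16)
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle_connection, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Start the script before the sandbox so the socket exists when `runsc` connects, write `trace_session_config()` out as JSON and pass that file to `runsc trace create --config=...` (or `--pod-init-config`) as the seccheck README describes. The `dropped_count` check is the part worth keeping in any real sink: a non-zero value means the sandbox discarded events because the monitor fell behind, which is exactly the blind spot an attacker would exploit, so treat it as an alert rather than a log line.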

You can use the following links to learn more:

*   [Overview](https://github.com/google/gvisor/blob/master/pkg/sentry/seccheck/README.md)
*   [How to implement a monitoring process](https://github.com/google/gvisor/blob/master/pkg/sentry/seccheck/sinks/remote/README.md)
*   [Design document](https://docs.google.com/document/d/1RQQKzeFpO-zOoBHZLA-tr5Ed_bvAOLDqgGgKhqUff2A)
*   [Configuring Falco with gVisor](https://gvisor.dev/docs/tutorials/falco/)
*   [Tracereplay tool for testing](https://github.com/google/gvisor/blob/master/tools/tracereplay/README.md)