Bringing Kernel-Deep Diagnostics to Linux: ET Ducky on eBPF
ET Ducky's Windows agent uses ETW for kernel-level event tracing. The Linux agent uses eBPF for the equivalent capability. The agents share a common downstream pipeline; OS-specific behavior is handled by the cloud-side query and analysis layers.
eBPF as the Linux equivalent of ETW
The Windows kernel exposes hundreds of ETW providers. A subscription to the kernel-process provider returns each NtCreateProcess with the parent PID, image path, command line, and a microsecond timestamp. A subscription to disk I/O returns each IRP_MJ_READ with the file path and latency.
Linux does not expose ETW providers, but the Linux kernel provides tracepoints, kprobes, and uprobes. eBPF programs attach to these and execute in a verified, sandboxed virtual machine inside the kernel. The data extracted has the same structure: process exec with parent PID and command line, file open with path, network connect with destination address and port. The verifier enforces termination, prevents kernel crashes, and restricts memory access to permitted regions.
ET Ducky's Linux agent compiles a small set of eBPF programs (under 600 lines of C) attached to four tracepoints:
sched_process_execandsched_process_exitfor process lifecyclesys_enter_openatandsys_enter_closefor file eventssys_enter_connectfor outbound network connectionssys_exit_accept4for inbound accepts
CO-RE and BTFHub
eBPF programs are sensitive to kernel data structure changes between versions. A program built against one kernel's type definitions reads incorrect data when run against another. Compiling per-host is the historical workaround.
CO-RE (compile once, run everywhere) addresses this. The agent's eBPF programs are built against generic field accessors. At load time, the kernel's BTF (BPF Type Format) data is consulted to relocate each field reference to the correct offset for the running kernel. The same agent binary works on any kernel that exposes /sys/kernel/btf/vmlinux.
Older kernels (RHEL 7, Ubuntu 16.04 LTS, certain locked-down kernel builds) do not ship BTF. For those, the agent falls back to BTFHub, a community-maintained collection of BTF data for kernels without native BTF. The agent ships a subset of BTFHub data alongside the binary and uses it when the local kernel does not expose its own BTF.
When both options are unavailable, the agent runs in a degraded mode. Health metrics, hardware health, and the live-session AI flow continue to function. Only the kernel-event capture is unavailable.
Shared event pipeline
The eBPF programs emit a packed binary structure into a per-CPU ring buffer. Agent code reads from the buffer, normalizes each event into the same SystemEvent shape used by the Windows agent, and feeds it into the same downstream pipeline: the recent-events cache, the inflection bracketing path, the behavioral rule engine, and the live-session prompt builder.
A cross-fleet query for top memory consumers returns rows from both Windows and Linux hosts. A behavioral rule definition that detects a shell spawning a downloader executes on either OS without modification. Columns that are OS-specific (BitLocker for Windows, ClamAV for Linux) are filtered by the smart-report query planner.
Unprivileged agent and resource limits
The Linux agent runs as the unprivileged etducky user under a hardened systemd unit. It does not hold CAP_SYS_ADMIN. The capabilities held are CAP_BPF, CAP_PERFMON, and the subset required by operator-elevated commands.
The systemd unit applies cgroup limits of 512 MB memory, 50% CPU, and 256 tasks. The eBPF capture path is rate-limited per-process inside the kernel programs.
Linux agent capability list (May 2026)
- Health metrics: CPU, memory, disk I/O, network, per-NIC breakdown, system info, distribution and kernel identity. Shared DTOs with the Windows agent.
- Hardware health: thermal zones, battery state, optional SMART via
smartctl(opt-in at install). - Optional heartbeat sub-objects: top-N processes, disk space per mount, active user sessions (via
who), security posture (firewall state via ufw/firewalld/nft, SecureBoot via efivars, ClamAV state). - Inflection detection: cross-platform rule comparing consecutive heartbeat snapshots and emitting inflection records for CPU spikes, memory drops, disk-queue saturation. Shared detector class with the Windows agent.
- eBPF kernel-event capture: process lifecycle, file open/close, network connect, network accept. Rate-limited per-process.
- Live-session AI flow: shell exec, file push and pull, command output streaming. The agent runs unprivileged; privileged commands route through the operator-elevation flow.
- Remote desktop: Wayland portal capture via xdg-desktop-portal and PipeWire, with x11vnc as an X11 fallback. Browser-side WebCodecs decoding when available.
- Behavioral security rule engine: cross-platform rules subscribing to the eBPF event stream.
- Smart Reports: natural-language queries that read the Linux-specific JSON columns (
ProcessesJson,DiskSpaceJson,UserSessionsJson,SecurityPostureJson).
Capabilities not currently available on the Linux agent: fine-grained user-mode provider taps equivalent to the Windows agent's user-mode ETW providers, and automatic network isolation on encryption-sweep detection. The cross-platform behavioral rule engine provides earlier-stage detection on Linux.
ET Ducky
Documentation and pricing are available on this site. The Linux agent and the Windows agent share the same management surface.
View Pricing