Back to Blog

Bringing Kernel-Deep Diagnostics to Linux: ET Ducky on eBPF

Christopher 7 min read
linuxebpfdiagnosticskernel

ET Ducky's Windows agent uses ETW for kernel-level event tracing. The Linux agent uses eBPF for the equivalent capability. The agents share a common downstream pipeline; OS-specific behavior is handled by the cloud-side query and analysis layers.

eBPF as the Linux equivalent of ETW

The Windows kernel exposes hundreds of ETW providers. A subscription to the kernel-process provider returns each NtCreateProcess with the parent PID, image path, command line, and a microsecond timestamp. A subscription to disk I/O returns each IRP_MJ_READ with the file path and latency.

Linux does not expose ETW providers, but the Linux kernel provides tracepoints, kprobes, and uprobes. eBPF programs attach to these and execute in a verified, sandboxed virtual machine inside the kernel. The data extracted has the same structure: process exec with parent PID and command line, file open with path, network connect with destination address and port. The verifier enforces termination, prevents kernel crashes, and restricts memory access to permitted regions.

ET Ducky's Linux agent compiles a small set of eBPF programs (under 600 lines of C) attached to four tracepoints:

CO-RE and BTFHub

eBPF programs are sensitive to kernel data structure changes between versions. A program built against one kernel's type definitions reads incorrect data when run against another. Compiling per-host is the historical workaround.

CO-RE (compile once, run everywhere) addresses this. The agent's eBPF programs are built against generic field accessors. At load time, the kernel's BTF (BPF Type Format) data is consulted to relocate each field reference to the correct offset for the running kernel. The same agent binary works on any kernel that exposes /sys/kernel/btf/vmlinux.

Older kernels (RHEL 7, Ubuntu 16.04 LTS, certain locked-down kernel builds) do not ship BTF. For those, the agent falls back to BTFHub, a community-maintained collection of BTF data for kernels without native BTF. The agent ships a subset of BTFHub data alongside the binary and uses it when the local kernel does not expose its own BTF.

When both options are unavailable, the agent runs in a degraded mode. Health metrics, hardware health, and the live-session AI flow continue to function. Only the kernel-event capture is unavailable.

Shared event pipeline

The eBPF programs emit a packed binary structure into a per-CPU ring buffer. Agent code reads from the buffer, normalizes each event into the same SystemEvent shape used by the Windows agent, and feeds it into the same downstream pipeline: the recent-events cache, the inflection bracketing path, the behavioral rule engine, and the live-session prompt builder.

A cross-fleet query for top memory consumers returns rows from both Windows and Linux hosts. A behavioral rule definition that detects a shell spawning a downloader executes on either OS without modification. Columns that are OS-specific (BitLocker for Windows, ClamAV for Linux) are filtered by the smart-report query planner.

Unprivileged agent and resource limits

The Linux agent runs as the unprivileged etducky user under a hardened systemd unit. It does not hold CAP_SYS_ADMIN. The capabilities held are CAP_BPF, CAP_PERFMON, and the subset required by operator-elevated commands.

The systemd unit applies cgroup limits of 512 MB memory, 50% CPU, and 256 tasks. The eBPF capture path is rate-limited per-process inside the kernel programs.

Linux agent capability list (May 2026)

Capabilities not currently available on the Linux agent: fine-grained user-mode provider taps equivalent to the Windows agent's user-mode ETW providers, and automatic network isolation on encryption-sweep detection. The cross-platform behavioral rule engine provides earlier-stage detection on Linux.

ET Ducky

Documentation and pricing are available on this site. The Linux agent and the Windows agent share the same management surface.

View Pricing