This article explains the evolution of Linux kernel tracepoints, the design of the TRACE_EVENT() macro, its six parameters, and how to define, compile, and use tracepoints such as sched_switch for efficient, low‑overhead kernel tracing across various tracers.
The article analyzes how attackers can abuse eBPF to steal data, elevate privileges, execute commands, and hide processes, then presents concrete eBPF code for such attacks and outlines practical protection, detection, and auditing techniques—including file analysis, bpftool usage, and kernel tracing—to mitigate these threats.
The article explains how to use eBPF tracepoints to monitor and record changes in Linux process capabilities, detailing the kernel data structures, BPF program logic, and user‑space handling needed to debug real‑world capability issues such as tcpdump failures and systemd service launches.
