Skip to content

v0.47

Choose a tag to compare

@github-actions github-actions released this 18 Jun 11:29

cert-analyzer v0.47

This release adds optional support for pulling certificates out of TLS sockets in response to a security_socket_bind kprobe (off by default).

The screenshot below is a dashboard capture with the port_probe configuration option enabled whilst running the port probe test. There are 2 entries that correspond to the code in that test:

NB. If you have set the checksum_enabled configuration option then the certificate count will accurately reflect the number of unique certificates.

dashboard_secure_socket_bind

Container Images

Pull from GHCR:

ghcr.io/bensanmorris/cert-analyzer:v0.47-ubi8
ghcr.io/bensanmorris/cert-analyzer:v0.47-ubi9
ghcr.io/bensanmorris/cert-test-generator:v0.47

Or load from the attached tar files:

docker load < cert-analyzer-ubi8-v0.47.tar.gz
docker load < cert-analyzer-ubi9-v0.47.tar.gz
docker load < cert-test-generator-v0.47.tar.gz

RPM Packages

RPMs for RHEL 8 (.el8) and RHEL 9 (.el9) are attached below.

cert-analyzer (Tetragon event consumer):

sudo dnf install ./cert-analyzer-<version>.el8.x86_64.rpm   # RHEL 8
sudo dnf install ./cert-analyzer-<version>.el9.x86_64.rpm   # RHEL 9

Java agent (JVM certificate interception — install on hosts running JVMs):

# Install the JNI stub and agent JAR
sudo dnf install ./cert-agent-jni-<version>.el9.x86_64.rpm
# Install the deployer daemon (attaches the agent to running JVMs)
sudo dnf install ./cert-agent-deployer-<version>.el9.x86_64.rpm
sudo systemctl enable --now cert-agent-deployer

Tetragon Policies (tar.gz)

Policies are shipped separately so they can be updated independently of the agent. tetragon-policies-v0.47.tar.gz is attached below.

tar -xzf tetragon-policies-v0.47.tar.gz

# Detects your RHEL version, loads all appropriate policies, and persists
# them to /etc/tetragon/tetragon.tp.d/ so they survive Tetragon restarts:
sudo bash tetragon-policies/apply-policies.sh

Probe Tests

probe-tests-v0.47.tar.gz — attached below. Native binaries (built on RHEL 9 / UBI 9) for manually exercising Tetragon uprobe hooks. Run with Tetragon active to confirm cert_analyzer.py receives the expected events:

tar -xzf probe-tests-v0.47.tar.gz
./test_openssl3_cert_load /path/to/cert.pem

Tetragon Version

Built against Tetragon v1.7.0.