v0.47
cert-analyzer v0.47
This release adds optional support for pulling certificates out of TLS sockets in response to a security_socket_bind kprobe (off by default).
The screenshot below is a dashboard capture with the port_probe configuration option enabled whilst running the port probe test. There are 2 entries that correspond to the code in that test:
- The 2nd entry in the screenshot is a kernel level intercept of the test loading a certificate
- The 1st entry in the screenshot is a kernel level intercept of the test binding a security socket
NB. If you have set the checksum_enabled configuration option then the certificate count will accurately reflect the number of unique certificates.
Container Images
Pull from GHCR:
ghcr.io/bensanmorris/cert-analyzer:v0.47-ubi8
ghcr.io/bensanmorris/cert-analyzer:v0.47-ubi9
ghcr.io/bensanmorris/cert-test-generator:v0.47
Or load from the attached tar files:
docker load < cert-analyzer-ubi8-v0.47.tar.gz
docker load < cert-analyzer-ubi9-v0.47.tar.gz
docker load < cert-test-generator-v0.47.tar.gzRPM Packages
RPMs for RHEL 8 (.el8) and RHEL 9 (.el9) are attached below.
cert-analyzer (Tetragon event consumer):
sudo dnf install ./cert-analyzer-<version>.el8.x86_64.rpm # RHEL 8
sudo dnf install ./cert-analyzer-<version>.el9.x86_64.rpm # RHEL 9Java agent (JVM certificate interception — install on hosts running JVMs):
# Install the JNI stub and agent JAR
sudo dnf install ./cert-agent-jni-<version>.el9.x86_64.rpm
# Install the deployer daemon (attaches the agent to running JVMs)
sudo dnf install ./cert-agent-deployer-<version>.el9.x86_64.rpm
sudo systemctl enable --now cert-agent-deployerTetragon Policies (tar.gz)
Policies are shipped separately so they can be updated independently of the agent. tetragon-policies-v0.47.tar.gz is attached below.
tar -xzf tetragon-policies-v0.47.tar.gz
# Detects your RHEL version, loads all appropriate policies, and persists
# them to /etc/tetragon/tetragon.tp.d/ so they survive Tetragon restarts:
sudo bash tetragon-policies/apply-policies.shProbe Tests
probe-tests-v0.47.tar.gz — attached below. Native binaries (built on RHEL 9 / UBI 9) for manually exercising Tetragon uprobe hooks. Run with Tetragon active to confirm cert_analyzer.py receives the expected events:
tar -xzf probe-tests-v0.47.tar.gz
./test_openssl3_cert_load /path/to/cert.pemTetragon Version
Built against Tetragon v1.7.0.