owLSM vs Tetragon – Enforcement capabilities
Tetragon is a leading eBPF-based monitor with growing enforcement support. The owLSM maintainers have used it for years. this page is not meant to disparage Tetragon, but for showing how superior owLSM enforcement capabilities are.
Compared versions: owLSM v0.2.0 and Tetragon v1.6.1.
We cover enforcement only: what policies can block, which fields exist at the decision point (not full post-hoc event payloads) and what features do the prevention/enforcment policies offer.
Glossary
| Term | Meaning |
|---|---|
| Enforcement / Prevention | Block an action before it happens (inline event evaluation). |
| Visibility / monitoring | Observe what happened on the system (async events). |
| Enforcement policy / Rules | Yaml files that define what to block and what to allow. |
| Event | data about a specific operation that happened on the system. These come from the kernel and enriched in userspace before shown to the user. Event has data that wasn’t available at the time of the enforcement decision. |
What we compare
- Valuable features available in the enforcement policy.
- Data available to the enforcement policy and at the the enforcement point (when enforcement decisions are made).
- knowlege required to write an enforcement policy.
We do not score general observability or “nice” telemetry as we only focus on enforcement. Again, data that is available in the event, isn’t always available at the time of the enforcement decision.
Comparison table
Click on a row for details.
| Feature | owLSM v0.2.0 | Tetragon v1.6.1 |
|---|---|---|
| Simple string matchingExact, prefix, suffix | ✅ | ✅ |
| Substring matchingString contains | ✅ | ❌ |
| Regex matching | ✅ | ❌ |
| Fieldref matchingCompare two runtime fields | ✅ | ❌ |
| Mask matchingBitwise AND on numeric values | ❌ | ✅ |
| Basic conditionsLimited AND / OR | ✅ | ✅ |
| Complex conditionsAND, OR, NOT, parentheses, X of Y | ✅ | ❌ |
| Match full process command lineRules ability to match against full argv string | ✅ | ❌ |
| Match on shell commandRules ability to match against the shell command that triggered this operatrion | ✅ | ❌ |
| Stateful enforcementCorrelate data across hooks | ✅ | ❌ |
| Keyword matchingSearch a string across all event fields | ✅ | ❌ |
| Match original parent processAfter reparenting, still target the original parent | ✅ | ❌ |
| Rich process contextA lot of high-value process fields exposed to rules | ✅ | ⚠️ |
| Kill process as enforcement action | ✅ | ✅ |
| Kill parent process as enforcement action | ✅ | ❌ |
| Broad kernel attach surfaceAll LSM's, kprobes with ALLOW_ERROR_INJECTION, etc' | ❌ | ✅ |
| Kernel abstractionUsers need no kernel knowledge | ✅ | ❌ |
| Standard rules languageuse of a standard rules language | ✅ | ❌ |