Introduction: The Growing Challenge of Container Security on VPS

As organizations increasingly shift their workloads to cloud-native architectures, Virtual Private Servers (VPS) frequently host containerized applications using engines like Docker. While containers offer unparalleled agility and isolation, they share the host operating system's kernel. This shared architecture introduces significant security vectors, most notably privilege escalation. When an attacker compromises a container and escalates privileges to root, the entire host VPS and adjacent containers are placed at severe risk.

Traditional security monitoring tools often rely on heavy user-space agents or periodic log analysis, both of which introduce performance overhead and create blind spots that sophisticated attackers can easily bypass. To address these vulnerabilities, security engineers are turning to eBPF (Extended Berkeley Packet Filter) and specialized tools like Cilium Tetragon. This article examines how the combination of eBPF and Tetragon delivers real-time, kernel-level visibility to identify and thwart container privilege escalation on VPS infrastructure.

---

Understanding Docker Privilege Escalation Mechanisms

Before implementing a defense mechanism, it is crucial to understand how privilege escalation occurs within a Docker environment. Attackers typically exploit misconfigurations, software vulnerabilities, or architectural weaknesses to break out of container isolation. Common escalation pathways include:

Privileged Containers: Running a container with the --privileged flag disables standard isolation barriers, granting the container direct access to host devices and kernel capabilities.
Capabilities Misconfiguration: Assigning broad Linux capabilities such as CAP_SYS_ADMIN, CAP_SYS_PTRACE, or CAP_CHOWN gives processes inside the container permission to manipulate host resources or inject code into host processes.
Kernel Exploits: Exploiting unpatched vulnerabilities within the host kernel (e.g., Dirty COW, Dirty Pipe) allows an unprivileged container process to execute arbitrary code with kernel-level privileges.
Sensitive Volume Mounts: Mounting critical host directories like /var/run/docker.sock or /etc into a container allows malicious actors to manipulate the Docker daemon or alter host system files.

Security Warning: A single misconfigured container flag can compromise the integrity of an entire VPS, making proactive, real-time monitoring non-negotiable for production environments.

---

The Paradigm Shift: Monitoring at the Kernel Level with eBPF

Traditional detection systems usually monitor system activity from user space, utilizing utilities like auditd or log management agents. However, user-space tools possess distinct disadvantages in high-throughput container environments:

Performance Overhead: Context switching between user space and kernel space to process system logs can severely degrade system performance under heavy workloads.
Evasiveness: Advanced attackers who gain root privileges can temper with user-space daemons, clear audit logs, or kill monitoring processes, leaving security teams completely blind.
Lack of Context: Standard logs often lack the precise container context (namespaces, cgroups, container IDs) required to trace a malicious action back to a specific containerized process.

eBPF (Extended Berkeley Packet Filter) revolutionizes this landscape by allowing developers to run sandboxed programs directly within the Linux kernel without modifying the kernel source code or loading external modules. By attaching eBPF programs to kernel probes (kprobes), userspace probes (uprobes), and tracepoints, security tools achieve unparalleled, low-overhead visibility into every system call, process lifecycle event, and network packet.

---

Introducing Tetragon: Cloud-Native Security Enforcement

Built on top of eBPF, Tetragon is a specialized security observability and runtime enforcement tool developed by the Cilium community. Unlike general-purpose eBPF tools, Tetragon is optimized specifically for cloud-native ecosystems. It processes kernel events directly within the eBPF subsystem, filtering and aggregating data before it ever reaches user space.

Key capabilities of Tetragon include:

Process Lifecycle Tracking: Monitors binary executions, forks, and exits along with complete ancestry trees, allowing security teams to see exactly how a process was spawned.
File Integrity Monitoring (FIM): Tracks unauthorized access or modifications to critical system paths, configuration files, and sensitive binary files.
Network Observability: Associates network sockets, connections, and data transfers directly with the specific process and container responsible for the traffic.
Real-time Security Enforcement: Tetragon does not merely log events; it can be configured to dynamically block malicious operations or terminate offending processes at the kernel level before damage occurs.

---

Deploying Tetragon to Detect Privilege Escalation on a VPS

1. Prerequisites and Installation

To deploy Tetragon on a standard Linux VPS hosting Docker, ensure your kernel version is 5.4 or higher to fully support the necessary eBPF features. Tetragon can be deployed either as a standalone binary systemd service or via a Docker container with access to the host's BPF filesystem.

docker run --name tetragon --privileged --pid=host -v /sys/kernel/debug:/sys/kernel/debug -v /sys/fs/bpf:/sys/fs/bpf cilium/tetragon:latest

2. Configuring Security Profiles for Escalation Detection

Tetragon utilizes Custom Resource Definitions (CRDs) or YAML configuration files called TracingPolicies to define what events to track. To detect privilege escalation, we must monitor specific kernel functions associated with privilege changes, such as credential modifications (commit_creds) or binary executions via execve.

Below is a conceptual structure of a TracingPolicy designed to alert on anomalous namespace changes or unauthorized execution of specific binaries (like sudo or nsenter) from within a container namespace:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "detect-privilege-escalation"
spec:
  kprobes:
    - call: "sys_execve"
      syscall: true
      args:
        - index: 0
          type: "string"
      selectors:
        - matchArgs:
            - index: 0
              operator: "Prefix"
              values:
                - "/usr/bin/nsenter"
                - "/bin/su"
          matchActions:
            - action: Sigkill

This policy instructs the eBPF kernel program to monitor the sys_execve system call. If any process within a container attempts to execute nsenter (a common tool used to break out of namespaces), Tetragon immediately intercepts the call and can trigger a Sigkill action to terminate the process before it executes.

---

Analyzing Tetragon Security Alerts

When an escalation attempt occurs, Tetragon outputs highly structured JSON logs detailing the event context. A typical log event includes fields such as:

process.pod / process.container: The precise metadata identifying the source container.
process.binary: The binary that initiated the execution or system change.
process.cap: The Linux capabilities active during the event execution, indicating if the process had escalated rights.
parent.binary: The parent process path, allowing analysts to trace the lineage of a malicious script execution.

By forwarding these JSON payloads to a centralized SIEM (Security Information and Event Management) platform or an automated alerting pipeline, VPS administrators can instantly respond to container escape and escalation events, drastically reducing the Mean Time to Detection (MTTD).

---

Conclusion and Best Practices

Leveraging eBPF and Tetragon represents a modern milestone in securing VPS environments running Docker. By monitoring system behaviors directly inside the Linux kernel, security teams overcome the performance limitations and vulnerability blind spots inherent in traditional user-space solutions.

To build a robust defense-in-depth architecture, consider implementing these foundational best practices alongside Tetragon monitoring:

Adhere strictly to the Principle of Least Privilege; never run Docker containers with the --privileged flag in production.
Regularly patch and update the VPS host kernel to mitigate known zero-day escalation exploits.
Implement automated response playbooks within Tetragon to instantly isolate compromised containers upon detecting high-severity escalation metrics.

Securing VPS Infrastructures: Detecting Docker Container Privilege Escalation with eBPF and Tetragon