AI Agent Security Monitored at the Kernel — In-depth Analysis of eBPF-Based Runtime Governance Architecture
In early 2025, a fintech startup experienced an incident in which its AI agent was subjected to a prompt injection attack, resulting in its goal being hijacked and an external payment API being called repeatedly. No abnormal signals were recorded in the application layer logs, and the anomaly was only identified hours later, because no layer was monitoring what the agent was actually doing at runtime.
You can monitor and block all agent actions in real-time at the kernel level without modifying a single line of code. This is made possible by a runtime governance architecture based on eBPF (extended Berkeley Packet Filter) and OpenClaw. File access, network connections, process creation—all agent actions ultimately lead to kernel syscalls, and eBPF can pass all these events to the policy engine with only 1–3% CPU overhead.
This article is intended for backend and DevSecOps engineers who are deploying or planning to deploy AI agents in production. Assuming basic familiarity with Linux syscalls and container environments, we will explore architectural patterns with code, ranging from the workings of eBPF to OpenClaw policy configuration and hash chain audit log design.
Key Concepts
Why the Kernel Layer — Syscall Convergence Principle
Regardless of the framework the agent is implemented in or the language it is written in, the actual system behavior eventually converges to kernel syscalls.
| Agent Behavior | Kernel syscall |
|---|---|
| Read/Write File | openat(), read(), write() |
| External API Call | connect(), sendto() |
| Subprocess execution | execve(), clone() |
| Spawning another agent | fork(), execve() |
By intercepting these calls at the kernel layer, all behavior can be controlled without modifying the agent code. This is the fundamental premise of eBPF-based runtime governance.
Runtime Governance: A control layer that passes all tool calls, file accesses, network requests, and subprocess creation events to the policy engine to determine whether to allow or block them while the agent is running. It operates independently of model evaluation or prompt protection.
eBPF — A technology for instrumenting the kernel without rebooting
eBPF (extended Berkeley Packet Filter): A sandbox virtual machine that runs safely within the Linux kernel. It can observe and block syscalls, network packets, and process events without modifying kernel source or rebooting, and typically has less than 1% CPU overhead.
The reason eBPF programs can run safely in the kernel is due to the kernel built-in verifier. The verifier statically analyzes eBPF bytecode at load time to block infinite loops, out-of-bounds memory access, and unauthorized kernel function calls in advance. Thanks to this mechanism, eBPF programs run safely without kernel panics.
eBPF programs are attached to various hook points. The hooks primarily utilized in AI agent governance are as follows:
| Hook Type | Event Example | Usage |
|---|---|---|
| tracepoint/syscalls | sys_enter_openat, sys_enter_connect | File access, network connection tracking |
| kprobe/kretprobe | do_execve, tcp_connect | Process creation, TCP connection tracing |
| uprobes | SSL_read, SSL_write | LLM communication capture (see note below) |
| LSM hooks | bpf_lsm_file_open, bpf_lsm_socket_connect | Kernel-level access control decisions |
Note on uprobes and TLS traffic capture: Attaching uprobe at the entry point of the SSL_write/SSL_read functions in the SSL library (libssl) allows you to capture unencrypted plaintext data. This method reads memory that is already in a plaintext state at the moment the SSL function is called, rather than the kernel directly decrypting the TLS. Therefore, the attachment point of uprobe may vary depending on the library version or whether static linking is enabled.
BPF LSM (Linux Security Module) hooks have been supported since Linux 5.7 (May 2020). Since then, major platforms such as ARMO and AccuKnox have begun to actively utilize them for AI agent governance. If bpf_lsm_socket_connect returns 0, the connection is allowed, and if -EPERM is returned, it is blocked directly at the kernel level.
```c
// Environment: Linux 5.7+, libbpf 0.8+, kernel with BTF support required
// Example: blocking an agent's network connections with an eBPF LSM hook
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

// vmlinux.h carries no libc macros, so define the two constants used below
#ifndef AF_INET
#define AF_INET 2
#endif
#ifndef EPERM
#define EPERM 1
#endif

// BPF hash map holding the allowed destination IPs
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, __u32);   // IPv4 address (network byte order)
    __type(value, __u8);  // 1 = allowed
    __uint(max_entries, 256);
} allowed_ips SEC(".maps");

struct agent_policy {
    __u8 network_restricted;
};

struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, __u32);   // PID
    __type(value, struct agent_policy);
    __uint(max_entries, 1024);
} agent_policies SEC(".maps");

// Helper: is the destination on the allow list for this policy?
static __always_inline int is_allowed_destination(
    struct sockaddr *addr, struct agent_policy *policy)
{
    if (!policy->network_restricted) return 1;  // no restriction policy: pass
    if (addr->sa_family != AF_INET) return 0;   // IPv4-only example
    struct sockaddr_in *addr4 = (struct sockaddr_in *)addr;
    __u32 dst_ip = addr4->sin_addr.s_addr;
    // Look up the destination IP in the allow-list map
    return bpf_map_lookup_elem(&allowed_ips, &dst_ip) != NULL;
}

SEC("lsm/socket_connect")
int BPF_PROG(restrict_agent_connect, struct socket *sock,
             struct sockaddr *address, int addrlen)
{
    __u32 pid = bpf_get_current_pid_tgid() >> 32;
    struct agent_policy *policy = bpf_map_lookup_elem(&agent_policies, &pid);
    if (!policy) return 0;  // non-agent process: pass
    if (!is_allowed_destination(address, policy)) {
        bpf_printk("BLOCKED: agent %d attempted unauthorized connection\n", pid);
        return -EPERM;  // blocked at kernel level
    }
    return 0;
}

// LSM programs and bpf_printk require a GPL-compatible license declaration
char LICENSE[] SEC("license") = "GPL";
```

OpenClaw and Its Security Layer
OpenClaw: An open-source self-hosted AI agent gateway. It handles agent execution in an isolated sandbox and incorporates Landlock LSM, seccomp-BPF, and network namespace isolation as the default security layer. As a rapidly evolving ecosystem as of early 2026, it is strongly recommended to verify the release stability and compatibility of each tool before production deployment.
OpenClaw's security architecture consists of a combination of three kernel technologies.
```text
┌────────────────────────────────────────────────────────────┐
│                      AI agent process                      │
├────────────────────────────────────────────────────────────┤
│ seccomp-BPF    │ allowed-syscall whitelist                 │
├────────────────────────────────────────────────────────────┤
│ Landlock LSM   │ declarative filesystem access restriction │
├────────────────────────────────────────────────────────────┤
│ Network NS     │ independent network stack per agent       │
├────────────────────────────────────────────────────────────┤
│ eBPF audit     │ JSONL logging + blocking of all events    │
└────────────────────────────────────────────────────────────┘
```

seccomp-BPF: Short for "secure computing mode with BPF", it is a Linux kernel feature that restricts the syscalls a process can call to a whitelist. It can prevent an agent from executing an arbitrary process with execve() or manipulating another process with ptrace().
| Technology | Control Target | Features |
|---|---|---|
| seccomp-BPF | Allowed syscall list | Terminate process on unallowed syscall call |
| Landlock LSM | Filesystem Paths | Restricting Accessible Paths with Declarative Rules |
| Network NS | Entire Network Stack | Complete Network Isolation Between Agents |
| eBPF Audit | All Kernel Events | Integrated Observation, Logging, and Blocking |
Audit Architecture — Immutable Hash Chain Log
The hash chain audit log implemented by the Clawprint project is structured so that each event forms a chain by including the hash of the previous event. If any point in the chain is tampered with, all subsequent hash verifications fail.
JSONL audit log format (one line = one event):

```json
{
  "seq": 1,
  "timestamp": "2026-04-14T09:23:01.234Z",
  "agent_id": "agent-abc123",
  "event_type": "file_open",
  "path": "/etc/passwd",
  "pid": 4821,
  "action": "BLOCKED",
  "policy_rule": "no_sensitive_files",
  "hash_prev": "0000000000000000000000000000000000000000000000000000000000000000",
  "hash_self": "a3f8d2c1e9b47056f3a2d1c8e6b4f9a2c7d3e8f1b5a9c2d6e4f7b3a8c1d5e9f2"
}
```

In high-frequency environments where events occur in parallel, seq number collisions or event order reversal may occur. A single-threaded collector is recommended for serializing events, and in high-frequency environments it is recommended to use the ordering guarantee option of the eBPF ring buffer.
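The chaining rule, carried through as an added example (not Clawprint's or OpenClaw's code): a single-writer collector that assigns seq numbers and links each event to its predecessor, and a checker that pinpoints where the chain breaks under two constructed tampering attempts. It assumes hash_self is SHA-256 over the event's sorted-key JSON with hash_self removed, the same recomputation the verification utility that follows performs.

```python
import hashlib
import json
from typing import Optional

GENESIS_HASH = "0" * 64  # hash_prev of the very first event, as in the schema above


def canonical_hash(event: dict) -> str:
    """SHA-256 over the event with hash_self removed, serialised with sorted keys
    (assumed here; it is the rule the verification utility below recomputes)."""
    payload = json.dumps({k: v for k, v in event.items() if k != "hash_self"},
                         sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class HashChainLog:
    """Single-writer collector: assigns seq numbers and links each event to its predecessor."""

    def __init__(self) -> None:
        self.events: list = []
        self._prev_hash = GENESIS_HASH

    def append(self, **fields) -> dict:
        event = {"seq": len(self.events) + 1, "hash_prev": self._prev_hash, **fields}
        event["hash_self"] = canonical_hash(event)
        self.events.append(event)
        self._prev_hash = event["hash_self"]
        return event


def to_jsonl(events: list) -> str:
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def first_broken_seq(jsonl: str) -> Optional[int]:
    """Seq of the first event whose link or own hash fails to verify; None if intact."""
    prev_hash = GENESIS_HASH
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["hash_prev"] != prev_hash or event["hash_self"] != canonical_hash(event):
            return event["seq"]
        prev_hash = event["hash_self"]
    return None


def demo_tamper() -> tuple:
    """Build a two-event chain from constructed sample data and tamper with it two ways."""
    log = HashChainLog()
    log.append(timestamp="2026-04-14T09:23:01.234Z", agent_id="agent-abc123",
               event_type="file_open", path="/etc/passwd", pid=4821,
               action="BLOCKED", policy_rule="no_sensitive_files")
    log.append(timestamp="2026-04-14T09:23:02.001Z", agent_id="agent-abc123",
               event_type="network_connect", destination="api.anthropic.com:443",
               pid=4821, action="ALLOWED", policy_rule="allowed_endpoints")
    intact = first_broken_seq(to_jsonl(log.events))
    # Tamper 1: flip the verdict of event 1 in place -> its own hash_self no longer matches
    edited = [dict(e) for e in log.events]
    edited[0]["action"] = "ALLOWED"
    edit_detected_at = first_broken_seq(to_jsonl(edited))
    # Tamper 2: flip it and recompute hash_self -> event 2's hash_prev no longer matches
    rehashed = [dict(e) for e in log.events]
    rehashed[0]["action"] = "ALLOWED"
    rehashed[0]["hash_self"] = canonical_hash(rehashed[0])
    rehash_detected_at = first_broken_seq(to_jsonl(rehashed))
    return intact, edit_detected_at, rehash_detected_at
```

The second tampering case is why the chain matters: an attacker who can rewrite one record and its hash still leaves every later record pointing at the old hash, so the break is found at the next event.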
```python
# Environment: Python 3.9+
# Hash chain verification utility
import hashlib
import json


def verify_audit_chain(log_path: str) -> bool:
    """Verify the hash chain integrity of an audit log."""
    prev_hash = "0" * 64
    line_num = 0  # initialised up front so an empty file is handled
    with open(log_path) as f:
        for line_num, line in enumerate(f, 1):
            event = json.loads(line.strip())
            # Check that hash_prev matches the previous event's hash_self
            if event["hash_prev"] != prev_hash:
                print(f"Chain integrity violation at event {line_num}")
                return False
            # Recompute the current event's hash_self
            payload = json.dumps(
                {k: v for k, v in event.items() if k != "hash_self"},
                sort_keys=True
            )
            expected_hash = hashlib.sha256(payload.encode()).hexdigest()
            if event["hash_self"] != expected_hash:
                print(f"Event tampering detected at event {line_num}")
                return False
            prev_hash = event["hash_self"]
    if line_num == 0:
        print("The audit log is empty.")
        return True
    print(f"Audit log integrity confirmed: {line_num} events")
    return True
```

Practical Application
The examples below cover three tools. Since the right choice depends on your requirements, consult the matrix first.
| Requirements | Recommended Tools |
|---|---|
| Fast observation, framework independent | AgentSight |
| Auditability Requirements, Hash Chain Log | Clawprint + OpenClaw |
| LangChain/AutoGen Existing Stack Integration | Microsoft Agent Governance Toolkit |
| Kubernetes Environment, Container-based Agent | ARMO (KubeArmor) |
The three examples follow the flow observation → policy enforcement → baseline learning.
Example 1: Tracking AI Coding Agent Behavior with AgentSight
AgentSight is an open-source project that instruments AI coding agents such as Claude Code and Gemini CLI using eBPF. It captures LLM communication content in plaintext via uprobes on the SSL library's SSL_read/SSL_write functions and builds a process tree from the sched_process_exec tracepoint.
```bash
# Environment: Linux 5.15+, Rust 1.70+, CAP_BPF capability required
# Install AgentSight and start monitoring an agent
git clone https://github.com/eunomia-bpf/agentsight
cd agentsight
# Build the eBPF daemon (Rust + C)
cargo build --release
# Start agent monitoring
# --capture-tls: plaintext capture by hooking the libssl SSL_write/SSL_read entry points
# --trace-process: build the process tree from sched_process_exec
sudo ./target/release/agentsight monitor \
  --pid $(pgrep -f "claude") \
  --capture-tls \
  --trace-process \
  --output jsonl \
  --output-file /var/log/agent-audit.jsonl
```

```typescript
// Note: the SDK below is under development and its API may change.
// Check the repository for the latest installation steps and API before use.
// Event shape assumed for this example; the real SDK type may differ (see repository README)
interface AgentEvent {
  type: string;          // e.g. 'network_connect', 'file_open'
  pid: number;
  destination?: string;  // host for network_connect events
  path?: string;         // path for file_open events
}

const ALLOWED_ENDPOINTS = ['api.openai.com', 'api.anthropic.com'];
const SENSITIVE_PATHS = ['/etc/', '/root/', '/.ssh/'];

// Example AgentSight event handler (see the repository README for the actual SDK API)
function onAgentEvent(event: AgentEvent): void {
  // Detect unauthorised external connections
  if (event.type === 'network_connect' && event.destination !== undefined &&
      !ALLOWED_ENDPOINTS.includes(event.destination)) {
    console.warn(`Unauthorised external connection attempt: ${event.destination}`);
    // blockAgent(event.pid);
  }
  // Detect sensitive file access
  const path = event.path;
  if (event.type === 'file_open' && path !== undefined &&
      SENSITIVE_PATHS.some(p => path.startsWith(p))) {
    console.error(`Sensitive file access attempt: ${path}`);
    // blockAgent(event.pid);
  }
}
```

| Component | Role |
|---|---|
| --capture-tls | Captures plaintext before encryption via libssl uprobes (function hooking, not TLS decryption) |
| --trace-process | Traces process lineage with the sched_process_exec tracepoint |
| --output jsonl | Real-time JSONL stream, suitable for SIEM integration |
AgentSight is an observation-centric tool. It is best utilized to identify the actual behavioral patterns of current agents before implementing policies.
Example 2: OpenClaw Enterprise Gateway — Risk-based Approval Workflow
Once the observation phase is complete, the next step is policy enforcement. In an enterprise environment, not all agent requests need to follow the same policy. You can configure a gateway that branches to automatic allow, human approval, or automatic block based on risk level.
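Before the configuration itself, the branching it describes as an added example (not OpenClaw's own policy engine): a small evaluator over the same rule schema. The first-match-wins semantics, the glob matching for destination_domain and database, and the fail-safe default action are all assumptions of this example.

```python
import fnmatch
from typing import Optional, Tuple

# Rules transcribed from the openclaw-policy.yaml in this section, as a Python literal so
# the example runs offline without a YAML parser (constructed; not OpenClaw's own loader).
POLICIES = [
    {"name": "read_internal_docs", "action": "ALLOW",
     "match": {"tool": ["file_read", "search"], "path_prefix": ["/workspace/docs/"]}},
    {"name": "internal_api_calls", "action": "ALLOW",
     "match": {"tool": ["http_request"], "destination_domain": ["*.internal.company.com"]}},
    {"name": "production_db_query", "action": "HUMAN_APPROVAL", "timeout_seconds": 300,
     "match": {"tool": ["db_query"], "database": ["prod-*"]}},
    {"name": "block_external_payments", "action": "BLOCK",
     "match": {"tool": ["http_request"], "destination_domain": ["stripe.com", "paypal.com"]}},
]

# Assumed fail-safe default: a request no rule covers goes to a human, never to ALLOW.
DEFAULT_ACTION = "HUMAN_APPROVAL"


def _key_matches(key: str, patterns: list, request: dict) -> bool:
    """tool is an exact list; path_prefix is a prefix test on request['path'];
    every other key (destination_domain, database, ...) is a case-insensitive glob."""
    if key == "tool":
        return request.get("tool") in patterns
    if key == "path_prefix":
        return any(request.get("path", "").startswith(p) for p in patterns)
    value = request.get(key)
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(str(value).lower(), p.lower()) for p in patterns)


def evaluate(request: dict, policies: list = POLICIES) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) for the first rule whose match keys all hold.
    First match wins, so rule order matters wherever a BLOCK and an ALLOW could overlap."""
    for rule in policies:
        if all(_key_matches(k, v, request) for k, v in rule["match"].items()):
            return rule["action"], rule["name"]
    return DEFAULT_ACTION, None


if __name__ == "__main__":
    # Note the last case: the YAML lists bare domains, so a payment API reached through a
    # subdomain is not BLOCKed but falls to the default; widen the glob if that is unwanted.
    for req in ({"tool": "file_read", "path": "/workspace/docs/spec.md"},
                {"tool": "http_request", "destination_domain": "stripe.com"},
                {"tool": "db_query", "database": "prod-payments"},
                {"tool": "http_request", "destination_domain": "api.stripe.com"}):
        print(req, "->", evaluate(req))
```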
```yaml
# openclaw-policy.yaml — gateway risk classification policy
version: "1.0"
agent_id: "finance-agent-v2"
policies:
  # Low risk: automatic allow
  - name: read_internal_docs
    match:
      tool: ["file_read", "search"]
      path_prefix: ["/workspace/docs/"]
    action: ALLOW
    audit: true
  # Medium risk: automatic allow + verbose logging
  - name: internal_api_calls
    match:
      tool: ["http_request"]
      destination_domain: ["*.internal.company.com"]
    action: ALLOW
    audit: true
    log_level: VERBOSE
  # High risk: human approval required
  - name: production_db_query
    match:
      tool: ["db_query"]
      database: ["prod-*"]
    action: HUMAN_APPROVAL
    approval_channel: "#agent-approvals"  # Slack notification
    timeout_seconds: 300  # auto-block if not approved within 5 minutes
  # Highest risk: immediate block
  - name: block_external_payments
    match:
      tool: ["http_request"]
      destination_domain: ["stripe.com", "paypal.com"]
    action: BLOCK
    alert: true
```

```python
# Note: the openclaw package is under development and its API may change.
# Check the official documentation and release notes before adopting it.
# Using the OpenClaw policy engine Python SDK
from openclaw import PolicyEngine, AuditLogger

engine = PolicyEngine.from_config("openclaw-policy.yaml")
logger = AuditLogger(
    output="/var/log/openclaw/audit.jsonl",
    hash_chain=True  # enable the SHA-256 hash chain
)


@engine.intercept
async def handle_tool_call(agent_id: str, tool: str, params: dict):
    """Every tool call passes through this handler."""
    decision = await engine.evaluate(agent_id, tool, params)
    # Write the audit record
    await logger.record(
        agent_id=agent_id,
        tool=tool,
        params=params,
        decision=decision
    )
    if decision.action == "HUMAN_APPROVAL":
        # request_human_approval is the deployment's own chat/Slack integration (not shown)
        approved = await request_human_approval(
            channel=decision.channel,
            context={"agent": agent_id, "tool": tool, "params": params},
            timeout=decision.timeout_seconds
        )
        return approved
    return decision.action == "ALLOW"
```

Example 3: ARMO-based Agent Behavior Baseline Learning
It is difficult to perfectly define an agent's normal behavior in advance. An effective approach is to learn behavioral patterns during the observation period to generate "Application Profile DNA," similar to ARMO's approach, and then convert it into a policy.
```bash
# Environment: Kubernetes 1.24+, KubeArmor installed
# Step 1: run the agent in observation mode (record behaviour only, no enforcement)
kubectl annotate pod my-agent-pod \
  kubearmor-policy=audit \
  kubearmor-visibility=process,file,network
# After 72 hours of observation, inspect the generated profile
kubectl get applicationprofile my-agent-pod -o yaml
```

```yaml
# KubeArmor policy generated from the learned Application Profile DNA
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: agent-learned-policy
spec:
  selector:
    matchLabels:
      app: my-agent
  # Allow only the observed normal processes
  process:
    matchPaths:
      - path: /usr/bin/python3
      - path: /usr/local/bin/node
    action: Allow
  # A mapping may carry only one file: key, so the observed allow rules and the
  # sensitive-path block rules share it, with the action set per rule
  file:
    matchDirectories:
      # Allow only the observed normal file accesses
      - dir: /workspace/
        recursive: true
        action: Allow
      # Block sensitive paths
      - dir: /etc/
        recursive: true
        action: Block
      - dir: /root/
        recursive: true
        action: Block
```

This approach is particularly useful when it is difficult to predefine the normal range of an agent's behavior item by item. Transition to a policy only after a sufficient observation period: a minimum of 48 to 72 hours is recommended, ideally covering the entire typical work cycle.
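The observe-then-convert step as an added example, not ARMO's or KubeArmor's own profiling code: it reduces constructed observation events (in the JSONL shape used earlier in this article) to a KubeArmorPolicy-style allowlist, generalising file accesses to top-level directories, requiring more than one observed path before allowlisting a directory, and keeping sensitive roots blocked regardless of what was observed. The directory granularity and the two-path threshold are assumptions of this example.

```python
import json
from collections import defaultdict

# Constructed observation-phase events (sample data only; an ApplicationProfile export
# would be the real input in an ARMO/KubeArmor deployment).
OBSERVED_JSONL = """\
{"event_type": "process_exec", "path": "/usr/bin/python3", "pid": 100}
{"event_type": "process_exec", "path": "/usr/local/bin/node", "pid": 101}
{"event_type": "file_open", "path": "/workspace/repo/src/main.py", "pid": 100}
{"event_type": "file_open", "path": "/workspace/repo/README.md", "pid": 100}
{"event_type": "file_open", "path": "/workspace/node_modules/x/index.js", "pid": 101}
{"event_type": "file_open", "path": "/tmp/cache-1.bin", "pid": 100}
{"event_type": "file_open", "path": "/tmp/cache-2.bin", "pid": 100}
{"event_type": "file_open", "path": "/var/lib/once.db", "pid": 100}
{"event_type": "file_open", "path": "/etc/passwd", "pid": 100}
"""

DENY_ROOTS = ("/etc/", "/root/")  # stay blocked even if touched during observation


def top_dir(path: str) -> str:
    """'/workspace/repo/src/main.py' -> '/workspace/' (the allowlist's generalisation unit)."""
    return "/" + path.strip("/").split("/")[0] + "/"


def learn_profile(jsonl: str, min_distinct_paths: int = 2) -> dict:
    """Turn observed exec and file_open events into a KubeArmorPolicy-style spec fragment.
    Exec paths are allowed exactly as seen. File accesses are generalised to their top-level
    directory, which is allowlisted only if at least min_distinct_paths files were seen
    there (a one-off access is too thin a baseline). Accesses under DENY_ROOTS are never
    allowlisted and are returned for review: they may signal a problem during the
    observation window itself."""
    execs, review = set(), []
    files = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["event_type"] == "process_exec":
            execs.add(ev["path"])
        elif ev["event_type"] == "file_open":
            if ev["path"].startswith(DENY_ROOTS):
                review.append(ev["path"])
            else:
                files[top_dir(ev["path"])].add(ev["path"])
    allowed = sorted(d for d, paths in files.items() if len(paths) >= min_distinct_paths)
    return {
        "process": {"matchPaths": [{"path": p} for p in sorted(execs)], "action": "Allow"},
        "file": {"matchDirectories":
                 [{"dir": d, "recursive": True, "action": "Allow"} for d in allowed]
                 + [{"dir": d, "recursive": True, "action": "Block"} for d in DENY_ROOTS]},
        "review": review,
    }


def learn_from_sample() -> dict:
    return learn_profile(OBSERVED_JSONL)


if __name__ == "__main__":
    print(json.dumps(learn_from_sample(), indent=2))
```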
Pros and Cons Analysis
Advantages
| Item | Content |
|---|---|
| Framework Independence | Applies equally to all frameworks, including LangChain, AutoGen, custom agents, etc. |
| Code-free Measurement | Can be attached to existing systems like a sidecar without modifying application code |
| Low Overhead | Production deployment possible with an additional 1–3% CPU load for AI workloads |
| Kernel-Level Strength | Provides high-intensity control that cannot be bypassed or disabled in agent code |
| Immutable Audit Log | Secures tamper-proof protection and legal evidentiary value with SHA-256 hash chain JSONL |
| Real-time Blocking | Enables active defense that not only detects but also blocks abnormal behavior just before it is executed |
Disadvantages and Precautions
| Item | Content | Response Plan |
|---|---|---|
| Semantic Blind Spot | Process spawns and network connections are visible, but it is difficult to determine the reason why prompt injection occurred | It is recommended to perform this in parallel with application layer LLM call analysis |
| Linux Only | eBPF depends on the Linux kernel | For macOS and Windows environments, consider using Falco rule-based alternatives or container environments |
| Operational Complexity | Even the official NemoClaw documentation warns that "the correct production setup is expert-level" | An approach that starts in audit mode and gradually increases enforcement intensity is safe |
| Risk of Over-blocking | Narrowly defining the normal range of an agent's behavior can degrade business continuity | ARMO-based baseline learning is effective in reducing false positives |
| Encrypted Traffic | Viewing the inside of TLS traffic requires SSL uprobe configuration and increases complexity | Refer to AgentSight's uprobe implementation or start with just outbound domain control |
| Early Ecosystem | The OpenClaw ecosystem itself is evolving rapidly as of early 2026 | We recommend verifying the release stability and compatibility of each tool before production deployment |
The Most Common Mistakes in Practice
- Switching immediately to enforcement mode: Activating enforce mode without an observation period may block the agent's normal operation and lead to operational failures. Observe for at least 48 to 72 hours first.
- Judging that eBPF alone is sufficient: As with the semantic blind spot discussed earlier, kernel events tell you what was done, but not why (prompt injection, goal hijacking, etc.). They must be combined with L7 application layer analysis to obtain the complete context.
- Omitting agent identity tracking: In a multi-agent environment, it becomes impossible to analyze the cause of an incident if you do not track which agent performed which action with which credentials. Include a unique identifier and the credential scope of each agent in the audit logs.
In Conclusion
Runtime governance is not the last line of defense for AI agent security. As discussed in the semantic blind spot, kernel events tell us what the agent did, but they do not tell us why. It is accurate to understand runtime governance as an essential layer responsible for execution points that existing security layers—such as prompt protection, model evaluation, and application layer validation—cannot reach. All security layers complement one another.
The high-risk provisions of the EU AI Act will take effect in four months, in August 2026. The auditability of agent behavior is becoming a compliance requirement rather than an option. Now is the right time to adopt a runtime governance architecture.
3 Steps to Start Right Now:
- If you prefer standalone observation, start by analyzing current agent behavior with AgentSight. After `git clone https://github.com/eunomia-bpf/agentsight`, run `sudo ./agentsight monitor --pid $(pgrep -f "your-agent")` to observe all syscalls and network requests of the currently running agent. This is the fastest way to grasp the current status without enforcing any policy.
- If there are auditability requirements, configure SHA-256 hash chain audit logs with Clawprint. Add the `hash_prev`/`hash_self` fields to the existing agent logs by following the JSONL schema of github.com/cyntrisec/clawprint, and build an integrity verification pipeline with the Python verification utility introduced above.
- If you are running a LangChain/AutoGen-based stack, integrate the Microsoft Agent Governance Toolkit. github.com/microsoft/agent-governance-toolkit provides middleware that integrates with the major agent frameworks. Start in `audit` mode only and first check which OWASP Agentic AI Top 10 items are generating events.
Next Post: OWASP Agentic AI Top 10 In-depth Analysis — Specific Architecture Patterns to Defend Against Goal Hijacking, Memory Poisoning, and Cascading Failures
Reference Materials
- AgentSight: System-Level Observability for AI Agents Using eBPF | arXiv
- AgentSight: eBPF-Powered AI Agent Observability | eunomia
- eBPF for AI Agent Enforcement: What Kernel-Level Security Catches (and What It Misses) | ARMO
- Introducing the Agent Governance Toolkit | Microsoft Open Source Blog
- Top Runtime AI Governance & Security Platforms for Production LLMs & Agentic AI (2026) | AccuKnox
- OWASP Top 10 for Agentic Applications 2026 | OWASP Gen AI Security Project
- Defensible Design for OpenClaw: Securing Autonomous Tool-Invoking Agents | arXiv
- OpenClaw Security Architecture and Hardening Guide | Nebius
- NemoClaw Architecture — OpenShell Runtime & Security Layers Deep Dive
- GitHub: cyntrisec/clawprint — Tamper-Evident Audit Trail for OpenClaw
- GitHub: knostic/openclaw-telemetry — JSONL + SIEM Telemetry for OpenClaw
- GitHub: microsoft/agent-governance-toolkit
- AI Agents Are Actors, Not Tools: Why Enterprises Need Runtime Governance | StrongDM
- eBPF Foundation 2025 Year in Review