InGRAIN by Red Sift

Announcing ingraind 1.0

Almost 2 years ago when I joined Red Sift, I kicked off development on ingraind and its core, RedBPF, with the goal of building a better kind of security agent to monitor file access, network traffic, and DNS queries in our infrastructure. We have shared our journey on this blog, and received a lot of helpful input from the Rust and Linux kernel community during this time.

Just under 1000 git commits later in the two repositories combined, we are happy to announce version 1.0.

Of course, we are actively dogfooding ingraind ourselves, and running it in our production system. Combined with our data processing backend, the data collected by ingraind is extremely helpful to resolve issues with the help of great visualisations.

InGRAIN showing network and file access of the Docker and Kubernetes runtimes

However, the full list of operating systems ingraind supports has grown to support main cloud providers out of the box, making sure you can get it running in Google and AWS Kubernetes deployments quickly.

RedBPF behind ingraind

A lot of effort went into creating an efficient toolchain to run Rust eBPF programs in the kernel by the amazing Alessandro Decina. We have removed all C code from the ingraind sources and exclusively rely on our own idiomatic Rust library, RedBPF.

We introduced the cargo bpf tool to help build new monitoring modules so that extending ingraind is easy and safe for most programmers even with only superficial knowledge of Rust. If you need to hook a specific system call or kernel function, you can easily do that and incorporate it into your own deployment. An extensive documentation will also help you get there.

On top of this, Alessandro dived into LLVM to figure out a reliable way to unroll large loops, an important part of making eBPF programming easier, where loops don’t exist. In order to support code that panics, such as boundary checks when indexing arrays or accessing kernel memory using slices, we transform the LLVM bitcode to inline panic handlers which are normally annotated with #[never(inline)].

To make Rust programs more comfortable to write, we also generate bindings for kernel structures, so some of the convenient preprocessor-generated accessors that are available in C is turned into simple function calls in Rust.

I also want to thank all our external contributors for the amazing feedback that helped push ingraind and RedBPF to where they are now.

The entire team at Red Sift are really excited to publish the new website for the project, ingraind.org. It collects all the documentation and resources that you need to get started on working with ingraind.

To learn more about eBPF and systems monitoring in Rust, head over to ingraind.org, or the GitHub repositories for ingraind and RedBPF. We’d love to hear about your experience!

Find out more

PUBLISHED BY

Peter Parkanyi

1 Apr. 2020

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Keep your Microsoft Online Email Routing Address secure with Red Sift OnDMARC

Faisal Misle

Every Microsoft 365 tenant includes a default domain in the format tenantname.onmicrosoft.com. This is known as the Microsoft Online Email Routing Address (MOERA). What many don’t realize is that attackers have started using these domains to impersonate organizations in phishing attacks. If left unmonitored, MOERA domains can become a blind spot in your email…

Read more
News

Red Sift OnDMARC ranked #1 in EMEA and Europe for DMARC in…

Francesca Rünger-Field

G2’s Spring 2025 Report is here, and we’ve got some exciting news to share! Red Sift OnDMARC has been named the #1-rated DMARC solution in both EMEA and Europe, and that’s just the start. We also took the #1 spot in the Mid-Market Results Index and Mid-Market Usability Index, and were featured in 18…

Read more
DMARC

The Mail Check deadline has passed: Is your organisation at risk? 

Jack Lilley

The National Cyber Security Centre (NCSC) proposed changes to Mail Check services came into effect on 24 March 2025, including the ending of DMARC aggregate reporting. Organisations who are yet to comply must now seek an alternative provider or risk exposure to harmful cybersecurity incidents. This change comes as a measure to expand the…

Read more
Awards

Red Sift named a Top 50 company in 2025 Emerging Stars Awards

Jack Lilley

We’re pleased to share that Red Sift has been named Best Performing Company – Security & Infrastructure in the 2025 Emerging Stars Awards. These awards, part of the Megabuyte100 series, recognise the UK’s 50 best-performing scale-up technology companies based on solid financial performance, from over 800 entries.  Being recognised in this category reflects the…

Read more