Linux Workload Attestor
The Linux attestor identifies workloads by reading process information from the kernel.
Configuration
Enable the Linux attestor in the WorkloadAttestation section:
```yaml
section: WorkloadAttestation
schema: v1
spec:
  linux:
    enabled: true
    discoverWorkloadPath: true
```
| Field | Default | Description |
|---|---|---|
| linux.enabled | true | Enable or disable Linux attestation |
| linux.discoverWorkloadPath | false | Discover the workload binary path. See note below. |
Workload binary path discovery
To read the binary path of a workload process, the agent must have the CAP_SYS_PTRACE Linux capability — a kernel-level permission that allows a process to inspect other processes running as different users. Without it, Linux blocks access to the binary path for processes the agent doesn't own.
Common ways to grant this capability:
Kubernetes
Add the capability to the agent container's security context:
```yaml
containers:
  - name: spirl-agent
    securityContext:
      capabilities:
        add:
          - SYS_PTRACE
```
Linux hosts — systemd unit file
If the agent runs as a systemd service, grant the capability in the unit file:
```ini
[Service]
AmbientCapabilities=CAP_SYS_PTRACE
```
If your unit file already restricts CapabilityBoundingSet, also add CAP_SYS_PTRACE there — the bounding set acts as a ceiling on which capabilities the process can have.
Linux hosts — setcap
Alternatively, grant the capability directly on the agent binary:
```shell
sudo setcap cap_sys_ptrace+ep /path/to/spirl-agent
```
The binary must not be world-writable — Linux strips capabilities at exec time from writable binaries as a security measure.
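To make the capability requirement and the two discovery attributes concrete, here is an added example (not SPIRL's code) that checks whether the current process holds CAP_SYS_PTRACE by parsing /proc/self/status and resolves a workload's binary path and SHA256 through /proc/<pid>/exe, returning nothing when the kernel denies access. Function and variable names are my own assumptions.

```python
import hashlib
import os

CAP_SYS_PTRACE = 19  # capability bit number from <linux/capability.h>


def has_cap_sys_ptrace(status_text):
    """Return True if the CapEff mask in a /proc/<pid>/status text has bit 19 set."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_SYS_PTRACE) & 1)
    raise ValueError("no CapEff line in status text")


def agent_can_discover_paths():
    """Check the calling process (the agent) for the capability the docs require."""
    with open("/proc/self/status") as f:
        return has_cap_sys_ptrace(f.read())


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def workload_binary_attributes(pid):
    """Resolve the attributes discoverWorkloadPath adds for one workload PID.

    Returns None when the kernel refuses /proc/<pid>/exe (PermissionError):
    that is what the agent sees for another user's process without
    CAP_SYS_PTRACE, so callers must treat these attributes as optional.
    """
    exe = f"/proc/{pid}/exe"
    try:
        path = os.readlink(exe)
        # Hash through the magic link, not through `path`: the file at `path`
        # may have been replaced since the workload exec'd it, and readlink
        # appends " (deleted)" in exactly that situation.
        digest = sha256_of_file(exe)
    except PermissionError:
        return None
    return {"linux.binary.path": path, "linux.binary.sha256": digest}


if __name__ == "__main__":
    print("agent has CAP_SYS_PTRACE:", agent_can_discover_paths())
    print(workload_binary_attributes("self"))  # constructed demo: inspect ourselves
```

Run it once as the agent's user with no capability and once after applying one of the grants above; the first line flips from False to True, and for another user's PID the second call changes from None to the two attributes.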
Attributes
The following attributes are collected for workloads running on Linux and can be used in path templates, JWT custom claims, and X.509 Subject customization.
| Linux Attribute | Path Template Variable | Notes |
|---|---|---|
| User Name | linux.user.name | |
| User ID | linux.user.id | |
| Group Name | linux.group.name | |
| Group ID | linux.group.id | |
| Supplementary Group Name | linux.supp_group.name | |
| Supplementary Group ID | linux.supp_group.id | |
| Binary Path | linux.binary.path | Requires discoverWorkloadPath |
| Binary SHA256 | linux.binary.sha256 | Requires discoverWorkloadPath |
The linux.binary.path and linux.binary.sha256 attributes are only emitted when discoverWorkloadPath is enabled for the Linux attestor.