{"id":48482875,"url":"https://github.com/Cybereason-Public/owLSM","last_synced_at":"2026-04-08T00:00:34.786Z","repository":{"id":336223543,"uuid":"1133399800","full_name":"Cybereason-Public/owLSM","owner":"Cybereason-Public","description":"Sigma Rules Engine inside the Linux Kernel using eBPF. Focusing on prevention capabilities","archived":false,"fork":false,"pushed_at":"2026-04-04T13:05:24.000Z","size":2967,"stargazers_count":227,"open_issues_count":2,"forks_count":9,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-04T15:50:25.640Z","etag":null,"topics":["ebpf","linux-kernel","linux-security-module","security","sigma-rule"],"latest_commit_sha":null,"homepage":"https://cybereason-public.github.io/owLSM/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Cybereason-Public.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":".github/CLA.md"}},"created_at":"2026-01-13T09:45:28.000Z","updated_at":"2026-04-04T13:05:26.000Z","dependencies_parsed_at":"2026-03-27T19:00:47.845Z","dependency_job_id":null,"html_url":"https://github.com/Cybereason-Public/owLSM","commit_stats":null,"previous_names":["cybereason-labs/owlsm","cybereason-public/owlsm"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Cybereason-Public/owLSM","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason-Public%2Fow
LSM","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason-Public%2FowLSM/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason-Public%2FowLSM/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason-Public%2FowLSM/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Cybereason-Public","download_url":"https://codeload.github.com/Cybereason-Public/owLSM/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Cybereason-Public%2FowLSM/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31533824,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","linux-kernel","linux-security-module","security","sigma-rule"],"created_at":"2026-04-07T09:00:17.825Z","updated_at":"2026-04-08T00:00:34.776Z","avatar_url":"https://github.com/Cybereason-Public.png","language":"C","funding_links":[],"categories":["Projects Related to eBPF"],"sub_categories":["Security"],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"525\" height=\"150\" alt=\"owLSM_logo-Photoroom\" 
src=\"docs/owLSM_logo-Photoroom.png\" /\u003e\n  \u003cbr\u003e\u003cbr\u003e\n  🛡️ \u003ci\u003eowLSM aspires to become the gold standard for prevention and detection for Linux\u003c/i\u003e 🛡️\n  \u003cbr\u003e\u003cbr\u003e\n  \u003ca href=\"https://cybereason-public.github.io/owLSM/\"\u003e\u003cimg src=\"https://img.shields.io/badge/Docs-GitHub%20Pages-blue?style=flat-square\u0026logo=github\" alt=\"Docs\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://discord.gg/gQk5Jxd6vs\"\u003e\u003cimg src=\"https://img.shields.io/discord/1467824033188941952?label=Discord\u0026logo=discord\u0026style=flat-square\" alt=\"Discord\"\u003e\u003c/a\u003e\n  \u003ca href=\"AGENTS.md\"\u003e\u003cimg src=\"https://img.shields.io/badge/AI%20Agents-Friendly-blueviolet?style=flat-square\" alt=\"Agent Friendly\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Cybereason-Public/owLSM/actions/runs/23287577166\"\u003e\u003cimg src=\"https://img.shields.io/badge/CI-passing-brightgreen?style=flat-square\" alt=\"CI passing\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nowLSM is an eBPF LSM agent that implements a stateful Sigma rules engine focused on prevention.\n\n\u003cp\u003e\n\u003cb\u003e\u003cspan style=\"font-size:1.15em\"\u003eWhat is the project:\u003c/span\u003e\u003c/b\u003e owLSM focuses on three main things:\u003cbr\u003e\n1) Prevention capabilities using a Sigma Rules Engine implemented via eBPF LSM.\u003cbr\u003e\n2) Data correlation between eBPF probes for stateful prevention capabilities.\u003cbr\u003e\n3) Security-focused system monitoring where each event contains all the context a security expert needs.\n\u003c/p\u003e\n\n\u003cp\u003e\n\u003cb\u003e\u003cspan style=\"font-size:1.15em\"\u003eWho is it for:\u003c/span\u003e\u003c/b\u003e Teams that defend Linux systems, companies offering Linux/Cloud security solutions, and developers or agents looking for implementation examples of complex eBPF solutions.\n\u003c/p\u003e\n\n\u003cp\u003e\n\u003cb\u003e\u003cspan 
style=\"font-size:1.15em\"\u003eWhere is it already being used:\u003c/span\u003e\u003c/b\u003e Customers of the security firms Cybereason and LevelBlue.\n\u003c/p\u003e\n\n\u003cp\u003e\n\u003cb\u003e\u003cspan style=\"font-size:1.15em\"\u003eWhy we created this project:\u003c/span\u003e\u003c/b\u003e After years of using projects like Falco, Tetragon, and KubeArmor, we kept running into the same gaps. These solutions offer little to no prevention (enforcement) capabilities. Those that do offer enforcement policies lack basic features like substring matching, full process command line access, and parent termination of malicious processes.\u003cbr\u003e\nWe decided to take a completely different approach:\u003cbr\u003e\n1) Use the standard Sigma rules structure and support as many Sigma rules features as possible (constantly adding more).\u003cbr\u003e\n2) Solve the core limitation of current eBPF LSM projects: they are stateless. Almost all data available in an enforcement rule comes only from the current hook.\u003cbr\u003e\nWe created stateful eBPF programs that use multiple consecutive hook points and correlate data between them, so at the point of the prevention decision, users have all the data they need. 
We took this stateful approach so far that, for example, when monitoring write events, you can specify prevention rules based on the shell command that initiated the write.\n\u003c/p\u003e\u003cbr\u003e\n\nHelp us grow and protect the world by giving us a ⭐ \n \u003cbr\u003e\n\u003e **Cloud support will come in the future**\n\n\n## How to build\n\n```bash\n# Build the Docker image (one-time setup):\ndocker build -t owlsm-ci-ubuntu20 .\n\n# Start the build container\ndocker run -it --rm -v \"$PWD\":/workspace -w /workspace owlsm-ci-ubuntu20 bash\n\n# Build owLSM\nmake -j$(nproc)\n\n# Build unit tests\nmake test -j$(nproc)\n\n# Exit the container; owlsm and the tests can't run inside the Docker container\nexit\n```\n\n## Run owLSM\n\nDo this outside the Docker container\n```bash\ncd build/owlsm/bin\n\n# run without config \nsudo ./owlsm \n\n# run with config \nsudo ./owlsm -c /config/path.json\n\n# run with config and excluded PIDs (usually we want to exclude parent processes)\nsudo ./owlsm -c /path/to/config.json -e 123 -e 456\n\n# run owlsm and pass config via stdin (when you don't want to save your config file on the disk)\n# owLSM expects to receive the config in under 10 seconds. \nsudo ./owlsm --stdin\n```\n\n\u003e **Note:** owLSM startup takes **10–50 seconds** depending on the system. This is the eBPF verifier validating all programs before they are loaded into the kernel. 
Once complete, owLSM is fully active.\n\n## Config and rules\nSee [Rules/README.md](Rules/README.md)\n\n## Run Unit Tests\n\n```bash\ncd build/unit_tests/bin\n\n# Run the unit tests\nsudo ./unit_tests\n```\n\n## Check Compatibility\n\nBefore running owLSM, verify your system meets the requirements:\n\n```bash\nchmod +x scripts/check_compatibility.sh \u0026\u0026 ./scripts/check_compatibility.sh\n```\n\n## Automation Tests (Integration Testing)\nSee [src/Tests/Automation/README.md](src/Tests/Automation/README.md) for running the automation tests.\n\n# Join the community \nTo get involved with the owLSM project visit our [discord](https://discord.gg/gQk5Jxd6vs).  \nIf you have any questions please ask them on the discord or open a relevant issue.\n\n📖 Visit the [documentation](https://cybereason-public.github.io/owLSM/) for everything you need — how to use the project, write rules, understand the architecture, and more.\n\n## Contributors \nWe're thrilled that you're interested in contributing to owLSM!  \nPlease check [CONTRIBUTING.md](.github/CONTRIBUTING.md) to learn about the rules, conventions, and even **cool AI tools and agents** that will help you a lot!\n\n## License\n\nowLSM is licensed under the **GNU General Public License v2.0** (GPL-2.0).\n\n### Third-Party Libraries\n\nThis project includes several third-party libraries with their own licenses\n(all GPL-compatible). See [THIRD_PARTY_LICENSES](THIRD_PARTY_LICENSES) for\ndetails.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybereason-Public%2FowLSM","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCybereason-Public%2FowLSM","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybereason-Public%2FowLSM/lists"}