{"id":28991583,"url":"https://github.com/aleyi17/infrasight","last_synced_at":"2025-10-12T12:45:44.656Z","repository":{"id":298191092,"uuid":"999133695","full_name":"ALEYI17/InfraSight","owner":"ALEYI17","description":"InfraSight is a modular eBPF-based observability platform for Linux and Kubernetes environments. It provides deep visibility into system activity using custom eBPF programs, a centralized ClickHouse backend, and a Kubernetes-native controller.","archived":false,"fork":false,"pushed_at":"2025-09-24T23:22:04.000Z","size":838,"stargazers_count":30,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-25T00:24:16.422Z","etag":null,"topics":["ebpf"],"latest_commit_sha":null,"homepage":"https://aleyi17.github.io/InfraSight/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ALEYI17.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-09T19:40:59.000Z","updated_at":"2025-09-24T23:21:49.000Z","dependencies_parsed_at":"2025-09-05T22:08:54.232Z","dependency_job_id":"d344412a-6357-4a7e-8bf5-4e5283895ef7","html_url":"https://github.com/ALEYI17/InfraSight","commit_stats":null,"previous_names":["aleyi17/infrasight"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ALEYI17/InfraSight","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2FInfraSight","tags_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/ALEYI17%2FInfraSight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2FInfraSight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2FInfraSight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ALEYI17","download_url":"https://codeload.github.com/ALEYI17/InfraSight/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ALEYI17%2FInfraSight/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279011300,"owners_count":26084928,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-12T02:00:06.719Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf"],"created_at":"2025-06-25T02:00:34.947Z","updated_at":"2025-10-12T12:45:44.650Z","avatar_url":"https://github.com/ALEYI17.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# InfraSight\n\n## 📖 Project Overview\n\n\u003e **“Kernel-level observability made simple with eBPF — for Linux and Kubernetes.”**\n\n**InfraSight** is a modular, open-source observability and auditing platform built on top of **eBPF** (Extended Berkeley Packet Filter). 
It is designed to extract fine-grained, low-level events from Linux systems in real time to provide deep visibility into system and application behavior.\n\nInfraSight provides deep visibility into system and container activity, helping operators, developers, and security teams understand what is happening on their infrastructure.\n\nAt its core, InfraSight traces key system calls (such as `execve`, `open`, `connect`, and more) at the kernel level using safe and efficient eBPF programs. These probes operate directly within the Linux kernel without modifying application code or requiring sidecars.\n\nThe collected data is streamed through a gRPC pipeline, where it is enriched and then stored in a ClickHouse database for high-performance querying and analysis.\n\nThe platform is suitable for both **standalone Linux systems** and **Kubernetes clusters**. In Kubernetes environments, InfraSight includes components to simplify agent deployment and lifecycle management through custom resources and a dedicated controller.\n\nInfraSight is composed of four main components:\n\n* A **Kubernetes controller** to manage and deploy eBPF agents across the cluster.\n* A user-space **agent** that runs eBPF programs and streams structured events.\n* A **server** that receives, enriches, and stores telemetry data in a ClickHouse database.\n* A **Helm chart** to deploy the system in Kubernetes environments.\n* A **Machine Learning** anomaly detection (resource + syscall frequency)\n* A **Rules engine** for predefined threats.\n\nInfraSight provides the foundation for building advanced observability, auditing, and security tools with a low-overhead, event-driven architecture.\n\n## 🔍 Supported Syscalls \u0026 Their Purpose\n\nInfraSight currently supports tracing the following system calls using eBPF:\n\n| Syscall   | Purpose                                                                                                                             |\n| --------- | 
----------------------------------------------------------------------------------------------------------------------------------- |\n| `execve`  | Captures process execution events, including command-line arguments. Useful for auditing what commands are being run on the system. |\n| `open`    | Monitors when files are opened. Helps track access to sensitive files or unexpected file usage.                         |\n| `chmod`   | Detects permission changes on files. Useful to monitor unauthorized attempts to alter access rights.                         |\n| `connect` | Tracks outbound network connections made by processes. Essential for detecting unexpected or malicious network behavior.            |\n| `accept`  | Captures inbound connections to servers. Important to understand what is listening and who is connecting.                                  |\n| `ptrace`  | Monitors process tracing and injection attempts. Useful for detecting debugging or code injection behavior.                                  |\n| `mmap`  | Tracks memory mappings. Can reveal suspicious allocations often used in exploits.                                  |\n| `mount`  | Observes filesystem mounting. Helps detect container escapes or persistence mechanisms.                                  |\n| `umount`  | Observes filesystem unmounting. Helps detect container escapes or persistence mechanisms.                                  |\n| `resource`  | Monitors low-level resource usage and memory management (context switches, page faults, mmap/munmap, brk, read/write, and process exit). Useful for detecting anomalous resource consumption or crashes.                                  |\n| `syscall frequency`  | Counts syscall invocations and aggregates frequency metrics per process until exit. Useful for anomaly detection based on unusual syscall usage patterns.                                  
|\n\n\nThese syscalls were selected for their importance in understanding:\n\n* Process activity (`execve`)\n* File system access (`open`, `chmod`)\n* Network behavior (`connect`, `accept`)\n* Process introspection, memory mapping, and mounts (`ptrace`, `mmap`, `mount`, `umount`)\n* Resource usage and syscall frequency (`resource`, `syscall frequency`)\n\nBy tracing these operations at the kernel level, InfraSight provides visibility into both user and system behavior, whether it's detecting a rogue shell command, a file access violation, or unexpected network traffic.\n\nInfraSight is extensible, and support for additional syscalls (such as `unlink`, `bind`, or `setuid`) can be added in future iterations.\n\n\n## 🗺️ Architecture Diagram\n\nThe diagram below illustrates the high-level architecture of the **InfraSight** platform:\n\n![InfraSight Architecture](https://github.com/ALEYI17/InfraSight/blob/main/docs/images/infrasight.png)\n\nInfraSight follows a modular pipeline:\n\n* **eBPF Agents** collect raw syscall events (like `execve`, `open`, `connect`, etc.) directly from the kernel using eBPF programs.\n* These events are enriched at the source (e.g., resolving user names, container metadata), then streamed via **gRPC** to the central **InfraSight Server**.\n* The server performs further enrichment (timestamps, formatting, latency conversion) and writes the data into **ClickHouse**, a columnar database optimized for analytical queries.\n* A Machine Learning module analyzes patterns in resource usage and syscall frequency to detect anomalies.\n* A Rules engine applies predefined detection logic to generate alerts on known threats.\n* Finally, users can analyze and visualize the collected data using tools like **Grafana**, **PyTorch**, or direct SQL queries.\n\nThis architecture enables deep observability on both standalone Linux hosts and Kubernetes clusters.\n\n## 🧩 Project Components
\n\n| Component                                                                   | Description                                                                               |\n| --------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |\n| [`ebpf_loader`](https://github.com/ALEYI17/ebpf_loader)                     | Lightweight agent that runs eBPF programs on each node and sends telemetry to the server  |\n| [`ebpf_server`](https://github.com/ALEYI17/ebpf_server)                     | Receives, enriches, and stores events in ClickHouse                                       |\n| [`infrasight-controller`](https://github.com/ALEYI17/infrasight-controller) | Kubernetes-native controller for deploying and managing eBPF agents                       |\n| [`ebpf_deploy`](https://github.com/ALEYI17/ebpf_deploy)                     | Helm-based deployment for ClickHouse and the server in Kubernetes                         |\n| [`InfraSight_ml`](https://github.com/ALEYI17/InfraSight_ml)                 | Machine learning models for anomaly detection (resource + syscall frequency)              |\n| [`InfraSight_sentinel`](https://github.com/ALEYI17/InfraSight_sentinel)     | Rules engine for generating alerts based on predefined detection logic                    |\n| [`ClickHouse`](https://clickhouse.com/)                                       | High-performance columnar database used for storing and querying enriched eBPF event data |\n\n\n## 🚀 Getting Started\n\nInfraSight is composed of multiple modular components that can be deployed individually or together, depending on your needs. It supports both **Kubernetes** and **non-Kubernetes (bare-metal or VM)** environments.\n\nTo get started, **follow the README files in each of the individual repositories**. 
Each one contains specific setup and usage instructions tailored to its component:\n\n| Component                | Repository                                                                  |\n| ------------------------ | --------------------------------------------------------------------------- |\n| eBPF Agent (Loader)      | [`ebpf_loader`](https://github.com/ALEYI17/ebpf_loader)                     |\n| Event Server \u0026 Ingestion | [`ebpf_server`](https://github.com/ALEYI17/ebpf_server)                     |\n| Kubernetes Controller    | [`infrasight-controller`](https://github.com/ALEYI17/infrasight-controller) |\n| Helm-based Deployment    | [`ebpf_deploy`](https://github.com/ALEYI17/ebpf_deploy)                     |\n| ML Anomaly Detection     | [`InfraSight_ml`](https://github.com/ALEYI17/InfraSight_ml)                 |\n| Rules Engine             | [`InfraSight_sentinel`](https://github.com/ALEYI17/InfraSight_sentinel)     |\n\n\n## ✨ Features\n\n* **Kernel-Level Tracing with eBPF**\n  Trace key system calls like `execve`, `open`, `chmod`, `connect`, and `accept` directly from the Linux kernel.\n\n* **Real-Time Event Streaming**\n  Events are streamed over gRPC for minimal latency and efficient transport.\n\n* **Structured Storage with ClickHouse**\n  Events are stored in a high-performance, columnar database for fast querying and analysis.\n\n* **Machine Learning Anomaly Detection**\n  Detect resource usage spikes and unusual syscall frequency patterns.\n\n* **Rules Engine for Threat Detection**\n  Catch predefined malicious behaviors such as reverse shells, privilege escalation, or container escapes.\n\n* **Works in Bare Metal or Kubernetes**\n  InfraSight can run on regular Linux systems or be deployed in Kubernetes using Helm and a custom controller.\n\n* **Kubernetes Controller with CRD Support**\n  Deploy and manage tracing agents with fine-grained configuration using a custom resource.\n\n## 🔮 Future Work
\n\nInfraSight is designed to be extensible. The following enhancements are under consideration to make the platform even more powerful and user-friendly:\n\n* [x] **Anomaly Detection \u0026 Behavior Profiling**\n  Machine learning models for syscall frequency and resource usage anomaly detection.\n\n* [x] **Resilience \u0026 Scalability**\n  Retries, graceful shutdown, batching, and optional message queue integration for scaling the server.\n\n* [x] **Threat Detection Capabilities**\n  Add rule-based detection for attack patterns such as privilege escalation, reverse shells, or unauthorized access attempts.\n\n* [x] **Sentinel Integration**\n  Static analysis and correlation engine for combining runtime events with code-level insights.\n\n* [ ] **Standard Dashboards (Grafana / Metabase)**\n  Ready-made dashboards for visualizing telemetry data.\n\n* [ ] **Alerting System**\n  Integrate with email, Slack, or webhook notifications when anomalies or threats are detected.\n\n* [ ] **Web Interface or CLI**\n  User-friendly interface to explore and interact with traced events.\n\n\u003e Have an idea or suggestion to improve InfraSight?\n\u003e Feel free to open an issue or reach out — contributions and feedback are always welcome!\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faleyi17%2Finfrasight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faleyi17%2Finfrasight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faleyi17%2Finfrasight/lists"}