{"id":19607058,"url":"https://github.com/bookingcom/bpfink","last_synced_at":"2025-04-27T19:33:08.144Z","repository":{"id":50736747,"uuid":"246280854","full_name":"bookingcom/bpfink","owner":"bookingcom","description":"BPF based FIM solution","archived":false,"fork":false,"pushed_at":"2023-05-22T19:45:44.000Z","size":209,"stargazers_count":42,"open_issues_count":4,"forks_count":12,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-05T03:02:05.858Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bookingcom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2020-03-10T11:17:54.000Z","updated_at":"2024-11-13T06:24:30.000Z","dependencies_parsed_at":"2023-10-20T18:32:00.175Z","dependency_job_id":null,"html_url":"https://github.com/bookingcom/bpfink","commit_stats":null,"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Fbpfink","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Fbpfink/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Fbpfink/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bookingcom%2Fbpfink/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bookingcom","download_url":"https://codeload.github.com/bookingcom/bpfink/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_coun
t":251196447,"owners_count":21550953,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T10:08:36.933Z","updated_at":"2025-04-27T19:33:07.787Z","avatar_url":"https://github.com/bookingcom.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"bpfink (BPF based FIM solution) [![Build Status](https://github.com/bookingcom/bpfink/workflows/build/badge.svg)](https://github.com/bookingcom/bpfink/actions) [![Go Report Card](https://goreportcard.com/badge/github.com/bookingcom/bpfink)](https://goreportcard.com/report/github.com/bookingcom/bpfink)\n===============================\n\nThis program aims to track selected files in order to detect changes and log the\ndifference between the old and new versions. 
The creation of this program is\nmotivated by the desire to have near-real-time file monitoring on Linux systems.\n\nDocumentation\n-------------\n\nMost of the documentation can be found in the [docs](./docs) directory.\n\nTechnical overview\n------------------\n\n__Main dependencies:__\n- [eBPF](https://github.com/iovisor/gobpf/) to handle kernel write events.\n- [boltdb](https://github.com/etcd-io/bbolt) for state persistence.\n- [graphite](https://graphiteapp.org/) (optional) to track installations and the number of events processed.\n\n\n```text\n                                 +--------------------+\n                                 |                    |\n                                 |    File System     |\n                                 |                    |\n                                 +---------+----------+\n                                           |\n                                           v\n                                    +------+-------+\n                                    |              |\n                                    |     eBPF     |\n                                    |              |\n                                    +------+-------+\n                                           |\n                +------------+-------------+--------------------------+\n                |                          |                          |\n                v                          v                          v\n     +----------+---------+     +----------+---------+     +----------+---------+\n     |                    |     |                    |     |                    |\n     |       Consumer     |     |      Consumer      |     |     Consumer       |\n     |                    |     |                    |     |                    |\n     | /etc/access.conf   |     |   /etc/password    |     |      Generic       |\n     |                    |     |   /etc/shadow      |     |      any file      |\n     |                    |     |   
                 |     |      or dir        |\n     +----------+---------+     +----------+---------+     +----------+---------+\n                |                          |                          |\n                v                          v                          v\n+---------------+-----------+ +------------+--------------+ +---------+------------+\n|                           | |                           | |                      |\n|           parser          | |          parser           | |        parser        |\n|                           | |                           | |                      |\n+--------------+------------+ +--------------+------------+ +--------------+-------+\n               |                             |                             |\n               +-----------------------------+-----------------------------+\n                                             |\n                       +--------------+      |    +---------------------+\n                       |              |      |    |                     |\n                       |    BoltDB    +\u003c-----+---\u003e+        STDOUT       |\n                       |              |           |                     |\n                       +--------------+           +---------------------+\n```\n\nbpfink is a set of consumers connected to a file system watcher. 
We are currently using eBPF to watch vfs_write calls in the kernel.\nWhen an event is fired, the associated consumer is called. We currently have two\ndifferent consumers for four different use cases:\n\n- User consumer: watches the __/passwd__ and __/shadow__ files to detect password changes\n(the password hash is not logged, to avoid offline brute force on leaked logs);\nit also watches user home directories to detect SSH key injection.\n- Access consumer: just watches __/access.conf__\n- Generic consumer: watches any existing or new files/directories under any given parent directory\n- Generic diff consumer: same as the generic consumer, but provides a diff of the content instead of hashes\n\nAll consumers hold their own state to keep track of changes and to diff. If\na difference is spotted, the diff is logged to stdout in JSON format.\nIn parallel, consumers persist their state in a key-value store (currently BoltDB).\n\nCurrent status\n--------------\n\nThis project is actively being developed, and is currently in beta status. It is functional but things\nwill be changing. We will be working on coming up with tasks, so that others can contribute to the project.\n\n\nContributions\n-------------\nWe welcome all contributions, and hope to build a great product with a community of backers. Please read our [Contributions guide](./CONTRIBUTING.md) for expectations when contributing to this repo.\n\n\nACKNOWLEDGMENT\n--------------\n\nThis software was originally developed at [Booking.com](http://www.booking.com).\nWith approval from [Booking.com](http://www.booking.com), this software was released\nas Open Source, for which the authors would like to express their gratitude.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Fbpfink","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbookingcom%2Fbpfink","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbookingcom%2Fbpfink/lists"}