{"id":13840365,"url":"https://github.com/chriskaliX/Hades","last_synced_at":"2025-07-11T07:33:35.458Z","repository":{"id":40565143,"uuid":"304822383","full_name":"chriskaliX/Hades","owner":"chriskaliX","description":"Hades is a Host-Based Intrusion Detection System based on eBPF(mainly)","archived":false,"fork":false,"pushed_at":"2024-10-27T17:31:58.000Z","size":19744,"stargazers_count":282,"open_issues_count":4,"forks_count":51,"subscribers_count":11,"default_branch":"main","last_synced_at":"2024-11-19T19:51:59.238Z","etag":null,"topics":["agent","ebpf","ebpf-programs","ebpf-sec","golang","hids","libbpf","linux","netlink","runtime-security","rust","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chriskaliX.png","metadata":{"files":{"readme":"README-zh_CN.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-10-17T07:28:29.000Z","updated_at":"2024-11-16T21:13:21.000Z","dependencies_parsed_at":"2024-06-19T04:01:22.823Z","dependency_job_id":"d8d02744-06af-4950-bd76-3da4ea89629a","html_url":"https://github.com/chriskaliX/Hades","commit_stats":null,"previous_names":["chriskalix/hids-linux"],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chriskaliX%2FHades","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chriskaliX%2FHades/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chriskaliX%2FHades/releases","manifests_url":"https://repos.ecosyste.m
s/api/v1/hosts/GitHub/repositories/chriskaliX%2FHades/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chriskaliX","download_url":"https://codeload.github.com/chriskaliX/Hades/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705376,"owners_count":17511281,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","ebpf","ebpf-programs","ebpf-sec","golang","hids","libbpf","linux","netlink","runtime-security","rust","security"],"created_at":"2024-08-04T17:00:46.498Z","updated_at":"2024-11-21T09:31:25.452Z","avatar_url":"https://github.com/chriskaliX.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"\u003cdiv align=center\u003e\n\u003cimg width=\"500\" height=\"152.5\" src=\"https://github.com/chriskaliX/Hades/blob/main/imgs/hades-low-resolution-logo-color-on-transparent-background.png\"/\u003e\n\u003c/div\u003e\n\n\u003cdiv align=center\u003e\n\u003cimg src=\"https://github.com/chriskaliX/Hades/actions/workflows/co-re.yaml/badge.svg\"/\u003e\n\u003c/div\u003e\n\n# Hades\n\nHades is an eBPF-based host intrusion detection system; on older kernels it remains compatible by performing event auditing through netlink(cn_proc).\n\nDisclaimer: this project borrows code and ideas from [Tracee](https://github.com/aquasecurity/tracee) and [Elkeid](https://github.com/bytedance/Elkeid).\n\n## Overview\n\n\u003e The backend is under gradual development\n\n\u003cimg src=\"https://github.com/chriskaliX/Hades/blob/main/imgs/hades-overview.png\"/\u003e\n\n\u003cimg src=\"https://github.com/chriskaliX/Hades/blob/main/imgs/hades-hostdetail.png\"/\u003e\n\n## Architecture\n\n\u003e Note: the Agent component is largely a refactoring modeled on Elkeid 1.7\n\n### Agent\n\n![data](https://github.com/chriskaliX/Hades/blob/main/imgs/agent.png)\n\n### Data processing flow\n\n![data](https://github.com/chriskaliX/Hades/blob/main/imgs/data_analyze.png)\n\n## Plugin list\n\n- [EDriver](https://github.com/chriskaliX/Hades/tree/main/plugins/edriver)\n- [Collector](https://github.com/chriskaliX/Hades/tree/main/plugins/collector)\n- [Eguard](https://github.com/chriskaliX/Hades/tree/main/plugins/eguard)\n- [NCP](https://github.com/chriskaliX/Hades/tree/main/plugins/ncp)\n- Scanner\n- Logger\n\n## Collection capabilities\n\n---\n\n### EDriver\n\n\u003e Supports `21` hooks, covering most security auditing and detection needs; the collected fields are essentially the same as Elkeid's\n\nSee [Hook](https://github.com/chriskaliX/Hades/tree/main/plugins/edriver) for details\n\n\u003cdetails\u003e\u003csummary\u003e eBPF driver plugin hook event details \u003c/summary\u003e\n\u003cp\u003e\n\n| Hook                                       | Status \u0026 Description                  | ID   |\n| :----------------------------------------- | :------------------------------------ | :--- |\n| tracepoint/syscalls/sys_enter_execve       | ON                                    | 700  |\n| tracepoint/syscalls/sys_enter_execveat     | ON                                    | 698  |\n| tracepoint/syscalls/sys_enter_memfd_create | ON                                    | 614  |\n| tracepoint/syscalls/sys_enter_prctl        | ON(PR_SET_NAME \u0026 PR_SET_MM)           | 1020 |\n| tracepoint/syscalls/sys_enter_ptrace       | ON(PTRACE_PEEKTEXT \u0026 PTRACE_POKEDATA) | 1021 |\n| kprobe/security_socket_connect             | ON                                    | 1022 |\n| kprobe/security_socket_bind                | ON                                    | 1024 |\n| kprobe/commit_creds                        | ON                                    | 1011 |\n| k(ret)probe/udp_recvmsg                    | ON(53/5353 for dns data)              | 1025 |\n| kprobe/do_init_module                      | ON                                    | 1026 |\n| kprobe/security_kernel_read_file           | ON                                    | 1027 |\n| kprobe/security_inode_create               | ON                                    | 1028 |\n| kprobe/security_sb_mount                   | ON                                    | 1029 |\n| kprobe/call_usermodehelper                 | ON                                    | 1030 |\n| kprobe/security_inode_rename               | ON                                    | 1031 |\n| kprobe/security_inode_link                 | ON                                    | 1032 |\n| uprobe/trigger_sct_scan                    | ON                                    | 1200 |\n| uprobe/trigger_idt_scan                    | ON                                    | 1201 |\n| kprobe/security_file_permission            | ON                                    | 1202 |\n| uprobe/trigger_module_scan                 | ON                                    | 1203 |\n| kprobe/security_bpf                        | ON                                    | 1204 |\n\n\u003c/p\u003e\u003c/details\u003e\n\n---\n\n### Collector\n\n\u003e S stands for asynchronous collection, P for periodic collection, C for triggered collection\n\n\u003cdetails\u003e\u003csummary\u003e collector plugin hook details \u003c/summary\u003e\n\u003cp\u003e\n\n|   Event   | Type |  ID  |\n| :-------: | :--: |  :-: |\n| processes |  P   | 1001 |\n|  crontab  |  P   | 2001 |\n|sshdconfig |  P   | 3002 |\n| ssh login |  S   | 3003 |\n|   user    |  P   | 3004 |\n| sshconfig |  P   | 3005 |\n|    yum    |  P   | 3006 |\n|host detect|  C   | 3007 |\n|    apps   |  P   | 3008 |\n|    kmod   |  P   | 3009 |\n|    disk   |  P   | 3010 |\n|  systemd  |  P   | 3011 |\n| interface |  P   | 3012 |\n|  iptable  |  P   | 3013 |\n|bpf_program|  P   | 3014 |\n|    jar    |  P   | 3015 |\n|   dpkg    |  P   | 3016 |\n|    rpm    |  P   | 3017 |\n| container |  P   | 3018 |\n|  socket   |  P   | 5001 |\n\n\u003c/p\u003e\u003c/details\u003e\n\n### NCP\n\n---\n\n\u003e Netlink CN_PROC event collection\n\n___\n\n## Contact \u0026 Discussion\n\nSend `Hades` to receive the QR code for the discussion group\n\n\u003cimg src=\"https://github.com/chriskaliX/Hades/blob/main/imgs/weixin.png\" width=\"50%\" style=\"float:left;\"/\u003e\n\n## 404 StarLink Project\n\n\u003cimg src=\"https://github.com/knownsec/404StarLink-Project/raw/master/logo.png\" width=\"30%\"\u003e\n\nHades has joined the [404 StarLink Project](https://github.com/knownsec/404StarLink)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FchriskaliX%2FHades","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FchriskaliX%2FHades","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FchriskaliX%2FHades/lists"}