{"id":15152213,"url":"https://github.com/elastic/ebpf","last_synced_at":"2025-08-19T19:10:16.849Z","repository":{"id":37050438,"uuid":"343913260","full_name":"elastic/ebpf","owner":"elastic","description":"Elastic's eBPF","archived":false,"fork":false,"pushed_at":"2025-03-27T08:35:41.000Z","size":17328,"stargazers_count":68,"open_issues_count":16,"forks_count":11,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-03-30T22:13:50.757Z","etag":null,"topics":["ebpf","security"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/elastic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-03-02T21:09:30.000Z","updated_at":"2025-02-11T06:23:49.000Z","dependencies_parsed_at":"2023-10-01T19:40:08.062Z","dependency_job_id":"f1cd0a01-507a-45e6-918f-6126c9f9fce7","html_url":"https://github.com/elastic/ebpf","commit_stats":{"total_commits":480,"total_committers":22,"mean_commits":"21.818181818181817","dds":0.7291666666666667,"last_synced_commit":"99cc9dfa7e8f1ba1cc4c0088bf025c2f168fd6e7"},"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Febpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Febpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Febpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/elastic%2Febpf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/elastic","download_url":"https://codeload.github.com/elastic/ebpf/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247608151,"owners_count":20965952,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","security"],"created_at":"2024-09-26T16:00:43.004Z","updated_at":"2025-04-07T07:10:11.459Z","avatar_url":"https://github.com/elastic.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg alt=\"elastic-loves-ebpf\" src=\"https://user-images.githubusercontent.com/8242268/184464400-f485dfab-c4c1-49d2-850e-d419256bdecc.png\"\u003e\n\n[![CI](https://github.com/elastic/ebpf/actions/workflows/ci.yml/badge.svg)](https://github.com/elastic/ebpf/actions/workflows/ci.yml)\n\nThis repository contains eBPF code as well as associated userspace tools and\ncomponents used in the Linux build of [Elastic Endpoint\nSecurity](https://www.elastic.co/security/endpoint-security).\n\nElastic Endpoint on Linux currently leverages eBPF for two use-cases: host\nisolation and event sourcing, with all code pertaining to the two being hosted\nhere. At a high level, this repository is divided up on licensing grounds. eBPF\ncode, which must be GPL-licensed for the kernel to accept and load it, is\nlocated under the `GPL/` directory while all non-GPL code is located under the\n`non-GPL` directory.\n\n## Event Sourcing\n\nOn newer kernels (5.10.16+), Elastic endpoint uses eBPF to source the various\nsecurity events it ultimately sends up to an Elasticsearch cluster (e.g.\nprocess execution, file creation, file rename). On older kernels, this data is\nsourced via\n[tracefs](https://www.kernel.org/doc/Documentation/trace/ftrace.txt) instead.\n\nEvent sourcing eBPF code is found under `GPL/Events` and associated userspace\ntools can be found under `non-GPL/Events`. See [docs/events.md](docs/events.md)\nfor detailed information on the event sourcing code.\n\n## Host Isolation\n\n[Host\nisolation](https://www.elastic.co/guide/en/security/current/host-isolation-api.html)\nis essentially an incredibly strict firewall that allows only Elastic Endpoint\nto communicate with the outside world. It can be manually enabled in Kibana and\nis meant to be used in cases where a host is known or suspected to be compromised,\nallowing security teams more time to locate the threat at hand.\n\nHost isolation eBPF code is found under `GPL/HostIsolation` and associated userspace\ntools can be found under `non-GPL/HostIsolation`. See\n[docs/hostisolation.md](docs/hostisolation.md) for detailed information on the\nhost isolation code.\n\n## Building\n\nTo build all artifacts in the repository, run:\n\n```\nmake build ARCH=\u003carch\u003e\n```\n\nWhere `arch` is one of `x86_64` or `aarch64`. The build is run in a docker\ncontainer with all required dependencies bundled inside.\n\n## Repository Layout\n\n```\n.\n|-- GPL                              # Dual BSD/GPLv2-licensed sources (mainly eBPF code)\n|   |-- Events                       # Event sourcing eBPF code\n|   |   |-- File                     # Code to source file events\n|   |   |-- Network                  # eBPF code to source network events\n|   |   `-- Process                  # eBPF code to source process events\n|   `-- HostIsolation                # Host isolation eBPF code and tests\n|       |-- KprobeConnectHook\n|       `-- TcFilter\n|-- cmake\n|   `-- modules                      # CMake modules to build third party dependencies\n|-- contrib                          # Third party dependency sources\n|   |-- elftoolchain\n|   |-- googletest\n|   |-- kernel_hdrs                  # Kernel headers used in HostIsolation eBPF code (copied from kernel)\n|   |-- libbpf\n|   `-- vmlinux                      # bpftool-generated vmlinux.h (see contrib/vmlinux/README.md)\n|       |-- aarch64\n|       `-- x86_64\n|-- docker                           # Dockerfiles used to build/test\n|-- licenses                         # Licenses used in the codebase\n|-- non-GPL                          # Elastic-2.0 licensed code (userspace tools and libraries)\n|   |-- Events                       # Userspace tools and libraries related to event sourcing\n|   |   |-- EventsTrace              # Simple command-line utility to load and use event probes\n|   |   |-- Lib                      # Userspace library to load and use event probes used by EventsTrace\n|   `-- HostIsolation                # Userspace tools and libraries related to host isolation\n|       |-- Demos                    # Demo binaries for the various, granular parts of host isolation\n|       `-- Lib                      # Userspace library that allows for use of host isolation functionality\n`-- testing                          # Infrastructure to test eBPF code on many kernels (see testing/README.md)\n```\n\n## Testing\n\nThis repository contains infrastructure to test our eBPF code against a wide\narray of kernels. See [testing/README.md](testing/README.md) for more\ninformation. For more details on kernels that are excluded from testing, see [EXCLUSIONS.md](EXCLUSIONS.md).\n\n## Licensing\n\nVarious licenses are used in this repository, see the [LICENSE.txt](LICENSE.txt) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Febpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felastic%2Febpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felastic%2Febpf/lists"}