{"id":25593950,"url":"https://github.com/ifoxhz/sshdog","last_synced_at":"2026-05-18T03:02:47.203Z","repository":{"id":278692694,"uuid":"936461799","full_name":"ifoxhz/sshdog","owner":"ifoxhz","description":"Uses eBPF to build monitoring of SSH logins and operations, mainly for Linux edge-computing platforms, since edge nodes constantly face security threats","archived":false,"fork":false,"pushed_at":"2025-05-30T21:56:54.000Z","size":13614,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-22T19:47:29.919Z","etag":null,"topics":["ebpf","elk","monitor","sshd"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ifoxhz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-02-21T06:02:52.000Z","updated_at":"2025-07-11T02:48:31.000Z","dependencies_parsed_at":"2025-02-21T07:33:25.614Z","dependency_job_id":null,"html_url":"https://github.com/ifoxhz/sshdog","commit_stats":null,"previous_names":["ifoxhz/sshdog"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ifoxhz/sshdog","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ifoxhz%2Fsshdog","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ifoxhz%2Fsshdog/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ifoxhz%2Fsshdog/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ifoxhz%2Fsshdog/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ifoxhz","download_url":"https://codeload.git
hub.com/ifoxhz/sshdog/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ifoxhz%2Fsshdog/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279006749,"owners_count":26084180,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-11T02:00:06.511Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","elk","monitor","sshd"],"created_at":"2025-02-21T10:22:29.646Z","updated_at":"2025-10-11T09:35:03.336Z","avatar_url":"https://github.com/ifoxhz.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# libbpf-bootstrap: using this framework to develop an SSH monitoring module for security monitoring of edge computing platforms; it records SSH logins and operations and uploads the logs to an ELK system for search and analysis\n\n[![Github Actions](https://github.com/libbpf/libbpf-bootstrap/actions/workflows/build.yml/badge.svg)](https://github.com/libbpf/libbpf-bootstrap/actions/workflows/build.yml)\n[![Github Actions](https://github.com/libbpf/libbpf-bootstrap/actions/workflows/build-android.yml/badge.svg)](https://github.com/libbpf/libbpf-bootstrap/actions/workflows/build-android.yml)\n\n## bootstrap\n\n`bootstrap` is an example of a simple (but realistic) BPF application. It\ntracks process starts (`exec()` family of syscalls, to be precise) and exits\nand emits data about filename, PID and parent PID, as well as exit status and\nduration of the process life. 
With `-d \u003cmin-duration-ms\u003e` you can specify the\nminimum duration of a process to log. In this mode, process start\n(technically, `exec()`) events are not output (see the example output below).\n\n`bootstrap` was created in a similar spirit to\n[libbpf-tools](https://github.com/iovisor/bcc/tree/master/libbpf-tools) from the\nBCC package, but is designed to be more stand-alone and to have a simpler Makefile,\nso that it is easier to adapt to a user's particular needs. It demonstrates the use of\ntypical BPF features:\n  - cooperating BPF programs (tracepoint handlers for process `exec` and `exit`\n    events, in this particular case);\n  - a BPF map for maintaining state;\n  - a BPF ring buffer for sending data to user space;\n  - global variables for parameterizing application behavior;\n  - BPF CO-RE and vmlinux.h for reading extra process information from the\n    kernel's `struct task_struct`.\n\n`bootstrap` is intended to be the starting point for your own BPF application,\nwith things like BPF CO-RE and vmlinux.h, consuming BPF ring buffer data,\ncommand-line argument parsing, graceful Ctrl-C handling, etc. all taken care\nof for you: crucial but mundane tasks that are no fun, yet necessary\nto be able to do anything useful. 
Just copy/paste and do simple renaming to get\nyourself started.\n\nHere's an example output in minimum process duration mode:\n\n```shell\n$ sudo ./bootstrap -d 50\nTIME     EVENT COMM             PID     PPID    FILENAME/EXIT CODE\n19:18:32 EXIT  timeout          3817109 402466  [0] (126ms)\n19:18:32 EXIT  sudo             3817117 3817111 [0] (259ms)\n19:18:32 EXIT  timeout          3817110 402466  [0] (264ms)\n19:18:33 EXIT  python3.7        3817083 1       [0] (1026ms)\n19:18:38 EXIT  python3          3817429 3817424 [1] (60ms)\n19:18:38 EXIT  sh               3817424 3817420 [0] (79ms)\n19:18:38 EXIT  timeout          3817420 402466  [0] (80ms)\n19:18:43 EXIT  timeout          3817610 402466  [0] (70ms)\n19:18:43 EXIT  grep             3817619 3817617 [1] (271ms)\n19:18:43 EXIT  timeout          3817609 402466  [0] (321ms)\n19:18:44 EXIT  iostat           3817585 3817531 [0] (3006ms)\n19:18:44 EXIT  tee              3817587 3817531 [0] (3005ms)\n...\n```\n\n```shell\n$ sudo cat /sys/kernel/debug/tracing/trace_pipe\n           \u003c...\u003e-823887  [000] d.s1 602386.079100: bpf_trace_printk: packet size: 75\n           \u003c...\u003e-823887  [000] d.s1 602386.079141: bpf_trace_printk: packet size: 66\n           \u003c...\u003e-2813507 [000] d.s1 602386.696702: bpf_trace_printk: packet size: 77\n           \u003c...\u003e-2813507 [000] d.s1 602386.696735: bpf_trace_printk: packet size: 66\n```\n\n\n## lsm\n`lsm` serves as an illustrative example of utilizing [LSM BPF](https://docs.kernel.org/bpf/prog_lsm.html). In this example, the `bpf()` system call is effectively blocked. Once the `lsm` program is operational, its successful execution can be confirmed by using the `bpftool prog list` command.\n\n```shell\n$ sudo ./lsm\nlibbpf: loading object 'lsm_bpf' from buffer\n...\nSuccessfully started! 
Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` to see output of the BPF programs.\n..........\n```\n\nThe output from `lsm` in `/sys/kernel/debug/tracing/trace_pipe` is expected to resemble the following:\n\n# Building\n\nlibbpf-bootstrap supports multiple build systems that do the same thing.\nThis serves as a cross reference for folks coming from different backgrounds.\n\n## Install Dependencies\n\nYou will need `clang` (at least v11 or later), `libelf` and `zlib` to build\nthe examples; package names may vary across distros.\n\nOn Ubuntu/Debian, you need:\n```shell\n$ apt install clang libelf1 libelf-dev zlib1g-dev\n```\n\nOn CentOS/Fedora, you need:\n```shell\n$ dnf install clang elfutils-libelf elfutils-libelf-devel zlib-devel\n```\n\n## Getting the source code\n\nDownload the git repository and check out submodules:\n```shell\n$ git clone --recurse-submodules https://github.com/libbpf/libbpf-bootstrap\n```\n\n## C Examples\n\nMakefile build:\n\n```shell\n$ git submodule update --init --recursive       # check out libbpf\n$ cd examples/c\n$ make\n$ sudo ./bootstrap\nTIME     EVENT COMM             PID     PPID    FILENAME/EXIT CODE\n00:21:22 EXIT  python3.8        4032353 4032352 [0] (123ms)\n00:21:22 EXEC  mkdir            4032379 4032337 /usr/bin/mkdir\n00:21:22 EXIT  mkdir            4032379 4032337 [0] (1ms)\n00:21:22 EXEC  basename         4032382 4032381 /usr/bin/basename\n00:21:22 EXIT  basename         4032382 4032381 [0] (0ms)\n00:21:22 EXEC  sh               4032381 4032380 /bin/sh\n00:21:22 EXEC  dirname          4032384 4032381 /usr/bin/dirname\n00:21:22 EXIT  dirname          4032384 4032381 [0] (1ms)\n00:21:22 EXEC  readlink         4032387 4032386 /usr/bin/readlink\n^C\n```\n\nCMake build:\n\n```shell\n$ git submodule update --init --recursive       # check out libbpf\n$ mkdir build \u0026\u0026 cd build\n$ cmake ../examples/c\n$ make\n$ sudo ./bootstrap\n\u003c...\u003e\n```\n\n\n# Troubleshooting\n\nLibbpf debug logs are quite 
helpful to pinpoint the exact source of problems,\nso it's usually a good idea to look at them before starting to debug or\nposting questions online.\n\n`./minimal` always runs with libbpf debug logs turned on.\n\nFor `./bootstrap`, run it in verbose mode (`-v`) to see libbpf debug logs:\n\n```shell\n$ sudo ./bootstrap -v\nlibbpf: loading object 'bootstrap_bpf' from buffer\nlibbpf: elf: section(2) tp/sched/sched_process_exec, size 384, link 0, flags 6, type=1\nlibbpf: sec 'tp/sched/sched_process_exec': found program 'handle_exec' at insn offset 0 (0 bytes), code size 48 insns (384 bytes)\nlibbpf: elf: section(3) tp/sched/sched_process_exit, size 432, link 0, flags 6, type=1\nlibbpf: sec 'tp/sched/sched_process_exit': found program 'handle_exit' at insn offset 0 (0 bytes), code size 54 insns (432 bytes)\nlibbpf: elf: section(4) license, size 13, link 0, flags 3, type=1\nlibbpf: license of bootstrap_bpf is Dual BSD/GPL\n...\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fifoxhz%2Fsshdog","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fifoxhz%2Fsshdog","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fifoxhz%2Fsshdog/lists"}