{"id":18131669,"url":"https://github.com/mrtc0/cxray","last_synced_at":"2026-03-08T00:32:32.740Z","repository":{"id":54808643,"uuid":"229852670","full_name":"mrtc0/cxray","owner":"mrtc0","description":"Tracing security events in container with BPF","archived":false,"fork":false,"pushed_at":"2023-12-15T02:21:12.000Z","size":71,"stargazers_count":15,"open_issues_count":1,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-09-12T01:34:40.898Z","etag":null,"topics":["bcc","bpf","container","devsecops","ebpf","security","trace"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mrtc0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-24T02:06:43.000Z","updated_at":"2022-11-20T08:07:24.000Z","dependencies_parsed_at":"2024-06-19T02:58:19.870Z","dependency_job_id":null,"html_url":"https://github.com/mrtc0/cxray","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/mrtc0/cxray","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fcxray","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fcxray/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fcxray/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fcxray/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mrtc0","download_url":"https://codeload.github.com/mrtc0/cxray
/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mrtc0%2Fcxray/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30238880,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-08T00:30:53.000Z","status":"ssl_error","status_checked_at":"2026-03-08T00:30:44.061Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bcc","bpf","container","devsecops","ebpf","security","trace"],"created_at":"2024-11-01T12:08:35.415Z","updated_at":"2026-03-08T00:32:32.721Z","avatar_url":"https://github.com/mrtc0.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cxray\n\n[![Build Status](https://mrtc0.semaphoreci.com/badges/cxray/branches/master.svg)](https://semaphoreci.com/mrtc0/cxray)\n\ncxray is a tool for profiling security events in containers.  \nIt can create a white list of events (running processes, opened files and binaries, destination HTTP requests) in a container, which is useful for creating rules for other tools (e.g. falco).\n\n# Background\n\nContainer security tools should be able to automatically profile containerized apps using behavioral learning and build.  
\nAccording to [NIST.SP.800-190](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf), the following events should be monitored:\n\n * Invalid or unexpected process execution,\n * Invalid or unexpected system calls,\n * Changes to protected configuration files and binaries,\n * Writes to unexpected locations and file types,\n * Creation of unexpected network listeners,\n * Traffic sent to unexpected network destinations, and\n * Malware storage or execution.\n\ncxray can profile these events. Run it in a test environment to record the events in the container; the recorded events can then be used for monitoring rules.  \n\n# Install\n\nDownload the binary from the [releases page](https://github.com/mrtc0/cxray/releases).  \n\n# Example\n\n```shell\n$ sudo ./cxray \u003e log.json\n\n$ docker run --rm -it alpine:latest sh\n/ # id\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)\n/ # uname -a\nLinux 5af89d05295b 5.0.0-37-generic #40~18.04.1-Ubuntu SMP Thu Nov 14 12:06:39 UTC 2019 x86_64 Linux\n/ # cat /etc/passwd\nroot:x:0:0:root:/root:/bin/ash\n...\n/ # curl https://example.com/\n...\n\n$ cat 
log.json\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"execve\",\"data\":{\"argv\":\"\",\"comm\":\"\",\"pid\":\"12555\",\"ret\":\"0\",\"uid\":\"0\",\"user\":\"root\"}}},\"level\":\"info\",\"msg\":\"execve\",\"time\":\"2019-12-24T12:45:36Z\"}\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"execve\",\"data\":{\"argv\":\"\",\"comm\":\"/usr/bin/id\",\"pid\":\"12605\",\"ret\":\"0\",\"uid\":\"0\",\"user\":\"root\"}}},\"level\":\"info\",\"msg\":\"execve\",\"time\":\"2019-12-24T12:45:37Z\"}\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"execve\",\"data\":{\"argv\":\"-a\",\"comm\":\"/bin/uname\",\"pid\":\"12608\",\"ret\":\"0\",\"uid\":\"0\",\"user\":\"root\"}}},\"level\":\"info\",\"msg\":\"execve\",\"time\":\"2019-12-24T12:45:39Z\"}\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"execve\",\"data\":{\"argv\":\"/etc/passwd\",\"comm\":\"/bin/cat\",\"pid\":\"12609\",\"ret\":\"0\",\"uid\":\"0\",\"user\":\"root\"}}},\"level\":\"info\",\"msg\":\"execve\",\"time\":\"2019-12-24T12:45:41Z\"}\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"open\",\"data\":{\"comm\":\"cat\",\"fname\":\"/etc/passwd\",\"pid\":\"14134\",\"ret\":\"3\",\"uid\":\"0\"}}},\"level\":\"info\",\"msg\":\"open\",\"time\":\"2019-12-25T02:02:27Z\"}\n{\"data\":{\"container_id\":\"5af89d052\",\"event\":{\"name\":\"tcp_v4_connect\",\"data\":{\"comm\":\"curl\",\"daddr\":\"93.184.216.34\",\"dport\":\"443\",\"pid\":\"17408\",\"ret\":\"0\",\"saddr\":\"172.17.0.2\",\"uid\":\"0\"}}},\"level\":\"info\",\"msg\":\"tcp_v4_connect\",\"time\":\"2019-12-25T16:12:01Z\"}\n```\n\n## Executing Processes (execve)\n\n```json\n{\n  \"data\": {\n    \"container_id\": \"b85bd4425\",\n    \"event\": {\n      \"name\": \"execve\",\n      \"data\": {\n        \"argv\": \"-a\",\n        \"comm\": \"/bin/uname\",\n        \"pid\": \"1714\",\n        \"ret\": \"0\",\n        \"uid\": \"0\",\n        \"user\": \"root\"\n      }\n    }\n  },\n  \"level\": 
\"info\",\n  \"msg\": \"execve\",\n  \"time\": \"2020-01-04T15:40:12Z\"\n}\n```\n\n## Opening File and Binaries (open)\n\n```json\n{\n  \"data\": {\n    \"container_id\": \"b85bd4425\",\n    \"event\": {\n      \"name\": \"open\",\n      \"data\": {\n        \"comm\": \"cat\",\n        \"fname\": \"/etc/shadow\",\n        \"pid\": \"1715\",\n        \"ret\": \"3\",\n        \"uid\": \"0\"\n      }\n    }\n  },\n  \"level\": \"info\",\n  \"msg\": \"open\",\n  \"time\": \"2020-01-04T15:41:20Z\"\n}\n```\n\n## HTTP Connection (tcp_v4_connect)\n\n```json\n{\n  \"data\": {\n    \"container_id\": \"b85bd4425\",\n    \"event\": {\n      \"name\": \"tcp_v4_connect\",\n      \"data\": {\n        \"comm\": \"wget\",\n        \"daddr\": \"93.184.216.34\",\n        \"dport\": \"443\",\n        \"pid\": \"1716\",\n        \"ret\": \"0\",\n        \"saddr\": \"172.17.0.2\",\n        \"uid\": \"0\"\n      }\n    }\n  },\n  \"level\": \"info\",\n  \"msg\": \"tcp_v4_connect\",\n  \"time\": \"2020-01-04T15:42:04Z\"\n}\n```\n\n## Network Listeners (inet_listen)\n\n```json\n{\n  \"data\": {\n    \"container_id\": \"\",\n    \"event\": {\n      \"name\": \"inet_listen\",\n      \"data\": {\n        \"comm\": \"nc\",\n        \"listen_addr\": \"0.0.0.0\",\n        \"listen_port\": \"12345\",\n        \"pid\": \"1723\",\n        \"protocol\": \"tcp\",\n        \"uid\": \"0\"\n      }\n    }\n  },\n  \"level\": \"info\",\n  \"msg\": \"inet_listen\",\n  \"time\": \"2020-01-04T15:42:43Z\"\n}\n```\n\n# Support Events\n\n * [x] Process Execution\n * [x] Access to files and binaries\n * [x] Creation of network listeners\n * [x] Traffic sent to network destinations\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrtc0%2Fcxray","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmrtc0%2Fcxray","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmrtc0%2Fcxray/lists"}