https://github.com/aessecurity/oburix
eBPF-based runtime agent for Endpoint Detection and Response for Linux-based operating systems.
agent cybersecurity ebpf edr linux runtime-security xdr
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/aessecurity/oburix
- Owner: aessecurity
- License: mit
- Created: 2025-06-27T13:59:21.000Z (7 months ago)
- Default Branch: main
- Last Pushed: 2025-08-19T12:05:09.000Z (5 months ago)
- Last Synced: 2025-08-29T21:42:07.201Z (4 months ago)
- Topics: agent, cybersecurity, ebpf, edr, linux, runtime-security, xdr
- Language: C
- Homepage:
- Size: 608 KB
- Stars: 2
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Oburix
**Oburix** is an eBPF-based runtime agent for Endpoint Detection and Response (EDR). It targets Linux systems and continues to rely on eBPF for lightweight, kernel-observed telemetry collection.
Repository and organization:
- Organization: https://github.com/aessecurity
- Repository: https://github.com/aessecurity/oburix
## ✨ Features
- 🐧 Linux support via native eBPF programs
- 📡 Real-time process, file, and network activity monitoring
- 🚨 Rule-based detection engine (YAML rules in `rules/`)
- 🔥 Lightweight, low-overhead architecture
- 📦 Integrates easily into SIEM/XDR pipelines
## Important changes
- The project no longer uses Rust. Any previous Rust components were removed.
- A new KernelScript format is used for certain automation/config tasks: files with the `.ks` extension ("KernelScript"). See the repository for examples and current usage.
- Development step-by-step instructions have been removed from this README. For low-level artifacts and build files, inspect the `runtime/` directory (for example `runtime/CMakeLists.txt`).
> Note: Oburix remains eBPF-based; the change is internal (tooling and scripting), not the telemetry backend.
## 📦 Build / Runtime
Low-level build artifacts and native components are located under `runtime/`. This repository no longer keeps full step-by-step development instructions in the top-level README; consult the corresponding subdirectory READMEs or CMake files for details.
## 🧠 How It Works
Oburix uses eBPF to observe system-level events without intrusive kernel modules. It runs in userspace and collects telemetry from:
- Process execution
- Network connections
- File system activity
- Custom rules and detection logic (YAML rules in `rules/`)
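To make the rule-based matching described above concrete, here is an added example (written for this page, not Oburix's own engine or rule schema) of a userspace rule evaluator run over constructed telemetry records. The event fields (`event_type`, `comm`, `args`, `path`, `daddr`, `dport`) and the rule keys (`id`, `event_type`, `where`, `severity`) are assumptions; the rules are written as Python dicts standing in for the YAML documents in `rules/`, whose real format the page does not show.

```python
"""Minimal rule-based matcher over constructed eBPF-style telemetry events.

Added example, not Oburix project code. The event schema and the rule keys
used here are hypothetical; they only illustrate how a userspace EDR agent
can evaluate declarative rules against process, file and network events.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed sample telemetry, shaped like records a userspace collector
# might decode from an eBPF ring buffer (hypothetical schema).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event_type": "process_exec", "pid": 4120, "ppid": 1, "uid": 1000,
     "comm": "bash", "filename": "/bin/bash", "args": ["bash", "-c", "id"]},
    {"event_type": "process_exec", "pid": 4121, "ppid": 4120, "uid": 1000,
     "comm": "curl", "filename": "/usr/bin/curl",
     "args": ["curl", "http://203.0.113.10/payload.sh"]},
    {"event_type": "file_open", "pid": 4121, "uid": 1000,
     "path": "/etc/shadow", "flags": "O_RDONLY"},
    {"event_type": "net_connect", "pid": 4121, "uid": 1000,
     "daddr": "203.0.113.10", "dport": 4444, "proto": "tcp"},
    {"event_type": "file_open", "pid": 900, "uid": 0,
     "path": "/var/log/syslog", "flags": "O_WRONLY|O_APPEND"},
]

# Constructed rules as dicts mirroring a YAML document (hypothetical keys).
# Every condition in "where" must hold for the rule to fire.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"id": "shadow-read-nonroot", "event_type": "file_open", "severity": "high",
     "where": [{"field": "path", "op": "eq", "value": "/etc/shadow"},
               {"field": "uid", "op": "ne", "value": 0}]},
    {"id": "curl-remote-script", "event_type": "process_exec", "severity": "medium",
     "where": [{"field": "comm", "op": "in", "value": ["curl", "wget"]},
               {"field": "args", "op": "contains", "value": "http://"}]},
    {"id": "connect-uncommon-port", "event_type": "net_connect", "severity": "medium",
     "where": [{"field": "dport", "op": "in", "value": [4444, 1337]}]},
]

# Supported comparison operators. "contains" works on strings and on lists
# (argv-style fields), matching if any element contains the substring.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, expected: actual == expected,
    "ne": lambda actual, expected: actual != expected,
    "in": lambda actual, expected: actual in expected,
    "contains": lambda actual, expected: (
        any(expected in str(x) for x in actual) if isinstance(actual, list)
        else expected in str(actual)),
}


@dataclass
class Alert:
    rule_id: str
    severity: str
    pid: int
    event: Dict[str, Any]


def condition_holds(event: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one condition; a field absent from the event never matches."""
    if cond["field"] not in event:
        return False
    op = OPS.get(cond["op"])
    if op is None:
        raise ValueError(f"unknown operator {cond['op']!r} in rule condition")
    return op(event[cond["field"]], cond["value"])


def rule_matches(event: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    """A rule fires only for its own event type and when all conditions hold."""
    if event.get("event_type") != rule["event_type"]:
        return False
    return all(condition_holds(event, c) for c in rule.get("where", []))


def evaluate(events: List[Dict[str, Any]], rules: List[Dict[str, Any]]) -> List[Alert]:
    """Run every rule over every event, in event order, and collect alerts."""
    return [Alert(r["id"], r["severity"], e["pid"], e)
            for e in events for r in rules if rule_matches(e, r)]


def alert_ids(events=SAMPLE_EVENTS, rules=SAMPLE_RULES) -> List[str]:
    """Rule ids that fired, in the order the matching events were seen."""
    return [a.rule_id for a in evaluate(events, rules)]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, SAMPLE_RULES):
        print(f"[{alert.severity}] {alert.rule_id} pid={alert.pid}")
```

Two design points worth noting: a condition on a field the event does not carry evaluates to false rather than to a null comparison, so a rule written for one event type cannot accidentally fire on another, and an unknown operator raises at evaluation time instead of being silently skipped, which keeps a typo in a rule from turning into a detection gap.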
## 🚧 Status
Oburix is in active development. Use with caution and feel free to provide feedback or contributions.
## 🤝 Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss your design.
If you contribute KernelScript files (`*.ks`), document their intended runtime location and interpreter in your PR.
## 📣 Contact
Start a discussion or open an issue on the GitHub repository: https://github.com/aessecurity/oburix
## 📄 License
Licensed under the **MIT License**. See the [LICENSE](./LICENSE) file for details.