Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/anfedotoff/ima-ebpfgo-example
https://github.com/anfedotoff/ima-ebpfgo-example
Last synced: about 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/anfedotoff/ima-ebpfgo-example
- Owner: anfedotoff
- Created: 2024-04-19T10:08:46.000Z (9 months ago)
- Default Branch: master
- Last Pushed: 2024-04-19T10:09:47.000Z (9 months ago)
- Last Synced: 2024-04-19T11:27:49.941Z (9 months ago)
- Language: Go
- Size: 1.95 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# FIM example based on IMA and LSM BPF
This example shows how to collect IMA-measured hashes of executed binaries and
opened files with LSM BPF hooks.
## Quick start
Enable IMA and LSM:
Add `rootflags=i_version lsm=integrity,bpf ima_policy=tcb` to
`GRUB_CMDLINE_LINUX` in `/etc/default/grub`. Update grub and reboot.
Install ebpf-go [dependencies](https://ebpf-go.dev/guides/getting-started/#ebpf-c-program)
```
go mod init ima-test && go mod tidy
go get github.com/cilium/ebpf/cmd/bpf2go
```
Get vmlinux.h:
```
bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
```
Run go generate and build:
```
go generate && go build
```
Run example:
```
sudo ./ima-test
```