Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/foniod/foniod
Data first monitoring agent using (e)BPF, built on RedBPF
https://github.com/foniod/foniod
agent ebpf monitoring rust statsd-client
Last synced: 2 months ago
JSON representation
Data first monitoring agent using (e)BPF, built on RedBPF
- Host: GitHub
- URL: https://github.com/foniod/foniod
- Owner: foniod
- License: gpl-3.0
- Archived: true
- Created: 2018-04-18T09:08:30.000Z (over 6 years ago)
- Default Branch: main
- Last Pushed: 2023-04-13T17:13:28.000Z (over 1 year ago)
- Last Synced: 2024-09-25T21:59:52.150Z (3 months ago)
- Topics: agent, ebpf, monitoring, rust, statsd-client
- Language: Rust
- Homepage:
- Size: 3.39 MB
- Stars: 412
- Watchers: 19
- Forks: 33
- Open Issues: 17
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-observability - ingraind - Security monitoring agent built around RedBPF for complex containerized environments and endpoints. (3. Collect / Metrics)
- awesome-rust-security - foniod - Data first monitoring agent using (e)BPF, built on RedBPF (Threat Detection and Forensics / Packing, Obfuscation, Encryption, Anti-analysis)
- awesome-hacking-lists - foniod/foniod - Data first monitoring agent using (e)BPF, built on RedBPF (Rust)
README
ingraind
Data-first Monitoring
ingraind is a security monitoring agent built around [RedBPF](https://github.com/redsift/redbpf)
for complex containerized environments and endpoints. The ingraind agent uses eBPF
probes to provide safe and performant instrumentation for any Linux-based environment.InGrain provides oversight of assets and risks:
* Your customer data - an employee copying your customer database to their
personal cloud store.
* Your infrastructure - an attacker executing a zero day attack to gain access
to your web servers.
* Your resources - malware using your users machines compute resources to mine
cryptocurrency.This is what `curl https://redsift.com` looks like if seen through ingraind:
![ingrain listening to DNS & TLS](./screencast.gif)
## Requirements
* LLVM/Clang version 9 or newer
* Rust toolchain [rustup.rs](https://rustup.rs)
* Linux 4.15 kernel or newer including kernel headers
* capnproto## Compile
The usual Rust compilation ritual will produce a binary in `target/release`:
$ cargo build --release
or for a kernel version other than the running one:
$ export KERNEL_VERSION=1.2.3
$ cargo build --releaseor with a custom kernel tree path (needs to include generated files):
$ export KERNEL_SOURCE=/build/linux
$ cargo build --release
We keep `ingraind` compatible with the `musl` target on `x86_64`,
which you can build like so:$ cargo build --release --target=x86_64-unknown-linux-musl
## Build a docker image
To build a Docker image, use the instructions above to build an
ingrain binary for the desired kernel. By default, the Dockerfile will
assume you've built `ingraind` for the `musl` target.$ docker build .
You can specify an arbitrary `ingraind` binary by setting the
`BINARY_PATH` environment variable:$ docker build --build-arg BINARY_PATH=./target/x86_64-unknown-linux-musl/release/ingraind .
## Configuration & Run
To get an idea about the configuration [file
structure](https://github.com/redsift/ingraind/wiki/Configuration), consult the
wiki or take a look at the [example config](./config.toml.example) for a full reference.To start `ingraind`, run:
$ ./target/release/ingraind config.toml
Depending on the backends used in the config file, some secrets may need to be
passed as environment variables. These are documented in
[config.toml.example](./config.toml.example), which should be a good starting point,
and a sane default to get `ingraind` running, printing everything to the standard output.## Repo structure
The `bpf` directory contains the BPF programs written in C. These are compiled
by `build.rs`, and embedded in the final binary, and will be managed by the
grains.The `ingraind-probes` directory contains the BPF programs written in Rust.
# Anything else?
For more information, take a look at the [Wiki](https://github.com/redsift/ingraind/wiki)
# Contribution
This project is for everyone. We ask that our users and contributors
take a few minutes to review our [code of conduct](https://github.com/ingraind/project/blob/main/CODE_OF_CONDUCT.md).Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the GPL-3.0 license, shall
be licensed as GPL-3.0, without any additional terms or conditions.For further advice on getting started, please consult the
[Contributor's
Guide](https://github.com/ingraind/project/blob/main/CONTRIBUTING.md). Please
note that all contributions MUST contain a [Developer Certificate of
Origin](https://github.com/ingraind/project/blob/developer-certificate-of-origin/CONTRIBUTING.md#developer-certificate-of-origin)
sign-off line.