https://github.com/lumontec/lsmtrace
Trace deep kernel events through eBPF and lsm hooks
https://github.com/lumontec/lsmtrace
ebpf kernel linux-security-module security tracing
Last synced: about 1 month ago
JSON representation
Trace deep kernel events through eBPF and lsm hooks
- Host: GitHub
- URL: https://github.com/lumontec/lsmtrace
- Owner: lumontec
- License: apache-2.0
- Created: 2021-01-13T12:55:35.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2021-02-09T09:25:08.000Z (about 5 years ago)
- Last Synced: 2024-07-30T18:13:46.864Z (over 1 year ago)
- Topics: ebpf, kernel, linux-security-module, security, tracing
- Language: C
- Homepage:
- Size: 3.46 MB
- Stars: 32
- Watchers: 3
- Forks: 8
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# lsmtrace
Trace all Linux Security Modules hooks touched by executable.
Have a look at my **[blog post](https://lumontec.com/1-building-a-security-tracing)** to find out more.
## Requirements
Your kernel must have been compiled with the follwing options:
* BPF_SYSCALL
* BPF_LSM
* DEBUG_INFO
* DEBUG_INFO_BTF
## Compilation
```shell
$ git submodule update --init --recursive # check out libbpf
$ cd src
$ make
```
## Run
```shell
$ sudo ./lsmtrace /usr/bin/ls -a /home
Attaching hooks, don`t rush..
-> HOOK_CALL: -> cred_getsecid( const struct cred *c, u32 *secid )
-> HOOK_CALL: -> file_permission( struct file *file, int mask )
file,f_mode = 32797
file,f_path.dentry,d_flags = 64
file,f_path.dentry,d_name.name = ls
file,f_path.dentry,d_inode,i_ino = 3670696
...
```