Ecosyste.ms: Awesome
https://github.com/trailofbits/linuxevents
A sample PoC for container-aware exec events for osquery
bpf ebpf linux monitoring runtime-code-generation tracing
- Host: GitHub
- URL: https://github.com/trailofbits/linuxevents
- Owner: trailofbits
- License: apache-2.0
- Created: 2022-03-07T20:56:29.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2024-02-15T18:55:44.000Z (10 months ago)
- Last Synced: 2024-10-31T01:42:40.861Z (about 2 months ago)
- Topics: bpf, ebpf, linux, monitoring, runtime-code-generation, tracing
- Language: C++
- Homepage: https://www.trailofbits.com/services/security-engineering
- Size: 20.5 KB
- Stars: 23
- Watchers: 5
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
## LibLinuxEvents
This is a **proof-of-concept** for a container-aware process and network event publisher library with no runtime dependencies (i.e. kernel headers).
It works by using LLVM/Clang, the BTF debug information ([btfparse](https://github.com/trailofbits/btfparse)) and our C++ BPF utilities ([ebpf-common](https://github.com/trailofbits/ebpf-common)).
## Build instructions
1. Download and extract the [osquery-toolchain](https://github.com/osquery/osquery-toolchain)
2. Clone the repository: `git clone --recursive https://github.com/trailofbits/linuxevents`
3. Install the following dependencies: LLVM libraries, Clang libraries, Ninja, CMake
4. Configure the project: `cmake -S linuxevents -B build-linuxevents -DCMAKE_TOOLCHAIN_FILE=cmake/toolchain.cmake -G Ninja -DCMAKE_BUILD_TYPE=Release`
5. Build the project: `cmake --build build-linuxevents`
6. Run the `execsnoop` sample: `sudo build-linuxevents/examples/execsnoop/execsnoop`
## Runtime requirements
Since this library uses BTF, you need a kernel that is recent enough to support it. You can quickly check whether your system is supported by checking for the existence of the following file: `/sys/kernel/btf/vmlinux`