GitHub - jessfraz/bpfd: Framework for running BPF programs with rules on Linux a...
source link: https://github.com/jessfraz/bpfd
bpfd
Framework for running BPF programs with rules on Linux as a daemon. Container aware.
NOTE: WIP. If you want to contribute, see "How it Works" below and consider adding more example rules or programs. Thanks!!
How it Works
Currently the programs are in the programs/ folder. The idea is that you can add any tracers you would like and then create rules for them.
Programs
The programs that exist today are based on a few bcc-tools programs. Writing these requires knowledge of BPF, but you can use the base provided here to create your own programs and add them in a fork if you wish; for example, an enterprise that does not want others to reverse engineer what it is tracing and how it alerts.
Rules
These are toml files that hold some logic for what you would like to trace. You can search for anything returned by a Program in its map[string]string data struct.
You can also filter based on the container runtime you would like to alert on.
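To make the rule idea above concrete, here is an added example (not bpfd's own code) of how a daemon can load a rule file and match it against the map[string]string data a tracer program emits, with a container-runtime filter applied first. The rule field names, the TOML layout, the event shape, and the hand-rolled subset parser are all assumptions made for this example; bpfd's real rule schema may differ.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Rule mirrors the idea of a bpfd rule: which program's events to inspect,
// which key/value pairs must appear in the program's map[string]string data,
// and which container runtimes the rule applies to. Field names and the
// TOML layout are assumptions for this example, not bpfd's real schema.
type Rule struct {
	Name              string
	Program           string
	Search            map[string]string // key -> substring that must appear in event data
	ContainerRuntimes []string          // empty means "any runtime, including none"
}

// Event is what a tracer program would hand to the daemon (assumed shape).
type Event struct {
	Program          string
	ContainerRuntime string            // e.g. "docker"; "" when not in a container
	Data             map[string]string // the program's map[string]string payload
}

// ParseRule reads a minimal TOML subset: top-level `key = "value"` pairs,
// a `[search]` table, and a `container_runtimes = ["a", "b"]` array.
// A real daemon would use a full TOML library; this keeps the example offline.
func ParseRule(src string) (Rule, error) {
	r := Rule{Search: map[string]string{}}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.Trim(line, "[]")
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return r, fmt.Errorf("malformed line: %q", line)
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		switch {
		case section == "search":
			r.Search[k] = unquote(v)
		case section == "" && k == "name":
			r.Name = unquote(v)
		case section == "" && k == "program":
			r.Program = unquote(v)
		case section == "" && k == "container_runtimes":
			for _, item := range strings.Split(strings.Trim(v, "[]"), ",") {
				if item = strings.TrimSpace(item); item != "" {
					r.ContainerRuntimes = append(r.ContainerRuntimes, unquote(item))
				}
			}
		default:
			return r, fmt.Errorf("unknown key %q in section %q", k, section)
		}
	}
	return r, sc.Err()
}

func unquote(s string) string { return strings.Trim(s, `"`) }

// Match reports whether an event satisfies a rule: same program, runtime in
// the allow-list (if one is set), and every search key present in the event
// data containing the configured substring.
func Match(r Rule, e Event) bool {
	if r.Program != "" && r.Program != e.Program {
		return false
	}
	if len(r.ContainerRuntimes) > 0 {
		allowed := false
		for _, rt := range r.ContainerRuntimes {
			if rt == e.ContainerRuntime {
				allowed = true
				break
			}
		}
		if !allowed {
			return false
		}
	}
	for k, want := range r.Search {
		got, ok := e.Data[k]
		if !ok || !strings.Contains(got, want) {
			return false
		}
	}
	return true
}

// SampleRule is a constructed rule file for this example: alert when an
// exec tracer sees a shell start inside a docker or containerd container.
const SampleRule = `
name = "shell-in-container"
program = "exec"
container_runtimes = ["docker", "containerd"]

[search]
command = "/bin/sh"
`

func main() {
	rule, err := ParseRule(SampleRule)
	if err != nil {
		panic(err)
	}
	// Constructed event, as an exec tracer might report it.
	ev := Event{Program: "exec", ContainerRuntime: "docker",
		Data: map[string]string{"command": "/bin/sh -c id", "pid": "4242"}}
	fmt.Printf("rule %q matches event: %v\n", rule.Name, Match(rule, ev))
}
```

The runtime filter runs before the data search so that host processes (empty runtime) never trigger a container-scoped rule, and a search key that is absent from the event data is treated as a non-match rather than an empty string, which avoids false positives when a program does not populate that field.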
Notifications
COMING SOON
There will also be an interface for notifications. That way you can send alerts on the rules you set up to Slack or email, or even run arbitrary code so you can kill a container, pause a container, or checkpoint a container to restore it elsewhere without even having to log in to a computer.
Installation
To build, you need to have libbcc installed (see the libbcc installation instructions).
Binaries
For installation instructions from binaries please visit the Releases Page.
Via Go
$ go get github.com/jessfraz/bpfd
Usage
$ bpfd -h
bpfd - Framework for running BPF programs with rules on Linux as a daemon.

Usage: bpfd <command>

Flags:
  -d  enable debug logging (default: false)

Commands:
  create   Create one or more rules.
  daemon   Start the daemon.
  ls       List rules.
  rm       Remove one or more rules.
  version  Show the version information.