What's going on down there? Kernel sniffing using eBPF.
I want to learn how to create my own applications to simply monitor my computer. I don't know how far this will go.
I am practicing everything I learned in this book.
Table of Contents (generated with mtoc): pending.
For now, clone the repo and run:

```sh
make compose-up-build
```

Once the containers are running, visit http://127.0.0.1:3000 or follow the logs with `docker logs -f kernelsnoop`. Usernames and passwords for every tool are in `docker/compose.yml`.
- Shell readline: reads every command a user types in bash, zsh and sh.
- In progress: file access (reading a file, accessing a file, writing a file).
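The shell readline feature above hooks the return of the shell's `readline()` call, where the full line the user typed is available. The script below is an added bpftrace illustration of that mechanism, not code from this repo; it assumes bash lives at `/bin/bash` and covers only bash, since the `readline` symbol is not present in zsh or dash-style `sh`.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: print every line returned by bash's readline().
// Assumes the bash binary is at /bin/bash (adjust for the host).
// Needs root (or CAP_BPF/CAP_PERFMON) like any uprobe-based tool.

BEGIN
{
    printf("%-8s %-8s %-16s %s\n", "PID", "UID", "COMM", "LINE");
}

// uretprobe fires when readline() returns; retval is the char* result.
uretprobe:/bin/bash:readline
{
    // readline() returns NULL on EOF (Ctrl-D); skip those.
    if (retval != 0) {
        printf("%-8d %-8d %-16s %s\n", pid, uid, comm, str(retval));
    }
}
```

Every interactive bash on the host triggers the probe, so the output is one line per command typed, attributed to the pid and uid that typed it.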
System package dependencies are MANDATORY. Since I'm using the ebpf-go framework from Cilium, see the required dependencies in their official documentation.
Please install pre-commit before pushing your changes:

```sh
pre-commit install
# or run once
pre-commit run -a
```
- Generate `vmlinux.h`:

  ```sh
  bpftool btf dump file /sys/kernel/btf/vmlinux format c > internal/headers/vmlinux.h
  ```

- Look for available tracepoints:

  ```sh
  sudo bpftrace -l 'tracepoint:*'
  ```

- Inspect the format of a tracepoint (here `ext4:ext4_free_inode`):

  ```sh
  sudo cat /sys/kernel/debug/tracing/events/ext4/ext4_free_inode/format
  ```

- Other snippets:

  Download the bulk ASN list:

  ```sh
  curl -sL ip.guide/bulk/asns.csv
  ```

  List probes related to `cap_capable`:

  ```sh
  sudo bpftrace -l | grep cap_capable
  ```

  LogQL query (Loki) listing geolocated new connections from the container logs:

  ```logql
  {container="kernelsnoop"} |= "new connection"
  | json
  | latitude != 0.0
  | longitude != 0.0
  | line_format "{{.dst_addr}},{{.latitude}},{{.longitude}}"
  ```
- User Activity Monitor
- Network connection tracker
- Real-Time File Access Watchdog
- https://nvd.codes/post/monitor-any-command-typed-at-a-shell-with-ebpf/
- https://eunomia.dev/
- https://github.com/cilium/ebpf
- https://docs.fluentbit.io/manual/pipeline/outputs/influxdb
- https://docs.influxdata.com/influxdb/v2/install/use-docker-compose/
- https://github.com/ruanbekker/docker-promtail-loki/tree/main
- https://docs.cilium.io/en/latest/bpf/
- https://github.com/iovisor/bcc/tree/master/docs