Skip to content

IgorEulalio/ebpf-sample-syscalls

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
samples
samples
 
 
.gitignore
.gitignore
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
execve_exit.c
execve_exit.c
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
vmlinux.h
vmlinux.h
 
 

Repository files navigation

eBPF Execution Tracer

Monitor program executions system-wide using eBPF.

It currently only supports tracking execve syscall.

Prerequisites

# Install eBPF toolchain
sudo apt update
sudo apt install -y \
    clang \
    llvm \
    libbpf-dev \
    linux-headers-$(uname -r) \
    golang-go \
    make

Build

Preferably run this in a linux box like Lima, Vagrant, etc.

make

Run

# Monitor all executions of execve
sudo ./tracepoint_execve

# Filter by specific programs
sudo ./tracepoint_execve --filename ls,cat,grep

Testing

Open another terminal in the same VM:

ls -lha /root

Example Output

tracepoint_execve: 19:45:00 pid: 1234    comm: ls     path: /usr/bin/ls      comm_with_args: [ls -lha /tmp]
tracepoint_execve: 19:45:01 pid: 1235    comm: cat    path: /usr/bin/cat     comm_with_args: [cat /etc/hostname]
tracepoint_execve: 19:45:02 pid: 1236    comm: grep   path: /usr/bin/grep    comm_with_args: [grep -i test file.txt]

Clean

make clean

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages