The cbsensor-linux-bpf project currently provides BCC-compatible BPF C source code for general process, file and network events.
Run the example script on your favorite Linux distro with BCC installed. Run it with root-like privileges, or whatever privileges you need to load a BPF program:
sudo ./examples/bcc_sample.py ./src/bcc_sensor.c
- Works on 4.4 kernels and newer!
- bcc or libbpf for Ubuntu distros
- More bleeding edge kernels might require a newer version of BCC than your distro provides
- Endianness of ports in network events is not yet host-aligned in all cases
- 4.4 kernels may experience some event data integrity issues
- Filepaths have a hard limit on path components returned
- Basic packet dropping via the `tc` BPF interface
- Inode Delete Events
- Retrieve files open for exec recursively
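The run instructions above say the sensor needs a 4.4+ kernel and enough privilege to load a BPF program. The following is an added example, not code from the cbsensor-linux-bpf repository: a preflight wrapper that checks the kernel release and the effective capability mask before handing ./src/bcc_sensor.c to BCC. The capability bit numbers come from linux/capability.h, and the BPF(text=...) call is the standard BCC Python API; it assumes BCC compiles the file with no extra cflags.

```python
"""Preflight checks before loading bcc_sensor.c with BCC (added example, not project code)."""
import os
import re
import sys

MIN_KERNEL = (4, 4)   # README: works on 4.4 kernels and newer
CAP_SYS_ADMIN = 21    # bit numbers from linux/capability.h
CAP_PERFMON = 38      # split out of CAP_SYS_ADMIN in 5.8
CAP_BPF = 39          # split out of CAP_SYS_ADMIN in 5.8


def parse_kernel_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.15.0-76-generic' into (5, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())


def kernel_supported(release: str) -> bool:
    return parse_kernel_release(release)[:2] >= MIN_KERNEL


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability mask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found")


def can_load_bpf(cap_eff: int, euid: int) -> bool:
    """Root or CAP_SYS_ADMIN always suffices; on 5.8+ kernels CAP_BPF plus
    CAP_PERFMON is the minimum for a kprobe-based program like this sensor."""
    if euid == 0 or cap_eff & (1 << CAP_SYS_ADMIN):
        return True
    return bool(cap_eff & (1 << CAP_BPF)) and bool(cap_eff & (1 << CAP_PERFMON))


def main(src_path: str) -> int:
    release = os.uname().release
    if not kernel_supported(release):
        print(f"kernel {release} is older than {MIN_KERNEL[0]}.{MIN_KERNEL[1]}", file=sys.stderr)
        return 1
    with open("/proc/self/status") as f:
        cap_eff = parse_cap_eff(f.read())
    if not can_load_bpf(cap_eff, os.geteuid()):
        print("insufficient privileges to load a BPF program", file=sys.stderr)
        return 1
    from bcc import BPF  # imported late so the checks above run even without bcc installed
    with open(src_path) as f:
        BPF(text=f.read())  # compile and load the sensor; attach/poll logic would follow here
    print(f"loaded {src_path} on kernel {release}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "./src/bcc_sensor.c"))
```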
A potential goal for this project is to eventually create a path to a libbpf + CO-RE BPF based project.
The cbsensor-linux-bpf project team welcomes contributions from the community. Before you start working with cbsensor-linux-bpf, please read our Developer Certificate of Origin. All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch. For more detailed information, refer to CONTRIBUTING.md.
The cbsensor-linux-bpf project licenses the BPF kernel-space source code under the GNU GPL v2.0. The example usage source code is licensed under the 2-clause BSD license.