An experimental, BPF-powered Linux EDR. It ships syscall information over a TCP socket to a central collector for analysis.
Machines that enable the upcoming read-only kernel lockdown mode will not allow kprobes, so any feature that hopes for wide adoption must avoid kprobes and use kernel tracepoints instead.
Syscall numbers and names are based on the kernel's /arch/x86/entry/syscalls/syscall_64.tbl.
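As an added example (not the project's own code), the Go program below parses a constructed excerpt of syscall_64.tbl into a number-to-name map for the 64-bit ABI, and decodes the kind of syscall records an agent would ship over TCP so the collector can name them. The length-prefixed wire format, the Event fields, the maxComm limit and every identifier are assumptions for illustration; the kernel table format itself (number, ABI, name, entry point, with # comments) is real.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Constructed excerpt in the format of arch/x86/entry/syscalls/syscall_64.tbl:
// "<number> <abi> <name> <entry point>", '#' comments, x32 rows mixed in.
const sampleTbl = `
# <number> <abi> <name> <entry point>
0	common	read		sys_read
1	common	write		sys_write
59	common	execve		sys_execve
257	common	openat		sys_openat
512	x32	rt_sigaction	compat_sys_rt_sigaction
`

// ParseSyscallTable maps syscall number to name for the listed ABIs
// (a 64-bit agent wants "common" and "64"; x32 rows are skipped).
func ParseSyscallTable(r io.Reader, abis ...string) (map[uint32]string, error) {
	names := map[uint32]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank or comment line
		}
		nr, err := strconv.ParseUint(f[0], 10, 32)
		if len(f) < 3 || err != nil {
			return nil, fmt.Errorf("malformed table line %q", sc.Text())
		}
		for _, abi := range abis {
			if f[1] == abi {
				names[uint32(nr)] = f[2]
			}
		}
	}
	return names, sc.Err()
}

// Event is one shipped syscall record. The wire format is an assumption for
// this example: 2-byte big-endian length, pid (4), nr (4), then the task comm
// (at most maxComm bytes, mirroring the kernel's 16-byte TASK_COMM_LEN).
type Event struct {
	PID, NR uint32
	Comm    string
}

const maxComm = 16

// Marshal frames the event, truncating comm so no oversized record is produced.
func (e Event) Marshal() []byte {
	comm := e.Comm
	if len(comm) > maxComm {
		comm = comm[:maxComm]
	}
	buf := make([]byte, 10+len(comm))
	binary.BigEndian.PutUint16(buf[0:], uint16(8+len(comm)))
	binary.BigEndian.PutUint32(buf[2:], e.PID)
	binary.BigEndian.PutUint32(buf[6:], e.NR)
	copy(buf[10:], comm)
	return buf
}

// ReadEvent reads one frame. io.EOF at a frame boundary is a clean close; a
// truncated frame or an out-of-range length is an error and is never parsed.
func ReadEvent(r io.Reader) (Event, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return Event{}, err
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n < 8 || n > 8+maxComm {
		return Event{}, fmt.Errorf("bad frame length %d", n)
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return Event{}, err // io.ErrUnexpectedEOF on a truncated frame
	}
	return Event{binary.BigEndian.Uint32(body), binary.BigEndian.Uint32(body[4:]), string(body[8:])}, nil
}

// DecodeStream decodes frames until the agent closes, resolving numbers via
// the table; unknown numbers stay numeric rather than being dropped.
func DecodeStream(r io.Reader, names map[uint32]string) ([]string, error) {
	var out []string
	for {
		ev, err := ReadEvent(r)
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return out, err
		}
		name, ok := names[ev.NR]
		if !ok {
			name = "nr" + strconv.Itoa(int(ev.NR))
		}
		out = append(out, fmt.Sprintf("pid=%d comm=%s syscall=%s", ev.PID, ev.Comm, name))
	}
}
```

DecodeStream takes any io.Reader, so on the collector side it is fed the net.Conn returned by a TCP listener's Accept; a malformed or truncated frame ends the stream with an error instead of being guessed at, and an agent built against a newer syscall table still yields a numeric name rather than a dropped event.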
Requirements
- Go 1.11+ for building (the project uses Go modules)
- Linux kernel 4.7+ for kernel tracepoint support
- kernel lockdown mode disabled
- bcc-devel (Fedora) for JIT filter compilation
Starting the thing
bedr/agent $ sudo -E go run main.go
Root is needed to load the BPF programs; -E keeps your Go environment (GOPATH, module cache) under sudo.
The agent is not a real service yet: stop it with Ctrl+C or pkill it.
About the license
This repo is covered by the GNU AGPLv3, so it is harder for bad-natured folk to make security vendor money directly off anything inside this repository.
Feel free to ask me about licensing it separately.