An open-source, enterprise-grade host and container security management platform. Covers security baselines, asset management, vulnerability scanning, antivirus, runtime detection, and compliance auditing — providing a unified management view for security operations teams.
MxSec Platform Community Edition includes the complete platform framework and all core security capabilities, sharing the same architecture as the internal version. The Community Edition is fully free with no license required. Currently open-sourced capabilities include:
- Full on-device capabilities: Agent data collection, asset fingerprinting, eBPF runtime probes, baseline check plugins, etc.
- Full backend capabilities: AgentCenter, Manager, Consumer, service discovery — all horizontally scalable.
- Complete management console: Security overview, asset center, alert management, baseline checks, vulnerability management, container security, and more.
- Built-in detection rules: 212 CIS baseline rules, 80 container baseline rules, CEL runtime detection policy samples.
To build a more comprehensive security operations system, we recommend extending policies via the built-in CEL rule engine and integrating threat intelligence for secondary processing.
| Feature | Community Edition | Enterprise Edition |
|---|---|---|
| Linux data collection (eBPF) | ✅ | ✅ |
| Agent control plane (upgrade/config/task dispatch) | ✅ | ✅ |
| Host status and details | ✅ | ✅ |
| Asset collection (11 types) | ✅ | ✅ |
| Asset fingerprint (global view) | ✅ | ✅ |
| K8s cluster asset collection | ✅ | ✅ |
| Host/container intrusion detection | built-in samples | ✅ |
| Runtime detection (eBPF + CEL) | built-in samples | ✅ |
| K8s Audit intrusion detection | built-in samples | ✅ |
| Behavioral sequence detection | ❌ | ✅ |
| Alert whitelist | ✅ | ✅ |
| Alert aggregation and tracing | ✅ | ✅ |
| Threat response (kill/quarantine/network block) | ✅ | ✅ |
| File quarantine | ✅ | ✅ |
| Vulnerability detection (OSV.dev + CVSS) | ✅ | ✅ |
| Vulnerability intelligence hot-update | ❌ | ✅ |
| Baseline check (CIS Benchmark) | ✅ | ✅ |
| Baseline auto-remediation | ✅ | ✅ |
| Virus scanning (ClamAV + YARA-X) | ✅ | ✅ |
| File integrity monitoring (FIM) | ✅ | ✅ |
| Threat intelligence (MISP IOC) | ✅ | ✅ |
| Container CIS baseline (80 rules) | ✅ | ✅ |
| Audit log | ✅ | ✅ |
| Component management and plugin distribution | ✅ | ✅ |
| System monitoring (Prometheus) | ✅ | ✅ |
| Ops inspection and report export | ✅ | ✅ |
| Memory threat detection (memfd_exec / process hollowing / shellcode / LSASS dump) | ✅ | ✅ |
| AD / LDAP domain controller audit (7 rules: DCSync / Kerberoasting / brute force / etc.) | ✅ | ✅ |
| DKOM rootkit detection (hidden PID / kernel module / port / LD_PRELOAD) | ✅ | ✅ |
| Honeypot sensors (SSH / HTTP decoys + file decoy policy) | ✅ | ✅ |
| VEX vulnerability statement export (CycloneDX 1.5 / CSAF 2.0) | ✅ | ✅ |
| YARA-X malware signature library (73 rules / 50 families) | ✅ | ✅ |
| Threat hunting (SPL-like DSL → SQL transpiler) | ✅ | ✅ |
| Attack storyline (ATT&CK kill-chain timeline) | ✅ | ✅ |
| Behavior baseline detection (ML anomaly scoring) | ✅ | ✅ |
| Windows support | ❌ | 🚧 |
| Active defense (NPatch eBPF hot-patching) | built-in samples | ✅ |
| Cloud antivirus | ❌ | 🚧 |
Legend: ✅ Supported; built-in samples: includes sample rules only; ❌ Not supported; 🚧 Planned.
| Module | Description |
|---|---|
| Security Baseline | 9 checkers, 212 rules covering CIS Benchmark core items, single-host and batch auto-remediation |
| Asset Center | 11 asset types (processes, ports, users, packages, containers, etc.), relationship mapping and export |
| Vulnerability Management | Package PURL collection + OSV.dev matching + CVSS v3.1 scoring + SBOM export |
| Antivirus | ClamAV + YARA-X dual-engine scanning, task management + quarantine |
| File Integrity | AIDE-based FIM checks with full-cycle policy, event, and task management |
| Runtime Detection | Tetragon/eBPF event collection + CEL rule engine + MITRE ATT&CK mapping |
| Container Security | K8s cluster management, container CIS baseline (80 rules), Audit Webhook integration |
| Alert Center | Alert aggregation, whitelisting, auto-response (kill/quarantine), tracing timeline |
| Threat Intelligence | MISP IOC import + Redis cache + CEL real-time matching |
| Memory Forensics | memfd_exec / process hollowing / shellcode injection / LSASS dump detection (EDR-3) |
| AD/LDAP Audit | 7 detection rules: DCSync, Kerberoasting, brute force, off-hour RDP, privilege assignment, etc. (EDR-4) |
| Honeypot Sensors | SSH/HTTP decoys + file decoys with whitelist for legitimate backup tools (C1) |
| Rootkit Detection | DKOM hidden PID / kernel module / port / LD_PRELOAD / /proc inconsistency (C2) |
| Threat Hunting | SPL-like DSL → SQL transpiler over ClickHouse event archive |
| VEX Export | CycloneDX VEX 1.5 + CSAF 2.0 for vendor vulnerability statements (B7) |
```text
Browser ─→ Nginx ─→ Manager ×N ─→ MySQL / Redis / ClickHouse / Prometheus
Agent ─→ gRPC(mTLS) ─→ AgentCenter ×N ─→ Kafka ─→ Consumer ×N ─→ Storage
```
The control plane (Manager / AgentCenter / Consumer) is stateless and supports horizontal scaling. Kafka decouples asynchronous data writes, Redis handles service discovery and distributed locks, and ClickHouse powers time-series analysis and event archiving.
See Architecture Documentation for details.
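The Agent to AgentCenter hop above runs gRPC over mTLS. The following is an added example, written for this README with Go's standard library and not code from the MxSec project, that shows the policy mTLS enforces on that hop: the AgentCenter presents its own certificate and requires a client certificate chained to the platform CA, so an agent that presents none is rejected at the handshake. The CA and the names `mxsec-ca`, `agentcenter` and `agent-01` are constructed in memory for the example; how the real deployment provisions certificates is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a short-lived Ed25519 cert for cn: a self-signed CA when parent is nil, else signed by parent.
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: parent == nil, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	signer, signerKey := tmpl, any(priv) // self-signed unless a parent (the constructed platform CA) is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// Handshake runs one Agent -> AgentCenter mTLS handshake over loopback and returns the AgentCenter-side
// result: nil when the agent's cert chains to the platform CA, an error when the agent presents none.
func Handshake(agentHasCert bool) error {
	ca := issue("mxsec-ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// AgentCenter side: present its own cert and require a client cert signed by the platform CA.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{*issue("agentcenter", ca)},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS13}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srvCfg) // loopback listener; error checks trimmed for brevity
	defer ln.Close()
	go func() { // Agent side: trust only the platform CA, verify the AgentCenter name, optionally present a cert.
		cliCfg := &tls.Config{RootCAs: pool, ServerName: "agentcenter", MinVersion: tls.VersionTLS13}
		if agentHasCert {
			cliCfg.Certificates = []tls.Certificate{*issue("agent-01", ca)}
		}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Close()
		}
	}()
	c, _ := ln.Accept()
	defer c.Close()
	return c.(*tls.Conn).Handshake()
}
```

Running `Handshake(true)` returns nil, while `Handshake(false)` returns the server-side error for a client that did not provide a certificate, which is the check to keep in place on the AgentCenter listener.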
| Layer | Technology |
|---|---|
| Backend | Go 1.25+ (Gin / gRPC / Gorm / Zap) |
| Frontend | Vue 3 + TypeScript + Pinia + Ant Design Vue 4 |
| Storage | MySQL 8.0+ / Redis 7 / ClickHouse 24 |
| Messaging | Kafka (KRaft mode, 7 Topics + DLQ) |
| Monitoring | Prometheus (sole data source for host metrics) |
| Communication | gRPC bidirectional streaming + mTLS + Protobuf |
| Deployment | Docker Compose / Systemd + Nginx |
Host OS: Rocky Linux 9/10, Oracle Linux 7/8/9, CentOS 7/8/9, Debian 10/11/12, Ubuntu 20.04/22.04
Runtime: Physical / Virtual machines, Docker container hosts, Kubernetes nodes and clusters
```bash
git clone https://github.com/imkerbos/mxsec-platform.git
cd mxsec-platform/deploy
cp .env.example .env
vim .env   # Edit SERVER_IP / JWT_SECRET / database passwords

# Start control plane (HA mode)
docker compose --env-file .env up -d \
  --scale manager=2 --scale agentcenter=2 --scale consumer=2
```

Visit `http://<SERVER_IP>` to access the management console. Default credentials: admin / admin123 (change them after the first login).
See Deployment Documentation for detailed setup instructions.
```bash
make build-server                                      # Build server
make build-consumer                                    # Build consumer
make package-agent-all VERSION=1.0.0 SERVER_HOST=IP:6751   # Package agent (RPM/DEB)
make package-plugins-all VERSION=1.0.0                 # Package plugins
make proto                                             # Generate Protobuf code
make test                                              # Run tests
make lint                                              # Lint check
```

```text
mxsec-platform/
├── cmd/          # Entry points (agent / manager / agentcenter / consumer)
├── internal/
│   ├── server/   # Server (manager / agentcenter / consumer / common)
│   └── agent/    # Agent (connection / transport / plugin / heartbeat)
├── plugins/      # Plugins (baseline / collector / fim / scanner / remediation)
├── api/proto/    # Protobuf definitions
├── ui/           # Frontend (Vue 3 + TypeScript)
├── configs/      # Config files (server.yaml / agent.yaml / rule files)
├── deploy/       # Deployment configs (Docker Compose / Nginx / systemd)
├── scripts/      # Build and deployment scripts
└── docs/         # Documentation
```
- Architecture - System topology, component responsibilities, data pipeline, HA design
- Deployment - Environment setup, single/cluster deployment, Agent installation, upgrades and backups
- Configuration - Server config, Agent config, environment variables
- API Reference - REST API endpoints, request/response formats, authentication
- FAQ - Common issues and troubleshooting
- Roadmap - Completed features, near-term plans, long-term direction
- Governance - Project governance model, decision process, security policy
- Contributing - Contribution guide, dev environment, code standards, submission process
See CONTRIBUTORS.md.