deepfence/ebpfguard

Stars
281
Rank 147,023 (Top 3 %)
Language
Rust
License
Apache License 2.0
Created over 1 year ago
Updated 10 months ago

deepfence/ebpfguard

deepfence

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Rust library for writing Linux security policies using eBPF

Ebpfguard

Ebpfguard is a library for managing Linux security policies. It is based on LSM hooks, but without necessity to write any kernel modules or eBPF programs directly. It allows to write policies in Rust (or YAML) in user space.

It's based on eBPF and Aya library, but takes away the need to use them directly.

Usage example

Deny mount operation for all users.

    const BPF_MAPS_PATH: &str = "/sys/fs/bpf/example_sb_mount";

    // Create a directory where ebpfguard policy manager can store its BPF
    // objects (maps).
    std::fs::create_dir_all(BPF_MAPS_PATH)?;

    // Create a policy manager.
    let mut policy_manager = PolicyManager::new(BPF_MAPS_PATH)?;

    // Attach the policy manager to the mount LSM hook.
    let mut sb_mount = policy_manager.attach_sb_mount()?;

    // Get the receiver end of the alerts channel (for the `file_open` LSM
    // hook).
    let mut sb_mount_rx = sb_mount.alerts().await?;

    // Define policies which deny mount operations for all processes (except
    // for the specified subject, if defined).
    sb_mount
        .add_policy(SbMount {
            subject: PolicySubject::All,
            allow: false,
        })
        .await?;

    if let Some(alert) = sb_mount_rx.recv().await {
        info!(
            "sb_mount alert: pid={} subject={}",
            alert.pid, alert.subject
        );
    }

Imports and cargo file are available in example source code. For more check out examples doc.

Supported LSM hooks

LSM hooks supported by Ebpfguard are:

Prerequisites

Check prerequisites doc to set up your environment.

Development

Check development doc for compillation and testing commands.

Get in touch

Thank you for using Ebpfguard. Please feel welcome to participate in the Deepfence community.

Deepfence Community Website
Got a question, need some help? Find the Deepfence team on Slack
Got a feature request or found a bug? Raise an issue

Find out more at deepfence.io

License

Ebpfguard's userspace part is licensed under Apache License, version 2.0.

eBPF programs inside ebpfguard-ebpf directory are licensed under GNU General Public License, version 2.

ThreatMapper

Open Source Cloud Native Application Protection Platform (CNAPP)

SecretScanner

🔓 🔓 Find secrets and passwords in container images and file systems 🔓 🔓

PacketStreamer

⭐ ⭐ Distributed tcpdump for cloud native environments ⭐ ⭐

YaraHunter

🔍🔍 Malware scanner for cloud-native, as part of CI/CD and at Runtime 🔍🔍

FlowMeter

⭐ ⭐ Use ML to classify flows and packets as benign or malicious. ⭐ ⭐

community

Deepfence Community

deepfence_runtime_api

Deepfence Runtime API & code samples

vessel

Vessel is the Go based utility that autodetects underlying Container Runtime in Kubernetes

ThreatStryker-docs

ThreatStryker Documentation

package-scanner

yara-rules

DocumentationWebsite

terraform-gcp-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console

terraform-aws-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console

helm-charts

terraform-azure-cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console

CI-CD-Integrations

CI/CD plugins for image scanning, integrations with AWS ECR, Google Container Registry

secretscanner-docker-extension

⛴️ Docker extension for deepfence/SecretScanner 🔐

yarahunter-docker-extension

⛴️Docker extension for deepfence/YaraHunter🔎

terraform-aws-threatmapper

ThreatMapper Terraform module for AWS

agent-plugins-grpc

Agent plugins' gRPC definitions

pcap-tools

compliance

Compliance Scripts Handler

apache-struts

This repository contains sample attacks that can be used to exploit vulnerabilities in the Jakarta Multipart Parser of Apache Struts

.github

sock-app-canary

golang_deepfence_sdk

Golang deepfence SDK

kubernetes-scanner

Kubernetes Security Posture Management

cloud-scanner

Deepfence Cloud Scanner runs in your cloud environment, gathering inventory and compliance information for the assets deployed in that environment. It submits that information to your Deepfence ThreatMapper or ThreatStryker Management Console.

ThreatMapperWorkshop

CNAPP Security Workshop using ThreatMapper

open-tracer

Open tracer that uses eBPF kernel features

threatmapper-python-client

ThreatMapper python client

ebpfguard-blog-example

Sample of eBPFGuard capabilities for upcoming blogpost.

deepfence-playground

Deepfence's Sandbox on killercoda Platform

terraform-provider-deepfence

Deepfence Terraform provider

CommunityThreatIntel

Threat Intelligence by and for the community

http2viewer

HTTP2 message viewer

match-scanner