A collection of tools based on eBPF (Extended Berkeley Packet Filter) for forensics, security control, and various other applications.
eBPF is a powerful technology that allows programs to run inside the Linux kernel safely and efficiently, making it a useful mechanism for a wide range of security, monitoring, and forensic tasks. This repository provides tools that leverage eBPF to aid in:
- Forensics: Gathering detailed runtime information from the system to support incident response and analysis.
- Security Control: Enforcing security policies, monitoring system activity, and detecting anomalies.
- Monitoring and Observability: Providing in-depth visibility into system behavior and network activity.
The project is hosted on GitHub: eBPF Forensics Tools
Clone the repository using:
git clone https://github.com/FHNW-Security-Lab/eBPF-ToolsA eBPF to monitor the file system access for a specific tool. Helpful for forensics and to find data left on the disk by programs
A eBPF to control the file system access for a specific tool. Helpful to enforce file system rules on processes.
- Linux kernel version 4.18 or newer (eBPF support required).
bccorlibbpflibrary installed for eBPF interaction.- Requies eBPF to be enabled for LSM (
/etc/default/grup, addbpftoGRUB_CMDLINE_LINUX, e.g.GRUB_CMDLINE_LINUX="lsm=landlock,bpf")
Install the required dependencies using:
sudo apt-get install bpfcc-tools linux-headers-$(uname -r) python3-bpfccThis project is licensed under BSD 3-Clause Licence.
Contributions are welcome! If you have suggestions for improvements or new features, feel free to open an issue or submit a pull request.
For any questions or issues, please contact us.