tracee_velociraptor

command module
v0.0.0-...-ef8be33 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 10, 2024 License: Apache-2.0 Imports: 2 Imported by: 0

README

An EBPF plugin for Velociraptor based on Tracee

This project is a simplified version of Tracee (https://github.com/aquasecurity/tracee) for use in Velociraptor (https://github.com/Velocidex/velociraptor).

Only a subset of Tracee functionality is enabled for use in Velociraptor. Following are the main differences:

  1. The EBPF code is identical to Tracee

  2. The Go code is mostly the same except that it is adapted to use https://github.com/cilium/ebpf instead of https://github.com/aquasecurity/tracee/libbtfgo .

    The reason this is preferred is that https://github.com/cilium/ebpf does not require any CGO dependencies and therefore can be built completely portably (Even cross compiled from Windows).

    We encode the compressed EBFP object files into the Go binaries in such a way that they are only expanded into memory during the ebpf load stage. This means that binary size is kept small (adding approximately 1.5Mb) and running memory needs are not increased much when ebpf is not needed (and even then the program is only loaded into memory during the load stage).

  3. Currently Tracee's extensive rule filtering policy engine is not used in this implementation. Instead we automatically insert a match all policy for each event ID that is selected.

  4. Tracee's extensive process tracker is not used, since Velociraptor already has a generic process tracker (that also works on Windows).

  5. The event output format is much simplified and is emitted to be more useful for Velociraptor.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
bufferdecoder
Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.
 Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.
capabilities
cgroup
cmd
compat
compat/bpf
config
dnscache
ebpf
ebpf/initialization
errfmt
events
events/derive
events/parse
events/parsers
logger
mount
pcaps
probes
time
types
types/protocol
Package protocol includes the "API" of events the rule-engine can consume.
 Package protocol includes the "API" of events the rule-engine can consume.
types/trace
Package trace defines the public types exported through the EBPF code and produced outwards from tracee-ebpf
 Package trace defines the public types exported through the EBPF code and produced outwards from tracee-ebpf
utils
utils/environment
utils/set

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.