bpfink (BPF based FIM solution)

Primary language: Go. License: Apache-2.0.

This program aims to track selected files in order to detect changes and log the difference between the old and new version. The creation of this program is motivated by the desire to have near real-time file monitoring on Linux systems.

Documentation

Most of the documentation can be found in the docs directory.

Technical overview

Main dependencies:

  • eBPF to capture kernel write events.
  • BoltDB for state persistence.
  • Graphite (optional) for tracking installations and the number of events processed.

                                 +--------------------+
                                 |                    |
                                 |    File System     |
                                 |                    |
                                 +---------+----------+
                                           |
                                           v
                                    +------+-------+
                                    |              |
                                    |     eBPF     |
                                    |              |
                                    +------+-------+
                                           |
                +------------+-------------+--------------------------+
                |                          |                          |
                v                          v                          v
     +----------+---------+     +----------+---------+     +----------+---------+
     |                    |     |                    |     |                    |
     |       Consumer     |     |      Consumer      |     |     Consumer       |
     |                    |     |                    |     |                    |
     | /etc/access.conf   |     |   /etc/password    |     |      Generic       |
     |                    |     |   /etc/shadow      |     |      any file      |
     |                    |     |                    |     |      or dir        |
     +----------+---------+     +----------+---------+     +----------+---------+
                |                          |                          |
                v                          v                          v
+---------------+-----------+ +------------+--------------+ +---------+------------+
|                           | |                           | |                      |
|           parser          | |          parser           | |        parser        |
|                           | |                           | |                      |
+--------------+------------+ +--------------+------------+ +--------------+-------+
               |                             |                             |
               +-----------------------------+-----------------------------+
                                             |
                       +--------------+      |    +---------------------+
                       |              |      |    |                     |
                       |    BoltDB    +<-----+--->+        STDOUT       |
                       |              |           |                     |
                       +--------------+           +---------------------+

bpfink is a set of consumers connected to a file system watcher. We currently use eBPF to watch vfs_write syscalls in the kernel. When an event fires, the associated consumer is called. We currently have two different consumers for four different use cases:

  • User consumer: watches /etc/passwd and /etc/shadow to detect password changes (the password hash itself is not logged, so a leaked log cannot be used for offline brute force); it also watches user home directories to detect SSH key injection.
  • Access consumer: watches only /etc/access.conf.
  • Generic consumer: watches any existing or new files and directories under a given parent directory.
  • Generic diff consumer: the same as the generic consumer, but reports a diff of the content instead of hashes.

Each consumer holds its own state to keep track of changes and produce diffs. If a difference is spotted, the diff is logged to stdout in JSON format. In parallel, consumers persist their state in a key-value store (currently BoltDB).
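The consumer pattern described above (parse the watched file, diff it against the held state, log only the redacted difference) is illustrated by the following Go program. It is an added example, not code from the bpfink repository: the eBPF hook and BoltDB persistence are left out, onWrite stands in for the callback an eBPF write event would trigger, and the in-memory state map stands in for the BoltDB-backed state. The names shadowEntry, parseShadow, diffShadow, consumer and onWrite, as well as the two sample shadow(5)-style file versions, are assumptions of this example; the hash values are fake placeholders. The Change struct has no field for the hash at all, which is how a log event can say "the password changed" without ever carrying material useful for offline cracking.

```go
package main

import (
	"encoding/json"
	"os"
	"sort"
	"strings"
)

// shadowEntry is the parsed form of one /etc/shadow line. The hash is held in
// memory so that a change can be detected, but it is never written to the log.
type shadowEntry struct {
	hash       string
	lastChange string
}

// parseShadow parses shadow(5)-formatted content into a map keyed by user name.
// Lines with fewer than three fields are skipped instead of aborting, because a
// write event may be observed while the file is only partially rewritten.
func parseShadow(content string) map[string]shadowEntry {
	state := make(map[string]shadowEntry)
	for _, line := range strings.Split(content, "\n") {
		fields := strings.Split(line, ":")
		if len(fields) < 3 || fields[0] == "" {
			continue
		}
		state[fields[0]] = shadowEntry{hash: fields[1], lastChange: fields[2]}
	}
	return state
}

// Change is the JSON event written to stdout. Deliberately, it has no field
// that could carry the hash, so redaction cannot be forgotten at call sites.
type Change struct {
	File            string `json:"file"`
	Kind            string `json:"kind"` // added, removed, modified
	User            string `json:"user"`
	PasswordChanged bool   `json:"password_changed,omitempty"`
	LastChange      string `json:"last_change,omitempty"`
}

// diffShadow compares the previously held state with the newly parsed one and
// returns the changes sorted by user name, so output is deterministic.
func diffShadow(file string, old, cur map[string]shadowEntry) []Change {
	var changes []Change
	for user, e := range cur {
		prev, ok := old[user]
		switch {
		case !ok:
			changes = append(changes, Change{File: file, Kind: "added", User: user, LastChange: e.lastChange})
		case prev.hash != e.hash:
			changes = append(changes, Change{File: file, Kind: "modified", User: user, PasswordChanged: true, LastChange: e.lastChange})
		}
	}
	for user := range old {
		if _, ok := cur[user]; !ok {
			changes = append(changes, Change{File: file, Kind: "removed", User: user})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].User < changes[j].User })
	return changes
}

// consumer holds the last known state of one watched file (hypothetical stand-in
// for a bpfink consumer; the real ones also persist this state to BoltDB).
type consumer struct {
	file  string
	state map[string]shadowEntry
}

// onWrite is what a write event for the watched file would trigger: re-parse,
// diff against the held state, replace the state, and hand back the changes.
func (c *consumer) onWrite(newContent string) []Change {
	cur := parseShadow(newContent)
	changes := diffShadow(c.file, c.state, cur)
	c.state = cur
	return changes
}

// Constructed sample content for two successive versions of the file.
// The hash values are fake placeholders, not real password hashes.
const shadowV1 = "root:$6$FAKEHASH1:19000:0:99999:7:::\nalice:$6$FAKEHASH2:19000:0:99999:7:::\n"
const shadowV2 = "root:$6$FAKEHASH1:19000:0:99999:7:::\nalice:$6$FAKEHASH3:19100:0:99999:7:::\nbob:$6$FAKEHASH4:19100:0:99999:7:::\n"

func main() {
	c := &consumer{file: "/etc/shadow", state: parseShadow(shadowV1)}
	enc := json.NewEncoder(os.Stdout)
	// Simulate the write event that replaces version 1 with version 2.
	for _, ch := range c.onWrite(shadowV2) {
		_ = enc.Encode(ch)
	}
}
```

Running it prints one JSON line per change: alice is reported as modified with password_changed set, bob as added, and root (unchanged) produces nothing. A second write with identical content yields no events, which is the property that keeps a FIM log quiet under routine re-writes of the same content.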

Current status

This project is actively being developed and is currently in beta. It is functional, but things will be changing. We will be working on coming up with tasks so that others can contribute to the project.

Contributions

We welcome all contributions and hope to build a great product with a community of backers. Please read our Contributions guide for expectations when contributing to this repo.

ACKNOWLEDGMENT

This software was originally developed at Booking.com. With approval from Booking.com, this software was released as Open Source, for which the authors would like to express their gratitude.