Tool for Preventing Data Exfiltration with eBPF

Overview

bouheki: Tool for Preventing Data Exfiltration with eBPF

bouheki is a KRSI (Kernel Runtime Security Instrumentation) implementation that attaches eBPF programs to LSM hooks. It can apply network restriction policies to specific resources, such as individual processes or containers, rather than only to the whole host.

Features and Network Restrictions

  • While firewalls such as iptables apply to the entire machine, bouheki can apply restrictions on a per-container or per-process basis.
  • bouheki restricts egress only; ingress traffic is not filtered.

Getting Started

0. Requirements

  • Linux Kernel >= 5.8.0
    • BTF (CONFIG_DEBUG_INFO_BTF) must be enabled.
    • BPF LSM (CONFIG_LSM including bpf) must be enabled. The active LSM list can also be changed through the kernel boot parameters.

Linux distributions and supported kernels

Distro Name                Distro Version   Kernel Version
Ubuntu "Groovy Gorilla"    20.10            5.8+
Fedora                     33               5.8+

1. Install

Download the latest released binary from https://github.com/mrtc0/bouheki/releases

2. Configuration

Write the network restriction policy in YAML.
This policy allows access to 10.0.1.1/24 only and, within that range, denies access to 10.0.1.10/32.

See the config directory for more configuration examples.

# block.yml
network:
  # Block or monitor the network.
  # If block is specified, communication that matches the policy will be blocked;
  # otherwise it is only monitored.
  mode: block # monitor or block. Default: monitor
  # Restrict the whole host or only containers.
  # If container is specified, only the containers' communication is restricted;
  # containers are identified by their namespace.
  target: host # host or container. Default: host
  cidr:
    allow:
      - 10.0.1.1/24
      # - 127.0.0.1/24
    # Exceptions that override the "allow" list. Default: []
    deny: # []
      - 10.0.1.10/32
  # Restrictions by command name (optional).
  command:
    # Default: empty (every command is allowed).
    allow: []
    # - curl
    # Default: empty (no command is denied).
    deny: []
    #  - wget
    #  - nc
  # Restrictions by UID (optional).
  uid:
    allow: []
    deny: []
  # Restrictions by GID (optional).
  gid:
    allow: []
      # - 0
    deny: []
      # - 1000
log:
  # Log format (json or text). Default: json
  format: json
  # Log file location. Default: stdout
  # output: /var/log/bouheki.log.json
  # Maximum log size before rotation (MB)
  # max_size: 100
  # How long rotated logs are kept
  # max_age: 365

Run with the policy.

$ sudo bouheki --config block.yml

3. Test

$ curl -k -I https://10.0.1.1
HTTP/1.1 200 OK

$ curl -k -I https://10.0.1.10
curl: (7) Couldn't connect to server

$ curl -k -I https://example.com
curl: (7) Couldn't connect to server
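
As an added example (not bouheki's own code), a userland model of how block.yml decides the three connections in the Test section above. It follows the README's CIDR rule (deny entries are exceptions to the allow list) and the command comments (an empty allow list restricts nothing); that the CIDR and command checks are independent, and that monitor mode only logs a match, are assumptions of this model.

```go
package main

import (
	"fmt"
	"net"
)

// Policy holds the parts of block.yml that decide one outbound connection.
// It models the semantics the YAML comments describe, not bouheki's eBPF code.
type Policy struct {
	Mode      string   // "block" enforces, "monitor" only logs
	CIDRAllow []string // destinations that may be reached
	CIDRDeny  []string // exceptions carved out of CIDRAllow
	CmdAllow  []string // empty means every command is allowed
	CmdDeny   []string // commands that may never connect
}

type Decision struct {
	Matched bool   // traffic is "trapped in the filter" and gets logged
	Blocked bool   // Matched and Mode == "block"
	Reason  string // which list produced the match, empty when allowed
}

// cidrContains reports whether ip lies inside any of the CIDRs. ParseCIDR
// masks the host bits, so "10.0.1.1/24" covers 10.0.1.0 to 10.0.1.255.
func cidrContains(cidrs []string, ip net.IP) (bool, error) {
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, fmt.Errorf("bad cidr %q: %w", c, err)
		}
		if n.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func containsStr(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate applies the policy to one connection from process comm to addr.
// Deny CIDRs win over allow CIDRs, the destination must otherwise lie in an
// allow CIDR, and command lists get the same treatment. Assumption: the CIDR
// and command checks are independent and either one alone traps the connection.
func Evaluate(p Policy, comm, addr string) (Decision, error) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return Decision{}, fmt.Errorf("bad address %q", addr)
	}
	var d Decision
	trap := func(reason string) { d.Matched, d.Reason = true, reason }
	if hit, err := cidrContains(p.CIDRDeny, ip); err != nil {
		return d, err
	} else if hit {
		trap("destination in cidr.deny")
	}
	if !d.Matched && len(p.CIDRAllow) > 0 {
		hit, err := cidrContains(p.CIDRAllow, ip)
		if err != nil {
			return d, err
		}
		if !hit {
			trap("destination outside cidr.allow")
		}
	}
	if !d.Matched && containsStr(p.CmdDeny, comm) {
		trap("command in command.deny")
	}
	if !d.Matched && len(p.CmdAllow) > 0 && !containsStr(p.CmdAllow, comm) {
		trap("command outside command.allow")
	}
	d.Blocked = d.Matched && p.Mode == "block"
	return d, nil
}

// BlockPolicy is block.yml from the Configuration section.
var BlockPolicy = Policy{
	Mode:      "block",
	CIDRAllow: []string{"10.0.1.1/24"},
	CIDRDeny:  []string{"10.0.1.10/32"},
}

func main() {
	// The three destinations from the Test section (93.184.216.34 is example.com).
	for _, addr := range []string{"10.0.1.1", "10.0.1.10", "93.184.216.34"} {
		d, err := Evaluate(BlockPolicy, "curl", addr)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-15s blocked=%-5v %s\n", addr, d.Blocked, d.Reason)
	}
}
```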

4. Inspect Logs

The log will record the blocked events.

{
  "Action": "BLOCKED",
  "Addr": "10.0.1.71",
  "Comm": "curl",
  "Hostname": "sandbox",
  "PID": 790791,
  "Port": 443,
  "level": "info",
  "msg": "Traffic is trapped in the filter.",
  "time": "2021-09-23T12:47:55Z"
}
{
  "Action": "BLOCKED",
  "Addr": "93.184.216.34",
  "Comm": "curl",
  "Hostname": "sandbox",
  "PID": 790823,
  "Port": 443,
  "level": "info",
  "msg": "Traffic is trapped in the filter.",
  "time": "2021-09-23T12:49:29Z"
}
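
A small triage pass over bouheki's JSON log, added here as an example and not part of the project: it decodes records in the shape shown above, groups blocked connections per process, and flags any process that tried several distinct destinations. The sample log embeds the two records above plus three constructed python3 records; the threshold and the addr:port grouping are choices of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Event holds the fields of one bouheki JSON log record used here (names as in
// the Inspect Logs section); level, msg and time are ignored.
type Event struct {
	Action   string `json:"Action"`
	Addr     string `json:"Addr"`
	Comm     string `json:"Comm"`
	Hostname string `json:"Hostname"`
	PID      int    `json:"PID"`
	Port     int    `json:"Port"`
}

type Summary struct {
	Hostname, Comm string
	PID            int
	Dests          []string // distinct blocked addr:port, sorted
}

// ParseEvents decodes a stream of JSON objects as bouheki's json log format
// produces them; pretty-printed and one-object-per-line input both work.
func ParseEvents(r io.Reader) ([]Event, error) {
	dec := json.NewDecoder(r)
	var out []Event
	for {
		var e Event
		if err := dec.Decode(&e); err == io.EOF {
			return out, nil
		} else if err != nil {
			return out, fmt.Errorf("after %d records: %w", len(out), err)
		}
		out = append(out, e)
	}
}

// SummarizeBlocked groups BLOCKED records per host/PID/command, sorted by PID.
func SummarizeBlocked(evs []Event) []Summary {
	byProc := map[string]*Summary{}
	seen := map[string]bool{}
	for _, e := range evs {
		if e.Action != "BLOCKED" {
			continue
		}
		k := fmt.Sprintf("%s/%d/%s", e.Hostname, e.PID, e.Comm)
		if byProc[k] == nil {
			byProc[k] = &Summary{Hostname: e.Hostname, Comm: e.Comm, PID: e.PID}
		}
		dest := fmt.Sprintf("%s:%d", e.Addr, e.Port)
		if !seen[k+" "+dest] {
			seen[k+" "+dest] = true
			byProc[k].Dests = append(byProc[k].Dests, dest)
		}
	}
	var sums []Summary
	for _, s := range byProc {
		sort.Strings(s.Dests)
		sums = append(sums, *s)
	}
	sort.Slice(sums, func(i, j int) bool { return sums[i].PID < sums[j].PID })
	return sums
}

// Flag keeps processes that hit at least minDests distinct blocked destinations:
// one blocked connect is usually a misconfiguration, several from one PID is not.
func Flag(sums []Summary, minDests int) []Summary {
	var out []Summary
	for _, s := range sums {
		if len(s.Dests) >= minDests {
			out = append(out, s)
		}
	}
	return out
}

// SampleLog is constructed for this example: the two records from the Inspect
// Logs section plus three invented records from a second process.
const SampleLog = `
{"Action":"BLOCKED","Addr":"10.0.1.71","Comm":"curl","Hostname":"sandbox","PID":790791,"Port":443,"level":"info","msg":"Traffic is trapped in the filter.","time":"2021-09-23T12:47:55Z"}
{"Action":"BLOCKED","Addr":"93.184.216.34","Comm":"curl","Hostname":"sandbox","PID":790823,"Port":443,"level":"info","msg":"Traffic is trapped in the filter.","time":"2021-09-23T12:49:29Z"}
{"Action":"BLOCKED","Addr":"198.51.100.7","Comm":"python3","Hostname":"sandbox","PID":790900,"Port":443,"level":"info","msg":"Traffic is trapped in the filter.","time":"2021-09-23T12:50:01Z"}
{"Action":"BLOCKED","Addr":"198.51.100.7","Comm":"python3","Hostname":"sandbox","PID":790900,"Port":8443,"level":"info","msg":"Traffic is trapped in the filter.","time":"2021-09-23T12:50:02Z"}
{"Action":"BLOCKED","Addr":"203.0.113.9","Comm":"python3","Hostname":"sandbox","PID":790900,"Port":443,"level":"info","msg":"Traffic is trapped in the filter.","time":"2021-09-23T12:50:03Z"}
`

func main() {
	evs, err := ParseEvents(strings.NewReader(SampleLog))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Flag(SummarizeBlocked(evs), 2))
}
```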

Development

TBD

Test

$ make test

Issues
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.11.1

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.11.1.

    Release notes, sourced from github.com/urfave/cli/v2's releases (full changelog per version):
    • v2.11.1: https://github.com/urfave/cli/compare/v2.11.0...v2.11.1
    • v2.11.0: https://github.com/urfave/cli/compare/v2.10.3...v2.11.0
    • v2.10.3: https://github.com/urfave/cli/compare/v2.10.2...v2.10.3
    • v2.10.2: https://github.com/urfave/cli/compare/v2.10.1...v2.10.2
    • v2.10.1: https://github.com/urfave/cli/compare/v2.10.0...v2.10.1
    • v2.10.0: https://github.com/urfave/cli/compare/v2.9.0...v2.10.0
    • ... (truncated)

    Commits
    • c8147a4 Merge pull request #1439 from hmiyado/fix-timestamp-getvalue
    • 6d67b2d Fix for TimestampFlag.GetValue to return empty string without value
    • a91950f Merge pull request #1436 from urfave/revert-1435-merging-main-to-v3-dev-main
    • 25116be Revert "Merging main to v3 dev main"
    • f8124ae Merge pull request #1435 from urfave/merging-main-to-v3-dev-main
    • a82c9b1 Merge remote-tracking branch 'origin/main' into merging-main-to-v3-dev-main
    • 8d46d37 Approve v2 addition of timestamp/timezone/location
    • 8b41988 Merge pull request #1426 from urfave/default-command-doc
    • 2e71cb8 Merge pull request #1432 from julian7/timezoned-timestamp
    • 1335a70 accept timezone for timestamps
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.11.0

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.11.0.

    Release notes, sourced from github.com/urfave/cli/v2's releases (full changelog per version):
    • v2.11.0: https://github.com/urfave/cli/compare/v2.10.3...v2.11.0
    • v2.10.3: https://github.com/urfave/cli/compare/v2.10.2...v2.10.3
    • v2.10.2: https://github.com/urfave/cli/compare/v2.10.1...v2.10.2
    • v2.10.1: https://github.com/urfave/cli/compare/v2.10.0...v2.10.1
    • v2.10.0: https://github.com/urfave/cli/compare/v2.9.0...v2.10.0
    • v2.9.0
    • ... (truncated)

    Commits
    • 8d46d37 Approve v2 addition of timestamp/timezone/location
    • 8b41988 Merge pull request #1426 from urfave/default-command-doc
    • 2e71cb8 Merge pull request #1432 from julian7/timezoned-timestamp
    • 1335a70 accept timezone for timestamps
    • d7504f8 Approve v2 addition of App.DefaultCommand
    • d29120f Merge pull request #1388 from jalavosus/feature/default-command
    • e2a844f Merge pull request #1423 from urfave/docs-list-fix
    • 6dd82af Fix list formatting in v2 manual
    • 7d21dda Merge pull request #1421 from urfave/docs-cleanups
    • d8c93f8 app_test.go: add tests for default command + flag
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.10.3

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.10.3.

    Release notes, sourced from github.com/urfave/cli/v2's releases (full changelog per version):
    • v2.10.3: https://github.com/urfave/cli/compare/v2.10.2...v2.10.3
    • v2.10.2: https://github.com/urfave/cli/compare/v2.10.1...v2.10.2
    • v2.10.1: https://github.com/urfave/cli/compare/v2.10.0...v2.10.1
    • v2.10.0: https://github.com/urfave/cli/compare/v2.9.0...v2.10.0
    • v2.9.0: https://github.com/urfave/cli/compare/v2.8.1...v2.9.0
    • v2.8.1: https://github.com/urfave/cli/compare/v2.8.0...v2.8.1
    • ... (truncated)

    Commits
    • e2a844f Merge pull request #1423 from urfave/docs-list-fix
    • 6dd82af Fix list formatting in v2 manual
    • 7d21dda Merge pull request #1421 from urfave/docs-cleanups
    • 58ccb0b Clean up the v2 manual a bit
    • f1fc873 Merge pull request #1418 from urfave/un-workaround
    • 9f56fe7 Remove temporary go mod workaround
    • f71d1cb Merge pull request #1417 from urfave/deps-bump
    • 59ce32a Update dependencies to latest
    • 1362627 Approve usage wrapping docs changes
    • b927c6a Merge pull request #1415 from urfave/upgrade-go-yaml
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.5

    Bumps github.com/stretchr/testify from 1.7.0 to 1.7.5.

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.4

    Bumps github.com/stretchr/testify from 1.7.0 to 1.7.4.

    Commits
    • 48391ba Fix panic in AssertExpectations for mocks without expectations (#1207)
    • 840cb80 arrays value types in a zero-initialized state are considered empty (#1126)
    • 07dc7ee Bump actions/setup-go from 3.1.0 to 3.2.0 (#1191)
    • c33fc8d Bump actions/checkout from 2 to 3 (#1163)
    • 3c33e07 Added Go 1.18.1 as a build/supported version (#1182)
    • e2b56b3 Bump github.com/stretchr/objx from 0.1.0 to 0.4.0
    • 41453c0 Update gopkg.in/yaml.v3
    • 285adcc Update go versions in build matrix
    • 6e7fab4 Bump actions/setup-go from 2 to 3.1.0
    • 106ec21 use RWMutex
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.10.2

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.10.2.

    Release notes, sourced from github.com/urfave/cli/v2's releases (full changelog per version):
    • v2.10.2: https://github.com/urfave/cli/compare/v2.10.1...v2.10.2
    • v2.10.1: https://github.com/urfave/cli/compare/v2.10.0...v2.10.1
    • v2.10.0: https://github.com/urfave/cli/compare/v2.9.0...v2.10.0
    • v2.9.0: https://github.com/urfave/cli/compare/v2.8.1...v2.9.0
    • v2.8.1: https://github.com/urfave/cli/compare/v2.8.0...v2.8.1
    • v2.8.0: https://github.com/urfave/cli/compare/v2.7.2...v2.8.0
    • ... (truncated)

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.3

    Bumps github.com/stretchr/testify from 1.7.0 to 1.7.3.

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump actions/setup-python from 2 to 4

    Bumps actions/setup-python from 2 to 4.

    Release notes

    Sourced from actions/setup-python's releases.

    v4.0.0

    What's Changed

    • Support for python-version-file input: #336

    Example of usage:

    - uses: actions/setup-python@v4
      with:
        python-version-file: '.python-version' # Read python version from a file
    - run: python my_script.py

    There is no default python version for this setup-python major version; the action requires either the python-version input or the python-version-file input to be specified. If the python-version input is not specified, the action will try to read the required version from the file named by the python-version-file input.

    • Use pypyX.Y for PyPy python-version input: #349

    Example of usage:

    - uses: actions/setup-python@v4
      with:
        python-version: 'pypy3.9' # pypy-X.Y kept for backward compatibility
    - run: python my_script.py

    • RUNNER_TOOL_CACHE environment variable is equal to AGENT_TOOLSDIRECTORY: #338

    • Bugfix: create missing pypyX.Y symlinks: #347

    • PKG_CONFIG_PATH environment variable: #400

    • Added python-path output: #405 python-path output contains Python executable path.

    • Updated zeit/ncc to vercel/ncc package: #393

    • Bugfix: fixed output for prerelease version of poetry: #409

    • Made pythonLocation environment variable consistent for Python and PyPy: #418

    • Bugfix for 3.x-dev syntax: #417

    • Other improvements: #318 #396 #384 #387 #388

    Update actions/cache version to 2.0.2

    In the scope of this release we updated the actions/cache package, as the new version contains fixes related to GHES 3.5 (actions/setup-python#382).

    Add "cache-hit" output and fix "python-version" output for PyPy

    This release introduces the new output cache-hit (actions/setup-python#373) and fixes the python-version output for PyPy (actions/setup-python#365).

    The cache-hit output contains a boolean value indicating whether an exact match was found for the key, i.e. whether the action used an already existing cache. The output is available only if cache is enabled.

    ... (truncated)

    Commits
    • d09bd5e fix: 3.x-dev can install a 3.y version (#417)
    • f72db17 Made env.var pythonLocation consistent for Python and PyPy (#418)
    • 53e1529 add support for python-version-file (#336)
    • 3f82819 Fix output for prerelease version of poetry (#409)
    • 397252c Update zeit/ncc to vercel/ncc (#393)
    • de977ad Merge pull request #412 from vsafonkin/v-vsafonkin/fix-poetry-cache-test
    • 22c6af9 Change PyPy version to rebuild cache
    • 081a3cf Merge pull request #405 from mayeut/interpreter-path
    • ff70656 feature: add a python-path output
    • fff15a2 Use pypyX.Y for PyPy python-version input (#349)
    • Additional commits viewable in compare view

    dependencies github_actions 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.7.2

    Bumps github.com/stretchr/testify from 1.7.0 to 1.7.2.

    Commits
    • 41453c0 Update gopkg.in/yaml.v3
    • 285adcc Update go versions in build matrix
    • 6e7fab4 Bump actions/setup-go from 2 to 3.1.0
    • 106ec21 use RWMutex
    • a409ccf fix data race in the suit
    • 3586478 assert: fix typo
    • 7797738 Update versions supported to include go 1.16
    • 083ff1c Fixed didPanic to now detect panic(nil).
    • 1e36bfe Use cross Go version compatible build tag syntax
    • e798dc2 Add docs on 1.17 build tags
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 1
  • github.com/go-yaml/yaml-v2.4.0: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

    Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

    YAML support for the Go language.

    Vulnerabilities

    CVE             Severity  CVSS  Dependency                      Type    Fixed in  Remediation Available
    CVE-2022-28948  Medium    5.5   github.com/go-yaml/yaml-v2.4.0  Direct  v3.0.0    ❌

    Details

    CVE-2022-28948

    Vulnerable Library - github.com/go-yaml/yaml-v2.4.0

    YAML support for the Go language.

    Dependency Hierarchy:

    • github.com/go-yaml/yaml-v2.4.0 (Vulnerable Library)

    Found in base branch: master

    Vulnerability Details

    An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

    Publish Date: 2022-05-19

    URL: CVE-2022-28948

    CVSS 3 Score Details (5.5)

    Base Score Metrics:

    • Exploitability Metrics:
      • Attack Vector: Local
      • Attack Complexity: Low
      • Privileges Required: None
      • User Interaction: Required
      • Scope: Unchanged
    • Impact Metrics:
      • Confidentiality Impact: None
      • Integrity Impact: None
      • Availability Impact: High

    Suggested Fix

    Type: Upgrade version

    Origin: https://github.com/advisories/GHSA-fm53-mpmp-7qw2

    Release Date: 2022-05-19

    Fix Resolution: v3.0.0

    security vulnerability 
    opened by mend-bolt-for-github[bot] 1
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.8.1

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.8.1.

    Release notes, sourced from github.com/urfave/cli/v2's releases (full changelog per version):
    • v2.8.1: https://github.com/urfave/cli/compare/v2.8.0...v2.8.1
    • v2.8.0: https://github.com/urfave/cli/compare/v2.7.2...v2.8.0
    • v2.7.2: https://github.com/urfave/cli/compare/v2.7.1...v2.7.2
    • v2.7.1: https://github.com/urfave/cli/compare/v2.7.0...v2.7.1
    • v2.7.0: https://github.com/urfave/cli/compare/v2.6.0...v2.7.0
    • v2.6.0
    • ... (truncated)

    Commits
    • 5ff4e2a Merge pull request #1405 from AkihiroSuda/remove-gpl2-dependency
    • 3e31c9b CI: workaround for golang.org/x/tools error
    • a14bd76 Remove GPL2 dependency introduced in v2.7.0
    • 595cabc Merge pull request #1403 from urfave/gfmrun-current
    • 8f47e6d Set absolute bash path
    • 5edc1b9 Run docs tests against current work tree
    • 2419700 Merge pull request #1399 from urfave/docs-pointer
    • 9de0cd3 Merge pull request #1396 from urfave/suggestion-pluggability
    • 9e65b4d Merge pull request #1368 from urfave/michaeljs1990-add-flag-category-support
    • 4bca72c Merge remote-tracking branch 'origin/main' into michaeljs1990-add-flag-catego...
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 1
  • chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.11.2

    chore(deps): bump github.com/urfave/cli/v2 from 2.3.0 to 2.11.2

    Bumps github.com/urfave/cli/v2 from 2.3.0 to 2.11.2.

    Release notes

    Sourced from github.com/urfave/cli/v2's releases.

    v2.11.2

    Full Changelog: https://github.com/urfave/cli/compare/v2.11.1...v2.11.2

    v2.11.1

    Full Changelog: https://github.com/urfave/cli/compare/v2.11.0...v2.11.1

    v2.11.0

    Full Changelog: https://github.com/urfave/cli/compare/v2.10.3...v2.11.0

    v2.10.3

    Full Changelog: https://github.com/urfave/cli/compare/v2.10.2...v2.10.3

    v2.10.2

    Full Changelog: https://github.com/urfave/cli/compare/v2.10.1...v2.10.2

    v2.10.1

    ... (truncated)

    Commits
    • e3ee4fb Merge pull request #1444 from Dokiys/fix/add_after_before_help_check
    • 0c9527f Merge pull request #1445 from Dokiys/fix/hidehelp_with_none_args
    • 1a1b9cd Fix HideHelp
    • a1c26d5 Fix After not run
    • c8147a4 Merge pull request #1439 from hmiyado/fix-timestamp-getvalue
    • 6d67b2d Fix for TimestampFlag.GetValue to return empty string without value
    • a91950f Merge pull request #1436 from urfave/revert-1435-merging-main-to-v3-dev-main
    • 25116be Revert "Merging main to v3 dev main"
    • f8124ae Merge pull request #1435 from urfave/merging-main-to-v3-dev-main
    • a82c9b1 Merge remote-tracking branch 'origin/main' into merging-main-to-v3-dev-main
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0

    chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0

    Bumps github.com/sirupsen/logrus from 1.8.1 to 1.9.0.

    Commits
    • f8bf765 Merge pull request #1343 from sirupsen/dbd-upd-dep
    • ebc9029 update dependencies
    • 56c843c Merge pull request #1337 from izhakmo/fix-cve
    • 41b4ee6 update gopkg.in/yaml.v3 to v3.0.1
    • f98ed3e Merge pull request #1333 from nathanejohnson/bumpxsys
    • 2b8f60a bump version of golangci-lint
    • 0db10ef bump version of golang.org/x/sys dependency
    • 85981c0 Merge pull request #1263 from rubensayshi/fix-race
    • 79c5ab6 Merge pull request #1283 from sirupsen/dbd-log-doc
    • 5f8c666 Improve Log methods documentation
    • Additional commits viewable in compare view

    dependencies go 
    opened by dependabot[bot] 0
  • chore(deps): bump actions/setup-python from 2 to 4.1.0

    chore(deps): bump actions/setup-python from 2 to 4.1.0

    Bumps actions/setup-python from 2 to 4.1.0.

    Release notes

    Sourced from actions/setup-python's releases.

    v4.1.0

    In the scope of this pull request we updated the actions/cache package, as the new version contains fixes for caching error handling. Moreover, we added a new input, update-environment. This option allows specifying whether the action should update environment variables (default) or not.

    Update-environment input

        - name: setup-python 3.9
          uses: actions/[email protected]
          with:
            python-version: 3.9
            update-environment: false
    

    Besides, we added such changes as:

    v4.0.0

    What's Changed

    • Support for python-version-file input: #336

    Example of usage:

    - uses: actions/[email protected]
      with:
        python-version-file: '.python-version' # Read python version from a file
    - run: python my_script.py
    

    There is no default python version for this setup-python major version; the action requires either the python-version input or the python-version-file input to be specified. If the python-version input is not specified, the action will try to read the required version from the file given by the python-version-file input.

    • Use pypyX.Y for PyPy python-version input: #349

    Example of usage:

    - uses: actions/[email protected]
      with:
        python-version: 'pypy3.9' # pypy-X.Y kept for backward compatibility
    - run: python my_script.py
    
    • RUNNER_TOOL_CACHE environment variable is equal to AGENT_TOOLSDIRECTORY: #338

    • Bugfix: create missing pypyX.Y symlinks: #347

    • PKG_CONFIG_PATH environment variable: #400

    • Added python-path output: #405

    ... (truncated)

    Commits
    • c4e89fa Improve readme for 3.x and 3.11-dev style python-version (#441)
    • 0ad0f6a Merge pull request #452 from mayeut/fix-env
    • f0bcf8b Merge pull request #456 from akx/patch-1
    • af97157 doc: Add multiple wildcards example to readme
    • 364e819 Merge pull request #394 from akv-platform/v-sedoli/set-env-by-default
    • 782f81b Merge pull request #450 from IvanZosimov/ResolveVersionFix
    • 2c9de4e Remove duplicate code introduced in #440
    • 412091c Fix tests for update-environment==false
    • 78a2330 Merge pull request #451 from dmitry-shibanov/fx-pipenv-python-version
    • 96f494e trigger checks
    • Additional commits viewable in compare view

    dependencies github_actions 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/aquasecurity/libbpfgo from 0.2.4-libbpf-0.6.1 to 0.3.0-libbpf-0.8.0

    chore(deps): bump github.com/aquasecurity/libbpfgo from 0.2.4-libbpf-0.6.1 to 0.3.0-libbpf-0.8.0

    Bumps github.com/aquasecurity/libbpfgo from 0.2.4-libbpf-0.6.1 to 0.3.0-libbpf-0.8.0.

    Release notes

    Sourced from github.com/aquasecurity/libbpfgo's releases.

    v0.3.0-libbpf-0.8.0

    This release of libbpfgo now provides official support for statically/dynamically linking libbpf v0.8.0!!!

    Breaking Changes

    • ListProgramNames API was removed
    • GetUnsafePointer helper was removed

    New APIs

    • BPFMap.SetValueSize() (calls libbpf bpf_map__set_value_size) #156
    • BPFMap.GetValueReadInto() (calls libbpf bpf_map__lookup_elem) #156
      • This enables the use of per-cpu arrays, hashmaps, and storage!
    • BPFObjectIterator! #166
      • Allows for iterating over each map and program in a BPF object
      • Uses libbpf bpf_object__next_program and bpf_object__next_map
    • GetSectionName (calls libbpf bpf_program__section_name) #166
    • GetValueFlags()/UpdateValueFlags() #154
      • This enables passing a MapFlag argument to the bpf helper functions bpf_map_update_elem and bpf_map_lookup_elem_flags
    • BPFProg.AttachXDP() (calls libbpf bpf_program__attach_xdp) #170
    • BPFProg.GetSectionName() (calls libbpf bpf_program_-section_name) #164
    • BPFMapTypeIsSupported()/BPFProgramTypeIsSupported() #164
    • SetStrictMode() (calls libbpf_set_strict_mode) #160
    • BPFLink.Pin()/BPFLink.Unpin() (calls libbpf bpf_link__pin/unpin) #144
    • BPFProg.AttachGeneric() (calls libbpf bpf_program__attach) #144
      • Allows for autodetection of bpf program and attach types! This is useful for tracing programs
    • BPFProg.SetAttachTarget()/BPFProg.SetAttachType/BPFProg.SetProgramType #144

    New Helpers

    • You can now use a range of new helpers for parsing options passed to socket syscalls such as setsockopt and getsockopt #181
    • CreateMap() (calls bpf_map_create) #138
    • BPFMap.Name()/BPFMap.Type (calls libbpf bpf_map__name/bpf_map__type) #138
    • BPFMap.SetType() (calls libbpf bpf_map__set_type) #138

    New Selftests/examples

    • Fentry BPF_PROG_TYPE_TRACING sample #144
    • Fentry set attach target selftest #144
    • New tc selftest
    • New XDP selftest
    • Removed the faulty tcpconnect selftest
    • VersionString selftest

    Notable Fixes

    • Kernel symbol helpers will no longer have errant square brackets #153
    • Support for arm64 fixes #158
    • A lot of error handling fixes #163 #157, #152, #146, #142

    v0.2.5-libbpf-0.7.0 contains various new helpers, APIs, and code improvements as well as official support for libbpf v0.7.0!

    What's Changed

    ... (truncated)

    dependencies go 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.8.0

    chore(deps): bump github.com/stretchr/testify from 1.7.0 to 1.8.0

    Bumps github.com/stretchr/testify from 1.7.0 to 1.8.0.

    dependencies go 
    opened by dependabot[bot] 0
  • chore(deps): bump github.com/miekg/dns from 1.1.47 to 1.1.50

    chore(deps): bump github.com/miekg/dns from 1.1.47 to 1.1.50

    Bumps github.com/miekg/dns from 1.1.47 to 1.1.50.

    dependencies go 
    opened by dependabot[bot] 0
Releases(v0.0.10)
  • v0.0.10(Apr 21, 2022)

  • v0.0.9(Apr 20, 2022)

    Changelog

    • 32e735a Merge pull request #24 from mrtc0/dnsproxy
    • 8cc77f8 Merge pull request #25 from mrtc0/not-use-resolvconf
    • 1a3d0e5 chore: add dns_proxy configuration to sample config
    • 7c00480 chore: add launch message
    • 99b4686 chore: bump up
    • ca3ccb9 chore: change sample
    • a337260 feat: Remove the responsibility to modify resolv.conf
    • f510972 feat: [WIP] add DNS Proxy
    • bccbef7 feat: [WIP] overwrite resolv.conf
    • 7a2dd31 feat: impl dns cache and log
    • c60fb3d feat: refactor
    • 0d727fd feat: validate config
    • 8df7930 fix: Iterate all DNS servers in case name resolution fails
    • 23ea6fa fix: error handling
    • 734e6a1 fix: error handling
    • 33186bd fix: if DNS Proxy fails to start, terminated
    • bb61b37 refactor: move name resolution methods
    • 625a8ec refactor: remove debug log
    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.9_Linux_x86_64.tar.gz(3.26 MB)
    checksums.txt(100 bytes)
  • v0.0.8(Mar 29, 2022)

  • v0.0.7(Mar 27, 2022)

    [0.0.7] 2022-03-27

    Added

    Support for labels in log

    Logs can contain arbitrary labels in key/value format. For example:

    log:
      labels:
        environment: production
        role: app
    
    {
      "Action": "BLOCKED",
      "Addr": "52.219.1.53",
      "Comm": "curl",
      ...
      "environment": "production",
      "role": "app",
      "time": "2022-03-27T13:33:17Z"
    }
    

    Fix

    TTL-based name resolution instead of periodic resolution #18

    Workarounds for #17.

    Context logger

    Log context was not set correctly.

    Changelog

    • ddf0774 Merge pull request #18 from mrtc0/ttl-based-dns-resolver
    • 6938b0d chore: bump up v0.0.7
    • 192fe22 feat: TTL-based name resolution instead of periodic cycles
    • 7c6a84e fix: context log
    • 113dada fix: deprecated annotation
    • d3e6ace fix: remove debug code
    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.7_Linux_x86_64.tar.gz(3.18 MB)
    checksums.txt(100 bytes)
  • v0.0.6(Mar 23, 2022)

  • v0.0.5(Mar 18, 2022)

    [0.0.5] 2022-03-18

    Added

    Support for mount restrictions #10

    Added a new restriction on mount events. This prevents mounting paths such as /var/run/docker.sock.

    mount:
      mode: block
      target: host
      deny:
        - /var/run/docker.sock
    

    Added option to disable restrictions

    network:
      enable: true
      ...
    files:
      enable: false # File access restrictions do not apply
    

    Changelog

    • 872bab4 Merge pull request #10 from mrtc0/restrict-mount
    • e58b90d chore(CI): add dependabot config
    • 3129dff chore(CI): add scorecard-action
    • 5303056 chore(CI): set permissions
    • 1e2082e chore(CI): update permissions
    • fec3499 chore(CI): update permissions
    • c9f65a8 chore(config): update sample
    • 3c63e25 chore: bump up v0.0.5
    • 429bfdc chore: fix comment
    • 4551fe8 chore: fix sample config
    • cb4b5fa chore: update CHANGELOG
    • fa1a11c chore: update TODO
    • 2510d37 docs(mount): update
    • 0510ce0 docs(mount): update
    • 61028cf feat(config): Added option to disable restrictions
    • 66fbb5a feat(mount): add mode and target config
    • ecd236a feat(mount): add mode and target filter in ebpf program
    • 3218bd8 feat(mount): audit mount
    • fcbf33a feat(mount): mount event output to perf buffer
    • a7f7c4e feat(mount): restrict mount worked
    • d70ad29 fix(mount): remove redeclare variable
    • c110548 test(fileaccess): fix
    • 8addfa8 test(mount): restrict mount test
    • d6e9124 test(mount): test for audit
    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.5_Linux_x86_64.tar.gz(1.81 MB)
    checksums.txt(100 bytes)
  • v0.0.4(Mar 12, 2022)

    Added

    Support for restrictions by domain name #5

    Restrictions by domain name are now possible.
    Because domain-name resolution is hard to hook from eBPF, names are resolved in the userspace program instead.
    The userspace program performs name resolution periodically and writes the resulting addresses into the eBPF map.

    This will support the following settings:

    network:
      mode: block
      target: host
      cidr:
        allow:
          - 0.0.0.0/0
        deny: []
      domain:
        deny:
          # Connection to example.com will be blocked
          - example.com
    

    This is an initiative by GMO Pepabo, Inc. through its internship program for students. Thanks @n01e0
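    The domain restriction described here, and the TTL-based re-resolution that v0.0.7 (above) introduced in its place, are easiest to see in userspace code. The following is an added example, not bouheki's own code: it evaluates the README's cidr allow/deny semantics (a deny entry overrides allow; anything outside the allow list is blocked) and keeps a domain deny cache that re-resolves only when the record's TTL has expired, standing in for the eBPF map the tool updates. The config, the scripted resolver answers (TEST-NET-3 addresses) and every class and function name are constructed for this example.

```python
"""Userspace side of a bouheki-style egress policy (added example, not project code)."""
import ipaddress
from typing import Callable, Dict, List, Set, Tuple

# A resolver answers a name with (address, ttl_seconds) records.
Resolver = Callable[[str], List[Tuple[str, int]]]


def parse_cidrs(cidrs: List[str]) -> list:
    # The README sample lists 10.0.1.1/24 (host bits set); strict=False reads it
    # as 10.0.1.0/24 where the default would raise ValueError.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


class DomainCache:
    """Addresses behind each denied domain, re-resolved only once the record TTL
    has expired (the v0.0.7 change); stands in for the eBPF map the tool updates."""

    def __init__(self, domains: List[str], resolver: Resolver):
        self.resolver, self.domains = resolver, list(domains)
        self.addrs: Dict[str, Set[str]] = {d: set() for d in domains}
        self.expires: Dict[str, float] = {d: 0.0 for d in domains}  # resolve on first use

    def refresh(self, now: float) -> None:
        for d in self.domains:
            if now < self.expires[d]:
                continue
            records = self.resolver(d)
            if not records:  # assumption: keep stale entries and retry shortly
                self.expires[d] = now + 5.0
                continue
            self.addrs[d] = {str(ipaddress.ip_address(a)) for a, _ in records}
            self.expires[d] = now + min(ttl for _, ttl in records)

    def denied_addresses(self, now: float) -> Set[str]:
        self.refresh(now)
        return set().union(*self.addrs.values())


class NetworkPolicy:
    """README semantics: a deny entry (CIDR or domain) overrides allow, and a
    destination outside every allow entry is blocked."""

    def __init__(self, config: dict, resolver: Resolver):
        net = config["network"]
        self.allow = parse_cidrs(net.get("cidr", {}).get("allow", []))
        self.deny = parse_cidrs(net.get("cidr", {}).get("deny", []))
        self.domains = DomainCache(net.get("domain", {}).get("deny", []), resolver)

    def decide(self, dst: str, now: float) -> str:
        addr = ipaddress.ip_address(dst)
        if str(addr) in self.domains.denied_addresses(now):
            return "BLOCKED"
        if any(addr in n for n in self.deny):  # a v4 address is never "in" a v6 net
            return "BLOCKED"
        if any(addr in n for n in self.allow):
            return "ALLOWED"
        return "BLOCKED"


class ScriptedResolver:
    """Constructed DNS stand-in: each lookup returns the next scripted answer."""

    def __init__(self, answers: List[List[Tuple[str, int]]]):
        self.answers, self.calls = answers, 0

    def __call__(self, name: str) -> List[Tuple[str, int]]:
        i = min(self.calls, len(self.answers) - 1)
        self.calls += 1
        return self.answers[i]


# Constructed config combining the README allow/deny, the v0.0.3 IPv6 deny and
# the v0.0.4 domain deny; example.com resolves to TEST-NET-3 placeholder addresses.
SAMPLE_CONFIG = {"network": {
    "mode": "block", "target": "host",
    "cidr": {"allow": ["0.0.0.0/0", "::/0"],
             "deny": ["10.0.1.10/32", "2001:3984:3989::3/128"]},
    "domain": {"deny": ["example.com"]}}}


def run_demo() -> dict:
    resolver = ScriptedResolver([[("203.0.113.7", 30)], [("203.0.113.8", 30)]])
    policy = NetworkPolicy(SAMPLE_CONFIG, resolver)
    out = {"allowed_host": policy.decide("10.0.1.5", now=0),
           "deny_override": policy.decide("10.0.1.10", now=0),
           "deny_v6": policy.decide("2001:3984:3989::3", now=0),
           "domain_t0": policy.decide("203.0.113.7", now=0),   # resolved at t=0
           "moved_t10": policy.decide("203.0.113.8", now=10),  # TTL live: new record unseen
           "moved_t31": policy.decide("203.0.113.8", now=31),  # TTL expired: re-resolved
           "old_t31": policy.decide("203.0.113.7", now=31)}    # stale address dropped
    out["lookups"] = resolver.calls  # 2: one at t=0, one after the 30s TTL lapsed
    return out


if __name__ == "__main__":
    print(run_demo())
```

    The moved_t10 case is the detection gap worth knowing about: until the cached TTL lapses, an address a denied domain has just moved to is still allowed.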

    Support for file access restrictions #6

    File opens can now be restricted by attaching to lsm/open.
    For example, access to /etc/passwd and /etc/test can be denied with the following configuration:

    network:
      mode: block
      target: host
      cidr:
        allow:
          - 0.0.0.0/0
    files:
      mode: block
      target: container
      allow:
        - '/'
      deny:
        - '/etc/passwd'
        - '/etc/test'
    log:
      format: json
    

    Changed

    Update libbpfgo and link libbpf statically #9

    libbpfgo was updated to v0.2.4-libbpf-0.6.1. With this change, libbpf is managed as a submodule.
    Also, libbpf is now statically linked.

    $ ldd bouheki
            linux-vdso.so.1 (0x00007fff9a8ae000)
            libelf.so.1 => /lib/x86_64-linux-gnu/libelf.so.1 (0x00007fc5e2761000)
            libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc5e2745000)
            libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc5e251d000)
            /lib64/ld-linux-x86-64.so.2 (0x00007fc5e2788000)
    

    Changelog

    • 5be4ad5 Add CHANGELOG.md
    • 8e3642e Add compose file for test
    • fd105c5 Add doc
    • c1c9783 Add monitor test
    • 4b569ac Fix test
    • 784382e Fixed a bug v6 addresses were not being restricted.
    • c677c97 I forgot about the common.h
    • 7ec3817 Make DNS Resolver stub-able for easy testing
    • ae7ad10 Merge branch 'master' into DNS_lookup
    • f72e94d Merge branch 'master' of ssh://github.com/mrtc0/bouheki
    • ffa2f34 Merge pull request #1 from n01e0/master
    • 87295bf Merge pull request #2 from mrtc0/IPv6_support
    • c42eacc Merge pull request #3 from mrtc0/replace-bpf_core_read
    • 71cccf5 Merge pull request #4 from mrtc0/install_gotestsum
    • 0df33ef Merge pull request #5 from mrtc0/DNS_lookup
    • 2143ab3 Merge pull request #6 from mrtc0/IPv6_support
    • b438b68 Merge pull request #7 from mrtc0/restrict-open
    • fa827b4 Merge pull request #8 from mrtc0/docs
    • 6dcba40 Merge pull request #9 from mrtc0/update-libbpfgo
    • 682f994 Replaced bpf_core_read with BPF_CORE_READ_INTO to reduce register consumption
    • ce7644d Resolve the domain and update the map
    • 23ebcf0 Run the BPF test only if it has an integration tag.
    • 4d10ed6 Setup docker ipv6 environment
    • ba7d06b TestAuditWithUpdate for domain update test
    • a506cc7 Trying to test IPv6...
    • 1d116d3 repoet_ipv6_event must set hdr.type to BLOCKED_IPV6
    • 5ad37a5 add Domain in config
    • dea3755 add clang-format config
    • 29f5323 add development document
    • 94e25c1 add doc
    • 13cc411 add release task
    • 278e9ed add testcase for domain update
    • 6a119f0 assign Mask
    • aa2885a cache needs update
    • 0e783e0 chore(CHANGELOG): #7
    • 4f91d5e chore(deps): add submodule libbpf
    • 6426d8a chore(deps): adjust arguments new API
    • cf7ef27 chore(deps): update libbpfgo
    • 8f289ee chore(fileaccess): build restricted-file.bpf
    • 75a8e40 chore: Dockerize
    • 2ea95f1 chore: bump up v0.0.4
    • 379040b chore: fix release scripts
    • cd285f8 chore: install docker for test
    • f8b28de chore: setup git user
    • 7418f4e chore: update sample
    • c8bf860 chore: use domain
    • 386d356 clang-format
    • 8fccdea create IPNet
    • 251c697 create update func
    • 4334e2d define DomainCache
    • ccde5ea define in defaultConfig()
    • 091975d define interval in config
    • 12995d3 do not ignore...
    • 915b4e4 draft
    • 51ed0de exec needs run
    • 1865878 feat(fileaccess): Change behavior based on mode
    • 0c32460 feat(fileaccess): Send audit events to user-space via perf buffer
    • 4f7c11b feat(fileaccess): Support only container mode
    • 0b25c3b feat(fileaccess): impl strlen and strcmp in ebpf program
    • 7c1e116 feat(fileaccess): impl userland for hooks to lsm/open
    • 673d460 feat(fileaccess): logging event
    • 6e7a732 feat(fileaccess): restricted open files
    • 082ba3b feat(fileaccess): support block / monitor mode
    • b0295b5 feat: fix test
    • 9197575 feat: refactor
    • fb259fd feat: skip compatibility check
    • 4f9ade5 fix
    • 2209a3c fix Vagrantfile use -y option
    • 6b6b269 fix config for test
    • b0fd285 fix enum format
    • 88b6b2b fix indent
    • 56b6650 fix multi-value
    • 20de261 fix sample.yaml
    • 6de4325 fix test
    • 5910acf fix test
    • ec7cc73 fix test
    • 7c6f009 fix test cases
    • d6b3fcc fix v6 integration test
    • 404f3ce fix: In ubuntu impish, the combination of landlock and bpf will cause a kernel panic
    • e42c0c7 go fmt
    • b8d7790 gofmt
    • 5607751 gofmt in CI
    • 0829fb6 impl IPv6 event parser
    • acd0a79 insert into cache
    • e90af96 install gcc-multilib for asm/errno.h
    • a85893b install gotestsum for test
    • ccbe172 Implement ipv(4|6)ToKey
    • e09939f key is key
    • ddfa761 need call
    • 0096ac8 rebase
    • f86f9bb refactor
    • 58c5bab refactor
    • 038185d refactor test
    • 622312e refactor(network): for easy handling of logger
    • 4aab3ff refactor(network): remove dead code
    • 704b7e5 refactor: rename commands -> audit
    • be3cba2 refactor: rename config fileds
    • dcf06fd refactor: rename fileaccess ebpf map
    • 2d300d1 refactor: rename map and attach process
    • 318f110 refactor: rename methods
    • c1e2fe6 refactor: rename methods and move some methods to helpers
    • 34f0cda refactor: rename network-restrict ebpf map
    • ed8487c refactor: rename old methods name
    • e3cb716 refactor: rename structs files
    • 20fe419 remove "Not implemented" comment
    • c40bd62 remove files
    • bf8af62 revert because the deny rule cannot block
    • 6f39b8d set default allow ::/0
    • aaa7cf6 shouldn't use ping in test
    • 892fc82 style(network): format variable define
    • 79640f3 style: add test and refactor
    • cbc5244 style: format
    • db02cc2 style: rename
    • 05bcc36 style: rename
    • 2069419 style: rename variable names and bpf map names
    • b9d2ff6 test(fileaccess): e2e test for audit
    • 030ef15 test(fileaccess): e2e test for container mode
    • 086ed58 test(fileaccess): fix param
    • c5c9da4 test(fileaccess): unit test for manager
    • f1985f9 testing block by domain
    • 3c7e8cb testing monitor by domain
    • b28af81 Implementation without union; v4 works for now
    • 89c91d1 update
    • 4a453bd update LICENSE
    • 58bb8c4 update successful
    • fb6f115 update ubuntu
    • 87daf40 use BPF_CORE_READ
    • e70b1d9 use compose for test
    • 267bd8c Wrote the C part roughly for now, so committing it as a checkpoint
    • a783146 Fixed the sloppy check
    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.4_Linux_x86_64.tar.gz(1.80 MB)
    checksums.txt(100 bytes)
  • v0.0.3(Feb 21, 2022)

    Features

    Added support for IPv6 (#2). Communication with a specified IPv6 address can be monitored and blocked with the following settings:

    network:
      mode: block
      target: host
      cidr:
        allow:
          - 0.0.0.0/0
          - ::/0
        deny:
          - 2001:3984:3989::3/128
    log:
      format: json
    

    Thanks @n01e0

    Changelog

    • 8e3642e Add compose file for test
    • b67ca28 Create codeql-analysis.yml
    • ffa2f34 Merge pull request #1 from n01e0/master
    • 87295bf Merge pull request #2 from mrtc0/IPv6_support
    • 4d10ed6 Setup docker ipv6 environment
    • a506cc7 Trying to test IPv6...
    • 1d116d3 repoet_ipv6_event must set hdr.type to BLOCKED_IPV6
    • dea3755 add clang-format config
    • 29f5323 add development document
    • 13cc411 add release task
    • cd285f8 chore: install docker for test
    • c8bf860 chore: use domain
    • 386d356 clang-format
    • 12995d3 do not ignore...
    • b0295b5 feat: fix test
    • 9197575 feat: refactor
    • 4f9ade5 fix
    • 2209a3c fix Vagrantfile use -y option
    • 01389f8 fix config
    • b0fd285 fix enum format
    • 404f3ce fix: In ubuntu impish, the combination of landlock and bpf will cause a kernel panic
    • 931bfcb format
    • b8d7790 gofmt
    • 072fe80 ignore destination port 0
    • 0829fb6 impl IPv6 event parser
    • e90af96 install gcc-multilib for asm/errno.h
    • ccbe172 Implement ipv(4|6)ToKey
    • ebd9e27 logging parent process
    • cb68380 logging protocol
    • ddfa761 need call
    • 58c5bab refactor
    • 20fe419 remove "Not implemented" comment
    • 79640f3 style: add test and refactor
    • cbc5244 style: format
    • 05bcc36 style: rename
    • db02cc2 style: rename
    • 2069419 style: rename variable names and bpf map names
    • b28af81 Implementation without union; v4 works for now
    • fb6f115 update ubuntu
    • 87daf40 use BPF_CORE_READ
    • e70b1d9 use compose for test
    • 267bd8c Wrote the C part roughly for now, so committing it as a checkpoint
    • a783146 Fixed the sloppy check
    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.3_Linux_x86_64.tar.gz(1.59 MB)
    checksums.txt(100 bytes)
  • v0.0.2(Nov 10, 2021)

  • v0.0.1(Sep 23, 2021)

    Changelog

    • 452a2ac Add test option
    • c3bb568 Add testify package
    • 9a0a61b Add tests for BPF program
    • 011aa87 Be useful to see in the log whether the connection was actually blocked.
    • 005ce18 Store the size of some config in the map because it cannot be checked from the bpf program.
    • 2aab2d8 Support UID based restriction
    • 1cabbbc Support deny command
    • 0bde187 Support json log format and log rotation
    • 7ac985f add goreleaser
    • 0840e2e change config format
    • 031a47f check user permission before running.
    • 903edea create license
    • 6231275 fix test
    • 1a044bd gid support
    • def3018 init
    • 3a91cff remove dead code
    • 49115ca rename restrict network policy function
    • b126538 support allowed_command
    • 57acfb2 update
    • 136db4d update
    • 8ec5bbc update
    • a7cdf44 update examples

    Source code(tar.gz)
    Source code(zip)
    bouheki_0.0.1_Linux_x86_64.tar.gz(1.55 MB)
    checksums.txt(100 bytes)
Owner
mrtc0