Introduction
Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.
Detectors are organized by event class and kernel subsystem:
- ProcMon: Tracks process creation and termination, as well as privilege escalation events.
- FileMon: Monitors file system activity and file-related operations.
- NetMon: Observes TCP connection establishment and teardown.
- KernelMon: Detects interaction with eBPF kernel subsystem.
- IOUringMon: Inspects io_uring submission queue activity.
- SysEnumMon (experimental): Detects system enumeration by correlating distinct watch-list observations within a sliding time window.
All Detectors perform in-kernel event filtering directly within eBPF programs, minimizing overhead and reducing the volume of data sent to userspace.
Bombini rule engine enables the detection of advanced threats, such as the disclosure of GTFOBins, which involves the execution of privileged shells through the abuse of eligible binaries.
Additionally, ProcMon, FileMon and NetMon can optionally enforce sandboxing policies, allowing fine-grained control over process execution, file access and ip connections based on configurable rules.
By combining the safety of Rust, the power of eBPF, and the flexibility of LSM hooks, Bombini provides a lightweight, high-performance, and extensible runtime security monitoring solution for Linux systems.
Getting Started
Before moving further, please, check the compatibility page.
Container
Download Bombini container image:
docker pull ghcr.io/bombinisecurity/bombini:v1.0.0
Run
You can easily run Bombini with this command:
docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini
By default Bombini sends event to stdout in JSON format and starts only ProcMon detector intercepting
process execs and exits. To customize your Bombini setup, please, follow the Configuration chapter
and mount config directory to the container:
docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro -v /sys/fs/bpf:/sys/fs/bpf bombini
You can save event logs to the file:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.log:/log/bombini.log -v /sys/fs/bpf:/sys/fs/bpf bombini --event-log /log/bombini.log
Or send them via unix socket:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.sock:/log/bombini.sock -v /sys/fs/bpf:/sys/fs/bpf bombini --event-socket /log/bombini.sock
Bombini uses env_logger crate. To see agent logs pass --env "RUST_LOG=info|debug"to docker run.
Kubernetes
First pull bombini image:
docker pull ghcr.io/bombinisecurity/bombini:v1.0.0
bombini.yaml manifest has bombini ConfigMap with all configuration setup. By default, only ProcMon
detector is loaded. To customize your Bombini setup, please, follow the Configuration chapter.
To start bombini DaemonSet run:
kubectl apply -f ./bombini.yaml
Events can be found in bombini k8s log.
Kind Example
Pull bombini image:
docker pull ghcr.io/bombinisecurity/bombini:v1.0.0
Install kind.
If your cwd is repo root change it to ./install/k8s
cd ./install/k8s
Create kind cluster:
kind create cluster --config ./kind-config.yaml --name bombini-test-cluster
Load bombini image in kind cluster:
kind load docker-image bombini:latest --name bombini-test-cluster
Start bombini:
kubectl apply -f ./bombini.yaml
Check events:
kubectl get pods | grep "^bombini" | awk '{print $1}' | xargs kubectl logs -f
Tarball
You can get a tarball with installation scripts for bombini systemd service:
wget https://github.com/bombinisecurity/bombini/releases/download/v1.0.0/bombini-v1.0.0.tar.gz
Install / Uninstall
Unpack bombini tarball:
tar -xvf ./target/bombini.tar.gz -C ./target
If you need config customization then update detector configs in target/bombini/usr/local/lib/bombini/config.
Then run install script:
sudo ./target/bombini/install.sh
Check events:
tail -f /var/log/bombini/bombini.log
Uninstall with uninstall.sh:
sudo ./target/bombini/uninstall.sh
Build
First, install build dependencies:
- Install Rust.
- Install
clangandlibbpf-dev. Ubuntu:apt install clang libbpf-dev. - Prepare environment for Aya.
Release build:
cargo xtask build --release
Run
sudo ./target/release/bombini --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
Or using cargo:
cargo xtask run --release -- --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
By default Bombini starts only ProcMon detector intercepting process execs and exits. To customize your Bombini setup, please, follow the Configuration.
Bombini uses env_logger crate. To see agent logs set RUST_LOG=info|debug environment variable.
Configuration
This chapter describes the way Bombini can be configured. Configuration is done by YAML config files.
Config files are stored in separate directory ./config for example. In this directory config.yaml
file must exist. This file provides a global Bombini agent configuration, which can be overrided by cli arguments.
To load detectors in config directory detector config yaml’s must be provided (e.g. procmon.yaml).
Configuration of detectors is considered in the next chapters.
Protobuf specification for detectors configs located in reference chapter.
Bombini Config
Bombini agent configuration is stored in config.yaml. The example of config.yaml provided bellow:
# Global parameters for bombini agent.
# All paths must be full canonical or
# relative to this config file.
---
# Directory with bpf detector object files
bpf_objs: /usr/local/lib/bombini/bpf
# Path to pin bpf maps.
maps_pin_path: /sys/fs/bpf/bombini
# Event map size (ring buffer size in bytes)
event_map_size: 65536
# Raw event channel size (number of event messages)
event_channel_size: 64
# Procmon process map size
procmon_proc_map_size: 8192
# Retain Transmuters caches every <gc_period> sec
gc_period: 30
# Transmit events to log file
log_file: /var/log/bombini/bombini.log
# Log file size in MB
log_file_size: 10
# Number of log file rotations
log_file_rotations: 5
# Enable log file compression
log_file_compression: false
# Prometheus metric server port. This option enables metric server
metric_server_port: 9100
# List of the detectors to load
detectors:
- procmon
#- filemon
#- netmon
# -kernelmon
#- io_uringmon
#- sysenummon
To enable detectors loading you must put the detector name in config detectors section.
NOTE: YAML file with the same name plus “.yaml” suffix must exist in
the same directory with config.yaml.
Bombini CLI Arguments
Ebpf-based agent for observability and security monitoring
Usage: bombini [OPTIONS]
Options:
--bpf-objs <FILE> Directory with bpf detector object files
--maps-pin-path <FILE> Path to pin bpf maps
--event-map-size <VALUE> Event map size (ring buffer size in bytes)
--event-channel-size <VALUE> Raw event channel size (number of event messages)
--procmon-proc-map-size <VALUE> Procmon process map size
-D, --detector <NAME> Detector to load. Can be specified multiple times. Overrides the config
--gc-period <SEC> GC period for user mode caches in seconds
--config-dir <DIR> YAML config dir with global config and detector configs [default: /usr/local/lib/bombini/config]
--log-file <FILE> File path to save events
--log-file-rotations <VALUE> Number of rotated files to keep
--log-file-size <VALUE> Max size of rotated file in mb
--log-file-compression Enable compression for rotated files
--event-socket <FILE> Unix socket path to send events
--metric-server-port <PORT> Prometheus exporter port
-h, --help Print help
-V, --version Print version
--bpf-objs, --maps-pin-path, --event-map-size, --event-channel-size, detector options can override corresponding config options.
--log-file, --event-socket can override default stdout json serialized events output.
Rules
Bombini agent implements a powerful event filtering mechanism that operates entirely within the eBPF layer. This approach ensures minimal overhead and maximum performance by filtering events at the kernel level before they reach user space.
Configuration Structure
Rules are defined in YAML format and organized by hook or hook group. The basic structure follows this pattern:
<hook_name>:
enabled: <boolean>
rules:
- rule: <rule_name>
scope: <boolean_predicate>
event: <boolean_predicate>
Example Configuration
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
scope: binary_path in ["/usr/bin/cat", "/usr/bin/tail"]
event: path_prefix == "/etc" AND name in ["passwd", "shadow", "sudoers"]
Rule Components
Scope Predicate. The scope predicate defines the subject to which the rule applies. This typically describes executable or host. To capture all events corresponding to the entire host, just keep scope predicate empty (or remove it from the rule). Executable context can be configured using the following attribute maps:
- binary_path: Full absolute path to executable
- binary_name: Executable name
- binary_prefix: Absolute path prefix for the executable (up to 255 bytes)
The same attributes are also available for the direct parent process (supported by the procmon and filemon detectors only):
- parent_binary_path: Full absolute path to the parent executable
- parent_binary_name: Parent executable name
- parent_binary_prefix: Absolute path prefix for the parent executable (up to 255 bytes)
Event Predicate. The event predicate defines the event characteristics that should trigger the rule. Attribute maps for event filtering are specific for hook associated with the rule. Attribute description can be found in detectors configuration chapters.
Predicate Combination. The scope and event predicates are combined using logical AND. This means both conditions must be satisfied for the rule. It’s is possible to use only scope or event predicate. For this purpose just remove it from rule.
Boolean Predicate Syntax
| Operation | Syntax | Description | Example |
|---|---|---|---|
| AND | AND | Logical conjunction | path_prefix == "/etc" AND name == "passwd" |
| OR | OR | Logical disjunction | binary_path == "/usr/bin/cat" OR binary_path == "/usr/bin/tail" |
| NOT | NOT | Logical negation | NOT uid in [2000, 1000] |
| Grouping | ( ) | Control evaluation precedence | (A OR B) AND C |
| Membership | in | Check value existence in list | name in ["passwd", "shadow", "sudoers"] |
| Equality | == | Shorthand for single-element membership check | binary_path == "/usr/bin/cat" |
Operator Precedence
The following precedence order applies (from highest to lowest):
- Parentheses (), in, ==
- NOT
- AND
- OR
In Operator
The in operator is used to check if a value exists in a list. It can be used with both string and integer lists.
Integers can be specified in decimal or hexadecimal format. There is a difference how strings are handled. For example,
for path attribute map strings are considered as path strings. For ipv4/ivp6 address strings are considered as CIDRs,
for example: "2000::/3" is a CIDR for IPv6. And last but not least, some attribute maps consider strings as bit flags,
for example, for ecaps attribute map, ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"] will check if any of this flags (capabilities) are set.
Technical Limitations
- Maximum rules per hook: 32
- Maximum operations per rule: 16
- Maximum in operations per attribute in rule: 8
The last two constraints are applied to optimized rule.
Rule Optimizations
Bombini agent applies several optimizations to rules to improve performance:
- fold_not
- fold_or
- fold_and
Fold_or Optimization
The fold_or optimization combines multiple OR operations with underling “in” containing the same attribute map into a single “in” operation.
Example
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/etc" OR path == "/var" OR path in ["/etc", "/tmp", "/opt"]
This rule will be optimized to:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path in ["/etc", "/tmp", "/opt", "/var"]
Fold_and Optimization
The fold_and optimization combines multiple AND operations with underling “in” containing the same attribute map into a single “in” operation.
Example
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/etc" AND path in ["/etc", "/tmp", "/opt"]
This rule will be optimized to:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path in ["/etc"]
Also, this optimization checks if predicate is always false, and returns error:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/log" AND path in ["/etc", "/tmp", "/opt"]
Fold_not Optimization
The fold_not optimization combines multiple NOT operations into a single NOT operation using De Morgan’s laws.
Example
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT path == "/var" AND NOT path == "/tmp"
This rule firstly will be optimized to:
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT (path == "/var" OR path == "/tmp")
And resulting rule after fold_or optimization will be:
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT path in ["/var", "/tmp"]
Sandbox Mode
Bombini supports sandboxing for ProcMon, FileMon and NetMon detectors, allowing to define fine-grained access control policies that are enforced directly in-kernel via eBPF LSM hooks. When enabled, sandboxing evaluates rules in enforcement mode: matching events can be allowed or denied based on the configured policy. In allow-list mode, event restrictions are tied to the scope of the event. If there is no scope restriction, the event restriction is applied to the entire host.
Sandbox configuration is added at the hook level and follows this pattern:
<hook_name>:
enabled: <boolean>
sandbox:
enabled: <boolean> # optional, default: false
deny_list: <boolean> # optional, default: false
rules:
- rule: <rule_name>
scope: <boolean_predicate>
event: <boolean_predicate>
Sandbox Parameters
- enabled: Activates sandbox enforcement for the hook. When false, rules operate in monitoring-only mode.
- deny_list: Controls policy mode:
- false (default): Allow-list mode — only events matching rules are permitted; all others are denied.
- true: Deny-list mode — events matching rules are explicitly blocked; all others are permitted.
Examples
Prevent dash, sh and bash from writing to filemon.yaml:
file_open:
enabled: true
sandbox:
enabled: true
deny_list: true
rules:
- rule: OpenTestSandBoxRule
scope: binary_name in ["dash", "sh", "bash"]
event: name == "filemon.yaml" AND access_mode == "O_WRONLY"
Allow head command to read only files from /usr/lib or read filemon.yaml:
file_open:
enabled: true
sandbox:
enabled: true
rules:
- rule: OpenTestSandBoxRule
scope: binary_name == "head"
event: path_prefix == "/usr/lib" OR name in ["filemon.yaml"]
Only binaries from the specified paths can be executed:
bprm_check:
enabled: true
sandbox:
enabled: true
rules:
- rule: BprmCheckTestRule
event: path_prefix in ["/usr", "/bin", "/sbin", "/home"]
Allow curl to connect only to 127.0.0.1 and port 8080:
socket_connect:
enabled: true
sandbox:
enabled: true
deny_list: false
rules:
- rule: SocketConnectSandboxRule
scope: binary_name == "curl"
event: ipv4_addr == "127.0.0.1" AND port == 8080
ProcMon
ProcMon is the main detector that collects information about process being spawned and detached. Information about living process is stored in shared eBPF map and in Process cache in user space. Every other detector needs ProcMon that monitors process execs and exits. This detector cannot be disabled.
Required Linux Kernel Version
6.2 or greater
Config Description
It is possible to enable IMA hashes of executed binary in process information. To enable put this to config (false by default):
ima_hash: true
It is possible to set garbage collection period in seconds for PROCMON_PROC_MAP (process info in eBPF).
Default value is 30 sec.
gc_period: 30
Process Hooks
ProcMon helps to monitor privilege escalation during process execution. It uses LSM hooks for this:
- security_task_fix_setuid (config name: setuid)
- security_task_fix_setgid (config name: setgid)
- security_capset (config name: capset)
- security_task_prctl (config name: prctl)
- security_create_user_ns (config name: create_user_ns)
- security_ptrace_access_check (config name: ptrace_access_check)
- security_bprm_check (config name: bprm_check)
Also there is a tracepoint hook only for sandbox mode: sched_process_exec. It allows to block execs by sending SIGKILL to the process.
To enable hook:
<hook>:
enabled: true
Event Filtering
All hooks support scope filtering. In addition to the binary_* attributes, ProcMon scope
filtering supports matching the direct parent process binary via the parent_binary_path,
parent_binary_name and parent_binary_prefix attributes (see Rules).
The following list of hooks support event filtering by rules and sandbox mode:
- security_task_fix_setuid
- security_task_fix_setgid
- security_capset
- security_create_user_ns
- security_bprm_check
- sched_process_exec
security_task_fix_setuid
setuid supports the following filtering attributes:
uid- new uideuid- new euid
Example
setuid:
enabled: true
rules:
- rule: UidTestRule
event: uid == 1000 AND euid == 0
security_task_fix_setgid
setgid supports the following filtering attributes:
gid- new gidegid- new egid
Example
setgid:
enabled: true
rules:
- rule: GidTestRule
event: gid == 1000 AND egid == 0
security_capset
capset supports the following filtering attributes:
ecaps- new effective capabilitiespcaps- new permitted capabilities
List of capabilities can be found in capabilities(7).
we support a placeholder ANY_CAPS that matches all capabilities. Expression ecaps in ["ANY_CAPS"] or ecaps == "ANY_CAPS" checks if any capability is set.
Example
setcaps:
enabled: true
rules:
- rule: CapsTestRule
event: ecaps == "CAP_SYS_ADMIN"
security_create_user_ns
create_user_ns supports the following filtering attributes:
ecaps- effective capabilitieseuid- effective uid
Example
create_user_ns:
enabled: true
rules:
- rule: UnprivNsTestRule
event: NOT ecaps == "CAP_SYS_ADMIN"
security_bprm_check
bprm_check supports the following filtering attributes:
path- absolute path of executed binary via execname- name of executed binary via execpath_prefix- absolute path prefix of executed binary via execeuid- euid of executed binary via execegid- egid of executed binary via exececaps- effective capabilities of executed binary via exec
Example
bprm_check:
enabled: true
rules:
- rule: TestBprmCheck
event: path_prefix == "/tmp" AND name == "ls"
sched_process_exec
sched_process_exec supports the following filtering attributes:
arg0-arg31- arguments of executed binary. The index at the end of the argument allows to distinguish between arguments. It is NOT the index of the argument inargvarray.
This hook is only available in sandbox mode, which is always enabled. It is used to block execs by sending SIGKILL to the process.
Example
sched_process_exec:
enabled: true
rules:
- rule: ExecveSandboxTestRule
scope: binary_name == "rm"
event: arg0 in ["-r", "-rf"] AND arg1 in ["/etc/passwd"]
In this example, we block all execs of rm binary if one of the arguments is -r or -rf and another is /etc/passwd.
GTFObins
The BprmCheck hook can be used to detect the execution of GTFOBins. It checks if privileged shell is executed and returns process information about GTFOBins binary that is spawning the shell.
Config Description
Scope predicate represents the list of GTFOBins filenames. Event predicate represents the list of possible shell filenames and checks if the executing process is running as root.
bprm_check:
enabled: true
sandbox:
enabled: true
deny_list: true
rules:
- rule: GTFOBins # https://gtfobins.github.io/#+shell%20+SUID%20+Sudo
scope: binary_name in
[
"aa-exec",
"awk",
"busctl",
"busybox",
...
]
event: name in ["sh", "bash", "dash", "zsh"] AND euid == 0
When sandbox deny_list mode is set true execution of GTFOBins is blocked.
FileMon
Detector provides events related to file / filesystem operations. Supported LSM hooks:
file_openhook provides info about file owner/permissions + permissions with process accessed the file.mmap_filehook provides info about mmaped file: path, protection flags.path_truncatehook provides info about path truncated by truncate syscall.path_unlinkprovides info about path being deleted.path_symlinkprovides info about symlink creation.path_chmodprovides info about changing file permissions.path_chownprovides info about changing file owner.sb_mountprovides info about mounted devices.file_ioctlprovides info about ioctl commands.
Required Linux Kernel Version
file_open: 6.2 or greatermmap_file: 6.2 or greatersb_mount: 6.2 or greaterfile_ioctl: 6.2 or greaterpath_truncate: 6.8 or greaterpath_unlink: 6.8 or greaterpath_symlink: 6.8 or greaterpath_chmod: 6.8 or greaterpath_chown: 6.8 or greater
Config Description
Config represents a dictionary with supported LSM BPF file hooks:
- file_open
- mmap_file
- path_truncate
- path_unlink
- path_symlink
- path_chmod
- path_chown
- sb_mount
- file_ioctl
For each file hook the following options are supported:
enabledenables detection for current hook. False by default.
Event Filtering
All hooks support scope filtering. In addition to the binary_* attributes, FileMon scope
filtering supports matching the direct parent process binary via the parent_binary_path,
parent_binary_name and parent_binary_prefix attributes (see Rules).
The following list of hooks support event filtering by rules and sandbox mode:
- file_open
- path_truncate
- path_unlink
- path_symlink
- path_chmod
- path_chown
- mmap_file
- file_ioctl
file_open
file_open supports the following filtering attributes:
path- the absolute path of opening file.path_prefix- the absolute path prefix of opening file.name- the name of opening file.access_mode- the access mode of opening file. It is treated as an enum value and can have only one value at a runtime (e.g., O_RDONLY, O_WRONLY, O_RDWR). See man.creation_flags- the creation flags of opening file. It is treated as mask and can have multiple values at a runtime (e.g., O_CREAT, O_EXCL, O_TRUNC simultaneously). See man.
Example
file_open:
enabled: true
rules:
- rule: OpenTestRule
scope: binary_name in ["ls", "tail"]
event: path in ["/etc"] OR name == "filemon.yaml"
path_truncate
file_truncate supports the following filtering attributes:
path- the absolute path of truncating file.path_prefix- the absolute path prefix of truncating file.name- the name of truncating file.
Example
path_truncate:
enabled: true
rules:
- rule: TruncateTestRule
event: path_prefix == "/tmp/bombini-test-"
path_unlink
path_unlink supports the following filtering attributes:
path- the absolute path of deleting file.path_prefix- the absolute path prefix of deleting file.name- the name of deleting file.
Example
path_unlink:
enabled: true
rules:
- rule: UnlinkTestRule
event: path_prefix == "/tmp" AND name == "test.json"
path_symlink
path_symlink supports the following filtering attributes:
path- the path of target file (maybe relative).path_prefix- the path prefix of target file (maybe relative).
Example
path_symlink:
enabled: true
rules:
- rule: SymlinkTestRule
event: path_prefix == "../"
path_chmod
path_chmod supports the following filtering attributes:
path- the absolute path of changing permissions file.path_prefix- the absolute path prefix of changing permissions file.name- the name of changing permissions file.mode- the new file’s permissions. See man for details.
Example
path_chmod:
enabled: true
rules:
- rule: ChmodTestRule
event: name == "filemon.yaml" AND mode in ["S_IWOTH","S_IWGRP","S_IWUSR"]
path_chown
path_chown supports the following filtering attributes:
path- the absolute path of changing owner file.path_prefix- the absolute path prefix of changing owner file.name- the name of changing owner file.uid- the new file’s owner UID.gid- the new file’s owner GID.
Example
path_chown:
enabled: true
rules:
- rule: ChownTestRule
event: name == "filemon.yaml" AND uid == 0 AND gid == 0
mmap_file
mmap_file supports the following filtering attributes:
path- the absolute path of mmaped file.path_prefix- the absolute path prefix of mmaped file.name- the name of mmaped file.prot_mode- the memory protection of mmaped file. It is treated as mask and can have multiple values at a runtime (PROT_READ, PROT_WRITE, PROT_EXEC). See man for details.flags- the flags of mmaped file. It is treated as mask and can have multiple values at a runtime (e.g., MAP_PRIVATE, MAP_SHARED, MAP_ANON). See man for details.
Example
mmap_file:
enabled: true
rules:
- rule: MmapTestRule
event: name == "filemon.yaml"
file_ioctl
file_ioctl supports the following filtering attributes:
path- the absolute path of device file.path_prefix- the absolute path prefix of device file.name- the name of device file.cmd- ioctl command.
Example
file_ioctl:
enabled: true
rules:
- rule: IoctlTestRule
event: path_prefix == "/dev" AND cmd in [4712, 2147766906, 769]
NetMon
NetMon detector provides information about ingress/egress TCP connections based on IPv4/IPv6. It also provides information about socket events.
Hooks:
tcp_v4_connect: collect egress TCP IPv4 connection requeststcp_v6_connect: collect egress TCP IPv6 connection requeststcp_close: collect connection close eventsinet_csk_accept: collect TCP v4/v6 ingress connectionssocket_create: collect socket creation eventssocket_create: collect socket connect events
Required Linux Kernel Version
6.2 or greater
Config Description
Config represents a dictionary with supported hooks for ingress/egress tcp connections and socket events:
ingressegresssocket_createsocket_connect
Event Filtering
All hooks support scope and event filtering. Hooks for socket events support sandbox mode. Hooks for tcp connections does not.
Tcp Connections
NetMon supports attributes filtering for ingress/egress tcp connection events.
ipv4_dst- destination IPv4 address of ingress/egress tcp connectionipv4_src- source IPv4 address of ingress/egress tcp connectionipv6_dst- destination IPv6 address of ingress/egress tcp connectionipv6_src- source IPv6 address of ingress/egress tcp connectionport_src- source port of ingress/egress tcp connectionport_dst- destination port of ingress/egress tcp connection
Examples
egress:
enabled: true
rules:
- rule: tcp-connections-out-of-cluster
event: >
NOT ipv4_dst in [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"127.0.0.1",
"0.0.0.0"
] OR ipv6_dst == "2000::/3"
egress:
enabled: true
rules:
- rule: tcp-connections-to-api-server
event: ipv4_dst == "10.96.0.1" AND port_dst == 443
Socket Creation
NetMon supports attributes filtering for socket creation events.
family- socket address family (AF_INET, AF_INET6, AF_UNIX, …).type- socket type (SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, …).flags- socket flags. This attribute is treated as mask and can have multiple values at a runtime (e.g., SOCK_NONBLOCK and SOCK_CLOEXEC simultaneously).protocol- socket protocol.
Examples
socket_create:
enabled: true
rules:
- rule: socket-creation
event: (family == "AF_INET6" OR family == "AF_INET")AND type == "SOCK_STREAM"
For more information about socket attributes see man.
Socket Connect
NetMon supports attributes filtering for socket connect events.
ipv4_dst- destination IPv4 address of egress connectionipv6_dst- destination IPv6 address of egress connectionport_dst- destination port of egress connection
Examples
socket_connect:
enabled: true
rules:
- rule: socket-connect
event: ipv4_dst == "10.96.0.1" AND port_dst == 443 OR ipv6_dst == "2000::/3"
For more information about socket attributes see man. We only support 2 socket address families: AF_INET and AF_INET6. This hook can be used for NetMon connections enforcement.
KernelMon
Detector provides events related to kernel modification/intergration. Supported LSM hooks:
bpf_map_createhook is used to detect BPF map creation.bpf_maphook provides information about BPF map access by userspace. Hook is triggered when userspace tries to get eBPF map descriptor. Descriptor could be used to read/write data from/to the map, pin it to the filesystem, inspect kernel metadata.bpf_prog_loadhook is used to detect BPF program loading.bpf_proghook provides information about BPF program access by userspace. Hook is triggered when userspace tries to get eBPF program descriptor. Descriptor could be used to attach/detach program to/from the hook, pin it to the filesystem or inspect kernel metadata.
Required Linux Kernel Version
6.2 or greater
Config Description
Config represents a dictionary with supported LSM BPF file hooks:
- bpf_map_create
- bpf_map
- bpf_prog_load
- bpf_prog
For each file hook the following options are supported:
enabledenables detection for current hook. False by default.
Event Filtering
All hooks support event filtering and do not provide sandboxing for now.
bpf_map_create
bpf_map_create supports the following filtering attributes:
name- name of BPF map (16 bytes).prefix- prefix of BPF map name (first 16 bytes).type- type of BPF map. See linux kernel for the list of supported types.
Example
bpf_map_create:
enabled: true
rules:
- rule: "BpfMapCreateTest"
event: type == "BPF_MAP_TYPE_HASH" AND name == "AT_exec_count"
bpf_map
bpf_map supports the following filtering attributes:
id- id of BPF map.name- name of BPF map (16 bytes).prefix- prefix of BPF map name (first 16 bytes).type- type of BPF map. See linux kernel for the list of supported types.
Example
bpf_map:
enabled: true
rules:
- rule: "KernelMonBpfMapTest"
event: type == "BPF_MAP_TYPE_HASH" AND prefix == "AT_exec"
bpf_prog_load
bpf_prog_load supports the following filtering attributes:
name- name of BPF program (16 bytes).prefix- prefix of BPF program name (first 16 bytes).type- type of BPF program. See linux kernel for the list of supported types.
Example
bpf_prog_load:
enabled: true
rules:
- rule: "KernelMonBpfProgLoadTest"
event: type == "BPF_PROG_TYPE_TRACING" AND prefix == "rawtracepoint"
bpf_prog
bpf_prog supports the following filtering attributes:
id- id of BPF program.name- name of BPF program (16 bytes).prefix- prefix of BPF program name (first 16 bytes).type- type of BPF program. See linux kernel for the list of supported types.
Example
bpf_prog:
enabled: true
rules:
- rule: "KernelMonBpfProgTest"
event: type == "BPF_PROG_TYPE_TRACING" AND name == "rawtracepoint_v"
IOUringMon
IOUring detector tracks SQE submitting using io_uring_submit_req tracepoint.
Inspired by:
- curing example and post.
- RingReaper example and post.
Required Linux Kernel Version
6.8 or greater
Config Description
IOUringMon doesn’t provide rule-based filtering.
SysEnumMon
Experimental. This detector differs from the others: it correlates observations across a process tree rather than reporting single events. Correlation is currently tied to the direct parent, so processes spawned indirectly (
find -exec,bash -c) may evade it, and the shared correlation state is read under RCU with time checks, so simultaneous hits on multiple CPUs can race. The behaviour and configuration may change once it gathers real-world feedback.
Detector correlates system enumeration (reconnaissance) activity. Automated privilege
escalation scanners (PEASS-ng: LinPEAS, LinEnum, pspy and similar) perform many small
enumeration steps in a short time: they execute information gathering binaries (id,
whoami, uname, netstat and so on) and read sensitive files (/etc/shadow,
/etc/ssh/* and so on). A single step is legitimate on its own, so an alert is raised only
when several distinct observations from the watch list accumulate inside one process tree
within a sliding time window.
Supported LSM hooks:
bprm_check_securityhook observes executed binary names onexecve.file_openhook observes opened file paths.
Both hooks are always loaded, there is no per-hook enable switch. SysEnumMon depends on ProcMon.
Required Linux Kernel Version
6.2 or greater
Config Description
SysEnumMon does not provide rule-based filtering or sandbox mode. It is configured by a watch list and two correlation parameters:
chain_size- thresholdK: number of distinct observations from the watch list that must occur within the window to raise an alert.Kmust not exceed 7, the per-process chain capacity.window_size_sec- sliding window lengthWin seconds. Only observations seen within the lastWseconds are kept in a process tree’s chain: as new observations arrive, any leading observation older thanWseconds is dropped from the chain. An alert is raised whenKdistinct observations fall inside the sameW-second window.bprm_check.name- list of binary names matched onexecve.file_open.path- list of exact file paths matched onfile_open.file_open.path_prefix- list of path prefixes matched onfile_open(longest prefix match).
Observations are de-duplicated, so repeating the same entry does not advance the counter:
a script that calls id in a loop does not raise an alert. The total number of unique watch
list entries (names + paths + prefixes) must not exceed 256.
Example
chain_size: 3
window_size_sec: 10
bprm_check:
name:
- id
- whoami
- uname
- netstat
- ss
- getcap
file_open:
path:
- /etc/shadow
path_prefix:
- /etc/ssh
Protocol Documentation
Table of Contents
proto/config.proto
FileMonConfig
Configuration file for FileMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| file_open | HookConfig | security_file_open config. | |
| path_truncate | HookConfig | security_path_truncate config. | |
| path_unlink | HookConfig | security_path_unlink config. | |
| path_symlink | HookConfig | security_path_symlink config. | |
| path_chmod | HookConfig | security_path_chmod config. | |
| path_chown | HookConfig | security_path_chown config. | |
| sb_mount | HookConfig | security_sb_mount config. | |
| mmap_file | HookConfig | security_mmap_file config. | |
| file_ioctl | HookConfig | security_file_ioctl config. |
HookConfig
Hook or group of hooks configuration
| Field | Type | Label | Description |
|---|---|---|---|
| enabled | bool | Load eBPF programs | |
| sandbox | SandboxMode | Sandbox capabilities. | |
| rules | Rule | repeated | Filtering rules |
KernelMonConfig
Configuration file for KernelMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| bpf_map | HookConfig | Getting access to bpf map | |
| bpf_map_create | HookConfig | Creating bpf map | |
| bpf_prog | HookConfig | Getting access to bpf program | |
| bpf_prog_load | HookConfig | Creating to bpf program |
NetMonConfig
Configuration file for NetMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| ingress | HookConfig | Ingress traffic connections | |
| egress | HookConfig | Egress traffic connections | |
| socket_create | HookConfig | Socket creation | |
| socket_connect | HookConfig | Connect over socket |
ProcMonConfig
Configuration file for ProcMon detector
| Field | Type | Label | Description |
|---|---|---|---|
| setuid | HookConfig | setuid hook config. | |
| capset | HookConfig | capset hook config. | |
| prctl | HookConfig | prctl hook config. | |
| create_user_ns | HookConfig | create_user_ns hook config. | |
| ptrace_access_check | HookConfig | ptrace_attach hook config. | |
| setgid | HookConfig | setgid hook config. | |
| bprm_check | HookConfig | bprm_check hook config. | |
| sched_process_exec | HookConfig | sched_process_exec sandbox hook config. | |
| ima_hash | bool | optional | Collect IMA hashes for executed binaries. |
| gc_period | uint64 | optional | GC period for PROCMON_PROC_MAP default 30 sec. |
Rule
Rule definition. Scope and event predicates are used as logical conjunction.
| Field | Type | Label | Description |
|---|---|---|---|
| name | string | Name of the rule. | |
| scope | string | Logical predicate describes scope this rule will be applied, e.g. process, container. | |
| event | string | Logical predicate for describes event rule will be applied |
SandboxMode
Sandbox parameters.
Scalar Value Types
Events
In this chapter all types of events produced by Bombini are described. Events are grouped by corresponding detectors. In event descriptions you also find JSON examples.
Each event has a process information related to this event.
JSON schema for all events located in reference chapter
ProcMon
ProcessExec
ProcessExec event represents a new executed binary (execve).
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQxMjQ6ODY5NDYyNTkwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84124,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:42:47.608Z",
"tid": 84124,
"uid": 0
},
"process": {
"args": "-l",
"auid": 1000,
"binary_path": "/usr/sbin/fdisk",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQxNDU6ODY5NDYzNTk4MDM5Mzcy",
"filename": "fdisk",
"gid": 0,
"parent_exec_id": "ODQxMjQ6ODY5NDYyNTkwMDAwMDAw",
"pid": 84145,
"ppid": 84124,
"secureexec": "",
"start_time": "2026-04-30T11:42:48.616Z",
"tid": 84145,
"uid": 0
},
"timestamp": "2026-04-30T11:42:48.616Z",
"type": "ProcessExec"
}
IMA Binary Hash
Process information can be enriched with binary hashes collected from IMA.
{
"parent": {
"args": "/home/fedotoff/.vscode/extensions/google.geminicodeassist-2.75.0/agent/a2a-server.mjs",
"auid": 1000,
"binary_path": "/usr/share/code/code",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"exec_id": "ODQ3NDk6ODY5NTExOTkwMDAwMDAw",
"filename": "code",
"gid": 1000,
"parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
"pid": 84749,
"ppid": 15166,
"secureexec": "",
"start_time": "2026-04-30T11:43:37.008Z",
"tid": 84749,
"uid": 1000
},
"process": {
"args": "--version",
"auid": 1000,
"binary_ima_hash": "sha256:2a8c18fbf43da9f692d75474c72bea9dfd796c260b0f3dfe456376abc3bbd668",
"binary_path": "/usr/bin/git",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"exec_id": "ODQ3ODM6ODY5NTEyNjI5ODAyMzQ5",
"filename": "git",
"gid": 1000,
"parent_exec_id": "ODQ3NDk6ODY5NTExOTkwMDAwMDAw",
"pid": 84783,
"ppid": 84749,
"secureexec": "",
"start_time": "2026-04-30T11:43:37.648Z",
"tid": 84783,
"uid": 1000
},
"timestamp": "2026-04-30T11:43:37.648Z",
"type": "ProcessExec"
}
Fileless Execution
Event has information if no file used for process execution (memfd_create).
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"filename": "procmon-ffa17fc59f5de4b8",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84662,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:32.788Z",
"tid": 84662,
"uid": 0
},
"process": {
"args": "fileless-exec-test",
"auid": 1000,
"binary_path": "/memfd:fileless-exec-test (deleted)",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ3NDY6ODY5NTExNjgyNTg4OTc4",
"filename": "memfd:fileless-exec-test",
"gid": 0,
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"pid": 84746,
"ppid": 84662,
"secureexec": "FILELESS_EXEC",
"start_time": "2026-04-30T11:43:36.701Z",
"tid": 84746,
"uid": 0
},
"timestamp": "2026-04-30T11:43:36.701Z",
"type": "ProcessExec"
}
ProcessClone
ProcessClone represents a process creation with fork() or clone() syscall types.
{
"parent": {
"args": "",
"auid": 1000,
"binary_path": "/usr/share/code/code",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
"filename": "code",
"gid": 1000,
"parent_exec_id": "MTQ5NzM6ODYwNzY4NDkwMDAwMDAw",
"pid": 15166,
"ppid": 14973,
"secureexec": "",
"start_time": "2026-04-30T09:17:58.278Z",
"tid": 15166,
"uid": 1000
},
"process": {
"args": "",
"auid": 0,
"binary_path": "/usr/share/code/code",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": true,
"egid": 1000,
"euid": 1000,
"exec_id": "ODQ3NDg6ODY5NTExOTU5NjkyMTA5",
"filename": "code",
"gid": 1000,
"parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
"pid": 84748,
"ppid": 15166,
"secureexec": "",
"start_time": "2026-04-30T11:43:36.978Z",
"tid": 84748,
"uid": 1000
},
"timestamp": "2026-04-30T11:43:36.978Z",
"type": "ProcessClone"
}
ProcessExit
ProcessExit event represents an exited process.
{
"parent": {
"args": "",
"auid": 1000,
"binary_path": "/usr/share/code/code",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
"filename": "code",
"gid": 1000,
"parent_exec_id": "MTQ5NzM6ODYwNzY4NDkwMDAwMDAw",
"pid": 15166,
"ppid": 14973,
"secureexec": "",
"start_time": "2026-04-30T09:17:58.278Z",
"tid": 15166,
"uid": 1000
},
"process": {
"args": "/home/fedotoff/.vscode/extensions/google.geminicodeassist-2.75.0/agent/a2a-server.mjs",
"auid": 1000,
"binary_path": "/usr/share/code/code",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"exec_id": "ODQ2ODk6ODY5NTA4NDIwMDAwMDAw",
"filename": "code",
"gid": 1000,
"parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
"pid": 84689,
"ppid": 15166,
"secureexec": "",
"start_time": "2026-04-30T11:43:33.438Z",
"tid": 84689,
"uid": 1000
},
"timestamp": "2026-04-30T11:43:36.961Z",
"type": "ProcessExit"
}
ProcessEvents
ProcessEvents represent a collection of events somehow related to privilege escalation
Setuid
{
"blocked": false,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"filename": "procmon-ffa17fc59f5de4b8",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84662,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:32.788Z",
"tid": 84662,
"uid": 0
},
"process": {
"args": "-u nobody true",
"auid": 1000,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ5MTA6ODY5NTIwMTc5ODU0ODA5",
"filename": "sudo",
"gid": 0,
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"pid": 84910,
"ppid": 84662,
"secureexec": "",
"start_time": "2026-04-30T11:43:45.198Z",
"tid": 84910,
"uid": 0
},
"process_event": {
"euid": 0,
"flags": "LSM_SETID_RES",
"fsuid": 0,
"type": "Setuid",
"uid": 0
},
"rule": "ProcMonSetuid",
"timestamp": "2026-04-30T11:43:45.201Z",
"type": "ProcessEvent"
}
Setgid
{
"blocked": false,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"filename": "procmon-ffa17fc59f5de4b8",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84662,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:32.788Z",
"tid": 84662,
"uid": 0
},
"process": {
"args": "-u nobody true",
"auid": 1000,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ4ODM6ODY5NTE4NTE2MDAyMDk5",
"filename": "sudo",
"gid": 0,
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"pid": 84883,
"ppid": 84662,
"secureexec": "",
"start_time": "2026-04-30T11:43:43.534Z",
"tid": 84883,
"uid": 0
},
"process_event": {
"egid": 0,
"flags": "LSM_SETID_RES",
"fsgid": 0,
"gid": 0,
"type": "Setgid"
},
"rule": "ProcMonSetgid",
"timestamp": "2026-04-30T11:43:43.539Z",
"type": "ProcessEvent"
}
Setcaps
{
"blocked": false,
"parent": {
"args": "capsh --caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 0,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": true,
"egid": 0,
"euid": 0,
"exec_id": "ODQ4NjA6ODY5NTE2NjM0MzkyMTcw",
"filename": "sudo",
"gid": 0,
"parent_exec_id": "ODQ4NTk6ODY5NTE2NjI2Nzc5Mzg1",
"pid": 84860,
"ppid": 84859,
"secureexec": "",
"start_time": "2026-04-30T11:43:41.652Z",
"tid": 84860,
"uid": 0
},
"process": {
"args": "--caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ4NjE6ODY5NTE2NjM1NzgwNzAx",
"filename": "capsh",
"gid": 0,
"parent_exec_id": "ODQ4NjA6ODY5NTE2NjM0MzkyMTcw",
"pid": 84861,
"ppid": 84860,
"secureexec": "",
"start_time": "2026-04-30T11:43:41.654Z",
"tid": 84861,
"uid": 0
},
"process_event": {
"effective": "CAP_NET_RAW | CAP_SYS_ADMIN",
"inheritable": "",
"permitted": "CAP_NET_RAW | CAP_SYS_ADMIN",
"type": "Setcaps"
},
"rule": "ProcMonSetcaps",
"timestamp": "2026-04-30T11:43:41.654Z",
"type": "ProcessEvent"
}
Prctl
{
"blocked": false,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"filename": "procmon-ffa17fc59f5de4b8",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84662,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:32.788Z",
"tid": 84662,
"uid": 0
},
"process": {
"args": "--keep=1 -- -c echo KEEPCAPS enabled",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ4MTg6ODY5NTE0OTczMjgxMTk1",
"filename": "capsh",
"gid": 0,
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"pid": 84818,
"ppid": 84662,
"secureexec": "",
"start_time": "2026-04-30T11:43:39.991Z",
"tid": 84818,
"uid": 0
},
"process_event": {
"cmd": {
"PrSetKeepCaps": 1
},
"type": "Prctl"
},
"rule": "ProcMonPrctl",
"timestamp": "2026-04-30T11:43:39.992Z",
"type": "ProcessEvent"
}
CreateUserNs
{
"blocked": false,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"filename": "procmon-ffa17fc59f5de4b8",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84662,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:32.788Z",
"tid": 84662,
"uid": 0
},
"process": {
"args": "-U",
"auid": 1000,
"binary_path": "/usr/bin/unshare",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ3MjQ6ODY5NTEwNDE4NzgyMjAx",
"filename": "unshare",
"gid": 0,
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"pid": 84724,
"ppid": 84662,
"secureexec": "",
"start_time": "2026-04-30T11:43:35.437Z",
"tid": 84724,
"uid": 0
},
"process_event": {
"type": "CreateUserNs"
},
"rule": "ProcMonCreateUserNs",
"timestamp": "2026-04-30T11:43:35.437Z",
"type": "ProcessEvent"
}
PtraceAccessCheck
{
"type": "ProcessEvent",
"process": {
"start_time": "2025-12-11T12:07:20.621Z",
"cloned": false,
"pid": 26539,
"tid": 26539,
"ppid": 72885,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "gdb",
"binary_path": "/usr/bin/gdb",
"exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"args": "attach -p 26029"
},
"parent": {
"start_time": "2025-11-26T17:42:04.042Z",
"cloned": false,
"pid": 72885,
"tid": 72885,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"exec_id": "ODUwMDA6ODY5NTI0OTM4NjAzNzMz",
"parent_exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
"args": ""
},
"process_event": {
"type": "PtraceAccessCheck",
"child": {
"start_time": "2025-12-11T12:06:49.791Z",
"cloned": false,
"pid": 26029,
"tid": 26029,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "vim.basic",
"binary_path": "/usr/bin/vim.basic",
"exec_id": "ODQ3MjQ6ODY5NTEwNDE4NzgyMjAx",
"parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
"args": "./evets.log"
},
"mode": "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS"
},
"blocked": false,
"timestamp": "2025-12-11T12:07:20.712Z"
}
BprmCheck
{
"blocked": true,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
"filename": "sandbox-b2a60a831c22e140",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84930,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:46.078Z",
"tid": 84930,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 0,
"binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": true,
"egid": 0,
"euid": 0,
"exec_id": "ODUwMDA6ODY5NTI0OTM4NjAzNzMz",
"filename": "sandbox-b2a60a831c22e140",
"gid": 0,
"parent_exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
"pid": 85000,
"ppid": 84930,
"secureexec": "",
"start_time": "2026-04-30T11:43:49.957Z",
"tid": 85000,
"uid": 0
},
"process_event": {
"binary": "/tmp/bombini-test-qvhme/ls",
"type": "BprmCheck"
},
"rule": "BprmCheckTestRule",
"timestamp": "2026-04-30T11:43:49.957Z",
"type": "ProcessEvent"
}
ExecveSandbox
{
"blocked": true,
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_procmon_execve_sandbox",
"auid": 535357931,
"binary_path": "/home/lima.linux/bombini/target/release/deps/procmon-48b2b61de1b256a2",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MTIzNjU6ODU5MTk4MDAwMDAwMA",
"filename": "procmon-48b2b61de1b256a2",
"gid": 0,
"parent_exec_id": "MTIyMDM6ODUzODIxMDAwMDAwMA",
"pid": 12365,
"ppid": 12203,
"secureexec": "",
"start_time": "2026-07-06T13:30:27.923Z",
"tid": 12365,
"uid": 0
},
"process": {
"args": "-la -h",
"auid": 535357931,
"binary_path": "/usr/bin/ls",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MTIzNzk6ODU5MzAyOTczMzIyMA",
"filename": "ls",
"gid": 0,
"parent_exec_id": "MTIzNjU6ODU5MTk4MDAwMDAwMA",
"pid": 12379,
"ppid": 12365,
"secureexec": "",
"start_time": "2026-07-06T13:30:28.972Z",
"tid": 12379,
"uid": 0
},
"process_event": {
"type": "ExecveSandbox"
},
"rule": "ExecveSandboxTestRule",
"timestamp": "2026-07-06T13:30:28.972Z",
"type": "ProcessEvent"
}
FileMon
FileEvent represent a collection of events related to file / filesystem operations.
PathTruncate
Event is triggered when file is truncated by truncate syscall.
{
"blocked": false,
"hook": {
"path": "/tmp/bombini-test-ouG0p/bombini-test-truncate",
"type": "PathTruncate"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"filename": "cargo",
"gid": 0,
"parent_exec_id": "Mjk1NTc6ODYxMTYwMTYwMDAwMDAw",
"pid": 29558,
"ppid": 29557,
"secureexec": "",
"start_time": "2026-04-30T09:24:25.178Z",
"tid": 29558,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"rule": "TruncateTestRule",
"timestamp": "2026-04-30T09:25:40.554Z",
"type": "FileEvent"
}
PathUnlink
Event is triggered when file is deleted.
{
"blocked": false,
"hook": {
"path": "/tmp/bombini-test-QCS8G/bombini-test-unlink",
"type": "PathUnlink"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"process": {
"args": "/tmp/bombini-test-QCS8G/bombini-test-unlink",
"auid": 1000,
"binary_path": "/usr/bin/rm",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzA0NTU6ODYxMjM3OTAxMTk2NDY0",
"filename": "rm",
"gid": 0,
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"pid": 30455,
"ppid": 30195,
"secureexec": "",
"start_time": "2026-04-30T09:25:42.919Z",
"tid": 30455,
"uid": 0
},
"rule": "UnlinkTestRule",
"timestamp": "2026-04-30T09:25:42.920Z",
"type": "FileEvent"
}
PathSymlink
Event is triggered when symbolic link is created.
{
"blocked": false,
"hook": {
"link_path": "/tmp/bombini-test-LcAq6/bombini_test_symlink_1",
"old_path": "/tmp/bombini-test-symlink-F7rij",
"type": "PathSymlink"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"process": {
"args": "-s /tmp/bombini-test-symlink-F7rij /tmp/bombini-test-LcAq6/bombini_test_symlink_1",
"auid": 1000,
"binary_path": "/usr/bin/ln",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAzOTA6ODYxMjMzMjc4Mzg5MjUy",
"filename": "ln",
"gid": 0,
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"pid": 30390,
"ppid": 30195,
"secureexec": "",
"start_time": "2026-04-30T09:25:38.296Z",
"tid": 30390,
"uid": 0
},
"rule": "SymlinkTestRule",
"timestamp": "2026-04-30T09:25:38.297Z",
"type": "FileEvent"
}
FileOpen
{
"blocked": true,
"hook": {
"access_mode": "O_WRONLY",
"creation_flags": "O_CREAT | O_TRUNC | O_LARGEFILE",
"gid": 0,
"i_mode": "-rw-r--r--",
"path": "/tmp/bombini-test-lJKrO/config/filemon.yaml",
"type": "FileOpen",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzA5OTc6ODYxMjgzMjQwMDAwMDAw",
"filename": "sandbox-b2a60a831c22e140",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30997,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:26:28.258Z",
"tid": 30997,
"uid": 0
},
"process": {
"args": "-c echo 'Hello' > /tmp/bombini-test-lJKrO/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/dash",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzEwMjA6ODYxMjg0NzQ2Nzc2ODU0",
"filename": "dash",
"gid": 0,
"parent_exec_id": "MzA5OTc6ODYxMjgzMjQwMDAwMDAw",
"pid": 31020,
"ppid": 30997,
"secureexec": "",
"start_time": "2026-04-30T09:26:29.765Z",
"tid": 31020,
"uid": 0
},
"rule": "OpenTestSandBoxRule",
"timestamp": "2026-04-30T09:26:29.765Z",
"type": "FileEvent"
}
PathChmod
{
"blocked": false,
"hook": {
"i_mode": "?rw-r--r--",
"path": "/tmp/bombini-test-E7eJb/config/filemon.yaml",
"type": "PathChmod"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"process": {
"args": "+w /tmp/bombini-test-E7eJb/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chmod",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAzMTg6ODYxMjI3NzI0MzU5NjIy",
"filename": "chmod",
"gid": 0,
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"pid": 30318,
"ppid": 30195,
"secureexec": "",
"start_time": "2026-04-30T09:25:32.742Z",
"tid": 30318,
"uid": 0
},
"rule": "ChmodTestRule",
"timestamp": "2026-04-30T09:25:32.744Z",
"type": "FileEvent"
}
PathChown
{
"blocked": false,
"hook": {
"gid": 0,
"path": "/tmp/bombini-test-JbqTN/config/filemon.yaml",
"type": "PathChown",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"process": {
"args": "0:0 /tmp/bombini-test-JbqTN/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chown",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAzNTk6ODYxMjMwODg5NzM5NDcz",
"filename": "chown",
"gid": 0,
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"pid": 30359,
"ppid": 30195,
"secureexec": "",
"start_time": "2026-04-30T09:25:35.908Z",
"tid": 30359,
"uid": 0
},
"rule": "ChownTestRule",
"timestamp": "2026-04-30T09:25:35.910Z",
"type": "FileEvent"
}
SbMount
Event is triggered when block device is mounted.
{
"type": "FileEvent",
"process": {
"start_time": "2025-12-11T13:07:53.637Z",
"cloned": false,
"pid": 83289,
"tid": 83289,
"ppid": 83119,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "/dev/sda1 /mnt",
"exec_id": "MzAzNTk6ODYxMjMwODg5NzM5NDcz",
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"container_id": "161287b604973779d82648fbbf6a418"
},
"parent": {
"start_time": "2025-12-11T13:07:46.743Z",
"cloned": false,
"pid": 83119,
"tid": 83119,
"ppid": 83097,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "",
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"container_id": "161287b604973779d82648fbbf6a418"
},
"hook": {
"type": "SbMount",
"dev": "/dev/sda1",
"mnt": "/mnt",
"flags": 1306860944
},
"blocked": false,
"timestamp": "2025-12-11T13:07:53.637Z"
}
MmapFile
{
"blocked": false,
"hook": {
"flags": "MAP_SHARED",
"path": "/tmp/bombini-test-VB2Ri/config/filemon.yaml",
"prot": "PROT_READ | PROT_WRITE",
"type": "MmapFile"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"filename": "cargo",
"gid": 0,
"parent_exec_id": "Mjk1NTc6ODYxMTYwMTYwMDAwMDAw",
"pid": 29558,
"ppid": 29557,
"secureexec": "",
"start_time": "2026-04-30T09:24:25.178Z",
"tid": 29558,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"rule": "MmapFileTestRule",
"timestamp": "2026-04-30T09:25:27.599Z",
"type": "FileEvent"
}
FileIoctl
{
"blocked": false,
"hook": {
"cmd": 4712,
"i_mode": "brw-rw----",
"path": "/dev/loop0",
"type": "FileIoctl"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"filename": "filemon-39a009b56d273b88",
"gid": 0,
"parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
"pid": 30195,
"ppid": 29558,
"secureexec": "",
"start_time": "2026-04-30T09:25:24.928Z",
"tid": 30195,
"uid": 0
},
"process": {
"args": "-l",
"auid": 1000,
"binary_path": "/usr/sbin/fdisk",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "MzAyMTk6ODYxMjIwOTE5NzQxMzc5",
"filename": "fdisk",
"gid": 0,
"parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
"pid": 30219,
"ppid": 30195,
"secureexec": "",
"start_time": "2026-04-30T09:25:25.938Z",
"tid": 30219,
"uid": 0
},
"rule": "IoctlTestRule",
"timestamp": "2026-04-30T09:25:25.941Z",
"type": "FileEvent"
}
NetMon
NetworkEvent represents a collection of events which describe ingress/egress TCP connections over ipv4/v6.
TcpConnectionEstablish
Example:
nc -l 7878
telnet -6 localhost 7878
{
"network_event": {
"cookie": 32771,
"daddr": "::1",
"dport": 7879,
"saddr": "::1",
"sport": 59986,
"type": "TcpConnectionEstablish"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"filename": "netmon-8844df73ce6a95b2",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84537,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:19.288Z",
"tid": 84537,
"uid": 0
},
"process": {
"args": "-6 localhost 7879",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjA6ODY5NTA2ODg5NjExMjM4",
"filename": "inetutils-telnet",
"gid": 0,
"parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"pid": 84660,
"ppid": 84537,
"secureexec": "",
"start_time": "2026-04-30T11:43:31.908Z",
"tid": 84660,
"uid": 0
},
"rule": "NetMonIpv6Test",
"timestamp": "2026-04-30T11:43:31.910Z",
"type": "NetworkEvent"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 4099,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 53484,
"type": "TcpConnectionEstablish"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"filename": "netmon-8844df73ce6a95b2",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84537,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:19.288Z",
"tid": 84537,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2MDY6ODY5NTAwMjc2MTA1NTEz",
"filename": "inetutils-telnet",
"gid": 0,
"parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"pid": 84606,
"ppid": 84537,
"secureexec": "",
"start_time": "2026-04-30T11:43:25.294Z",
"tid": 84606,
"uid": 0
},
"rule": "NetMonIpv4Test",
"timestamp": "2026-04-30T11:43:25.295Z",
"type": "NetworkEvent"
}
TcpConnectionClose
Example:
nc -l 7878
telnet -6 localhost 7878
{
"network_event": {
"cookie": 32771,
"daddr": "::1",
"dport": 7879,
"saddr": "::1",
"sport": 59986,
"type": "TcpConnectionClose"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"filename": "netmon-8844df73ce6a95b2",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84537,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:19.288Z",
"tid": 84537,
"uid": 0
},
"process": {
"args": "-6 localhost 7879",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2NjA6ODY5NTA2ODg5NjExMjM4",
"filename": "inetutils-telnet",
"gid": 0,
"parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"pid": 84660,
"ppid": 84537,
"secureexec": "",
"start_time": "2026-04-30T11:43:31.908Z",
"tid": 84660,
"uid": 0
},
"timestamp": "2026-04-30T11:43:31.910Z",
"type": "NetworkEvent"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 4099,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 53484,
"type": "TcpConnectionClose"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"filename": "netmon-8844df73ce6a95b2",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84537,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:19.288Z",
"tid": 84537,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ2MDY6ODY5NTAwMjc2MTA1NTEz",
"filename": "inetutils-telnet",
"gid": 0,
"parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"pid": 84606,
"ppid": 84537,
"secureexec": "",
"start_time": "2026-04-30T11:43:25.294Z",
"tid": 84606,
"uid": 0
},
"timestamp": "2026-04-30T11:43:25.296Z",
"type": "NetworkEvent"
}
TcpConnectionAccept
Example:
nc -l 7878
telnet localhost 7878
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:29.950Z",
"cloned": false,
"pid": 47767,
"tid": 47767,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "nc.openbsd",
"binary_path": "/usr/bin/nc.openbsd",
"exec_id": "ODQ1ODY6ODY5NDk4Nzc1Njg0MTEx",
"parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"args": "-l 7878"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"args": ""
},
"network_event": {
"type": "TcpConnectionAccept",
"saddr": "0.0.0.0",
"daddr": "0.0.0.0",
"sport": 7878,
"dport": 0,
"cookie": 8283
},
"timestamp": "2025-12-11T12:31:34.646Z"
}
SocketCreate
Example:
nc -l 7878
{
"type": "NetworkEvent",
"process": {
"start_time": "2026-05-28T15:45:13.131Z",
"cloned": false,
"pid": 3445,
"tid": 3445,
"ppid": 1778,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "nc.openbsd",
"binary_path": "/usr/bin/nc.openbsd",
"args": "-l 7878",
"exec_id": "MzQ0NToxMTUwMDI0MjcxNTAxNA",
"parent_exec_id": "MTc3ODoxMjc2MDAwMDAwMA"
},
"parent": {
"start_time": "2026-05-28T12:33:45.648Z",
"cloned": false,
"pid": 1778,
"tid": 1778,
"ppid": 1700,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "bash",
"binary_path": "/usr/bin/bash",
"args": "--login",
"exec_id": "MTc3ODoxMjc2MDAwMDAwMA",
"parent_exec_id": "MTcwMDo5NjEwMDAwMDAw"
},
"blocked": false,
"network_event": {
"type": "SocketCreate",
"family": "AF_INET",
"sock_type": "SOCK_STREAM",
"flags": "",
"protocol": 6
},
"timestamp": "2026-05-28T15:45:13.133Z"
}
SocketConnect
Example:
nc -l 7871
telnet localhost 7871
{
"type": "NetworkEvent",
"process": {
"start_time": "2026-05-31T13:56:01.177Z",
"cloned": false,
"pid": 17649,
"tid": 17649,
"ppid": 1830,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "inetutils-telnet",
"binary_path": "/usr/bin/inetutils-telnet",
"args": "-4 localhost 7871",
"exec_id": "MTc2NDk6ODg1Njg1ODQ4OTg0MQ",
"parent_exec_id": "MTgzMDoyMTUxMDAwMDAwMA"
},
"parent": {
"start_time": "2026-05-31T11:28:45.829Z",
"cloned": false,
"pid": 1830,
"tid": 1830,
"ppid": 1753,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "bash",
"binary_path": "/usr/bin/bash",
"args": "--login",
"exec_id": "MTgzMDoyMTUxMDAwMDAwMA",
"parent_exec_id": "MTc1MzoxNTIyMDAwMDAwMA"
},
"blocked": false,
"network_event": {
"type": "SocketConnect",
"family": "AF_INET",
"sock_type": "SOCK_STREAM",
"protocol": 6,
"daddr": "127.0.0.1",
"dport": 7871
},
"timestamp": "2026-05-31T13:56:01.181Z",
"rule": "SocketConnecttestRule"
}
KernelMon
KernelEvent represent a collection of events related to kernel modification/intergration.
BpfMapCreate
Event is triggered when BPF map is created.
{
"blocked": false,
"kernel_event": {
"key_size": 1024,
"map_type": "BPF_MAP_TYPE_HASH",
"max_entries": 4096,
"name": "AT_exec_count",
"type": "BpfMapCreate",
"value_size": 8
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"filename": "kernelmon-f8c2496bd03fa01a",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84403,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:04.228Z",
"tid": 84403,
"uid": 0
},
"process": {
"args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
"auid": 1000,
"binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
"filename": "bpftrace",
"gid": 0,
"parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"pid": 84477,
"ppid": 84403,
"secureexec": "",
"start_time": "2026-04-30T11:43:11.264Z",
"tid": 84477,
"uid": 0
},
"rule": "KernelMonBpfMapCreateTest",
"timestamp": "2026-04-30T11:43:17.578Z",
"type": "KernelEvent"
}
BpfMapAccess
Event is triggered when BPF map is accessed by userspace.
{
"blocked": false,
"kernel_event": {
"access_mode": "O_RDWR",
"id": 11702,
"map_type": "BPF_MAP_TYPE_HASH",
"name": "AT_exec_count",
"type": "BpfMapAccess"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"filename": "kernelmon-f8c2496bd03fa01a",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84403,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:04.228Z",
"tid": 84403,
"uid": 0
},
"process": {
"args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
"auid": 1000,
"binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
"filename": "bpftrace",
"gid": 0,
"parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"pid": 84477,
"ppid": 84403,
"secureexec": "",
"start_time": "2026-04-30T11:43:11.264Z",
"tid": 84477,
"uid": 0
},
"rule": "KernelMonBpfMapTest",
"timestamp": "2026-04-30T11:43:17.578Z",
"type": "KernelEvent"
}
BpfProgLoad
Event is triggered when BPF program is loaded into the kernel.
{
"blocked": false,
"kernel_event": {
"name": "rawtracepoint_v",
"prog_type": "BPF_PROG_TYPE_TRACING",
"type": "BpfProgLoad"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"filename": "kernelmon-f8c2496bd03fa01a",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84403,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:04.228Z",
"tid": 84403,
"uid": 0
},
"process": {
"args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
"auid": 1000,
"binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
"filename": "bpftrace",
"gid": 0,
"parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"pid": 84477,
"ppid": 84403,
"secureexec": "",
"start_time": "2026-04-30T11:43:11.264Z",
"tid": 84477,
"uid": 0
},
"rule": "KernelMonBpfProgLoadTest",
"timestamp": "2026-04-30T11:43:17.578Z",
"type": "KernelEvent"
}
BpfProgAccess
Event is triggered when BPF program is accessed by userspace.
{
"blocked": false,
"kernel_event": {
"hook": "sched_process_exec",
"id": 1657,
"name": "rawtracepoint_v",
"prog_type": "BPF_PROG_TYPE_TRACING",
"type": "BpfProgAccess"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"filename": "kernelmon-f8c2496bd03fa01a",
"gid": 0,
"parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
"pid": 84403,
"ppid": 84105,
"secureexec": "",
"start_time": "2026-04-30T11:43:04.228Z",
"tid": 84403,
"uid": 0
},
"process": {
"args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
"auid": 1000,
"binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
"filename": "bpftrace",
"gid": 0,
"parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
"pid": 84477,
"ppid": 84403,
"secureexec": "",
"start_time": "2026-04-30T11:43:11.264Z",
"tid": 84477,
"uid": 0
},
"rule": "KernelMonBpfProgTest",
"timestamp": "2026-04-30T11:43:17.579Z",
"type": "KernelEvent"
}
Note: hook field is available for specific BPF program types. For example, for BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_LSM and some others.
IOUringMon
For these IORING_OP’s Bombini provides extra information:
- IORING_OP_OPENAT / IORING_OP_OPENAT2
- IORING_OP_STATX
- IORING_OP_UNLINKAT
- IORING_OP_CONNECT
- IORING_OP_ACCEPT
For other event types only opcode is provided.
IORING_OP_CONNECT
{
"type": "IOUringEvent",
"process": {
"start_time": "2026-04-30T12:14:56.094Z",
"cloned": false,
"pid": 101235,
"tid": 101235,
"ppid": 101234,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": "",
"exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
"parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
},
"parent": {
"start_time": "2026-04-30T12:14:56.080Z",
"cloned": true,
"pid": 101234,
"tid": 101234,
"ppid": 101219,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent",
"exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
"parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
},
"opcode": "IORING_OP_CONNECT",
"op_info": {
"addr": "127.0.0.1",
"port": 443
},
"timestamp": "2026-04-30T12:14:56.094Z"
}
IORING_OP_OPENAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2026-04-30T12:14:56.094Z",
"cloned": false,
"pid": 101235,
"tid": 101235,
"ppid": 101234,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": "",
"exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
"parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
},
"parent": {
"start_time": "2026-04-30T12:14:56.080Z",
"cloned": true,
"pid": 101234,
"tid": 101234,
"ppid": 101219,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent",
"exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
"parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
},
"opcode": "IORING_OP_OPENAT",
"op_info": {
"path": "/etc/passwd",
"access_flags": "O_RDONLY",
"creation_flags": "O_LARGEFILE"
},
"timestamp": "2026-04-30T12:16:20.665Z"
}
IORING_OP_STATX
{
"type": "IOUringEvent",
"process": {
"start_time": "2026-04-30T12:14:56.094Z",
"cloned": false,
"pid": 101235,
"tid": 101235,
"ppid": 101234,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": "",
"exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
"parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
},
"parent": {
"start_time": "2026-04-30T12:14:56.080Z",
"cloned": true,
"pid": 101234,
"tid": 101234,
"ppid": 101219,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent",
"exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
"parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
},
"opcode": "IORING_OP_STATX",
"op_info": {
"path": "/usr/bin/python3"
},
"timestamp": "2026-04-30T12:16:43.607Z"
}
IORING_OP_UNLINKAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2026-04-30T12:14:56.094Z",
"cloned": false,
"pid": 101235,
"tid": 101235,
"ppid": 101234,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": "",
"exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
"parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
},
"parent": {
"start_time": "2026-04-30T12:14:56.080Z",
"cloned": true,
"pid": 101234,
"tid": 101234,
"ppid": 101219,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cap_effective": "ANY_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent",
"exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
"parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
},
"opcode": "IORING_OP_UNLINKAT",
"op_info": {
"path": "/home/fedotoff/RingReaper/agent"
},
"timestamp": "2026-04-30T12:17:08.674Z"
}
SysEnumMon
SysEnumMonEvent
SysEnumMonEvent represents detected system enumeration activity: at least chain_size
distinct observations from the watch list were correlated inside one process tree within
the window_size_sec window.
Correlation is keyed on the parent PID, so the whole chain belongs to a single parent
process tree. That parent is reported once as the top-level process (restored from the
ProcMon Process cache). The event then carries a chain of observations, each with its
entry and a timestamp. The entry is tagged by type: Exec (from bprm_check_security,
with the executed binary) or FileOpen (from file_open, with the opened path). The
binary/path is captured in the event itself. For a path_prefix rule the path is the
actual opened file under the prefix, not the configured prefix. The reported path is
truncated to 255 bytes (MAX_FILE_PREFIX) in the output event.
{
"type": "SysEnumMonEvent",
"process": {
"start_time": "2026-06-01T11:12:05.590Z",
"cloned": false,
"pid": 18983,
"tid": 18983,
"ppid": 18904,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "CAP_WAKE_ALARM",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "bash",
"binary_path": "/usr/bin/bash",
"args": "/tmp/recon.sh",
"exec_id": "MTg5ODM6MzYzNDMzNTg0MTMwNA",
"parent_exec_id": "MTg5MDQ6MzYyOTE1MDAwMDAwMA"
},
"chain": [
{
"entry": {
"type": "Exec",
"binary": "id"
},
"timestamp": "2026-06-01T11:12:05.591Z"
},
{
"entry": {
"type": "FileOpen",
"path": "/etc/passwd"
},
"timestamp": "2026-06-01T11:12:05.592Z"
},
{
"entry": {
"type": "Exec",
"binary": "uname"
},
"timestamp": "2026-06-01T11:12:05.596Z"
}
],
"timestamp": "2026-06-01T11:12:05.596Z"
}
Reference
JSON schema for all events.
FileMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "FileEvent",
"description": "File Event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"hook": {
"description": "LSM File hook info",
"$ref": "#/$defs/LsmFileHook"
},
"parent": {
"description": "Parent Information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process Information",
"$ref": "#/$defs/Process"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"hook",
"timestamp"
],
"$defs": {
"ChmodInfo": {
"type": "object",
"properties": {
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode"
]
},
"ChownInfo": {
"type": "object",
"properties": {
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"uid",
"gid"
]
},
"FileOpenInfo": {
"type": "object",
"properties": {
"access_mode": {
"description": "access mode passed to open()",
"type": "string"
},
"creation_flags": {
"description": "creation flags passed to open()",
"type": "string"
},
"gid": {
"description": "Group owner GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "File owner UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"access_mode",
"creation_flags",
"uid",
"gid",
"i_mode"
]
},
"IoctlInfo": {
"type": "object",
"properties": {
"cmd": {
"description": "cmd",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode",
"cmd"
]
},
"LsmFileHook": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileOpen"
}
},
"$ref": "#/$defs/FileOpenInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathTruncate"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathUnlink"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathSymlink"
}
},
"$ref": "#/$defs/PathSymlink",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChmod"
}
},
"$ref": "#/$defs/ChmodInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChown"
}
},
"$ref": "#/$defs/ChownInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "SbMount"
}
},
"$ref": "#/$defs/MountInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "MmapFile"
}
},
"$ref": "#/$defs/MmapInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileIoctl"
}
},
"$ref": "#/$defs/IoctlInfo",
"required": [
"type"
]
}
]
},
"MmapInfo": {
"type": "object",
"properties": {
"flags": {
"description": "mmap flags",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"prot": {
"description": "mmap protection",
"type": "string"
}
},
"required": [
"path",
"prot",
"flags"
]
},
"MountInfo": {
"type": "object",
"properties": {
"dev": {
"description": "device name",
"type": "string"
},
"flags": {
"description": "mount flags",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"mnt": {
"description": "mount path",
"type": "string"
}
},
"required": [
"dev",
"mnt",
"flags"
]
},
"PathInfo": {
"type": "object",
"properties": {
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path"
]
},
"PathSymlink": {
"type": "object",
"properties": {
"link_path": {
"description": "full path",
"type": "string"
},
"old_path": {
"description": "symlink target",
"type": "string"
}
},
"required": [
"link_path",
"old_path"
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
IOUringMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "IOUringEvent",
"description": "io_uring events",
"type": "object",
"properties": {
"op_info": {
"description": "extra info for operation",
"$ref": "#/$defs/IOUringOpInfo"
},
"opcode": {
"description": "io_uring_ops",
"type": "string"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"opcode",
"op_info",
"timestamp"
],
"$defs": {
"IOUringOpInfo": {
"anyOf": [
{
"type": "object",
"properties": {
"access_flags": {
"type": "string"
},
"creation_flags": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"path",
"access_flags",
"creation_flags"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"addr": {
"type": "string"
},
"port": {
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"addr",
"port"
]
},
{
"type": "null"
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
KernelMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "KernelEvent",
"description": "Kernel Event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"kernel_event": {
"description": "Kernel event",
"$ref": "#/$defs/KernelEventType"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"kernel_event",
"timestamp"
],
"$defs": {
"BpfMapAccessInfo": {
"description": "BPF map access information",
"type": "object",
"properties": {
"access_mode": {
"description": "Access mode",
"type": "string"
},
"id": {
"description": "BPF map ID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"map_type": {
"description": "BPF map type",
"type": "string"
},
"name": {
"description": "BPF map name",
"type": "string"
}
},
"required": [
"id",
"name",
"map_type",
"access_mode"
]
},
"BpfMapCreateInfo": {
"description": "BPF map access information",
"type": "object",
"properties": {
"key_size": {
"description": "BPF map key size",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"map_type": {
"description": "BPF map type",
"type": "string"
},
"max_entries": {
"description": "BPF map max entries",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"name": {
"description": "BPF map name",
"type": "string"
},
"value_size": {
"description": "BPF map value size",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"name",
"map_type",
"key_size",
"value_size",
"max_entries"
]
},
"BpfProgAccessInfo": {
"description": "BPF program access information",
"type": "object",
"properties": {
"hook": {
"description": "hook if available",
"type": [
"string",
"null"
]
},
"id": {
"description": "BPF prog ID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"name": {
"description": "BPF prog name",
"type": "string"
},
"prog_type": {
"description": "BPF prog type",
"type": "string"
}
},
"required": [
"id",
"name",
"prog_type"
]
},
"BpfProgLoadInfo": {
"description": "BPF program loading information",
"type": "object",
"properties": {
"name": {
"description": "BPF prog name",
"type": "string"
},
"prog_type": {
"description": "BPF prog type",
"type": "string"
}
},
"required": [
"name",
"prog_type"
]
},
"KernelEventType": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BpfMapAccess"
}
},
"$ref": "#/$defs/BpfMapAccessInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BpfMapCreate"
}
},
"$ref": "#/$defs/BpfMapCreateInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BpfProgAccess"
}
},
"$ref": "#/$defs/BpfProgAccessInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BpfProgLoad"
}
},
"$ref": "#/$defs/BpfProgLoadInfo",
"required": [
"type"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
NetMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "NetworkEvent",
"description": "Network event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"network_event": {
"description": "Network event",
"$ref": "#/$defs/NetworkEventType"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"network_event",
"timestamp"
],
"$defs": {
"NetworkEventType": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionEstablish"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionClose"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionAccept"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "SocketCreate"
}
},
"$ref": "#/$defs/SocketCreate",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "SocketConnect"
}
},
"$ref": "#/$defs/SocketConnect",
"required": [
"type"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
},
"SocketConnect": {
"description": "Socket connect information",
"type": "object",
"properties": {
"daddr": {
"description": "destination IP address,",
"type": "string"
},
"dport": {
"description": "destination port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
},
"family": {
"description": "socket family",
"type": "string"
},
"protocol": {
"description": "socket protocol",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"sock_type": {
"description": "socket type",
"type": "string"
}
},
"required": [
"family",
"sock_type",
"protocol",
"daddr",
"dport"
]
},
"SocketCreate": {
"description": "Socket creation information",
"type": "object",
"properties": {
"family": {
"description": "socket family",
"type": "string"
},
"flags": {
"description": "socket flags",
"type": "string"
},
"protocol": {
"description": "socket protocol",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"sock_type": {
"description": "socket type",
"type": "string"
}
},
"required": [
"family",
"sock_type",
"flags",
"protocol"
]
},
"TcpConnection": {
"description": "TCP IPv4 connection information",
"type": "object",
"properties": {
"cookie": {
"description": "socket cookie",
"type": "integer",
"format": "uint64",
"minimum": 0
},
"daddr": {
"description": "destination IP address,",
"type": "string"
},
"dport": {
"description": "destination port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
},
"saddr": {
"description": "source IP address",
"type": "string"
},
"sport": {
"description": "source port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"saddr",
"daddr",
"sport",
"dport",
"cookie"
]
}
}
}
ProcMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExec",
"description": "Process exec event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessClone",
"description": "Process clone event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExit",
"description": "Process exit event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessEvent",
"description": "Process Event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"process_event": {
"description": "Process event",
"$ref": "#/$defs/ProcessEventType"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"process_event",
"timestamp"
],
"$defs": {
"PrctlCmdUser": {
"description": "Enumeration of prctl supported commands",
"oneOf": [
{
"type": "object",
"properties": {
"Opcode": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"Opcode"
]
},
{
"type": "object",
"properties": {
"PrSetDumpable": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetDumpable"
]
},
{
"type": "object",
"properties": {
"PrSetKeepCaps": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetKeepCaps"
]
},
{
"type": "object",
"properties": {
"PrSetName": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [
"name"
]
}
},
"additionalProperties": false,
"required": [
"PrSetName"
]
},
{
"type": "object",
"properties": {
"PrSetSecurebits": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetSecurebits"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
},
"ProcessBprmCheck": {
"description": "Bprm_check event",
"type": "object",
"properties": {
"binary": {
"type": "string"
}
},
"required": [
"binary"
]
},
"ProcessCapset": {
"description": "Capset event",
"type": "object",
"properties": {
"effective": {
"type": "string"
},
"inheritable": {
"type": "string"
},
"permitted": {
"type": "string"
}
},
"required": [
"inheritable",
"permitted",
"effective"
]
},
"ProcessCreateUserNs": {
"description": "CreateUserNs event",
"type": "object"
},
"ProcessEventType": {
"description": "Process event types",
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setuid"
}
},
"$ref": "#/$defs/ProcessSetUid",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setgid"
}
},
"$ref": "#/$defs/ProcessSetGid",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setcaps"
}
},
"$ref": "#/$defs/ProcessCapset",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Prctl"
}
},
"$ref": "#/$defs/ProcessPrctl",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "CreateUserNs"
}
},
"$ref": "#/$defs/ProcessCreateUserNs",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PtraceAccessCheck"
}
},
"$ref": "#/$defs/ProcessPtraceAccessCheck",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BprmCheck"
}
},
"$ref": "#/$defs/ProcessBprmCheck",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "ExecveSandbox"
}
},
"required": [
"type"
]
}
]
},
"ProcessPrctl": {
"description": "Prctl event",
"type": "object",
"properties": {
"cmd": {
"$ref": "#/$defs/PrctlCmdUser"
}
},
"required": [
"cmd"
]
},
"ProcessPtraceAccessCheck": {
"description": "PtraceAttach event",
"type": "object",
"properties": {
"child": {
"$ref": "#/$defs/Process"
},
"mode": {
"type": "string"
}
},
"required": [
"child",
"mode"
]
},
"ProcessSetGid": {
"description": "Setgid event",
"type": "object",
"properties": {
"egid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"flags": {
"description": "LSM_SETID_* flag values",
"type": "string"
},
"fsgid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"gid": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"egid",
"gid",
"fsgid",
"flags"
]
},
"ProcessSetUid": {
"description": "Setuid event",
"type": "object",
"properties": {
"euid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"flags": {
"description": "LSM_SETID_* flag values",
"type": "string"
},
"fsuid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"euid",
"uid",
"fsuid",
"flags"
]
}
}
}
SysEnumMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SysEnumMonEvent",
"type": "object",
"properties": {
"chain": {
"type": "array",
"items": {
"$ref": "#/$defs/ChainEntry"
}
},
"process": {
"$ref": "#/$defs/Process"
},
"timestamp": {
"type": "string"
}
},
"required": [
"process",
"chain",
"timestamp"
],
"$defs": {
"ChainEntry": {
"type": "object",
"properties": {
"entry": {
"$ref": "#/$defs/ChainEntryType"
},
"timestamp": {
"type": "string"
}
},
"required": [
"entry",
"timestamp"
]
},
"ChainEntryType": {
"oneOf": [
{
"type": "object",
"properties": {
"binary": {
"type": "string"
},
"type": {
"type": "string",
"const": "Exec"
}
},
"required": [
"type",
"binary"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
},
"type": {
"type": "string",
"const": "FileOpen"
}
},
"required": [
"type",
"path"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"exec_id": {
"description": "Execution ID (hash of the process's PID and start time)",
"type": "string"
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"parent_exec_id": {
"description": "Parent execution ID (hash of the parent's PID and start time)",
"type": "string"
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args",
"exec_id",
"parent_exec_id"
]
}
}
}
Metrics
There are 4 metrics that can be exported in OpenMetrics format. Metrics are enabled by providing metric-server-port option and exported to localhost:metric-server-port/metrics endpoint.
Events exported
- Name:
bombini_user_events_exported_total - Type: counter
- Unit: number of events
- Description: The total number of events exported by Bombini.
Errors in user space
- Name:
bombini_user_events_lost_total - Type: counter
- Unit: number of events
- Description: The total number of events lost in user space.
Errors in eBPF
- Name:
bombini_bpf_events_lost_total - Type: counter
- Unit: number of events
- Description: The total number of events lost in eBPF.
Events lost in eBPF
- Name:
bombini_bpf_events_ringbuf_lost_total - Type: counter
- Unit: number of events
- Description: The total number of events lost in eBPF due to ring buffer overflow.
Overview
Consider the design concepts through flowcharts below:
- architecture flowchart
- event transformation flowchart
Architecture Flowchart
---
config:
layout: elk
look: handDrawn
---
flowchart TB
A["Config"] -- configure --> B["Detectors"]
B -- manage --> C["eBPF probes"]
B -- manage --> D["eBPF maps"]
A -- configure --> E["Transmuters"]
A -- configure --> F["Transmitter"]
G["Monitor"] -- use --> E
G["Monitor"] -- use --> F
G["Monitor"] -- read --> H["RingBuffer"]
E -- manage --> I["Process cache"]
C -- send --> H
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: processes}
D@{ shape: cyl}
E@{ shape: processes}
H@{ shape: das}
I@{ shape: cyl}
Detector
Detector provides a common interface for loading / unloading eBPF programs, initializing maps and attaching programs to hook points. EBPF part of detectors is located here. User mode part is here. Detectors can share information between each other storing it in eBPF maps. Some parts of detectors can be reused across different detectors. Detectors submit events to user space using ring buffer. Detectors use YAML config files for initialization. Detectors are stored in Registry.
Transmuter
Transmuter provides a common interface to convert (transmute) low kernel events into serializable data structures (e.g. json). Transmuters can enrich kernel events with some user mode data and implement different types of caching. Transmuters are stored in TransmuterRegistry. One Detector can have many types of Transmuters, but usually it has only one.
Transmitter
Transmitter sends serialized events (byte arrays) to different sources (unix socket, stdout, file, etc).
Monitor
Monitor observes new low level kernel events (messages) and extracts them from ring buffer. According to event type, it fetches corresponding transmuter to convert and enrich eBPF event. Further transmuted events are send to destination with transmitter.
Config
Config provides all information about Bombini setup. It also holds options of bombini cli and config for each detector to be loaded. Detector’s configs are also provided for corresponding transmuters.
Event Transformation Flowchart
---
config:
layout: dagre
look: handDrawn
---
flowchart LR
A["Kernel Events"] -- collect & apply rules --> B["eBPF probes"]
B <-- store/update --> C["eBPF maps"]
B -- send --> D["RingBuffer"]
D --enrich & transform --> E["Transmuters"]
E -- serialize --> F["Transmitter"]
F -- send --> G["Collector"]
E <-- store/update --> I["Process cache"]
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: cyl}
D@{ shape: das}
E@{ shape: processes}
G@{ shape: cyl}
I@{ shape: cyl}
Rule Engine
The rule engine executes entirely within the eBPF layer using a custom Reverse Polish Notation (RPN) interpreter.
Rules are parsed using the LALRPOP framework, which generates an AST that undergoes optimization passes before being
serialized into a binary format. These serialized rules are stored in dedicated eBPF maps,
while in operations trigger lookups against attribute-specific eBPF maps (e.g., binary_path, ipv4_dst, etc.).
Process Execution Detection
eBPF
Process information (ProcInfo) is stored in PROCMON_PROC_MAP which is shared across all detectors.
Map entries are updated with tracepoints: sched_process_exec, sched_process_fork, sched_process_exit, and
security_bprm_comitting_creds LSM BPF hook. This hook is used to collect binary_path with bpf_d_path helper and IMA binary
hash collection. sched_process_fork - creates an entry and sends ProcessClone event, entries are created only for thread leaders (pid == tgid).
It means that Bombini doesn’t track thread creation, but in tracks events (e.g. file open, etc.) in threads. In this case, event will hold
process information about its thread leader.
sched_process_exec - updates entries and sends ProcessExec.
sched_process_exit - mark entry as “exited” for the garbage collector and sends ProcessExit event.
User Space
In Bombini there are three event types related to process execution: ProcessExec, ProcessClone, and ProcessExit.
These events are provided by corresponding Transmuters. Also, they maintain a ProcessCache to hold serializable Process
structures that are used in all event types. ProcessClone event creates an entry in ProcessCache. ProcessExit event marks
entry as “exited” for cache garbage collection. ProcessExec event marks as “exited” Process cache entry, related to previous
clone() or exec() calls and puts new Process entry in cache.
Compatibility
Bombini supports the following Linux kernel versions: 6.2, 6,8 and 6.14. However, it might work on all 6+ kernels.
Requirements
Before run, check if LSM BPF is enabled on your system.
cat /sys/kernel/security/lsm
if there is bpf in the output, than BPF LSM is enabled.
Otherwise, you have to enable it adding this line to /etc/default/grub:
GRUB_CMDLINE_LINUX="lsm=[previous lsm modules],bpf"
Update grub and reboot the system.
BTF information must be provided by your Linux kernel. Check if btf file exists:
ls -la /sys/kernel/btf/vmlinux