Introduction
Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.
Detectors are organized by event class and kernel subsystem:
- ProcMon: Tracks process creation and termination, as well as privilege escalation events.
- FileMon: Monitors file system activity and file-related operations.
- NetMon: Observes TCP connection establishment and teardown.
- IOUringMon: Inspects io_uring submission queue activity.
All Detectors perform in-kernel event filtering directly within eBPF programs, minimizing overhead and reducing the volume of data sent to userspace.
For advanced threat detection, Bombini also supports specialized Detectors, such as:
- GTFOBins: Detects attempts to spawn a privileged shell through abuse of GTFOBins-eligible binaries.
By combining the safety of Rust, the power of eBPF, and the flexibility of LSM hooks, Bombini provides a lightweight, high-performance, and extensible runtime security monitoring solution for Linux systems.
Getting Started
Before going further, please check the compatibility page.
Container
Clone Bombini:
git clone https://github.com/bombinisecurity/bombini.git
Build the container with Bombini:
cd ./bombini && \
docker build -t bombini .
Run
You can easily run Bombini with this command:
docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini
By default Bombini sends events to stdout in JSON format and starts only the ProcMon detector, which intercepts
process execs and exits. To customize your Bombini setup, follow the Configuration chapter
and mount the config directory into the container:
docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro -v /sys/fs/bpf:/sys/fs/bpf bombini
You can save event logs to the file:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.log:/log/bombini.log -v /sys/fs/bpf:/sys/fs/bpf bombini --event-log /log/bombini.log
Or send them via unix socket:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.sock:/log/bombini.sock -v /sys/fs/bpf:/sys/fs/bpf bombini --event-socket /log/bombini.sock
Bombini uses the env_logger crate. To see agent logs, pass --env "RUST_LOG=info|debug" to docker run.
Kubernetes
First build the bombini-builder container and push it to your container registry:
cd ./install/k8s/ && docker build -t bombini-builder .
This container has all dependencies for building bombini on the node, with no need for internet access.
The bombini.yaml manifest has a bombini ConfigMap with the whole configuration. By default, only the ProcMon
detector is loaded. To customize your Bombini setup, follow the Configuration chapter.
To start the bombini DaemonSet run:
kubectl apply -f ./bombini.yaml
Events can be found in the bombini k8s log.
Kind Example
Install kind.
If your cwd is the repo root, change it to ./install/k8s:
cd ./install/k8s
Create kind cluster:
kind create cluster --config ./kind-config.yaml --name bombini-test-cluster
Build bombini-builder:
docker build -t bombini-builder .
Load the bombini-builder image into the kind cluster:
kind load docker-image bombini-builder:latest --name bombini-test-cluster
Start bombini:
kubectl apply -f ./bombini.yaml
Build
First, install build dependencies:
Generate vmlinux.rs, or skip this step if your kernel version is 6.8.0-86-generic
(use uname -a to check the kernel version).
cargo xtask vmlinux-gen
Release build:
cargo xtask build --release
Run
sudo ./target/release/bombini --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
Or using cargo:
cargo xtask run --release -- --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
By default Bombini sends events to stdout in JSON format and starts only the ProcMon detector, which intercepts
process execs and exits. To customize your Bombini setup, follow the Configuration chapter.
Bombini uses the env_logger crate. To see agent logs, set the RUST_LOG=info|debug environment variable.
Tarball
You can generate a tarball with installation scripts for the bombini systemd service.
If you need config customization, update the detector configs in the ./config directory and then execute:
cargo xtask tarball --release
The release tarball will be located at target/bombini.tar.gz.
Install / Uninstall
Install bombini systemd service:
tar -xvf ./target/bombini.tar.gz -C ./target && \
sudo ./target/bombini/install.sh
Check events:
tail -f /var/log/bombini/bombini.log
Uninstall with uninstall.sh:
sudo ./target/bombini/uninstall.sh
Configuration
This chapter describes how Bombini is configured. Configuration is done with YAML config files.
Config files are stored in a separate directory, ./config for example. In this directory a config.yaml
file must exist. This file provides the global Bombini agent configuration, which can be overridden by CLI arguments.
To load detectors, detector config YAMLs (e.g. procmon.yaml) must be provided in the config directory.
Detector configuration is covered in the next chapters.
The Protobuf specification for detector configs is located in the reference chapter.
Bombini Config
The Bombini agent configuration is stored in config.yaml. An example config.yaml is provided below:
# Global parameters for bombini agent.
# All paths must be full canonical or
# relative to this config file.
---
# Directory with bpf detector object files
bpf_objs: /usr/local/lib/bombini/bpf
# Path to pin bpf maps.
maps_pin_path: /sys/fs/bpf/bombini
# Event map size (ring buffer size in bytes)
event_map_size: 65536
# Raw event channel size (number of event messages)
event_channel_size: 64
# Procmon process map size
procmon_proc_map_size: 8192
# Retain Transmuters caches every <gc_period> sec
gc_period: 30
# List of the detectors to load
detectors:
- procmon
#- filemon
#- netmon
#- io_uringmon
#- gtfobins
To enable loading of a detector you must put its name in the detectors section of the config.
NOTE: a YAML file with the same name plus the “.yaml” suffix must exist in
the same directory as config.yaml.
Bombini CLI Arguments
Ebpf-based agent for observability and security monitoring
Usage: bombini [OPTIONS]
Options:
--bpf-objs <FILE> Directory with bpf detector object files
--maps-pin-path <FILE> Path to pin bpf maps
--event-map-size <VALUE> Event map size (ring buffer size in bytes) default value: 65536
--event-channel-size <VALUE> Raw event channel size (number of event messages) default value: 64
--procmon-proc-map-size <VALUE> Procmon process map size default value: 8192
-D, --detector <NAME> Detector to load. Can be specified multiple times. Overrides the config
--config-dir <DIR> YAML config dir with global config and detector configs [default: /usr/local/lib/bombini/config]
--event-log <FILE> File path to save events
--event-socket <FILE> Unix socket path to send events
-h, --help Print help
-V, --version Print version
--bpf-objs, --maps-pin-path, --event-map-size, --event-channel-size and the detector options override the corresponding config options.
--event-log and --event-socket override the default output of JSON-serialized events to stdout.
Filtering
This chapter describes the various event filters. These filters are applied on the eBPF side.
Process Filter
The filter is defined by the process_filter keyword.
Events that DO satisfy the following conditions will be sent to userspace.
deny_list is false by default. Setting it inverts the defined condition:
events that DO NOT satisfy the following conditions will be
sent to userspace.
The conditions uid, euid, auid and binary are combined with logical “AND”.
The values in each section are represented as arrays and are combined with
logical “OR”. binary represents a path_filter: the fields name, prefix and path in the binary section are combined with logical “OR”.
The process filter is global for a detector and is applied to all events of this detector. The process filter is combined with the other filters using AND.
Filter explanation with boolean logic:
NOT process_filter // deny_list logic
uid && euid && auid && binary // all filter logic
uid && euid && auid && (name || prefix || path)
Example:
process_filter:
  deny_list: false
  uid:
    - 0
  euid:
    - 0
  auid:
    - 1000
  binary:
    name:
      - tail
      - curl
    prefix:
      - /usr/local/bin/
    path:
      - /usr/bin/uname
Path Filter
The filter is an allow list of paths given by name, prefix, or full path. If a path has a listed name, starts with a listed prefix, or equals a listed full path, the event will be sent.
Filter explanation with boolean logic:
name || prefix || path // all items united with OR operator
Example:
path_filter:
  name:
    - .history
    - .bash_history
  prefix:
    - /boot
  path:
    - /etc/passwd
IP Filter
IP filters can act as an allow list or a deny list, and the IPv4 and IPv6 filters are united with OR. Each filter has a source IP list and a destination IP list. The filters for IPv4 and IPv6 are separate.
Filter explanation with boolean logic:
ipv4_filter || ipv6_filter // ipv4/ipv6 filters united with OR
NOT ipv4_filter // ipv4 filter deny_list
NOT ipv6_filter // ipv6 filter deny_list
dst_ip || src_ip // dst and src lists are united with OR
Example:
ipv4_filter:
  deny_list: true
  dst_ip:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 127.0.0.1
    - 0.0.0.0
ipv6_filter:
  dst_ip:
    - 2000::/3
Cred Filter
cred_filter supports filtering by euid and by effective capabilities. They are combined with logical OR.
cap_filter supports deny_list, which acts like a NOT operator. cap_filter also supports the ANY keyword, which
matches if any capability is set (the effective capability set is not 0).
Filter explanation with boolean logic:
cap_filter || uid_filter // filters united with OR condition
NOT cap_filter // deny_list
euid || effective // cap_filter has only effective caps, uid_filter only euid
Example:
cred_filter:
  uid_filter:
    euid:
      - 0
  cap_filter:
    effective:
      - "CAP_SYS_ADMIN"
    deny_list: true
ProcMon
ProcMon is the main detector; it collects information about processes being spawned and exiting. Information about living processes is stored in a shared eBPF map and in a process cache in user space. Every other detector depends on ProcMon, which monitors process execs and exits, so this detector cannot be disabled.
Required Linux Kernel Version
6.2 or greater
Config Description
It is possible to include IMA hashes of executed binaries in the process information. To enable this, put the following in the config (false by default):
ima_hash: true
It is possible to set the garbage collection period in seconds for PROCMON_PROC_MAP (process info in eBPF).
The default value is 30 sec.
gc_period: 30
Process Hooks
ProcMon helps to monitor privilege escalation during process execution. It uses these LSM hooks for this:
- security_task_fix_setuid
- security_capset
- security_task_prctl
- security_create_user_ns
To enable setuid events put this in the config:
setuid:
  enabled: true
Enabling capset events:
capset:
  enabled: true
Enabling prctl events:
prctl:
  enabled: true
Enabling create_user_ns events:
create_user_ns:
  enabled: true
Enabling ptrace_access_check events:
ptrace_access_check:
  enabled: true
ProcMon supports process filtering.
A cred filter can be applied to these hooks:
- security_task_fix_setuid
- security_capset
- security_create_user_ns
Config example:
setuid:
  enabled: true
  cred_filter:
    uid_filter:
      euid:
        - 0
capset:
  enabled: true
  cred_filter:
    cap_filter:
      effective:
        - "ANY"
create_user_ns:
  enabled: true
  cred_filter:
    cap_filter:
      effective:
        - "CAP_SYS_ADMIN"
      deny_list: true
process_filter:
  uid:
    - 0
  euid:
    - 0
  auid:
    - 1000
  binary:
    prefix:
      - /usr/bin/
      - /usr/sbin/
FileMon
The detector provides events related to file / filesystem operations. Supported LSM hooks:
- file_open: provides info about the file owner/permissions and the permissions with which the process accessed the file.
- mmap_file: provides info about the mmapped file: path, protection flags.
- path_truncate: provides info about the path truncated by the truncate syscall.
- path_unlink: provides info about the path being deleted.
- path_chmod: provides info about changing file permissions.
- path_chown: provides info about changing the file owner.
- sb_mount: provides info about mounted devices.
- file_ioctl: provides info about ioctl commands.
Required Linux Kernel Version
- file_open: 6.2 or greater
- mmap_file: 6.2 or greater
- sb_mount: 6.2 or greater
- file_ioctl: 6.2 or greater
- path_truncate: 6.8 or greater
- path_unlink: 6.8 or greater
- path_chmod: 6.8 or greater
- path_chown: 6.8 or greater
Config Description
Config represents a dictionary with supported LSM BPF file hooks:
- file_open
- mmap_file
- path_truncate
- path_unlink
- path_chmod
- path_chown
- sb_mount
- file_ioctl
For each file hook the following option is supported:
- enabled: enables detection for the hook. False by default.
Event filtering
FileMon detector supports process filtering.
FileMon also supports path filtering for hooks:
- file_open
- path_truncate
- path_unlink
- path_chmod
- path_chown
- mmap_file
- file_ioctl
Config example:
file_open:
  enabled: true
  path_filter:
    name:
      - .history
      - .bash_history
    prefix:
      - /boot
    path:
      - /etc/passwd
mmap_file:
  enabled: true
path_truncate:
  enabled: false
path_unlink:
  enabled: false
path_chmod:
  enabled: false
path_chown:
  enabled: false
sb_mount:
  enabled: false
process_filter:
  binary:
    name:
      - tail
    path:
      - /usr/bin/cat
NetMon
The NetMon detector provides information about ingress/egress TCP connections over IPv4/IPv6.
Hooks:
- tcp_v4_connect: collects egress TCP IPv4 connection requests
- tcp_v6_connect: collects egress TCP IPv6 connection requests
- tcp_close: collects connection close events
- inet_csk_accept: collects TCP v4/v6 ingress connections
Required Linux Kernel Version
6.2 or greater
Config Description
First you need to enable monitoring for ingress or egress TCP connections, or both:
ingress:
  enabled: true
egress:
  enabled: true
NetMon supports filtering by IP. You can have separate filters for ingress/egress traffic.
egress:
  enabled: true
  ipv4_filter:
    deny_list: true
    dst_ip:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
      - 127.0.0.1
      - 0.0.0.0
  ipv6_filter:
    dst_ip:
      - 2000::/3
The example above shows a NetMon config that detects outgoing connections leaving the cluster network: egress to the listed private and local ranges is dropped in-kernel, and everything else is reported.
NetMon detector supports process filtering.
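The IP filter logic from the Filtering chapter, run over the egress example above, as an added Python model (not Bombini's code). It assumes the YAML is given as a dict, constructs its own sample connections, and treats an address family with no filter configured as pass-through.

```python
import ipaddress

# Reference model of the IP filter semantics: within one family filter,
# dst_ip || src_ip; deny_list inverts that family's result; the event is
# then judged by the filter of the family the connection belongs to.
def _ip_in_list(ip, entries):
    """True if `ip` is covered by any entry (plain address or CIDR prefix)."""
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def ip_filter_passes(ip_filter, src, dst):
    """Evaluate one family's filter (ipv4_filter or ipv6_filter).

    Returns True if the connection event should be sent to userspace.
    """
    listed = (_ip_in_list(dst, ip_filter.get("dst_ip") or [])
              or _ip_in_list(src, ip_filter.get("src_ip") or []))
    if ip_filter.get("deny_list", False):
        return not listed
    return listed


def connection_event_sent(control, src_ip, dst_ip):
    """Apply a ConnectionsControl block (ipv4_filter / ipv6_filter) to one connection.

    Assumption of this model: a family with no filter configured sends everything.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    key = "ipv4_filter" if dst.version == 4 else "ipv6_filter"
    family_filter = control.get(key)
    if family_filter is None:
        return True
    return ip_filter_passes(family_filter, src, dst)


# The NetMon egress example from this page as a dict (constructed so the block
# runs without a YAML parser).
EGRESS_EXAMPLE = {
    "enabled": True,
    "ipv4_filter": {
        "deny_list": True,
        "dst_ip": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                   "127.0.0.1", "0.0.0.0"],
    },
    "ipv6_filter": {"dst_ip": ["2000::/3"]},
}

# Constructed sample connections: (description, src, dst)
SAMPLE_CONNECTIONS = [
    ("pod to pod", "10.244.1.5", "10.244.2.9"),
    ("pod to public DNS", "10.244.1.5", "8.8.8.8"),
    ("loopback", "127.0.0.1", "127.0.0.1"),
    ("pod to global unicast v6", "fd00::1", "2001:db8::1"),
    ("pod to link-local v6", "fd00::1", "fe80::1"),
]


def evaluate(control, samples):
    """Return {description: sent?} for each sample connection."""
    return {desc: connection_event_sent(control, s, d) for desc, s, d in samples}


if __name__ == "__main__":
    for desc, sent in evaluate(EGRESS_EXAMPLE, SAMPLE_CONNECTIONS).items():
        print(f"{'SENT   ' if sent else 'DROPPED'} {desc}")
```

Note that the two families use opposite styles in this config: IPv4 is a deny list of private ranges, while IPv6 is an allow list of global unicast (2000::/3), so link-local and ULA IPv6 destinations are silently dropped.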
IOUringMon
The IOUring detector tracks SQE submission using the io_uring_submit_req tracepoint.
Inspired by:
- curing example and post.
- RingReaper example and post.
Required Linux Kernel Version
6.8 or greater
Config Description
IOUringMon detector supports process filtering.
Config example:
process_filter:
  uid:
    - 0
  euid:
    - 0
  binary:
    name:
      - nslookup
GTFOBins
The GTFOBins detector detects GTFOBins execution. It checks whether a privileged shell is executed and returns process information about the GTFOBins binary that is spawning the shell.
Required Linux Kernel Version
6.8 or greater
Config Description
The config is the list of GTFOBins filenames:
enforce: true
gtfobins: # https://gtfobins.github.io/#+shell%20+SUID%20+Sudo
  - aa-exec
  - awk
  - busctl
  - busybox
  - cabal
  ...
When the enforce flag is set to true, execution of GTFOBins is blocked. It is false by default.
Protocol Documentation
proto/config.proto
CapFilter
Capabilities filter
| Field | Type | Label | Description |
|---|---|---|---|
| effective | string | repeated | List of effective Capabilities. Special name ANY means if any cap is in effective cap set. |
| deny_list | bool | optional | if true acts like deny list |
ConnectionsControl
Connections control
| Field | Type | Label | Description |
|---|---|---|---|
| enabled | bool | | Load eBPF programs |
| ipv4_filter | IpFilter | | IPv4 connections filter |
| ipv6_filter | IpFilter | | IPv6 connections filter |
CredFilter
Filter events using cred information. Pattern: uid_filter || cap_filter.
| Field | Type | Label | Description |
|---|---|---|---|
| uid_filter | UidFilter | | Filter by uids (euid, TODO: uid, fsuid). |
| cap_filter | CapFilter | | Filter by caps (effective, TODO: permitted, inheritable). |
FileHookConfig
FileMon hook configuration
| Field | Type | Label | Description |
|---|---|---|---|
| enabled | bool | | Load eBPF programs |
| path_filter | PathFilter | optional | Filter event by Path |
FileMonConfig
Configuration file for FileMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| file_open | FileHookConfig | | security_file_open config. |
| path_truncate | FileHookConfig | | security_path_truncate config. |
| path_unlink | FileHookConfig | | security_path_unlink config. |
| path_chmod | FileHookConfig | | security_path_chmod config. |
| path_chown | FileHookConfig | | security_path_chown config. |
| sb_mount | FileHookConfig | | security_sb_mount config. |
| mmap_file | FileHookConfig | | security_mmap_file config. |
| file_ioctl | FileHookConfig | | security_file_ioctl config. |
| process_filter | ProcessFilter | | Filter File events by Process information. |
GTFOBinsConfig
Configuration file for GTFOBinsDetector.
| Field | Type | Label | Description |
|---|---|---|---|
| enforce | bool | | Block execution of GTFOBins binaries. |
| gtfobins | string | repeated | GTFOBins executables names. |
IOUringMonConfig
Configuration file for IOUringMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| process_filter | ProcessFilter | | Filter io_uring events by Process information. |
IpFilter
IP filter configuration
| Field | Type | Label | Description |
|---|---|---|---|
| src_ip | string | repeated | Source IP list |
| dst_ip | string | repeated | Destination IP list |
| deny_list | bool | | if true acts like deny list |
NetMonConfig
Configuration file for NetMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| process_filter | ProcessFilter | | Filter Network events by Process information. |
| ingress | ConnectionsControl | | Ingress traffic connections |
| egress | ConnectionsControl | | Egress traffic connections |
PathFilter
Path filtering args
| Field | Type | Label | Description |
|---|---|---|---|
| name | string | repeated | List of executables names to filter. |
| path | string | repeated | List of full executable paths to filter. |
| prefix | string | repeated | List of executable path prefixes to filter. |
ProcHookConfig
ProcMon hook configuration
| Field | Type | Label | Description |
|---|---|---|---|
| enabled | bool | | Load eBPF programs |
| cred_filter | CredFilter | | Filter by Cred |
ProcMonConfig
Configuration file for ProcMon detector
| Field | Type | Label | Description |
|---|---|---|---|
| setuid | ProcHookConfig | | setuid hook config. |
| capset | ProcHookConfig | | capset hook config. |
| prctl | ProcHookConfig | | prctl hook config. |
| create_user_ns | ProcHookConfig | | create_user_ns hook config. |
| ptrace_access_check | ProcHookConfig | | ptrace_attach hook config. |
| process_filter | ProcessFilter | | Process Filter Configuration. |
| ima_hash | bool | optional | Collect IMA hashes for executed binaries. |
| gc_period | uint64 | optional | GC period for PROCMON_PROC_MAP, default 30 sec. |
ProcessFilter
Filter events using process information. Filtering is based on the pattern: uid AND euid AND auid AND (binary.name OR binary.prefix OR binary.path). All variables in the pattern are optional. If deny_list is true the filter acts as a deny list, otherwise it is an allow list.
| Field | Type | Label | Description |
|---|---|---|---|
| uid | uint32 | repeated | List of UIDs to filter. |
| euid | uint32 | repeated | List of EUIDs to filter. |
| auid | uint32 | repeated | List of AUIDs (login uid) to filter. |
| binary | PathFilter | | Binary filter args |
| deny_list | bool | | if true acts like deny list |
UidFilter
UID filter
| Field | Type | Label | Description |
|---|---|---|---|
| euid | uint32 | repeated | effective UID |
Events
This chapter describes all types of events produced by Bombini. Events are grouped by the detectors that produce them, and each event description includes a JSON example.
Each event carries the process information related to that event.
The JSON schema for all events is located in the reference chapter.
ProcMon
ProcessExec
The ProcessExec event represents a newly executed binary (execve).
{
"parent": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 1000,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 72741,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T17:42:02.112Z",
"tid": 72741,
"uid": 1000
},
"process": {
"args": "-c byobu-status tmux_left",
"auid": 1000,
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 6700,
"ppid": 72741,
"secureexec": "",
"start_time": "2025-12-11T11:45:47.773Z",
"tid": 6700,
"uid": 1000
},
"timestamp": "2025-12-11T11:45:47.773Z",
"type": "ProcessExec"
}
IMA Binary Hash
Process information can be enriched with binary hashes collected from IMA.
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-lah",
"auid": 1000,
"binary_ima_hash": "sha256:0148f5ab3062a905281d8deb9645363da5131011c9e7b6dcaa38b504e41b68ea",
"binary_path": "/usr/bin/ls",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "ls",
"gid": 0,
"pid": 7259,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:12.653Z",
"tid": 7259,
"uid": 0
},
"timestamp": "2025-12-11T11:46:12.653Z",
"type": "ProcessExec"
}
Fileless Execution
The event records execution without a backing file (memfd_create): binary_path points at the memfd and secureexec is set to FILELESS_EXEC.
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "fileless-exec-test",
"auid": 1000,
"binary_path": "/memfd:fileless-exec-test (deleted)",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "memfd:fileless-exec-test",
"gid": 0,
"pid": 7206,
"ppid": 6576,
"secureexec": "FILELESS_EXEC",
"start_time": "2025-12-11T11:46:10.107Z",
"tid": 7206,
"uid": 0
},
"timestamp": "2025-12-11T11:46:10.107Z",
"type": "ProcessExec"
}
ProcessClone
ProcessClone represents a process creation via the fork() or clone() syscalls.
{
"parent": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 1000,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 72741,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T17:42:02.112Z",
"tid": 72741,
"uid": 1000
},
"process": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 0,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": true,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 7243,
"ppid": 72741,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.813Z",
"tid": 7243,
"uid": 1000
},
"timestamp": "2025-12-11T11:46:11.813Z",
"type": "ProcessClone"
}
ProcessExit
ProcessExit event represents an exited process.
{
"parent": {
"args": "/usr/bin/byobu-status tmux_right",
"auid": 1000,
"binary_ima_hash": "sha256:86d31f6fb799e91fa21bad341484564510ca287703a16e9e46c53338776f4f42",
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 7248,
"ppid": 7243,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.845Z",
"tid": 7248,
"uid": 1000
},
"process": {
"args": "/usr/bin/byobu-status tmux_right",
"auid": 0,
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": true,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 7250,
"ppid": 7248,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.849Z",
"tid": 7250,
"uid": 1000
},
"timestamp": "2025-12-11T11:46:11.850Z",
"type": "ProcessExit"
}
ProcessEvents
ProcessEvents represent a collection of events related to privilege escalation.
Setuid
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-u nobody true",
"auid": 1000,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "sudo",
"gid": 0,
"pid": 7425,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:20.687Z",
"tid": 7425,
"uid": 0
},
"process_event": {
"euid": 0,
"flags": "LSM_SETID_RES",
"fsuid": 0,
"type": "Setuid",
"uid": 0
},
"timestamp": "2025-12-11T11:46:20.693Z",
"type": "ProcessEvent"
}
Setcaps
{
"parent": {
"args": "capsh --caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 0,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": true,
"egid": 0,
"euid": 0,
"filename": "sudo",
"gid": 0,
"pid": 7381,
"ppid": 7380,
"secureexec": "",
"start_time": "2025-12-11T11:46:18.013Z",
"tid": 7381,
"uid": 0
},
"process": {
"args": "--caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "capsh",
"gid": 0,
"pid": 7382,
"ppid": 7381,
"secureexec": "",
"start_time": "2025-12-11T11:46:18.016Z",
"tid": 7382,
"uid": 0
},
"process_event": {
"effective": "CAP_NET_RAW | CAP_SYS_ADMIN",
"inheritable": "",
"permitted": "CAP_NET_RAW | CAP_SYS_ADMIN",
"type": "Setcaps"
},
"timestamp": "2025-12-11T11:46:18.016Z",
"type": "ProcessEvent"
}
Prctl
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 217149,
"ppid": 216910,
"secureexec": "",
"start_time": "2025-12-14T11:16:03.806Z",
"tid": 217149,
"uid": 0
},
"process": {
"args": "--keep=1 -- -c echo KEEPCAPS enabled",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "capsh",
"gid": 0,
"pid": 217438,
"ppid": 217149,
"secureexec": "",
"start_time": "2025-12-14T11:16:36.901Z",
"tid": 217438,
"uid": 0
},
"process_event": {
"cmd": {
"PrSetKeepCaps": 1
},
"type": "Prctl"
},
"timestamp": "2025-12-14T11:16:36.903Z",
"type": "ProcessEvent"
}
CreateUserNs
{
"parent": null,
"process": {
"args": "-U",
"auid": 1000,
"binary_path": "/usr/bin/unshare",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "unshare",
"gid": 0,
"pid": 217376,
"ppid": 217149,
"secureexec": "",
"start_time": "2025-12-14T11:16:29.111Z",
"tid": 217376,
"uid": 0
},
"process_event": {
"type": "CreateUserNs"
},
"timestamp": "2025-12-14T11:16:29.113Z",
"type": "ProcessEvent"
}
PtraceAccessCheck
{
"type": "ProcessEvent",
"process": {
"start_time": "2025-12-11T12:07:20.621Z",
"cloned": false,
"pid": 26539,
"tid": 26539,
"ppid": 72885,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "gdb",
"binary_path": "/usr/bin/gdb",
"args": "attach -p 26029"
},
"parent": {
"start_time": "2025-11-26T17:42:04.042Z",
"cloned": false,
"pid": 72885,
"tid": 72885,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"process_event": {
"type": "PtraceAccessCheck",
"child": {
"start_time": "2025-12-11T12:06:49.791Z",
"cloned": false,
"pid": 26029,
"tid": 26029,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "vim.basic",
"binary_path": "/usr/bin/vim.basic",
"args": "./evets.log"
},
"mode": "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS"
},
"timestamp": "2025-12-11T12:07:20.712Z"
}
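A small consumer for the ProcMon events shown in this chapter, as an added example (not Bombini's code): it reads the JSON events Bombini writes with --event-log and flags the signals described above (fileless exec, Setcaps granting sensitive capabilities, ptrace attach, user namespace creation). It assumes the log holds one JSON object per line; the sample log, the watched capability set and the rule names are constructed for this example.

```python
import json

# Constructed newline-delimited log, with events trimmed to the fields the
# rules below use (shapes follow the JSON examples in this chapter).
CONSTRUCTED_LOG = """\
{"type":"ProcessExec","timestamp":"2025-12-11T11:46:10.107Z","parent":null,"process":{"pid":7206,"ppid":6576,"uid":0,"euid":0,"auid":1000,"filename":"memfd:fileless-exec-test","binary_path":"/memfd:fileless-exec-test (deleted)","args":"fileless-exec-test","secureexec":"FILELESS_EXEC","cap_effective":"ALL_CAPS"}}
{"type":"ProcessExec","timestamp":"2025-12-11T11:45:57.090Z","parent":null,"process":{"pid":6897,"ppid":6576,"uid":0,"euid":0,"auid":1000,"filename":"ls","binary_path":"/usr/bin/ls","args":"-lah /etc","secureexec":"","cap_effective":"ALL_CAPS"}}
{"type":"ProcessEvent","timestamp":"2025-12-11T11:46:18.016Z","parent":null,"process":{"pid":7382,"ppid":7381,"uid":0,"euid":0,"auid":1000,"filename":"capsh","binary_path":"/usr/sbin/capsh","args":"--caps=cap_sys_admin=ep cap_net_raw=ep -- -c id","secureexec":"","cap_effective":"ALL_CAPS"},"process_event":{"type":"Setcaps","effective":"CAP_NET_RAW | CAP_SYS_ADMIN","inheritable":"","permitted":"CAP_NET_RAW | CAP_SYS_ADMIN"}}
{"type":"ProcessEvent","timestamp":"2025-12-11T12:07:20.712Z","parent":null,"process":{"pid":26539,"ppid":72885,"uid":1000,"euid":1000,"auid":1000,"filename":"gdb","binary_path":"/usr/bin/gdb","args":"attach -p 26029","secureexec":"","cap_effective":""},"process_event":{"type":"PtraceAccessCheck","mode":"PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS","child":{"pid":26029,"uid":1000,"euid":1000,"filename":"vim.basic","binary_path":"/usr/bin/vim.basic","args":"./evets.log"}}}
{"type":"ProcessEvent","timestamp":"2025-12-14T11:16:29.113Z","parent":null,"process":{"pid":217376,"ppid":217149,"uid":0,"euid":0,"auid":1000,"filename":"unshare","binary_path":"/usr/bin/unshare","args":"-U","secureexec":"","cap_effective":"ALL_CAPS"},"process_event":{"type":"CreateUserNs"}}
"""

# Capabilities worth a finding when a Setcaps event adds them (constructed choice).
WATCHED_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_DAC_OVERRIDE"}


def parse_caps(cap_string):
    """'CAP_NET_RAW | CAP_SYS_ADMIN' -> {'CAP_NET_RAW', 'CAP_SYS_ADMIN'}; '' -> set()."""
    return {c.strip() for c in cap_string.split("|") if c.strip()}


def findings_for(event):
    """Return a list of (rule, detail) tuples for one Bombini event."""
    proc = event["process"]
    out = []
    if event["type"] == "ProcessExec" and proc.get("secureexec") == "FILELESS_EXEC":
        out.append(("fileless_exec", f"pid {proc['pid']} ran {proc['binary_path']}"))
    if event["type"] == "ProcessEvent":
        pe = event["process_event"]
        if pe["type"] == "Setcaps":
            caps = parse_caps(pe["effective"])
            # ALL_CAPS is the event's shorthand for every capability being set
            gained = WATCHED_CAPS if "ALL_CAPS" in caps else caps & WATCHED_CAPS
            if gained:
                out.append(("setcaps_watched",
                            f"pid {proc['pid']} {proc['filename']} effective += {sorted(gained)}"))
        elif pe["type"] == "PtraceAccessCheck" and "PTRACE_MODE_ATTACH" in pe["mode"]:
            # PTRACE_MODE_READ checks fire for routine /proc reads; only attach is of interest
            child = pe["child"]
            out.append(("ptrace_attach",
                        f"{proc['filename']} (pid {proc['pid']}) -> {child['filename']} (pid {child['pid']})"))
        elif pe["type"] == "CreateUserNs":
            out.append(("user_ns",
                        f"pid {proc['pid']} {proc['filename']} {proc['args']} by uid {proc['uid']}"))
    return out


def scan_log(text):
    """Parse newline-delimited events and return (timestamp, rule, detail) findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, detail in findings_for(event):
            findings.append((event["timestamp"], rule, detail))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in scan_log(CONSTRUCTED_LOG):
        print(f"{ts} {rule:16} {detail}")
```

The same function works on a live file with tail -f: feed each new line to json.loads and findings_for, which is the shape the Install / Uninstall chapter's /var/log/bombini/bombini.log produces.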
FileMon
FileEvent represents a collection of events related to file / filesystem operations.
PathTruncate
The event is triggered when a file is truncated by the truncate syscall.
{
"hook": {
"path": "/tmp/bombini-test-U28D8",
"type": "PathTruncate"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "cargo",
"gid": 0,
"pid": 5914,
"ppid": 5913,
"secureexec": "",
"start_time": "2025-12-11T11:45:09.002Z",
"tid": 5914,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"timestamp": "2025-12-11T11:46:28.965Z",
"type": "FileEvent"
}
PathUnlink
The event is triggered when a file is deleted.
{
"hook": {
"path": "/tmp/bombini-test-5R3Uq",
"type": "PathUnlink"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "/tmp/bombini-test-5R3Uq",
"auid": 1000,
"binary_path": "/usr/bin/rm",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "rm",
"gid": 0,
"pid": 7656,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:31.741Z",
"tid": 7656,
"uid": 0
},
"timestamp": "2025-12-11T11:46:31.742Z",
"type": "FileEvent"
}
FileOpen
{
"hook": {
"access_mode": "O_RDONLY",
"creation_flags": "O_NONBLOCK | O_LARGEFILE | O_DIRECTORY",
"gid": 0,
"i_mode": "drwxr-xr-x",
"path": "/etc",
"type": "FileOpen",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-lah /etc",
"auid": 1000,
"binary_path": "/usr/bin/ls",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "ls",
"gid": 0,
"pid": 6897,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:57.090Z",
"tid": 6897,
"uid": 0
},
"timestamp": "2025-12-11T11:45:57.094Z",
"type": "FileEvent"
}
PathChmod
{
"hook": {
"i_mode": "?rw-r--r--",
"path": "/tmp/bombini-test-S6lD9/config/filemon.yaml",
"type": "PathChmod"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "+w /tmp/bombini-test-S6lD9/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chmod",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "chmod",
"gid": 0,
"pid": 7491,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:23.486Z",
"tid": 7491,
"uid": 0
},
"timestamp": "2025-12-11T11:46:23.488Z",
"type": "FileEvent"
}
PathChown
{
"hook": {
"gid": 0,
"path": "/tmp/bombini-test-49KFg/config/filemon.yaml",
"type": "PathChown",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "0:0 /tmp/bombini-test-49KFg/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chown",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "chown",
"gid": 0,
"pid": 7552,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:26.188Z",
"tid": 7552,
"uid": 0
},
"timestamp": "2025-12-11T11:46:26.190Z",
"type": "FileEvent"
}
SbMount
This event is triggered when a block device is mounted.
{
"type": "FileEvent",
"process": {
"start_time": "2025-12-11T13:07:53.637Z",
"cloned": false,
"pid": 83289,
"tid": 83289,
"ppid": 83119,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "/dev/sda1 /mnt",
"container_id": "161287b604973779d82648fbbf6a418"
},
"parent": {
"start_time": "2025-12-11T13:07:46.743Z",
"cloned": false,
"pid": 83119,
"tid": 83119,
"ppid": 83097,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "",
"container_id": "161287b604973779d82648fbbf6a418"
},
"hook": {
"type": "SbMount",
"dev": "/dev/sda1",
"mnt": "/mnt",
"flags": 1306860944
},
"timestamp": "2025-12-11T13:07:53.637Z"
}
MmapFile
{
"hook": {
"flags": "MAP_SHARED | MAP_PRIVATE",
"path": "/tmp/bombini-test-kpUpE/config/filemon.yaml",
"prot": "PROT_READ | PROT_WRITE",
"type": "MmapFile"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "cargo",
"gid": 0,
"pid": 5914,
"ppid": 5913,
"secureexec": "",
"start_time": "2025-12-11T11:45:09.002Z",
"tid": 5914,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"timestamp": "2025-12-11T11:45:52.856Z",
"type": "FileEvent"
}
FileIoctl
{
"hook": {
"cmd": 3221775552,
"i_mode": "crw-rw----",
"path": "/dev/dri/card1",
"type": "FileIoctl"
},
"parent": {
"args": "--user",
"auid": 1000,
"binary_path": "/usr/lib/systemd/systemd",
"cap_effective": "CAP_WAKE_ALARM",
"cap_inheritable": "CAP_WAKE_ALARM",
"cap_permitted": "CAP_WAKE_ALARM",
"cloned": false,
"container_id": "1000.slice/user@1000.service/in",
"egid": 1000,
"euid": 1000,
"filename": "systemd",
"gid": 1000,
"pid": 2219,
"ppid": 1,
"secureexec": "",
"start_time": "2025-11-26T14:28:37.112Z",
"tid": 2219,
"uid": 1000
},
"process": {
"args": "",
"auid": 1000,
"binary_path": "/usr/bin/gnome-shell",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "gnome-shell",
"gid": 1000,
"pid": 2476,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T14:28:37.942Z",
"tid": 2476,
"uid": 1000
},
"timestamp": "2025-12-11T11:45:48.084Z",
"type": "FileEvent"
}
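The FileIoctl event above reports the ioctl request number as a raw integer (3221775552). The following added example, not part of the Bombini project, decodes such a number into the kernel's _IOC(dir, type, nr, size) fields using the asm-generic/ioctl.h bit layout (x86 and arm64), and renders a FileIoctl event line as a one-line summary. The sample event is a constructed, field-reduced copy of the one shown above.

```python
import json

# Field widths and shifts from the kernel's asm-generic/ioctl.h encoding,
# which x86 and arm64 use (a few architectures, e.g. powerpc, differ).
IOC_NRBITS, IOC_TYPEBITS, IOC_SIZEBITS, IOC_DIRBITS = 8, 8, 14, 2
IOC_NRSHIFT = 0
IOC_TYPESHIFT = IOC_NRSHIFT + IOC_NRBITS        # 8
IOC_SIZESHIFT = IOC_TYPESHIFT + IOC_TYPEBITS    # 16
IOC_DIRSHIFT = IOC_SIZESHIFT + IOC_SIZEBITS     # 30
# Direction bits: _IOC_WRITE = 1 (userspace writes to the kernel), _IOC_READ = 2.
DIR_MACROS = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}


def decode_ioctl_cmd(cmd: int) -> dict:
    """Split a raw ioctl request number into its _IOC(dir, type, nr, size) parts."""
    nr = (cmd >> IOC_NRSHIFT) & ((1 << IOC_NRBITS) - 1)
    typ = (cmd >> IOC_TYPESHIFT) & ((1 << IOC_TYPEBITS) - 1)
    size = (cmd >> IOC_SIZESHIFT) & ((1 << IOC_SIZEBITS) - 1)
    direction = (cmd >> IOC_DIRSHIFT) & ((1 << IOC_DIRBITS) - 1)
    return {
        "macro": DIR_MACROS[direction],
        "type": typ,
        # The type byte is usually an ASCII "magic" chosen by the driver; 'd' (0x64)
        # is the DRM ioctl base, consistent with the /dev/dri/card1 path in the event.
        "type_char": chr(typ) if 0x20 <= typ < 0x7F else None,
        "nr": nr,
        "size": size,
    }


def describe_ioctl_event(line: str) -> str:
    """Render a Bombini FileIoctl event line as "<process> -> <path>: _IOWR('d', 0xc0, size=8)"."""
    ev = json.loads(line)
    hook = ev.get("hook", {})
    if ev.get("type") != "FileEvent" or hook.get("type") != "FileIoctl":
        raise ValueError("not a FileIoctl event")
    d = decode_ioctl_cmd(hook["cmd"])
    magic = f"'{d['type_char']}'" if d["type_char"] else f"0x{d['type']:02x}"
    return (f"{ev['process']['filename']} -> {hook['path']}: "
            f"{d['macro']}({magic}, 0x{d['nr']:02x}, size={d['size']})")


# Constructed sample: the FileIoctl event above, reduced to the fields used here.
SAMPLE_IOCTL_EVENT = json.dumps({
    "type": "FileEvent",
    "hook": {"cmd": 3221775552, "i_mode": "crw-rw----", "path": "/dev/dri/card1", "type": "FileIoctl"},
    "process": {"filename": "gnome-shell", "binary_path": "/usr/bin/gnome-shell", "pid": 2476},
    "timestamp": "2025-12-11T11:45:48.084Z",
})

if __name__ == "__main__":
    print(describe_ioctl_event(SAMPLE_IOCTL_EVENT))
```

For the event above this yields `_IOWR('d', 0xc0, size=8)`: a read/write ioctl with an 8-byte argument on the DRM magic, which is what a graphics shell talking to /dev/dri/card1 is expected to issue. Mapping the (type, nr) pair to a named ioctl still requires the driver's header, so the decoder stops at the generic fields.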
NetMon
NetworkEvent represents a collection of events that describe ingress/egress TCP connections over IPv4/IPv6.
TcpConnectionEstablish
Example: wget -qO- -6 google.com
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:24.089Z",
"cloned": false,
"pid": 47663,
"tid": 47663,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "wget",
"binary_path": "/usr/bin/wget",
"args": "-qO- -6 google.com"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionEstablish",
"saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
"daddr": "2a00:1450:4001:80f::200e",
"sport": 44538,
"dport": 80,
"cookie": 63
},
"timestamp": "2025-12-11T12:31:24.105Z"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 49184,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 49856,
"type": "TcpConnectionEstablish"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "inetutils-telnet",
"gid": 0,
"pid": 6961,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:59.923Z",
"tid": 6961,
"uid": 0
},
"timestamp": "2025-12-11T11:45:59.931Z",
"type": "NetworkEvent"
}
TcpConnectionClose
Example: wget -qO- -6 google.com
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:24.089Z",
"cloned": false,
"pid": 47663,
"tid": 47663,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "wget",
"binary_path": "/usr/bin/wget",
"args": "-qO- -6 google.com"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionClose",
"saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
"daddr": "2a00:1450:4001:80f::200e",
"sport": 44538,
"dport": 80,
"cookie": 63
},
"timestamp": "2025-12-11T12:31:24.942Z"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 49184,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 49856,
"type": "TcpConnectionClose"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "inetutils-telnet",
"gid": 0,
"pid": 6961,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:59.923Z",
"tid": 6961,
"uid": 0
},
"timestamp": "2025-12-11T11:45:59.932Z",
"type": "NetworkEvent"
}
TcpConnectionAccept
Example:
nc -l 7878
telnet localhost 7878
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:29.950Z",
"cloned": false,
"pid": 47767,
"tid": 47767,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "nc.openbsd",
"binary_path": "/usr/bin/nc.openbsd",
"args": "-l 7878"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionAccept",
"saddr": "0.0.0.0",
"daddr": "0.0.0.0",
"sport": 7878,
"dport": 0,
"cookie": 8283
},
"timestamp": "2025-12-11T12:31:34.646Z"
}
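The three NetMon event types share one `cookie` (the kernel socket cookie), so an Establish and its Close can be paired even when other events interleave. The following added example, not code from the Bombini project, consumes a stream of NetworkEvent JSON lines, pairs connections by cookie to compute their lifetime, keeps unmatched Establish events as still open, and collects Accept events separately, since in the example above the Accept tuple is the listening socket (0.0.0.0, port 7878) rather than the accepted peer. The sample stream is constructed from the events shown above, reduced to the fields used here, with one constructed telnet timestamp.

```python
import json
from datetime import datetime

# Constructed sample stream built from the events above (fields reduced to those
# used here): the wget connection with cookie 63, the telnet connection with
# cookie 49184 that never closes (its timestamp is constructed), and the nc
# listener's accept event.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"type": "NetworkEvent", "process": {"pid": 47663, "filename": "wget", "args": "-qO- -6 google.com"},
     "network_event": {"type": "TcpConnectionEstablish", "saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
                       "daddr": "2a00:1450:4001:80f::200e", "sport": 44538, "dport": 80, "cookie": 63},
     "timestamp": "2025-12-11T12:31:24.105Z"},
    {"type": "NetworkEvent", "process": {"pid": 6961, "filename": "inetutils-telnet", "args": "localhost 7878"},
     "network_event": {"type": "TcpConnectionEstablish", "saddr": "127.0.0.1", "daddr": "127.0.0.1",
                       "sport": 49856, "dport": 7878, "cookie": 49184},
     "timestamp": "2025-12-11T12:31:24.500Z"},
    {"type": "NetworkEvent", "process": {"pid": 47663, "filename": "wget", "args": "-qO- -6 google.com"},
     "network_event": {"type": "TcpConnectionClose", "saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
                       "daddr": "2a00:1450:4001:80f::200e", "sport": 44538, "dport": 80, "cookie": 63},
     "timestamp": "2025-12-11T12:31:24.942Z"},
    {"type": "NetworkEvent", "process": {"pid": 47767, "filename": "nc.openbsd", "args": "-l 7878"},
     "network_event": {"type": "TcpConnectionAccept", "saddr": "0.0.0.0", "daddr": "0.0.0.0",
                       "sport": 7878, "dport": 0, "cookie": 8283},
     "timestamp": "2025-12-11T12:31:34.646Z"},
])


def parse_ts(ts: str) -> datetime:
    """Bombini timestamps are RFC 3339 with a trailing Z; fromisoformat accepts
    that suffix only from Python 3.11 on, so normalise it to an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def format_peer(addr: str, port: int) -> str:
    """Bracket IPv6 literals so the address:port form stays unambiguous."""
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"


def track_connections(stream: str):
    """Pair TcpConnectionEstablish and TcpConnectionClose events by socket cookie.

    Returns (closed, still_open, listeners): closed maps cookie -> summary with the
    connection lifetime in seconds (None when no Establish was seen, e.g. a
    connection that predates the agent), still_open maps cookie -> the unmatched
    Establish event, and listeners holds the TcpConnectionAccept events.
    """
    still_open, closed, listeners = {}, {}, []
    for line in stream.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "NetworkEvent":
            continue
        net = ev["network_event"]
        cookie, kind = net["cookie"], net["type"]
        if kind == "TcpConnectionEstablish":
            still_open[cookie] = ev
        elif kind == "TcpConnectionClose":
            est = still_open.pop(cookie, None)
            lifetime = None
            if est is not None:
                lifetime = (parse_ts(ev["timestamp"]) - parse_ts(est["timestamp"])).total_seconds()
            closed[cookie] = {
                "process": ev["process"]["filename"],
                "peer": format_peer(net["daddr"], net["dport"]),
                "lifetime_s": lifetime,
            }
        elif kind == "TcpConnectionAccept":
            # The Accept tuple in the example above is the listening socket itself,
            # so only the local port is meaningful here.
            listeners.append({"process": ev["process"]["filename"], "port": net["sport"], "cookie": cookie})
    return closed, still_open, listeners


if __name__ == "__main__":
    closed, still_open, listeners = track_connections(SAMPLE_STREAM)
    for cookie, summary in closed.items():
        print(f"cookie {cookie}: {summary['process']} -> {summary['peer']} lived {summary['lifetime_s']}s")
    print("still open:", sorted(still_open), "listeners:", listeners)
```

Run on the sample, the wget connection to [2a00:1450:4001:80f::200e]:80 closes after 0.837 s, the telnet connection (cookie 49184) remains in `still_open`, and the nc listener appears once under `listeners`.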
IOUringMon
For these IORING_OP opcodes Bombini provides extra information:
- IORING_OP_OPENAT / IORING_OP_OPENAT2
- IORING_OP_STATX
- IORING_OP_UNLINKAT
- IORING_OP_CONNECT
- IORING_OP_ACCEPT
For other opcodes only the opcode itself is provided.
IORING_OP_CONNECT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_CONNECT",
"op_info": {
"addr": "127.0.0.1",
"port": 443
},
"timestamp": "2025-12-11T12:37:46.238Z"
}
IORING_OP_OPENAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_OPENAT",
"op_info": {
"path": "/etc/passwd",
"access_flags": "O_RDONLY",
"creation_flags": "O_LARGEFILE"
},
"timestamp": "2025-12-11T12:38:25.972Z"
}
IORING_OP_STATX
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_STATX",
"op_info": {
"path": "/usr/bin/."
},
"timestamp": "2025-12-11T12:38:48.557Z"
}
IORING_OP_UNLINKAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_UNLINKAT",
"op_info": {
"path": "/home/fedotoff/RingReaper/agent"
},
"timestamp": "2025-12-11T12:39:29.061Z"
}
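The IOUringEvent examples above all come from one process and together show the typical consumer-side questions: which opcodes carry `op_info`, what the path or address in it is, and whether the unlinked path is the process's own executable. The following added triage routine is not part of the Bombini project; it reads IOUringEvent JSON lines, counts opcodes, and emits findings for opens of watched paths, connects, and a process unlinking its own `binary_path`. The watched-prefix list is an assumption to tune per host, and the sample stream is constructed from the events above (fields reduced) plus one IORING_OP_READ with `op_info` set to null, which the schema permits for opcodes without extra information.

```python
import json
from collections import Counter

# Directories whose open via io_uring is worth a finding; an assumption to tune per host.
WATCHED_PREFIXES = ("/etc/", "/root/")

AGENT = {"pid": 53256, "filename": "agent", "binary_path": "/home/fedotoff/RingReaper/agent"}

# Constructed sample built from the IOUringEvent examples above (fields reduced to
# those used here), plus one IORING_OP_READ with no op_info, as the schema allows.
SAMPLE_STREAM = "\n".join(json.dumps(e) for e in [
    {"type": "IOUringEvent", "process": AGENT, "opcode": "IORING_OP_CONNECT",
     "op_info": {"addr": "127.0.0.1", "port": 443}, "timestamp": "2025-12-11T12:37:46.238Z"},
    {"type": "IOUringEvent", "process": AGENT, "opcode": "IORING_OP_OPENAT",
     "op_info": {"path": "/etc/passwd", "access_flags": "O_RDONLY", "creation_flags": "O_LARGEFILE"},
     "timestamp": "2025-12-11T12:38:25.972Z"},
    {"type": "IOUringEvent", "process": AGENT, "opcode": "IORING_OP_STATX",
     "op_info": {"path": "/usr/bin/."}, "timestamp": "2025-12-11T12:38:48.557Z"},
    {"type": "IOUringEvent", "process": AGENT, "opcode": "IORING_OP_READ",
     "op_info": None, "timestamp": "2025-12-11T12:38:50.000Z"},
    {"type": "IOUringEvent", "process": AGENT, "opcode": "IORING_OP_UNLINKAT",
     "op_info": {"path": "/home/fedotoff/RingReaper/agent"}, "timestamp": "2025-12-11T12:39:29.061Z"},
])


def triage_iouring_events(stream: str, watched=WATCHED_PREFIXES):
    """Return (findings, opcode_counts).

    findings is a list of (reason, process_tag, detail, timestamp) tuples;
    opcode_counts maps every opcode seen, including those without op_info.
    """
    findings = []
    counts = Counter()
    for line in stream.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("type") != "IOUringEvent":
            continue
        op = ev["opcode"]
        info = ev.get("op_info") or {}          # null for opcodes without extra info
        proc = ev["process"]
        counts[op] += 1
        tag = f"{proc['filename']}[{proc['pid']}]"
        if op in ("IORING_OP_OPENAT", "IORING_OP_OPENAT2") and info.get("path", "").startswith(watched):
            detail = f"{info['path']} {info.get('access_flags', '')}".strip()
            findings.append(("io_uring open of watched path", tag, detail, ev["timestamp"]))
        elif op == "IORING_OP_UNLINKAT" and info.get("path") == proc["binary_path"]:
            # The executable removing its own file on disk, as in the example above.
            findings.append(("process unlinked its own executable via io_uring", tag, info["path"], ev["timestamp"]))
        elif op == "IORING_OP_CONNECT":
            # Recorded unconditionally; whether this is rare enough to alert on is
            # an assumption that depends on the workloads of the host.
            findings.append(("outbound connect via io_uring", tag, f"{info['addr']}:{info['port']}", ev["timestamp"]))
    return findings, dict(counts)


if __name__ == "__main__":
    found, counts = triage_iouring_events(SAMPLE_STREAM)
    for reason, tag, detail, ts in found:
        print(f"{ts} {tag}: {reason}: {detail}")
    print("opcodes:", counts)
```

On the sample this produces three findings (the connect to 127.0.0.1:443, the open of /etc/passwd, and the unlink of the agent's own binary) while the STATX and READ events only contribute to the opcode counts.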
GTFOBins
A GTFOBins event carries process information about a GTFOBins binary that tries to spawn a privileged shell.
{
"process": {
"args": "-a /dev/null sh",
"auid": 1000,
"binary_path": "/usr/bin/xargs",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "xargs",
"gid": 0,
"pid": 2159624,
"ppid": 2159623,
"secureexec": "",
"start_time": "2025-12-03T21:56:26.328Z",
"tid": 2159624,
"uid": 0
},
"timestamp": "2025-12-03T21:56:26.329Z",
"type": "GTFOBinsEvent"
}
Reference
JSON schemas for all events.
FileMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "FileEvent",
"description": "File Event",
"type": "object",
"properties": {
"hook": {
"description": "LSM File hook info",
"$ref": "#/$defs/LsmFileHook"
},
"parent": {
"description": "Parent Information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process Information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"hook",
"timestamp"
],
"$defs": {
"ChmodInfo": {
"type": "object",
"properties": {
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode"
]
},
"ChownInfo": {
"type": "object",
"properties": {
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"uid",
"gid"
]
},
"FileOpenInfo": {
"type": "object",
"properties": {
"access_mode": {
"description": "access mode passed to open()",
"type": "string"
},
"creation_flags": {
"description": "creation flags passed to open()",
"type": "string"
},
"gid": {
"description": "Group owner GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "File owner UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"access_mode",
"creation_flags",
"uid",
"gid",
"i_mode"
]
},
"IoctlInfo": {
"type": "object",
"properties": {
"cmd": {
"description": "cmd",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode",
"cmd"
]
},
"LsmFileHook": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileOpen"
}
},
"$ref": "#/$defs/FileOpenInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathTruncate"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathUnlink"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChmod"
}
},
"$ref": "#/$defs/ChmodInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChown"
}
},
"$ref": "#/$defs/ChownInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "SbMount"
}
},
"$ref": "#/$defs/MountInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "MmapFile"
}
},
"$ref": "#/$defs/MmapInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileIoctl"
}
},
"$ref": "#/$defs/IoctlInfo",
"required": [
"type"
]
}
]
},
"MmapInfo": {
"type": "object",
"properties": {
"flags": {
"description": "mmap flags",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"prot": {
"description": "mmap protection",
"type": "string"
}
},
"required": [
"path",
"prot",
"flags"
]
},
"MountInfo": {
"type": "object",
"properties": {
"dev": {
"description": "device name",
"type": "string"
},
"flags": {
"description": "mount flags",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"mnt": {
"description": "mount path",
"type": "string"
}
},
"required": [
"dev",
"mnt",
"flags"
]
},
"PathInfo": {
"type": "object",
"properties": {
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path"
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments (without argv[0])",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
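The FileMon schema above encodes the hook as a `oneOf` union discriminated by the `type` const, with each variant carrying a `$ref` next to its own `required` list (draft 2020-12 applies both), and it makes `parent` nullable through `anyOf`. The following added example, not code from the Bombini project, shows how a consumer resolves that structure without a full JSON Schema library: it picks the variant by `type`, follows the `$ref` to the `*Info` definition, and reports missing required fields for the hook and for the process records. The embedded schema is a trimmed copy of the one above (three hook variants), and the sample events are constructed from the PathUnlink and PathChmod examples earlier on the page.

```python
# Trimmed copy of the FileMon schema above: top-level required keys, the parent
# anyOf, three of the LsmFileHook variants and the $defs they reference.
FILEMON_SCHEMA = {
    "required": ["process", "hook", "timestamp"],
    "properties": {
        "hook": {"$ref": "#/$defs/LsmFileHook"},
        "parent": {"anyOf": [{"$ref": "#/$defs/Process"}, {"type": "null"}]},
        "process": {"$ref": "#/$defs/Process"},
    },
    "$defs": {
        "LsmFileHook": {"oneOf": [
            {"properties": {"type": {"const": "FileOpen"}}, "$ref": "#/$defs/FileOpenInfo", "required": ["type"]},
            {"properties": {"type": {"const": "PathUnlink"}}, "$ref": "#/$defs/PathInfo", "required": ["type"]},
            {"properties": {"type": {"const": "PathChmod"}}, "$ref": "#/$defs/ChmodInfo", "required": ["type"]},
        ]},
        "FileOpenInfo": {"required": ["path", "access_mode", "creation_flags", "uid", "gid", "i_mode"]},
        "PathInfo": {"required": ["path"]},
        "ChmodInfo": {"required": ["path", "i_mode"]},
        "Process": {"required": ["start_time", "cloned", "pid", "tid", "ppid", "uid", "euid", "gid", "egid",
                                 "auid", "cap_inheritable", "cap_permitted", "cap_effective", "secureexec",
                                 "filename", "binary_path", "args"]},
    },
}


def deref(schema, ref):
    """Resolve a local JSON pointer such as '#/$defs/PathInfo'."""
    node = schema
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node


def missing_required(schema, node, obj):
    """Keys required by node, and by any $ref it carries alongside, that obj lacks."""
    missing = [k for k in node.get("required", []) if k not in obj]
    if "$ref" in node:
        missing += missing_required(schema, deref(schema, node["$ref"]), obj)
    return missing


def classify_hook(schema, hook):
    """Match hook['type'] against the oneOf variants' const discriminator.
    Returns (variant_name, missing_fields); variant_name is None for an unknown type."""
    for variant in deref(schema, "#/$defs/LsmFileHook")["oneOf"]:
        if variant["properties"]["type"].get("const") == hook.get("type"):
            return hook["type"], missing_required(schema, variant, hook)
    return None, []


def check_file_event(schema, event):
    """Return a list of problems; empty when the event satisfies the trimmed schema."""
    problems = [f"missing top-level field: {k}" for k in schema["required"] if k not in event]
    hook = event.get("hook", {})
    variant, missing = classify_hook(schema, hook)
    if variant is None:
        problems.append(f"unknown hook type: {hook.get('type')!r}")
    problems += [f"hook {variant} missing field: {k}" for k in missing]
    process_def = deref(schema, "#/$defs/Process")
    for role in ("process", "parent"):
        obj = event.get(role)
        if obj is None:
            continue  # parent is nullable; a missing process was reported above
        problems += [f"{role} missing field: {k}" for k in missing_required(schema, process_def, obj)]
    return problems


# Constructed samples: a process record taken from the PathUnlink example above,
# a valid PathUnlink event with a null parent, and a PathChmod hook missing i_mode.
PROCESS = {"start_time": "2025-12-11T11:46:31.741Z", "cloned": False, "pid": 7656, "tid": 7656, "ppid": 6576,
           "uid": 0, "euid": 0, "gid": 0, "egid": 0, "auid": 1000, "cap_inheritable": "",
           "cap_permitted": "ALL_CAPS", "cap_effective": "ALL_CAPS", "secureexec": "", "filename": "rm",
           "binary_path": "/usr/bin/rm", "args": "/tmp/bombini-test-5R3Uq"}
GOOD_EVENT = {"type": "FileEvent", "hook": {"type": "PathUnlink", "path": "/tmp/bombini-test-5R3Uq"},
              "parent": None, "process": PROCESS, "timestamp": "2025-12-11T11:46:31.742Z"}
BAD_EVENT = {"type": "FileEvent", "hook": {"type": "PathChmod", "path": "/tmp/bombini-test-S6lD9/config/filemon.yaml"},
             "parent": PROCESS, "process": dict(PROCESS, filename="chmod"), "timestamp": "2025-12-11T11:46:23.488Z"}

if __name__ == "__main__":
    print("good:", check_file_event(FILEMON_SCHEMA, GOOD_EVENT))
    print("bad: ", check_file_event(FILEMON_SCHEMA, BAD_EVENT))
```

The good event passes with `parent` null; the bad one reports only the missing `i_mode` on the PathChmod hook. A production consumer would hand the full schema to a JSON Schema validator, but the dispatch-on-`type`-then-follow-`$ref` shape is what any hand-written deserializer of these events has to reproduce.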
GTFOBins
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "GTFOBinsEvent",
"description": "GTFO binary event execution attempt",
"type": "object",
"properties": {
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments (without argv[0])",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
IOUringMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "IOUringEvent",
"description": "io_uring events",
"type": "object",
"properties": {
"op_info": {
"description": "extra info for operation",
"$ref": "#/$defs/IOUringOpInfo"
},
"opcode": {
"description": "io_uring_ops",
"type": "string"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"opcode",
"op_info",
"timestamp"
],
"$defs": {
"IOUringOpInfo": {
"anyOf": [
{
"type": "object",
"properties": {
"access_flags": {
"type": "string"
},
"creation_flags": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"path",
"access_flags",
"creation_flags"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"addr": {
"type": "string"
},
"port": {
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"addr",
"port"
]
},
{
"type": "null"
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments (without argv[0])",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
NetMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "NetworkEvent",
"description": "Network event",
"type": "object",
"properties": {
"network_event": {
"description": "Network event",
"$ref": "#/$defs/NetworkEventType"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"network_event",
"timestamp"
],
"$defs": {
"NetworkEventType": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionEstablish"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionClose"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionAccept"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments (without argv[0])",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
},
"TcpConnection": {
"description": "TCP connection information (IPv4 or IPv6)",
"type": "object",
"properties": {
"cookie": {
"description": "socket cookie",
"type": "integer",
"format": "uint64",
"minimum": 0
},
"daddr": {
"description": "destination IP address",
"type": "string"
},
"dport": {
"description": "destination port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
},
"saddr": {
"description": "source IP address",
"type": "string"
},
"sport": {
"description": "source port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"saddr",
"daddr",
"sport",
"dport",
"cookie"
]
}
}
}
ProcMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExec",
"description": "Process exec event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments (without argv[0])",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessClone",
"description": "Process clone event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExit",
"description": "Process exit event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessEvent",
"description": "Process Event",
"type": "object",
"properties": {
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"process_event": {
"description": "Process event",
"$ref": "#/$defs/ProcessEventType"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"process_event",
"timestamp"
],
"$defs": {
"PrctlCmdUser": {
"description": "Enumeration of prctl supported commands",
"oneOf": [
{
"type": "object",
"properties": {
"Opcode": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"Opcode"
]
},
{
"type": "object",
"properties": {
"PrSetDumpable": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetDumpable"
]
},
{
"type": "object",
"properties": {
"PrSetKeepCaps": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetKeepCaps"
]
},
{
"type": "object",
"properties": {
"PrSetName": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [
"name"
]
}
},
"additionalProperties": false,
"required": [
"PrSetName"
]
},
{
"type": "object",
"properties": {
"PrSetSecurebits": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetSecurebits"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
},
"ProcessCapset": {
"description": "Capset event",
"type": "object",
"properties": {
"effective": {
"type": "string"
},
"inheritable": {
"type": "string"
},
"permitted": {
"type": "string"
}
},
"required": [
"inheritable",
"permitted",
"effective"
]
},
"ProcessCreateUserNs": {
"description": "CreateUserNs event",
"type": "object"
},
"ProcessEventType": {
"description": "Process event types",
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setuid"
}
},
"$ref": "#/$defs/ProcessSetUid",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setcaps"
}
},
"$ref": "#/$defs/ProcessCapset",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Prctl"
}
},
"$ref": "#/$defs/ProcessPrctl",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "CreateUserNs"
}
},
"$ref": "#/$defs/ProcessCreateUserNs",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PtraceAccessCheck"
}
},
"$ref": "#/$defs/ProcessPtraceAccessCheck",
"required": [
"type"
]
}
]
},
"ProcessPrctl": {
"description": "Prctl event",
"type": "object",
"properties": {
"cmd": {
"$ref": "#/$defs/PrctlCmdUser"
}
},
"required": [
"cmd"
]
},
"ProcessPtraceAccessCheck": {
"description": "PtraceAttach event",
"type": "object",
"properties": {
"child": {
"$ref": "#/$defs/Process"
},
"mode": {
"type": "string"
}
},
"required": [
"child",
"mode"
]
},
"ProcessSetUid": {
"description": "Setuid event",
"type": "object",
"properties": {
"euid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"flags": {
"description": "LSM_SETID_* flag values",
"type": "string"
},
"fsuid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"euid",
"uid",
"fsuid",
"flags"
]
}
}
}
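As an added example (not part of Bombini), the following Python reads a constructed NDJSON stream of documents shaped like the ProcessExec and ProcessEvent schemas above, checks each Process object against the schema's required list, and flags three privilege transitions a defender would want surfaced: exec of a setuid binary that changed the euid, a Setuid event moving the euid to 0, and user-namespace creation by an unprivileged process. The sample values, the timestamp strings and the rule that only ProcessEvent documents carry process_event are assumptions of the example; since the page does not specify the separator used inside secureexec, the SETUID token is matched as a substring.

```python
import json

# Copied from the "required" list of the Process schema above.
PROCESS_REQUIRED = (
    "start_time", "cloned", "pid", "tid", "ppid", "uid", "euid", "gid", "egid", "auid",
    "cap_inheritable", "cap_permitted", "cap_effective", "secureexec", "filename",
    "binary_path", "args",
)


def make_process(pid, uid, euid, filename, secureexec=""):
    """Build a schema-complete Process object from constructed sample values."""
    return {
        "start_time": "2024-01-01T10:00:00Z", "cloned": False, "pid": pid, "tid": pid,
        "ppid": 1, "uid": uid, "euid": euid, "gid": uid, "egid": euid, "auid": 1000,
        "cap_inheritable": "", "cap_permitted": "", "cap_effective": "",
        "secureexec": secureexec, "filename": filename,
        "binary_path": "/usr/bin/" + filename, "args": filename,
    }


SAMPLE_LINES = [json.dumps(e) for e in (  # constructed, not captured Bombini output
    {"timestamp": "t1", "parent": None,
     "process": make_process(101, 1000, 0, "passwd", "SETUID")},
    {"timestamp": "t2", "parent": None, "process": make_process(102, 1000, 1000, "bash"),
     "process_event": {"type": "Setuid", "uid": 0, "euid": 0, "fsuid": 0, "flags": "LSM_SETID_ID"}},
    {"timestamp": "t3", "parent": None, "process": make_process(103, 0, 0, "systemd"),
     "process_event": {"type": "CreateUserNs"}},
)]


def missing_fields(event):
    """Fields the Process schema requires but the event's process object lacks."""
    return [f for f in PROCESS_REQUIRED if f not in (event.get("process") or {})]


def findings(lines):
    """Apply three privilege-transition checks to an NDJSON event stream."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if missing_fields(ev):
            out.append(("malformed", None))
            continue
        p = ev["process"]
        pe = ev.get("process_event")  # assumption: only ProcessEvent documents carry this key
        if pe is None and "SETUID" in p["secureexec"] and p["uid"] != p["euid"]:
            out.append(("setuid_binary_exec", p["pid"]))
        elif pe and pe["type"] == "Setuid" and pe["euid"] == 0 and p["euid"] != 0:
            out.append(("euid_to_root", p["pid"]))
        elif pe and pe["type"] == "CreateUserNs" and p["euid"] != 0:
            out.append(("unprivileged_userns", p["pid"]))
    return out
```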
Overview
The design concepts are illustrated by the flowcharts below:
- architecture flowchart
- event transformation flowchart
Architecture Flowchart
---
config:
layout: elk
look: handDrawn
---
flowchart TB
A["Config"] -- configure --> B["Detectors"]
B -- manage --> C["eBPF probes"]
B -- manage --> D["eBPF maps"]
A -- configure --> E["Transmuters"]
A -- configure --> F["Transmitter"]
G["Monitor"] -- use --> E
G["Monitor"] -- use --> F
G["Monitor"] -- read --> H["RingBuffer"]
E -- manage --> I["Process cache"]
C -- send --> H
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: processes}
D@{ shape: cyl}
E@{ shape: processes}
H@{ shape: das}
I@{ shape: cyl}
Detector
Detector provides a common interface for loading and unloading eBPF programs, initializing maps and attaching programs to hook points. The eBPF part of the detectors is located here; the user mode part is here. Detectors can share information with each other by storing it in eBPF maps, and some parts of a detector can be reused by other detectors. Detectors submit events to user space through a ring buffer. Detectors are initialized from YAML config files and are stored in the Registry.
Transmuter
Transmuter provides a common interface to convert (transmute) low-level kernel events into serializable data structures (e.g. JSON). Transmuters can enrich kernel events with user mode data and implement different types of caching. Transmuters are stored in the TransmuterRegistry. One Detector can have many types of Transmuters, but usually it has only one.
Transmitter
Transmitter sends serialized events (byte arrays) to different destinations (unix socket, stdout, file, etc.).
Monitor
Monitor observes new low-level kernel events (messages) and extracts them from the ring buffer. Depending on the event type, it fetches the corresponding transmuter to convert and enrich the eBPF event. The transmuted events are then sent to their destination by the transmitter.
Config
Config provides all information about the Bombini setup. It also holds the options of the bombini CLI and the config of each detector to be loaded. The detectors' configs are also provided to the corresponding transmuters.
Event Transformation Flowchart
---
config:
layout: dagre
look: handDrawn
---
flowchart LR
A["Kernel Events"] -- collect & filter --> B["eBPF probes"]
B <-- store/update --> C["eBPF maps"]
B -- send --> D["RingBuffer"]
D --enrich & transform --> E["Transmuters"]
E -- serialize --> F["Transmitter"]
F -- send --> G["Collector"]
E <-- store/update --> I["Process cache"]
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: cyl}
D@{ shape: das}
E@{ shape: processes}
G@{ shape: cyl}
I@{ shape: cyl}
Filters
Filters are applied to eBPF events inside the eBPF probes in order to decide whether an event is exposed to user space or not. A detailed description of the filtering can be found in the description of the corresponding detector.
Process Execution Detection
eBPF
Process information (ProcInfo) is stored in PROCMON_PROC_MAP, which is shared across all detectors.
Map entries are updated by the sched_process_exec, sched_process_fork and sched_process_exit tracepoints and by the
security_bprm_committing_creds LSM BPF hook. This hook is used to collect binary_path with the bpf_d_path helper and to collect
the IMA binary hash. sched_process_fork creates an entry and sends a ProcessClone event; entries are created only for thread leaders (pid == tgid).
This means that Bombini doesn't track thread creation, but it does track events (e.g. file open) that happen in threads. In that case, the event holds
the process information of the thread leader.
sched_process_exec updates the entry and sends a ProcessExec event.
sched_process_exit marks the entry as "exited" for the garbage collector and sends a ProcessExit event.
User Space
In Bombini there are three event types related to process execution: ProcessExec, ProcessClone, and ProcessExit.
These events are produced by the corresponding Transmuters, which also maintain a ProcessCache holding the serializable Process
structures used in all event types. A ProcessClone event creates an entry in the ProcessCache. A ProcessExit event marks the
entry as "exited" for cache garbage collection. A ProcessExec event marks the Process cache entry related to the previous
clone() or exec() call as "exited" and puts a new Process entry in the cache.
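The cache lifecycle just described, as an added example written for this page rather than Bombini's own implementation: clone creates a live entry, exec retires the entry from the previous clone()/exec() and adds a new one, exit marks an entry for garbage collection. Keying entries by (pid, start_time) is an assumption of the example (the schema describes start_time as the last exec or clone time, so it changes on exec), and the sample events are constructed and carry only the fields the cache reads.

```python
class ProcessCache:
    """Mirror of the lifecycle above, keyed by (pid, start_time) (an assumption here) so an exec()'d image does not overwrite the clone()'s entry."""

    def __init__(self):
        self.entries = {}  # (pid, start_time) -> {"process": dict, "exited": bool}

    @staticmethod
    def _key(process):
        return (process["pid"], process["start_time"])

    def on_clone(self, event):
        self.entries[self._key(event["process"])] = {"process": event["process"], "exited": False}

    def on_exec(self, event):
        """ProcessExec: retire entries from the previous clone()/exec(), then add the new image."""
        pid = event["process"]["pid"]
        for key, entry in self.entries.items():
            if key[0] == pid:
                entry["exited"] = True
        self.entries[self._key(event["process"])] = {"process": event["process"], "exited": False}

    def on_exit(self, event):
        """ProcessExit: mark for garbage collection; the entry stays until gc() runs."""
        if (entry := self.entries.get(self._key(event["process"]))) is not None:
            entry["exited"] = True

    def live(self):
        return [e["process"]["filename"] for e in self.entries.values() if not e["exited"]]

    def gc(self):
        """Drop entries marked exited and report how many were collected."""
        dead = [k for k, e in self.entries.items() if e["exited"]]
        for k in dead:
            del self.entries[k]
        return len(dead)


def replay(steps):
    """Feed (kind, event) pairs, kind in {"clone", "exec", "exit"}, into a fresh cache."""
    cache = ProcessCache()
    for kind, event in steps:
        getattr(cache, "on_" + kind)(event)
    return cache


# Constructed sample (only the fields the cache reads): pid 201 is cloned, execs ls, then exits.
SAMPLE_STEPS = [
    ("clone", {"process": {"pid": 201, "start_time": "s1", "cloned": True, "filename": "bash"}}),
    ("exec", {"process": {"pid": 201, "start_time": "s2", "cloned": False, "filename": "ls"}}),
    ("exit", {"process": {"pid": 201, "start_time": "s2", "cloned": False, "filename": "ls"}}),
]
```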
Compatibility
CO-RE support in Aya is not yet implemented (issue). So, for now, the only way is to build Bombini on the target host (e.g. as a container, tarball, or binary).
Bombini supports the following Linux kernel versions: 6.2, 6.8 and 6.14. However, it might work on all 6+ kernels.
Requirements
Before running, check whether BPF LSM is enabled on your system:
cat /sys/kernel/security/lsm
If bpf appears in the output, BPF LSM is enabled.
Otherwise, you have to enable it by adding this line to /etc/default/grub:
GRUB_CMDLINE_LINUX="lsm=[previous lsm modules],bpf"
Update grub and reboot the system.