Introduction
Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.
Detectors are organized by event class and kernel subsystem:
- ProcMon: Tracks process creation and termination, as well as privilege escalation events.
- FileMon: Monitors file system activity and file-related operations.
- NetMon: Observes TCP connection establishment and teardown.
- IOUringMon: Inspects io_uring submission queue activity.
All Detectors perform in-kernel event filtering directly within eBPF programs, minimizing overhead and reducing the volume of data sent to userspace.
For advanced threat detection, Bombini also supports specialized Detectors, such as:
- GTFOBins: Detects attempts to spawn a privileged shell through abuse of GTFOBins-eligible binaries.
Additionally, ProcMon and FileMon can optionally enforce sandboxing policies, allowing fine-grained control over process execution and file access based on configurable rules.
By combining the safety of Rust, the power of eBPF, and the flexibility of LSM hooks, Bombini provides a lightweight, high-performance, and extensible runtime security monitoring solution for Linux systems.
Getting Started
Before moving further, please, check the compatibility page.
Container
Clone Bombini:
git clone https://github.com/bombinisecurity/bombini.git
Build container with Bombini:
cd ./bombini && \
docker build -t bombini .
Run
You can easily run Bombini with this command:
docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini
By default Bombini sends events to stdout in JSON format and starts only the ProcMon detector, intercepting
process execs and exits. To customize your Bombini setup, follow the Configuration chapter
and mount your config directory into the container:
docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro -v /sys/fs/bpf:/sys/fs/bpf bombini
You can save event logs to the file:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.log:/log/bombini.log -v /sys/fs/bpf:/sys/fs/bpf bombini --event-log /log/bombini.log
Or send them via unix socket:
docker run --pid=host --rm -it --privileged -v /tmp/bombini.sock:/log/bombini.sock -v /sys/fs/bpf:/sys/fs/bpf bombini --event-socket /log/bombini.sock
Bombini uses the env_logger crate. To see agent logs, pass --env "RUST_LOG=info|debug" to docker run.
Kubernetes
First build the bombini-builder container and push it to your container registry:
cd ./install/k8s/ && docker build -t bombini-builder .
This container has all dependencies needed to build bombini on the node without internet access.
The bombini.yaml manifest contains a bombini ConfigMap with the whole configuration. By default, only the ProcMon
detector is loaded. To customize your Bombini setup, follow the Configuration chapter.
To start bombini DaemonSet run:
kubectl apply -f ./bombini.yaml
Events can be found in the bombini pod log in k8s.
Kind Example
Install kind.
If your current directory is the repo root, change it to ./install/k8s:
cd ./install/k8s
Create kind cluster:
kind create cluster --config ./kind-config.yaml --name bombini-test-cluster
Build bombini-builder:
docker build -t bombini-builder .
Load bombini-builder image in kind cluster:
kind load docker-image bombini-builder:latest --name bombini-test-cluster
Start bombini:
kubectl apply -f ./bombini.yaml
Build
First, install build dependencies:
You can generate vmlinux.rs manually, or you can skip this step (vmlinux.rs file will be generated during the first build).
cargo xtask vmlinux-gen
Release build:
cargo xtask build --release
Run
sudo ./target/release/bombini --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
Or using cargo:
cargo xtask run --release -- --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config
By default Bombini sends events to stdout in JSON format and starts only the ProcMon detector, intercepting
process execs and exits. To customize your Bombini setup, follow the Configuration chapter.
Bombini uses the env_logger crate. To see agent logs, set the RUST_LOG=info|debug environment variable.
Tarball
You can generate a tarball with installation scripts for the bombini systemd service.
If you need config customization, update the detector configs in the ./config directory first and then execute:
cargo xtask tarball --release
Release tarball will be located at target/bombini.tar.gz
Install / Uninstall
Install bombini systemd service:
tar -xvf ./target/bombini.tar.gz -C ./target && \
sudo ./target/bombini/install.sh
Check events:
tail -f /var/log/bombini/bombini.log
Uninstall with uninstall.sh:
sudo ./target/bombini/uninstall.sh
Configuration
This chapter describes the way Bombini can be configured. Configuration is done by YAML config files.
Config files are stored in a separate directory, ./config for example. In this directory a config.yaml
file must exist. This file provides the global Bombini agent configuration, which can be overridden by CLI arguments.
To load detectors, detector config YAML files must be provided in the config directory (e.g. procmon.yaml).
Configuration of detectors is covered in the next chapters.
The protobuf specification for detector configs is located in the reference chapter.
Bombini Config
Bombini agent configuration is stored in config.yaml. An example config.yaml is provided below:
# Global parameters for bombini agent.
# All paths must be full canonical or
# relative to this config file.
---
# Directory with bpf detector object files
bpf_objs: /usr/local/lib/bombini/bpf
# Path to pin bpf maps.
maps_pin_path: /sys/fs/bpf/bombini
# Event map size (ring buffer size in bytes)
event_map_size: 65536
# Raw event channel size (number of event messages)
event_channel_size: 64
# Procmon process map size
procmon_proc_map_size: 8192
# Retain Transmuters caches every <gc_period> sec
gc_period: 30
# Transmit events to log file
log_file: /var/log/bombini/bombini.log
# Log file size in MB
log_file_size: 10
# Number of log file rotations
log_file_rotations: 5
# Enable log file compression
log_file_compression: false
# List of the detectors to load
detectors:
- procmon
#- filemon
#- netmon
#- io_uringmon
#- gtfobins
To load a detector, put its name in the detectors section of the config.
NOTE: a YAML file with the same name plus the ".yaml" suffix must exist in
the same directory as config.yaml.
Bombini CLI Arguments
Ebpf-based agent for observability and security monitoring
Usage: bombini [OPTIONS]
Options:
--bpf-objs <FILE> Directory with bpf detector object files
--maps-pin-path <FILE> Path to pin bpf maps
--event-map-size <VALUE> Event map size (ring buffer size in bytes) [default: 65536]
--event-channel-size <VALUE> Raw event channel size (number of event messages) [default: 64]
--procmon-proc-map-size <VALUE> Procmon process map size [default: 8192]
-D, --detector <NAME> Detector to load. Can be specified multiple times. Overrides the config
--gc-period <SEC> GC period for user mode caches in seconds
--config-dir <DIR> YAML config dir with global config and detector configs [default: /usr/local/lib/bombini/config]
--log-file <FILE> File path to save events
--log-file-rotations <VALUE> Number of rotated files to keep [default: 5]
--log-file-size <VALUE> Max size of rotated file in mb [default: 10]
--log-file-compression Enable compression for rotated files
--event-socket <FILE> Unix socket path to send events
-h, --help Print help
-V, --version Print version
The --bpf-objs, --maps-pin-path, --event-map-size, --event-channel-size and --detector options override the corresponding config options.
--log-file and --event-socket override the default output of JSON-serialized events to stdout.
Rules
Bombini agent implements a powerful event filtering mechanism that operates entirely within the eBPF layer. This approach ensures minimal overhead and maximum performance by filtering events at the kernel level before they reach user space.
Configuration Structure
Rules are defined in YAML format and organized by hook or hook group. The basic structure follows this pattern:
<hook_name>:
enabled: <boolean>
rules:
- rule: <rule_name>
scope: <boolean_predicate>
event: <boolean_predicate>
Example Configuration
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
scope: binary_path in ["/usr/bin/cat", "/usr/bin/tail"]
event: path_prefix == "/etc" AND name in ["passwd", "shadow", "sudoers"]
Rule Components
Scope Predicate. The scope predicate defines the subject to which the rule applies. This typically describes an executable or the whole host. To capture all events for the entire host, keep the scope predicate empty (or remove it from the rule). The executable context can be configured using the following attribute maps:
- binary_path: Full absolute path to executable
- binary_name: Executable name
- binary_prefix: Absolute path prefix for the executable (up to 255 bytes)
Event Predicate. The event predicate defines the event characteristics that should trigger the rule. The attribute maps available for event filtering are specific to the hook associated with the rule. Attribute descriptions can be found in the detector configuration chapters.
Predicate Combination. The scope and event predicates are combined using logical AND, so both conditions must be satisfied for the rule to match. It is possible to use only the scope or only the event predicate; for this purpose just remove the other one from the rule.
Boolean Predicate Syntax
| Operation | Syntax | Description | Example |
|---|---|---|---|
| AND | AND | Logical conjunction | path_prefix == "/etc" AND name == "passwd" |
| OR | OR | Logical disjunction | binary_path == "/usr/bin/cat" OR binary_path == "/usr/bin/tail" |
| NOT | NOT | Logical negation | NOT uid in [2000, 1000] |
| Grouping | ( ) | Control evaluation precedence | (A OR B) AND C |
| Membership | in | Check value existence in list | name in ["passwd", "shadow", "sudoers"] |
| Equality | == | Shorthand for single-element membership check | binary_path == "/usr/bin/cat" |
Operator Precedence
The following precedence order applies (from highest to lowest):
- Parentheses (), in, ==
- NOT
- AND
- OR
In Operator
The in operator is used to check if a value exists in a list. It can be used with both string and integer lists.
Integers can be specified in decimal or hexadecimal format. Strings are interpreted differently depending on the attribute map.
For path attribute maps, strings are treated as path strings. For IPv4/IPv6 address attribute maps, strings are treated as CIDRs,
for example "2000::/3" is an IPv6 CIDR. And last but not least, some attribute maps treat strings as bit flags:
for the ecaps attribute map, ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"] checks whether any of these flags (capabilities) is set.
Technical Limitations
- Maximum rules per hook: 32
- Maximum operations per rule: 16
- Maximum in operations per attribute in rule: 8
The last two constraints apply to the optimized rule.
Rule Optimizations
Bombini agent applies several optimizations to rules to improve performance:
- fold_not
- fold_or
- fold_and
Fold_or Optimization
The fold_or optimization combines multiple OR operations whose underlying "in" operations share the same attribute map into a single "in" operation.
Example
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/etc" OR path == "/var" OR path in ["/etc", "/tmp", "/opt"]
This rule will be optimized to:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path in ["/etc", "/tmp", "/opt", "/var"]
Fold_and Optimization
The fold_and optimization combines multiple AND operations whose underlying "in" operations share the same attribute map into a single "in" operation.
Example
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/etc" AND path in ["/etc", "/tmp", "/opt"]
This rule will be optimized to:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path in ["/etc"]
Also, this optimization checks if predicate is always false, and returns error:
file_open:
enabled: true
rules:
- rule: monitor_sensitive_files
event: path == "/log" AND path in ["/etc", "/tmp", "/opt"]
Fold_not Optimization
The fold_not optimization combines multiple NOT operations into a single NOT operation using De Morgan’s laws.
Example
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT path == "/var" AND NOT path == "/tmp"
This rule firstly will be optimized to:
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT (path == "/var" OR path == "/tmp")
And resulting rule after fold_or optimization will be:
file_open:
enabled: true
rules:
- rule: fold_not_and
event: NOT path in ["/var", "/tmp"]
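The predicate grammar, the operator precedence and the fold_not / fold_or / fold_and passes described above, modelled in Python as an added example. This is not Bombini's code: the agent parses rules in Rust and evaluates them in eBPF. The tuple AST shape, the function names and the ValueError raised for an always-false predicate are choices made here; attribute names and values are taken from the page's examples. Membership is modelled as plain list membership, so the path-prefix, CIDR and capability-flag readings of `in` are not represented.

```python
"""Toy model of Bombini's rule predicates and the fold_not / fold_or / fold_and passes.
Added example, not Bombini's code. Nodes: ("in", attr, values), ("not", x), ("and", [...]), ("or", [...])."""
import re

TOKEN_RE = r'"[^"]*"|0x[0-9a-fA-F]+|\d+|==|[()\[\],]|[A-Za-z_]\w*'  # hex must precede \d+


def parse(text):
    """Recursive descent over the documented precedence: ( ) in == > NOT > AND > OR."""
    toks, pos = re.findall(TOKEN_RE, text), [0]  # pos is a cursor shared by the closures

    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None

    def take(expected=None):
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        pos[0] += 1
        return tok

    def value():
        tok = take()
        return tok[1:-1] if tok.startswith('"') else int(tok, 0)  # decimal or 0x hex

    def chain(op, sub):  # sub (OP sub)*, combined left to right
        items = [sub()]
        while peek() == op.upper():
            take()
            items.append(sub())
        return items[0] if len(items) == 1 else (op, items)

    def expr():
        return chain("or", lambda: chain("and", negation))

    def negation():
        if peek() == "NOT":
            take()
            return ("not", negation())
        return atom()

    def atom():
        if peek() == "(":
            take()
            node = expr()
            take(")")
            return node
        attr = take()
        if peek() == "==":  # equality is shorthand for single-element membership
            take()
            return ("in", attr, [value()])
        take("in")
        take("[")
        vals = [value()]
        while peek() == ",":
            take()
            vals.append(value())
        take("]")
        return ("in", attr, vals)

    node = expr()
    if peek() is not None:
        raise SyntaxError(f"unexpected {peek()!r}")
    return node


def fold_not(node):
    """NOT NOT x -> x; AND/OR whose operands are all NOT -> NOT of the dual (De Morgan)."""
    if node[0] == "not" and node[1][0] == "not":
        return node[1][1]
    if node[0] in ("and", "or") and all(c[0] == "not" for c in node[1]):
        return ("not", ("or" if node[0] == "and" else "and", [c[1] for c in node[1]]))
    return node


def fold_in(node):
    """fold_or unions, fold_and intersects, the `in` lists that share an attribute."""
    if node[0] not in ("and", "or"):
        return node
    ins, others = [c for c in node[1] if c[0] == "in"], [c for c in node[1] if c[0] != "in"]
    merged = {}
    for _, attr, vals in ins:
        old, new = merged.get(attr), list(dict.fromkeys(vals))
        if old is None:
            merged[attr] = new
        elif node[0] == "or":
            merged[attr] = old + [v for v in new if v not in old]
        else:
            merged[attr] = [v for v in old if v in new]
        if not merged[attr]:  # always-false predicate is rejected, as the page describes
            raise ValueError(f"predicate on {attr!r} is always false")
    items = [("in", a, v) for a, v in merged.items()] + others
    return items[0] if len(items) == 1 else (node[0], items)


def optimize(node):
    """Bottom-up: fold_not first, then fold_or / fold_and, repeated until nothing changes."""
    if node[0] == "not":
        node = ("not", optimize(node[1]))
    elif node[0] in ("and", "or"):
        node = (node[0], [optimize(c) for c in node[1]])
    new = fold_in(fold_not(node))
    return node if new == node else optimize(new)
```

`optimize(parse(text))` reproduces the three worked examples on this page: the fold_or case yields a single `path in [...]`, the fold_and case collapses to `path in ["/etc"]`, and the `path == "/log"` case raises ValueError, mirroring the configuration error the agent reports. Parsing `cmd in [0x1268, 769]` gives the integers 4712 and 769, the same values the file_ioctl example on this page uses.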
Sandbox Mode
Bombini supports sandboxing for the ProcMon and FileMon detectors, allowing you to define fine-grained access control policies that are enforced directly in-kernel via eBPF LSM hooks. When enabled, sandboxing evaluates rules in enforcement mode: matching events can be allowed or denied based on the configured policy.
Sandbox configuration is added at the hook level and follows this pattern:
<hook_name>:
enabled: <boolean>
sandbox:
enabled: <boolean> # optional, default: false
deny_list: <boolean> # optional, default: false
rules:
- rule: <rule_name>
scope: <boolean_predicate>
event: <boolean_predicate>
Sandbox Parameters
- enabled: Activates sandbox enforcement for the hook. When false, rules operate in monitoring-only mode.
- deny_list: Controls policy mode:
- false (default): Allow-list mode — only events matching rules are permitted; all others are denied.
- true: Deny-list mode — events matching rules are explicitly blocked; all others are permitted.
Examples
file_open:
enabled: true
sandbox:
enabled: true
deny_list: true
rules:
- rule: OpenTestSandBoxRule
scope: binary_name in ["dash", "sh", "bash"]
event: name == "filemon.yaml" AND access_mode == "O_WRONLY"
bprm_check:
enabled: true
sandbox:
enabled: true
rules:
- rule: BprmCheckTestRule
event: path_prefix in ["/usr", "/bin", "/sbin", "/home"]
ProcMon
ProcMon is the main detector; it collects information about processes being spawned and exiting. Information about live processes is stored in a shared eBPF map and in the Process cache in user space. Every other detector depends on ProcMon monitoring process execs and exits, so this detector cannot be disabled.
Required Linux Kernel Version
6.2 or greater
Config Description
It is possible to include IMA hashes of the executed binary in the process information. To enable this, put the following in the config (false by default):
ima_hash: true
It is possible to set garbage collection period in seconds for PROCMON_PROC_MAP (process info in eBPF).
Default value is 30 sec.
gc_period: 30
Process Hooks
ProcMon monitors privilege escalation during process execution using the following LSM hooks:
- security_task_fix_setuid (config name: setuid)
- security_task_fix_setgid (config name: setgid)
- security_capset (config name: capset)
- security_task_prctl (config name: prctl)
- security_create_user_ns (config name: create_user_ns)
- security_ptrace_access_check (config name: ptrace_access_check)
- security_bprm_check (config name: bprm_check)
To enable hook:
<hook>:
enabled: true
Event Filtering
All hooks support scope filtering.
The following list of hooks support event filtering by rules and sandbox mode:
- security_task_fix_setuid
- security_task_fix_setgid
- security_capset
- security_create_user_ns
- security_bprm_check
security_task_fix_setuid
setuid supports the following filtering attributes:
- uid: new uid
- euid: new euid
Example
setuid:
enabled: true
rules:
- rule: UidTestRule
event: uid == 1000 AND euid == 0
security_task_fix_setgid
setgid supports the following filtering attributes:
- gid: new gid
- egid: new egid
Example
setgid:
enabled: true
rules:
- rule: GidTestRule
event: gid == 1000 AND egid == 0
security_capset
capset supports the following filtering attributes:
- ecaps: new effective capabilities
- pcaps: new permitted capabilities
List of capabilities can be found in capabilities(7).
We support a placeholder ANY_CAPS that matches all capabilities. The expressions ecaps in ["ANY_CAPS"] and ecaps == "ANY_CAPS" check whether any capability is set.
Example
capset:
enabled: true
rules:
- rule: CapsTestRule
event: ecaps == "CAP_SYS_ADMIN"
security_create_user_ns
create_user_ns supports the following filtering attributes:
- ecaps: effective capabilities
- euid: effective uid
Example
create_user_ns:
enabled: true
rules:
- rule: UnprivNsTestRule
event: NOT ecaps == "CAP_SYS_ADMIN"
security_bprm_check
bprm_check supports the following filtering attributes:
- path: absolute path of the binary executed via exec
- name: name of the binary executed via exec
- path_prefix: absolute path prefix of the binary executed via exec
Example
bprm_check:
enabled: true
rules:
- rule: TestBprmCheck
event: path_prefix == "/tmp" AND name == "ls"
FileMon
The FileMon detector provides events related to file and filesystem operations. Supported LSM hooks:
- file_open: provides info about the file owner/permissions and the permissions with which the process accessed the file.
- mmap_file: provides info about the mmapped file: path, protection flags.
- path_truncate: provides info about a path truncated by the truncate syscall.
- path_unlink: provides info about a path being deleted.
- path_symlink: provides info about symlink creation.
- path_chmod: provides info about changing file permissions.
- path_chown: provides info about changing the file owner.
- sb_mount: provides info about mounted devices.
- file_ioctl: provides info about ioctl commands.
Required Linux Kernel Version
- file_open: 6.2 or greater
- mmap_file: 6.2 or greater
- sb_mount: 6.2 or greater
- file_ioctl: 6.2 or greater
- path_truncate: 6.8 or greater
- path_unlink: 6.8 or greater
- path_symlink: 6.8 or greater
- path_chmod: 6.8 or greater
- path_chown: 6.8 or greater
Config Description
Config represents a dictionary with supported LSM BPF file hooks:
- file_open
- mmap_file
- path_truncate
- path_unlink
- path_symlink
- path_chmod
- path_chown
- sb_mount
- file_ioctl
For each file hook the following options are supported:
- enabled: enables detection for the given hook. False by default.
Event Filtering
The following list of hooks support event filtering by rules and sandbox mode:
- file_open
- path_truncate
- path_unlink
- path_symlink
- path_chmod
- path_chown
- mmap_file
- file_ioctl
file_open
file_open supports the following filtering attributes:
- path: the absolute path of the opened file.
- path_prefix: the absolute path prefix of the opened file.
- name: the name of the opened file.
- access_mode: the access mode of the opened file. It is treated as an enum value and can have only one value at runtime (e.g., O_RDONLY, O_WRONLY, O_RDWR). See man.
- creation_flags: the creation flags of the opened file. They are treated as a mask and can have multiple values at runtime (e.g., O_CREAT, O_EXCL, O_TRUNC simultaneously). See man.
Example
file_open:
enabled: true
rules:
- rule: OpenTestRule
scope: binary_name in ["ls", "tail"]
event: path in ["/etc"] OR name == "filemon.yaml"
path_truncate
path_truncate supports the following filtering attributes:
- path: the absolute path of the truncated file.
- path_prefix: the absolute path prefix of the truncated file.
- name: the name of the truncated file.
Example
path_truncate:
enabled: true
rules:
- rule: TruncateTestRule
event: path_prefix == "/tmp/bombini-test-"
path_unlink
path_unlink supports the following filtering attributes:
- path: the absolute path of the deleted file.
- path_prefix: the absolute path prefix of the deleted file.
- name: the name of the deleted file.
Example
path_unlink:
enabled: true
rules:
- rule: UnlinkTestRule
event: path_prefix == "/tmp" AND name == "test.json"
path_symlink
path_symlink supports the following filtering attributes:
- path: the path of the target file (may be relative).
- path_prefix: the path prefix of the target file (may be relative).
Example
path_symlink:
enabled: true
rules:
- rule: SymlinkTestRule
event: path_prefix == "../"
path_chmod
path_chmod supports the following filtering attributes:
- path: the absolute path of the file whose permissions are changed.
- path_prefix: the absolute path prefix of the file whose permissions are changed.
- name: the name of the file whose permissions are changed.
- mode: the file's new permissions. See man for details.
Example
path_chmod:
enabled: true
rules:
- rule: ChmodTestRule
event: name == "filemon.yaml" AND mode in ["S_IWOTH","S_IWGRP","S_IWUSR"]
path_chown
path_chown supports the following filtering attributes:
- path: the absolute path of the file whose owner is changed.
- path_prefix: the absolute path prefix of the file whose owner is changed.
- name: the name of the file whose owner is changed.
- uid: the file's new owner UID.
- gid: the file's new owner GID.
Example
path_chown:
enabled: true
rules:
- rule: ChownTestRule
event: name == "filemon.yaml" AND uid == 0 AND gid == 0
mmap_file
mmap_file supports the following filtering attributes:
- path: the absolute path of the mmapped file.
- path_prefix: the absolute path prefix of the mmapped file.
- name: the name of the mmapped file.
- prot_mode: the memory protection of the mmapped file. It is treated as a mask and can have multiple values at runtime (PROT_READ, PROT_WRITE, PROT_EXEC). See man for details.
- flags: the mmap flags. They are treated as a mask and can have multiple values at runtime (e.g., MAP_PRIVATE, MAP_SHARED, MAP_ANON). See man for details.
Example
mmap_file:
enabled: true
rules:
- rule: MmapTestRule
event: name == "filemon.yaml"
file_ioctl
file_ioctl supports the following filtering attributes:
- path: the absolute path of the device file.
- path_prefix: the absolute path prefix of the device file.
- name: the name of the device file.
- cmd: ioctl command.
Example
file_ioctl:
enabled: true
rules:
- rule: IoctlTestRule
event: path_prefix == "/dev" AND cmd in [4712, 2147766906, 769]
NetMon
The NetMon detector provides information about ingress/egress TCP connections over IPv4/IPv6.
Hooks:
- tcp_v4_connect: collects egress TCP IPv4 connection requests
- tcp_v6_connect: collects egress TCP IPv6 connection requests
- tcp_close: collects connection close events
- inet_csk_accept: collects TCP v4/v6 ingress connections
Required Linux Kernel Version
6.2 or greater
Config Description
First you need to enable monitoring for ingress/egress tcp connections or both:
ingress:
enabled: true
egress:
enabled: true
Event Filtering
NetMon supports attribute filtering for ingress/egress TCP connection events:
- ipv4_dst: destination IPv4 address of the ingress/egress TCP connection
- ipv4_src: source IPv4 address of the ingress/egress TCP connection
- ipv6_dst: destination IPv6 address of the ingress/egress TCP connection
- ipv6_src: source IPv6 address of the ingress/egress TCP connection
- port_src: source port of the ingress/egress TCP connection
- port_dst: destination port of the ingress/egress TCP connection
Examples
egress:
enabled: true
rules:
- rule: tcp-connections-out-of-cluster
event: >
NOT ipv4_dst in [
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"127.0.0.1",
"0.0.0.0"
] OR ipv6_dst == "2000::/3"
egress:
enabled: true
rules:
- rule: tcp-connections-to-api-server
event: ipv4_dst == "10.96.0.1" AND port_dst == 443
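The attribute-specific readings of `in` from the In Operator section (path strings, CIDRs for the ipv4/ipv6 attributes, any-of matching for capability flags, decimal or hex integers), applied to the tcp-connections-out-of-cluster rule above. This is an added example, not Bombini's code, which performs these checks in eBPF; the attribute-kind sets, the connection dict shape and the choice of which branch of the rule applies to an IPv4 versus an IPv6 connection are assumptions made here.

```python
"""Attribute-aware `in` membership as the Rules chapter describes it.
Added example, not Bombini's code; attribute kinds and sample values are constructed."""
import ipaddress

IP_ATTRS = {"ipv4_dst", "ipv4_src", "ipv6_dst", "ipv6_src"}  # list members are CIDRs
FLAG_ATTRS = {"ecaps", "pcaps"}  # list members are capability flags; any match wins
PREFIX_ATTRS = {"path_prefix", "binary_prefix"}  # list members are path prefixes


def member(attr, value, members):
    """True if `value` of attribute `attr` matches the rule list `members`."""
    if attr in IP_ATTRS:
        addr = ipaddress.ip_address(value)
        # strict=False lets a bare host address such as "127.0.0.1" act as a /32 (or /128)
        return any(addr in ipaddress.ip_network(m, strict=False) for m in members)
    if attr in FLAG_ATTRS:
        caps = set(value)  # the capabilities currently set on the task
        if "ANY_CAPS" in members:  # the page's placeholder: "is any capability set?"
            return bool(caps)
        return bool(caps & set(members))
    if attr in PREFIX_ATTRS:
        return any(value.startswith(m) for m in members)
    return value in members  # path, name, uid, cmd, ...: exact match


# The IPv4 list from the page's tcp-connections-out-of-cluster rule.
CLUSTER_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.1", "0.0.0.0"]


def leaves_cluster(conn):
    """Model of the page's egress rule:
    NOT ipv4_dst in [cluster ranges] OR ipv6_dst == "2000::/3".
    `conn` is a dict carrying either ipv4_dst or ipv6_dst (constructed shape); the
    branch is chosen by the address family present, an assumption made here."""
    if "ipv6_dst" in conn:
        return member("ipv6_dst", conn["ipv6_dst"], ["2000::/3"])
    return not member("ipv4_dst", conn["ipv4_dst"], CLUSTER_RANGES)


if __name__ == "__main__":
    for dst in ("10.96.0.1", "172.31.0.1", "172.32.0.1", "8.8.8.8"):
        print(dst, "leaves cluster:", leaves_cluster({"ipv4_dst": dst}))
    print("ecaps any-of:", member("ecaps", {"CAP_SYS_ADMIN", "CAP_NET_RAW"}, ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"]))
```

Note the asymmetry the page calls out: `path in ["/etc"]` matches only the path `/etc` itself, while `path_prefix in ["/etc"]` also matches `/etc/passwd`; and a capability list matches when any listed capability is set, not all of them.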
IOUringMon
The IOUring detector tracks SQE submissions using the io_uring_submit_req tracepoint.
Inspired by:
- curing example and post.
- RingReaper example and post.
Required Linux Kernel Version
6.8 or greater
Config Description
IOUringMon doesn’t provide rule-based filtering.
GTFObins
The GTFOBins detector detects GTFOBins execution. It checks whether a privileged shell is executed and reports process information about the GTFOBins binary that spawned the shell.
Required Linux Kernel Version
6.8 or greater
Config Description
Config represents the list of GTFOBins filenames.
enforce: true
gtfobins: # https://gtfobins.github.io/#+shell%20+SUID%20+Sudo
- aa-exec
- awk
- busctl
- busybox
- cabal
...
When the enforce flag is set to true, execution of GTFOBins is blocked. The default is false.
Protocol Documentation
Table of Contents
proto/config.proto
FileMonConfig
Configuration file for FileMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| file_open | HookConfig | | security_file_open config. |
| path_truncate | HookConfig | | security_path_truncate config. |
| path_unlink | HookConfig | | security_path_unlink config. |
| path_symlink | HookConfig | | security_path_symlink config. |
| path_chmod | HookConfig | | security_path_chmod config. |
| path_chown | HookConfig | | security_path_chown config. |
| sb_mount | HookConfig | | security_sb_mount config. |
| mmap_file | HookConfig | | security_mmap_file config. |
| file_ioctl | HookConfig | | security_file_ioctl config. |
GTFOBinsConfig
Configuration file for GTFOBinsDetector.
| Field | Type | Label | Description |
|---|---|---|---|
| enforce | bool | | Block execution of GTFOBins binaries. |
| gtfobins | string | repeated | GTFOBins executable names. |
HookConfig
Hook or group of hooks configuration
| Field | Type | Label | Description |
|---|---|---|---|
| enabled | bool | | Load eBPF programs |
| sandbox | SandboxMode | | Sandbox capabilities. |
| rules | Rule | repeated | Filtering rules |
NetMonConfig
Configuration file for NetMon detector.
| Field | Type | Label | Description |
|---|---|---|---|
| ingress | HookConfig | | Ingress traffic connections |
| egress | HookConfig | | Egress traffic connections |
ProcMonConfig
Configuration file for ProcMon detector
| Field | Type | Label | Description |
|---|---|---|---|
| setuid | HookConfig | | setuid hook config. |
| capset | HookConfig | | capset hook config. |
| prctl | HookConfig | | prctl hook config. |
| create_user_ns | HookConfig | | create_user_ns hook config. |
| ptrace_access_check | HookConfig | | ptrace_attach hook config. |
| setgid | HookConfig | | setgid hook config. |
| bprm_check | HookConfig | | bprm_check hook config. |
| ima_hash | bool | optional | Collect IMA hashes for executed binaries. |
| gc_period | uint64 | optional | GC period for PROCMON_PROC_MAP, default 30 sec. |
Rule
Rule definition. Scope and event predicates are used as logical conjunction.
| Field | Type | Label | Description |
|---|---|---|---|
| name | string | | Name of the rule. |
| scope | string | | Logical predicate describing the scope this rule applies to, e.g. process, container. |
| event | string | | Logical predicate describing the event this rule applies to. |
SandboxMode
Sandbox parameters.
Scalar Value Types
Events
This chapter describes all types of events produced by Bombini. Events are grouped by the corresponding detectors, and each event description includes a JSON example.
Each event carries the process information related to it.
The JSON schema for all events is located in the reference chapter.
ProcMon
ProcessExec
ProcessExec event represents a new executed binary (execve).
{
"parent": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 1000,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 72741,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T17:42:02.112Z",
"tid": 72741,
"uid": 1000
},
"process": {
"args": "-c byobu-status tmux_left",
"auid": 1000,
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 6700,
"ppid": 72741,
"secureexec": "",
"start_time": "2025-12-11T11:45:47.773Z",
"tid": 6700,
"uid": 1000
},
"timestamp": "2025-12-11T11:45:47.773Z",
"type": "ProcessExec"
}
IMA Binary Hash
Process information can be enriched with binary hashes collected from IMA.
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-lah",
"auid": 1000,
"binary_ima_hash": "sha256:0148f5ab3062a905281d8deb9645363da5131011c9e7b6dcaa38b504e41b68ea",
"binary_path": "/usr/bin/ls",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "ls",
"gid": 0,
"pid": 7259,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:12.653Z",
"tid": 7259,
"uid": 0
},
"timestamp": "2025-12-11T11:46:12.653Z",
"type": "ProcessExec"
}
Fileless Execution
The event indicates when no file was used for process execution (memfd_create).
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "fileless-exec-test",
"auid": 1000,
"binary_path": "/memfd:fileless-exec-test (deleted)",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "memfd:fileless-exec-test",
"gid": 0,
"pid": 7206,
"ppid": 6576,
"secureexec": "FILELESS_EXEC",
"start_time": "2025-12-11T11:46:10.107Z",
"tid": 7206,
"uid": 0
},
"timestamp": "2025-12-11T11:46:10.107Z",
"type": "ProcessExec"
}
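A small consumer for the ProcessExec events shown above, written as an added example rather than Bombini's code. It reads the newline-delimited JSON that Bombini writes to stdout, a log file or a unix socket and flags the two signals these examples document: a `secureexec` of `FILELESS_EXEC`, and an IMA `binary_ima_hash` that differs from a known-good value; it also flags sandbox-blocked ProcessEvent records by their `rule` name. The sample lines are constructed from the field names on this page and abbreviated to the fields the triage reads; the IMA allow-list and the blocked Setuid event are constructed placeholders.

```python
"""Triage of Bombini JSON event lines (stdout, --log-file or --event-socket output).
Added example, not Bombini's code. Sample events and the IMA allow-list are constructed."""
import json

# Constructed allow-list keyed by binary_path, values in Bombini's "sha256:<hex>" form.
IMA_ALLOWLIST = {
    "/usr/bin/ls": "sha256:0148f5ab3062a905281d8deb9645363da5131011c9e7b6dcaa38b504e41b68ea",
}


def triage_event(event):
    """Return a list of (finding, detail) tuples for one parsed event dict."""
    findings = []
    proc = event.get("process", {})
    if event.get("type") == "ProcessExec":
        if proc.get("secureexec") == "FILELESS_EXEC":  # memfd_create-backed execution
            findings.append(("fileless_exec", f"pid={proc.get('pid')} path={proc.get('binary_path')}"))
        expected = IMA_ALLOWLIST.get(proc.get("binary_path"))
        actual = proc.get("binary_ima_hash")  # present only when ima_hash: true
        if expected and actual and actual != expected:
            findings.append(("ima_hash_mismatch", f"{proc.get('binary_path')} got {actual}"))
    if event.get("type") == "ProcessEvent" and event.get("blocked"):
        pe = event.get("process_event", {})
        findings.append(("sandbox_blocked",
                         f"rule={event.get('rule')} event={pe.get('type')} pid={proc.get('pid')}"))
    return findings


def triage_lines(lines):
    """Parse newline-delimited JSON events and collect findings; report malformed lines."""
    out = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            out.extend(triage_event(json.loads(line)))
        except json.JSONDecodeError:
            out.append(("unparsable_line", line[:60]))
    return out


SAMPLE_LINES = [  # constructed, abbreviated events
    json.dumps({"type": "ProcessExec", "timestamp": "2025-12-11T11:45:47.773Z",
                "process": {"pid": 6700, "filename": "dash", "binary_path": "/usr/bin/dash",
                            "secureexec": "", "uid": 1000, "euid": 1000}}),
    json.dumps({"type": "ProcessExec", "timestamp": "2025-12-11T11:46:10.107Z",
                "process": {"pid": 7206, "filename": "memfd:fileless-exec-test",
                            "binary_path": "/memfd:fileless-exec-test (deleted)",
                            "secureexec": "FILELESS_EXEC", "uid": 0, "euid": 0}}),
    json.dumps({"type": "ProcessExec", "timestamp": "2025-12-11T11:46:12.653Z",
                "process": {"pid": 7259, "filename": "ls", "binary_path": "/usr/bin/ls",
                            "binary_ima_hash": IMA_ALLOWLIST["/usr/bin/ls"], "secureexec": ""}}),
    json.dumps({"type": "ProcessExec", "timestamp": "2025-12-11T11:47:00.000Z",
                "process": {"pid": 7300, "filename": "ls", "binary_path": "/usr/bin/ls",
                            "binary_ima_hash": "sha256:" + "00" * 32,  # constructed mismatch
                            "secureexec": ""}}),
    json.dumps({"type": "ProcessEvent", "timestamp": "2025-12-11T11:46:20.693Z", "blocked": True,
                "rule": "SetuidTestRule", "process": {"pid": 7425, "filename": "sudo"},
                "process_event": {"type": "Setuid", "uid": 0, "euid": 0, "flags": "LSM_SETID_RES"}}),
    json.dumps({"type": "ProcessExit", "timestamp": "2025-12-11T11:46:11.850Z",
                "process": {"pid": 7250, "filename": "dash"}}),
    "{not json",
]

if __name__ == "__main__":
    for kind, detail in triage_lines(SAMPLE_LINES):
        print(kind, detail)
```

To run it against a live agent, feed `triage_lines` the lines of `/var/log/bombini/bombini.log` (the systemd install path from the Tarball section) or the stream from the socket passed to `--event-socket`; the `binary_ima_hash` check only fires when ProcMon runs with `ima_hash: true`.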
ProcessClone
ProcessClone represents process creation via the fork() or clone() family of syscalls.
{
"parent": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 1000,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 72741,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T17:42:02.112Z",
"tid": 72741,
"uid": 1000
},
"process": {
"args": "-u -2 -f /usr/share/byobu/profiles/tmuxrc new-session -n - /usr/bin/byobu-shell",
"auid": 0,
"binary_path": "/usr/bin/tmux",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": true,
"egid": 1000,
"euid": 1000,
"filename": "tmux",
"gid": 1000,
"pid": 7243,
"ppid": 72741,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.813Z",
"tid": 7243,
"uid": 1000
},
"timestamp": "2025-12-11T11:46:11.813Z",
"type": "ProcessClone"
}
ProcessExit
ProcessExit event represents an exited process.
{
"parent": {
"args": "/usr/bin/byobu-status tmux_right",
"auid": 1000,
"binary_ima_hash": "sha256:86d31f6fb799e91fa21bad341484564510ca287703a16e9e46c53338776f4f42",
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 7248,
"ppid": 7243,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.845Z",
"tid": 7248,
"uid": 1000
},
"process": {
"args": "/usr/bin/byobu-status tmux_right",
"auid": 0,
"binary_path": "/usr/bin/dash",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": true,
"egid": 1000,
"euid": 1000,
"filename": "dash",
"gid": 1000,
"pid": 7250,
"ppid": 7248,
"secureexec": "",
"start_time": "2025-12-11T11:46:11.849Z",
"tid": 7250,
"uid": 1000
},
"timestamp": "2025-12-11T11:46:11.850Z",
"type": "ProcessExit"
}
ProcessEvents
ProcessEvents represent a collection of events related to privilege escalation.
Setuid
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-u nobody true",
"auid": 1000,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "sudo",
"gid": 0,
"pid": 7425,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:20.687Z",
"tid": 7425,
"uid": 0
},
"process_event": {
"euid": 0,
"flags": "LSM_SETID_RES",
"fsuid": 0,
"type": "Setuid",
"uid": 0
},
"timestamp": "2025-12-11T11:46:20.693Z",
"type": "ProcessEvent",
"blocked": false,
"rule": "SetuidTestRule"
}
Setgid
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-e80e3549db660238",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-e80e3549db660238",
"gid": 0,
"pid": 1175516,
"ppid": 1174657,
"secureexec": "",
"start_time": "2025-12-25T18:46:55.692Z",
"tid": 1175516,
"uid": 0
},
"process": {
"args": "-u nobody true",
"auid": 1000,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "sudo",
"gid": 0,
"pid": 1176620,
"ppid": 1175516,
"secureexec": "",
"start_time": "2025-12-25T18:47:36.348Z",
"tid": 1176620,
"uid": 0
},
"process_event": {
"egid": 0,
"flags": "LSM_SETID_RES",
"fsgid": 0,
"gid": 0,
"type": "Setgid"
},
"timestamp": "2025-12-25T18:47:36.355Z",
"type": "ProcessEvent",
"blocked": false,
"rule": "SetgidTestRule"
}
Setcaps
{
"parent": {
"args": "capsh --caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 0,
"binary_path": "/usr/bin/sudo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": true,
"egid": 0,
"euid": 0,
"filename": "sudo",
"gid": 0,
"pid": 7381,
"ppid": 7380,
"secureexec": "",
"start_time": "2025-12-11T11:46:18.013Z",
"tid": 7381,
"uid": 0
},
"process": {
"args": "--caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "capsh",
"gid": 0,
"pid": 7382,
"ppid": 7381,
"secureexec": "",
"start_time": "2025-12-11T11:46:18.016Z",
"tid": 7382,
"uid": 0
},
"process_event": {
"effective": "CAP_NET_RAW | CAP_SYS_ADMIN",
"inheritable": "",
"permitted": "CAP_NET_RAW | CAP_SYS_ADMIN",
"type": "Setcaps"
},
"timestamp": "2025-12-11T11:46:18.016Z",
"type": "ProcessEvent",
"blocked": false,
"rule": "SetcapsTestRule"
}
Prctl
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 217149,
"ppid": 216910,
"secureexec": "",
"start_time": "2025-12-14T11:16:03.806Z",
"tid": 217149,
"uid": 0
},
"process": {
"args": "--keep=1 -- -c echo KEEPCAPS enabled",
"auid": 1000,
"binary_path": "/usr/sbin/capsh",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "capsh",
"gid": 0,
"pid": 217438,
"ppid": 217149,
"secureexec": "",
"start_time": "2025-12-14T11:16:36.901Z",
"tid": 217438,
"uid": 0
},
"process_event": {
"cmd": {
"PrSetKeepCaps": 1
},
"type": "Prctl"
},
"timestamp": "2025-12-14T11:16:36.903Z",
"type": "ProcessEvent",
"blocked": false,
"rule": "PrctlTestRule"
}
CreateUserNs
{
"parent": null,
"process": {
"args": "-U",
"auid": 1000,
"binary_path": "/usr/bin/unshare",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "unshare",
"gid": 0,
"pid": 217376,
"ppid": 217149,
"secureexec": "",
"start_time": "2025-12-14T11:16:29.111Z",
"tid": 217376,
"uid": 0
},
"process_event": {
"type": "CreateUserNs"
},
"timestamp": "2025-12-14T11:16:29.113Z",
"type": "ProcessEvent",
"rule": "CreateUserNsTestRule"
}
PtraceAccessCheck
{
"type": "ProcessEvent",
"process": {
"start_time": "2025-12-11T12:07:20.621Z",
"cloned": false,
"pid": 26539,
"tid": 26539,
"ppid": 72885,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "gdb",
"binary_path": "/usr/bin/gdb",
"args": "attach -p 26029"
},
"parent": {
"start_time": "2025-11-26T17:42:04.042Z",
"cloned": false,
"pid": 72885,
"tid": 72885,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"process_event": {
"type": "PtraceAccessCheck",
"child": {
"start_time": "2025-12-11T12:06:49.791Z",
"cloned": false,
"pid": 26029,
"tid": 26029,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "vim.basic",
"binary_path": "/usr/bin/vim.basic",
"args": "./evets.log"
},
"mode": "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS"
},
"blocked": false,
"timestamp": "2025-12-11T12:07:20.712Z"
}
BprmCheck
{
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_procmon_bprm_check",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-a231bc096179efb9",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "procmon-a231bc096179efb9",
"gid": 0,
"pid": 2605086,
"ppid": 2605064,
"secureexec": "",
"start_time": "2026-03-08T14:49:55.896Z",
"tid": 2605086,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_procmon_bprm_check",
"auid": 0,
"binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-a231bc096179efb9",
"cap_effective": "ANY_CAPS",
"cap_inheritable": "",
"cap_permitted": "ANY_CAPS",
"cloned": true,
"egid": 0,
"euid": 0,
"filename": "procmon-a231bc096179efb9",
"gid": 0,
"pid": 2605173,
"ppid": 2605086,
"secureexec": "",
"start_time": "2026-03-08T14:49:57.908Z",
"tid": 2605173,
"uid": 0
},
"process_event": {
"binary": "/usr/bin/ls",
"type": "BprmCheck"
},
"rule": "BprmCheckTestRule",
"timestamp": "2026-03-08T14:49:57.909Z",
"blocked": false,
"type": "ProcessEvent"
}
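The ProcessEvent subtypes above share one envelope (process, parent, process_event, blocked, rule). The consumer below is an added example, not Bombini's own code: it reduces such events, read as JSON lines from Bombini's stdout, to one-line summaries and attaches a few indicator heuristics of its own. The sample events and the heuristics are constructed for this example.

```python
"""Triage of Bombini ProcessEvent records (the privilege-escalation subtypes above).

Added example, not part of Bombini: it reads the JSON lines Bombini writes to stdout,
reduces each ProcessEvent to a one-line summary and attaches defender-oriented
indicators. The sample events are constructed for this example and mirror the
fields of the documentation samples; the indicator heuristics are this example's own.
"""
import json
from typing import Iterable, Iterator


def _proc(pid: int, ppid: int, path: str, args: str, uid: int, euid: int) -> dict:
    """Constructed minimal Process object in the shape Bombini emits."""
    return {"pid": pid, "tid": pid, "ppid": ppid, "uid": uid, "euid": euid,
            "gid": uid, "egid": euid, "auid": 1000, "cloned": False,
            "cap_inheritable": "", "cap_permitted": "", "cap_effective": "",
            "secureexec": "", "filename": path.rsplit("/", 1)[-1],
            "binary_path": path, "args": args, "start_time": "2025-12-11T11:46:20.687Z"}


def describe(pe: dict) -> str:
    """Render the process_event sub-object of one ProcessEvent as text."""
    kind = pe["type"]
    if kind == "Setuid":
        return f"setuid uid={pe['uid']} euid={pe['euid']} fsuid={pe['fsuid']} ({pe['flags']})"
    if kind == "Setgid":
        return f"setgid gid={pe['gid']} egid={pe['egid']} fsgid={pe['fsgid']} ({pe['flags']})"
    if kind == "Setcaps":
        return f"setcaps effective=[{pe['effective']}] permitted=[{pe['permitted']}]"
    if kind == "Prctl":
        (cmd, value), = pe["cmd"].items()  # cmd is a one-key object, e.g. {"PrSetKeepCaps": 1}
        return f"prctl {cmd}={value}"
    if kind == "CreateUserNs":
        return "create user namespace"
    if kind == "PtraceAccessCheck":
        child = pe["child"]
        return f"ptrace {pe['mode']} on pid={child['pid']} {child['binary_path']}"
    if kind == "BprmCheck":
        return f"exec check for {pe['binary']}"
    return f"unhandled process_event type {kind}"


def indicators(event: dict) -> list:
    """Flags worth an analyst's attention (heuristics constructed for this example)."""
    proc, pe = event["process"], event["process_event"]
    found = []
    if pe["type"] == "Setcaps" and "CAP_SYS_ADMIN" in pe["effective"]:
        found.append("requests CAP_SYS_ADMIN")
    if pe["type"] == "Prctl" and pe["cmd"].get("PrSetKeepCaps") == 1:
        found.append("keeps capabilities across uid change")
    if pe["type"] == "CreateUserNs" and proc["euid"] != 0:
        found.append("unprivileged user namespace")
    if pe["type"] == "PtraceAccessCheck" and pe["child"]["euid"] != proc["euid"]:
        found.append("cross-user ptrace")
    return found


def summarize(event: dict) -> str:
    """One line per ProcessEvent: who, what, and whether the sandbox blocked it."""
    proc = event["process"]
    verdict = "BLOCKED" if event.get("blocked") else "allowed"
    flags = "; ".join(indicators(event))
    return (f"{event['timestamp']} pid={proc['pid']} {proc['binary_path']} "
            f"uid={proc['uid']} euid={proc['euid']}: {describe(event['process_event'])} "
            f"[{verdict}, rule={event.get('rule') or '-'}]" + (f" !! {flags}" if flags else ""))


def triage(lines: Iterable[str]) -> Iterator[str]:
    """Summarize every ProcessEvent in a JSON-lines stream; other event types are skipped."""
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if event.get("type") == "ProcessEvent":
                yield summarize(event)


SAMPLE_EVENTS = [  # constructed, modelled on the documentation samples
    {"type": "ProcessEvent", "timestamp": "2025-12-11T11:46:20.693Z", "blocked": False,
     "rule": "SetuidTestRule", "parent": None,
     "process": _proc(7425, 6576, "/usr/bin/sudo", "-u nobody true", 0, 0),
     "process_event": {"type": "Setuid", "flags": "LSM_SETID_RES", "uid": 0, "euid": 0, "fsuid": 0}},
    {"type": "ProcessEvent", "timestamp": "2025-12-11T11:46:18.016Z", "blocked": False,
     "rule": "SetcapsTestRule", "parent": None,
     "process": _proc(7382, 7381, "/usr/sbin/capsh", "--caps=cap_sys_admin=ep -- -c id", 0, 0),
     "process_event": {"type": "Setcaps", "effective": "CAP_NET_RAW | CAP_SYS_ADMIN",
                       "inheritable": "", "permitted": "CAP_NET_RAW | CAP_SYS_ADMIN"}},
    {"type": "ProcessEvent", "timestamp": "2025-12-11T12:07:20.712Z", "blocked": False,
     "rule": None, "parent": None,
     "process": _proc(26539, 72885, "/usr/bin/gdb", "attach -p 26029", 1000, 1000),
     "process_event": {"type": "PtraceAccessCheck", "mode": "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS",
                       "child": _proc(26029, 2230022, "/usr/bin/vim.basic", "./evets.log", 1001, 1001)}},
    {"type": "ProcessExec", "timestamp": "2025-12-11T11:46:11.813Z", "parent": None,
     "process": _proc(7243, 72741, "/usr/bin/tmux", "new-session", 1000, 1000)},
]

if __name__ == "__main__":
    for summary in triage(json.dumps(e) for e in SAMPLE_EVENTS):
        print(summary)
```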
FileMon
FileEvent represents a collection of events related to file and filesystem operations.
PathTruncate
The event is triggered when a file is truncated by the truncate syscall.
{
"hook": {
"path": "/tmp/bombini-test-U28D8",
"type": "PathTruncate"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "cargo",
"gid": 0,
"pid": 5914,
"ppid": 5913,
"secureexec": "",
"start_time": "2025-12-11T11:45:09.002Z",
"tid": 5914,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"timestamp": "2025-12-11T11:46:28.965Z",
"type": "FileEvent",
"blocked": false,
"rule": "TruncateTestRule"
}
PathUnlink
The event is triggered when a file is deleted.
{
"hook": {
"path": "/tmp/bombini-test-5R3Uq",
"type": "PathUnlink"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "/tmp/bombini-test-5R3Uq",
"auid": 1000,
"binary_path": "/usr/bin/rm",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "rm",
"gid": 0,
"pid": 7656,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:31.741Z",
"tid": 7656,
"uid": 0
},
"timestamp": "2025-12-11T11:46:31.742Z",
"type": "FileEvent",
"blocked": false,
"rule": "UnlinkTestRule"
}
PathSymlink
The event is triggered when a symbolic link is created.
{
"type": "FileEvent",
"process": {
"start_time": "2026-01-23T08:15:16.135Z",
"cloned": false,
"pid": 1944,
"tid": 1944,
"ppid": 1806,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "ln",
"binary_path": "/usr/bin/ln",
"args": "-s /etc/passwd /home/lima.linux/not_a_passwrod"
},
"parent": {
"start_time": "2026-01-23T08:12:56.496Z",
"cloned": false,
"pid": 1806,
"tid": 1806,
"ppid": 1711,
"uid": 535357931,
"euid": 535357931,
"gid": 1000,
"egid": 1000,
"auid": 535357931,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "bash",
"binary_path": "/usr/bin/bash",
"args": "--login"
},
"hook": {
"type": "PathSymlink",
"link_path": "/home/lima.linux/not_a_passwrod",
"old_path": "/etc/passwd"
},
"timestamp": "2026-01-23T08:15:16.135Z",
"rule": "SymlinkTestRule"
}
FileOpen
{
"hook": {
"access_mode": "O_RDONLY",
"creation_flags": "O_NONBLOCK | O_LARGEFILE | O_DIRECTORY",
"gid": 0,
"i_mode": "drwxr-xr-x",
"path": "/etc",
"type": "FileOpen",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "-lah /etc",
"auid": 1000,
"binary_path": "/usr/bin/ls",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "ls",
"gid": 0,
"pid": 6897,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:57.090Z",
"tid": 6897,
"uid": 0
},
"timestamp": "2025-12-11T11:45:57.094Z",
"type": "FileEvent",
"blocked": false,
"rule": "OpenTestRule"
}
PathChmod
{
"hook": {
"i_mode": "?rw-r--r--",
"path": "/tmp/bombini-test-S6lD9/config/filemon.yaml",
"type": "PathChmod"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "+w /tmp/bombini-test-S6lD9/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chmod",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "chmod",
"gid": 0,
"pid": 7491,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:23.486Z",
"tid": 7491,
"uid": 0
},
"timestamp": "2025-12-11T11:46:23.488Z",
"type": "FileEvent",
"blocked": false,
"rule": "ChmodTestRule"
}
PathChown
{
"hook": {
"gid": 0,
"path": "/tmp/bombini-test-49KFg/config/filemon.yaml",
"type": "PathChown",
"uid": 0
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "0:0 /tmp/bombini-test-49KFg/config/filemon.yaml",
"auid": 1000,
"binary_path": "/usr/bin/chown",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "chown",
"gid": 0,
"pid": 7552,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:46:26.188Z",
"tid": 7552,
"uid": 0
},
"timestamp": "2025-12-11T11:46:26.190Z",
"type": "FileEvent",
"blocked": false,
"rule": "ChownTestRule"
}
SbMount
The event is triggered when a block device is mounted.
{
"type": "FileEvent",
"process": {
"start_time": "2025-12-11T13:07:53.637Z",
"cloned": false,
"pid": 83289,
"tid": 83289,
"ppid": 83119,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "/dev/sda1 /mnt",
"container_id": "161287b604973779d82648fbbf6a418"
},
"parent": {
"start_time": "2025-12-11T13:07:46.743Z",
"cloned": false,
"pid": 83119,
"tid": 83119,
"ppid": 83097,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 4294967295,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "busybox",
"binary_path": "/bin/busybox",
"args": "",
"container_id": "161287b604973779d82648fbbf6a418"
},
"hook": {
"type": "SbMount",
"dev": "/dev/sda1",
"mnt": "/mnt",
"flags": 1306860944
},
"blocked": false,
"timestamp": "2025-12-11T13:07:53.637Z"
}
MmapFile
{
"hook": {
"flags": "MAP_SHARED | MAP_PRIVATE",
"path": "/tmp/bombini-test-kpUpE/config/filemon.yaml",
"prot": "PROT_READ | PROT_WRITE",
"type": "MmapFile"
},
"parent": {
"args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "cargo",
"gid": 0,
"pid": 5914,
"ppid": 5913,
"secureexec": "",
"start_time": "2025-12-11T11:45:09.002Z",
"tid": 5914,
"uid": 0
},
"process": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"timestamp": "2025-12-11T11:45:52.856Z",
"blocked": false,
"type": "FileEvent"
}
FileIoctl
{
"hook": {
"cmd": 3221775552,
"i_mode": "crw-rw----",
"path": "/dev/dri/card1",
"type": "FileIoctl"
},
"parent": {
"args": "--user",
"auid": 1000,
"binary_path": "/usr/lib/systemd/systemd",
"cap_effective": "CAP_WAKE_ALARM",
"cap_inheritable": "CAP_WAKE_ALARM",
"cap_permitted": "CAP_WAKE_ALARM",
"cloned": false,
"container_id": "1000.slice/user@1000.service/in",
"egid": 1000,
"euid": 1000,
"filename": "systemd",
"gid": 1000,
"pid": 2219,
"ppid": 1,
"secureexec": "",
"start_time": "2025-11-26T14:28:37.112Z",
"tid": 2219,
"uid": 1000
},
"process": {
"args": "",
"auid": 1000,
"binary_path": "/usr/bin/gnome-shell",
"cap_effective": "",
"cap_inheritable": "",
"cap_permitted": "",
"cloned": false,
"egid": 1000,
"euid": 1000,
"filename": "gnome-shell",
"gid": 1000,
"pid": 2476,
"ppid": 2219,
"secureexec": "",
"start_time": "2025-11-26T14:28:37.942Z",
"tid": 2476,
"uid": 1000
},
"timestamp": "2025-12-11T11:45:48.084Z",
"type": "FileEvent",
"blocked": false,
"rule": "IoctlTestRule"
}
NetMon
NetworkEvent represents a collection of events which describe ingress/egress TCP connections over IPv4/IPv6.
TcpConnectionEstablish
Example: wget -qO- -6 google.com
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:24.089Z",
"cloned": false,
"pid": 47663,
"tid": 47663,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "wget",
"binary_path": "/usr/bin/wget",
"args": "-qO- -6 google.com"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionEstablish",
"saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
"daddr": "2a00:1450:4001:80f::200e",
"sport": 44538,
"dport": 80,
"cookie": 63
},
"timestamp": "2025-12-11T12:31:24.105Z"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 49184,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 49856,
"type": "TcpConnectionEstablish"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "inetutils-telnet",
"gid": 0,
"pid": 6961,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:59.923Z",
"tid": 6961,
"uid": 0
},
"timestamp": "2025-12-11T11:45:59.931Z",
"type": "NetworkEvent",
"rule": "NetMonIpv4Test"
}
TcpConnectionClose
Example: wget -qO- -6 google.com
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:24.089Z",
"cloned": false,
"pid": 47663,
"tid": 47663,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "wget",
"binary_path": "/usr/bin/wget",
"args": "-qO- -6 google.com"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionClose",
"saddr": "2a00:1370:81a6:3f56:35f:ba59:506b:7d59",
"daddr": "2a00:1450:4001:80f::200e",
"sport": 44538,
"dport": 80,
"cookie": 63
},
"timestamp": "2025-12-11T12:31:24.942Z"
}
Example:
nc -l 7878
telnet localhost 7878
{
"network_event": {
"cookie": 49184,
"daddr": "127.0.0.1",
"dport": 7878,
"saddr": "127.0.0.1",
"sport": 49856,
"type": "TcpConnectionClose"
},
"parent": {
"args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
"auid": 1000,
"binary_path": "/home/fedotoff/bombini/target/release/deps/tests-539c5f7a878130ef",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "tests-539c5f7a878130ef",
"gid": 0,
"pid": 6576,
"ppid": 5914,
"secureexec": "",
"start_time": "2025-12-11T11:45:41.992Z",
"tid": 6576,
"uid": 0
},
"process": {
"args": "localhost 7878",
"auid": 1000,
"binary_path": "/usr/bin/inetutils-telnet",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "inetutils-telnet",
"gid": 0,
"pid": 6961,
"ppid": 6576,
"secureexec": "",
"start_time": "2025-12-11T11:45:59.923Z",
"tid": 6961,
"uid": 0
},
"timestamp": "2025-12-11T11:45:59.932Z",
"type": "NetworkEvent"
}
TcpConnectionAccept
Example:
nc -l 7878
telnet localhost 7878
{
"type": "NetworkEvent",
"process": {
"start_time": "2025-12-11T12:31:29.950Z",
"cloned": false,
"pid": 47767,
"tid": 47767,
"ppid": 2230022,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "nc.openbsd",
"binary_path": "/usr/bin/nc.openbsd",
"args": "-l 7878"
},
"parent": {
"start_time": "2025-12-04T07:30:11.663Z",
"cloned": false,
"pid": 2230022,
"tid": 2230022,
"ppid": 72741,
"uid": 1000,
"euid": 1000,
"gid": 1000,
"egid": 1000,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "",
"cap_effective": "",
"secureexec": "",
"filename": "zsh",
"binary_path": "/usr/bin/zsh",
"args": ""
},
"network_event": {
"type": "TcpConnectionAccept",
"saddr": "0.0.0.0",
"daddr": "0.0.0.0",
"sport": 7878,
"dport": 0,
"cookie": 8283
},
"timestamp": "2025-12-11T12:31:34.646Z"
}
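The establish and close events of one connection share the same cookie (63 for the wget connection and 49184 for the telnet connection above), so a consumer can join them. The tracker below is an added example, not Bombini's code; its sample stream is constructed for this example from the fields shown above.

```python
"""Pair Bombini TcpConnectionEstablish and TcpConnectionClose events by socket cookie.

Added example, not part of Bombini. The establish and close events of one TCP
connection carry the same `cookie`, so a stream consumer can reconstruct connection
lifetimes and list sockets that are still open. The sample stream is constructed
for this example from the documented fields.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, Optional


def _ts(value: str) -> datetime:
    """Parse Bombini's timestamp format, e.g. 2025-12-11T12:31:24.105Z (UTC, milliseconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


@dataclass
class Connection:
    cookie: int
    process: str  # binary_path of the process owning the socket
    pid: int
    saddr: str
    sport: int
    daddr: str
    dport: int
    established: datetime
    closed: Optional[datetime] = None

    @property
    def duration_s(self) -> Optional[float]:
        if self.closed is None:
            return None
        return round((self.closed - self.established).total_seconds(), 3)


@dataclass
class Tracker:
    """Stateful consumer; feed NetworkEvents in the order Bombini emitted them."""
    connections: dict = field(default_factory=dict)  # cookie -> Connection
    unmatched_closes: list = field(default_factory=list)  # close without an establish
    listeners: list = field(default_factory=list)  # (binary_path, port) from Accept events

    def feed(self, event: dict) -> None:
        if event.get("type") != "NetworkEvent":
            return
        ne, proc = event["network_event"], event["process"]
        kind, cookie = ne["type"], ne["cookie"]
        if kind == "TcpConnectionAccept":
            # In the sample above the Accept event carries the listening socket's
            # address (0.0.0.0:7878) and a zero peer, so only the port is recorded.
            self.listeners.append((proc["binary_path"], ne["sport"]))
        elif kind == "TcpConnectionEstablish":
            self.connections[cookie] = Connection(
                cookie, proc["binary_path"], proc["pid"], ne["saddr"], ne["sport"],
                ne["daddr"], ne["dport"], _ts(event["timestamp"]))
        elif kind == "TcpConnectionClose":
            conn = self.connections.get(cookie)
            if conn is None:
                self.unmatched_closes.append(cookie)
            else:
                conn.closed = _ts(event["timestamp"])

    def open_connections(self) -> list:
        return [c for c in self.connections.values() if c.closed is None]


def track(lines: Iterable[str]) -> Tracker:
    """Run a Tracker over a JSON-lines stream (what Bombini writes to stdout)."""
    tracker = Tracker()
    for line in lines:
        if line.strip():
            tracker.feed(json.loads(line))
    return tracker


def _event(kind, ts, binary, pid, saddr, sport, daddr, dport, cookie) -> dict:
    """Constructed NetworkEvent carrying only the fields this example reads."""
    return {"type": "NetworkEvent", "timestamp": ts, "parent": None,
            "process": {"pid": pid, "binary_path": binary},
            "network_event": {"type": kind, "saddr": saddr, "daddr": daddr,
                              "sport": sport, "dport": dport, "cookie": cookie}}


SAMPLE_STREAM = [json.dumps(e) for e in (
    _event("TcpConnectionAccept", "2025-12-11T12:31:34.646Z", "/usr/bin/nc.openbsd", 47767,
           "0.0.0.0", 7878, "0.0.0.0", 0, 8283),
    _event("TcpConnectionEstablish", "2025-12-11T12:31:24.105Z", "/usr/bin/wget", 47663,
           "2a00:1370:81a6:3f56:35f:ba59:506b:7d59", 44538, "2a00:1450:4001:80f::200e", 80, 63),
    _event("TcpConnectionEstablish", "2025-12-11T11:45:59.931Z", "/usr/bin/inetutils-telnet", 6961,
           "127.0.0.1", 49856, "127.0.0.1", 7878, 49184),
    _event("TcpConnectionClose", "2025-12-11T12:31:24.942Z", "/usr/bin/wget", 47663,
           "2a00:1370:81a6:3f56:35f:ba59:506b:7d59", 44538, "2a00:1450:4001:80f::200e", 80, 63),
    _event("TcpConnectionClose", "2025-12-11T11:46:00.000Z", "/usr/bin/curl", 7000,
           "127.0.0.1", 50000, "127.0.0.1", 7878, 99999),  # constructed: no matching establish
)]
```

Feed Bombini's stdout line by line to track(); anything still in open_connections() when the stream ends never produced a close event, and unmatched_closes lists cookies whose establish was missed.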
IOUringMon
For these IORING_OP opcodes Bombini provides extra information:
- IORING_OP_OPENAT / IORING_OP_OPENAT2
- IORING_OP_STATX
- IORING_OP_UNLINKAT
- IORING_OP_CONNECT
- IORING_OP_ACCEPT
For other opcodes only the opcode itself is reported.
IORING_OP_CONNECT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_CONNECT",
"op_info": {
"addr": "127.0.0.1",
"port": 443
},
"timestamp": "2025-12-11T12:37:46.238Z"
}
IORING_OP_OPENAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_OPENAT",
"op_info": {
"path": "/etc/passwd",
"access_flags": "O_RDONLY",
"creation_flags": "O_LARGEFILE"
},
"timestamp": "2025-12-11T12:38:25.972Z"
}
IORING_OP_STATX
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_STATX",
"op_info": {
"path": "/usr/bin/."
},
"timestamp": "2025-12-11T12:38:48.557Z"
}
IORING_OP_UNLINKAT
{
"type": "IOUringEvent",
"process": {
"start_time": "2025-12-11T12:37:46.235Z",
"cloned": false,
"pid": 53256,
"tid": 53256,
"ppid": 53255,
"uid": 0,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 1000,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "agent",
"binary_path": "/home/fedotoff/RingReaper/agent",
"args": ""
},
"parent": {
"start_time": "2025-12-11T12:37:46.221Z",
"cloned": true,
"pid": 53255,
"tid": 53255,
"ppid": 53226,
"uid": 1000,
"euid": 0,
"gid": 0,
"egid": 0,
"auid": 0,
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cap_effective": "ALL_CAPS",
"secureexec": "",
"filename": "sudo",
"binary_path": "/usr/bin/sudo",
"args": "./agent"
},
"opcode": "IORING_OP_UNLINKAT",
"op_info": {
"path": "/home/fedotoff/RingReaper/agent"
},
"timestamp": "2025-12-11T12:39:29.061Z"
}
GTFObins
The GTFOBins event carries information about a process in which a GTFOBins-eligible binary tries to spawn a privileged shell.
{
"process": {
"args": "-a /dev/null sh",
"auid": 1000,
"binary_path": "/usr/bin/xargs",
"cap_effective": "ALL_CAPS",
"cap_inheritable": "",
"cap_permitted": "ALL_CAPS",
"cloned": false,
"egid": 0,
"euid": 0,
"filename": "xargs",
"gid": 0,
"pid": 2159624,
"ppid": 2159623,
"secureexec": "",
"start_time": "2025-12-03T21:56:26.328Z",
"tid": 2159624,
"uid": 0
},
"timestamp": "2025-12-03T21:56:26.329Z",
"type": "GTFOBinsEvent"
}
Reference
JSON schema for all events.
FileMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "FileEvent",
"description": "File Event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"hook": {
"description": "LSM File hook info",
"$ref": "#/$defs/LsmFileHook"
},
"parent": {
"description": "Parent Information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process Information",
"$ref": "#/$defs/Process"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"hook",
"timestamp"
],
"$defs": {
"ChmodInfo": {
"type": "object",
"properties": {
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode"
]
},
"ChownInfo": {
"type": "object",
"properties": {
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"uid",
"gid"
]
},
"FileOpenInfo": {
"type": "object",
"properties": {
"access_mode": {
"description": "access mode passed to open()",
"type": "string"
},
"creation_flags": {
"description": "creation flags passed to open()",
"type": "string"
},
"gid": {
"description": "Group owner GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"uid": {
"description": "File owner UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"path",
"access_mode",
"creation_flags",
"uid",
"gid",
"i_mode"
]
},
"IoctlInfo": {
"type": "object",
"properties": {
"cmd": {
"description": "cmd",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"i_mode": {
"description": "i_mode",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path",
"i_mode",
"cmd"
]
},
"LsmFileHook": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileOpen"
}
},
"$ref": "#/$defs/FileOpenInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathTruncate"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathUnlink"
}
},
"$ref": "#/$defs/PathInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathSymlink"
}
},
"$ref": "#/$defs/PathSymlink",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChmod"
}
},
"$ref": "#/$defs/ChmodInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PathChown"
}
},
"$ref": "#/$defs/ChownInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "SbMount"
}
},
"$ref": "#/$defs/MountInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "MmapFile"
}
},
"$ref": "#/$defs/MmapInfo",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "FileIoctl"
}
},
"$ref": "#/$defs/IoctlInfo",
"required": [
"type"
]
}
]
},
"MmapInfo": {
"type": "object",
"properties": {
"flags": {
"description": "mmap flags",
"type": "string"
},
"path": {
"description": "full path",
"type": "string"
},
"prot": {
"description": "mmap protection",
"type": "string"
}
},
"required": [
"path",
"prot",
"flags"
]
},
"MountInfo": {
"type": "object",
"properties": {
"dev": {
"description": "device name",
"type": "string"
},
"flags": {
"description": "mount flags",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"mnt": {
"description": "mount path",
"type": "string"
}
},
"required": [
"dev",
"mnt",
"flags"
]
},
"PathInfo": {
"type": "object",
"properties": {
"path": {
"description": "full path",
"type": "string"
}
},
"required": [
"path"
]
},
"PathSymlink": {
"type": "object",
"properties": {
"link_path": {
"description": "full path",
"type": "string"
},
"old_path": {
"description": "symlink target",
"type": "string"
}
},
"required": [
"link_path",
"old_path"
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "command line arguments",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
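A pipeline that ingests these events can check each record against the schema before trusting its fields. The validator below is an added example, not part of Bombini: it handles only the JSON Schema subset the reference uses and embeds a shortened, constructed copy of the FileEvent schema above (two hook variants and a trimmed Process).

```python
"""Minimal structural validation of FileEvent records against the reference schema above.

Added example, not part of Bombini: a checker for the subset of JSON Schema the
reference uses (local $ref into $defs, type, const, minimum, required, properties,
anyOf/oneOf) so an ingestion pipeline can reject malformed events without a
third-party library. oneOf is treated as "at least one branch", which is enough for
the type-discriminated hook variants. FILE_EVENT_SCHEMA is a constructed, shortened
copy of the page's FileEvent schema (two hook variants, a trimmed Process).
"""
from typing import Any

_TYPES = {"object": dict, "string": str, "boolean": bool, "null": type(None)}


def _has_type(value: Any, names: list) -> bool:
    for name in names:
        if name == "integer":  # bool is an int subclass in Python; the schema means a number
            if isinstance(value, int) and not isinstance(value, bool):
                return True
        elif isinstance(value, _TYPES[name]):
            return True
    return False


def validate(schema: dict, node: dict, value: Any, path: str = "$") -> list:
    """Return error strings for `value` under schema `node`; an empty list means valid."""
    errors = []
    if "$ref" in node:  # sibling keywords still apply (2020-12 semantics), so no early return
        errors += validate(schema, schema["$defs"][node["$ref"].split("/")[-1]], value, path)
    if "const" in node and value != node["const"]:
        errors.append(f"{path}: expected {node['const']!r}, got {value!r}")
    if "type" in node:
        names = node["type"] if isinstance(node["type"], list) else [node["type"]]
        if not _has_type(value, names):
            errors.append(f"{path}: expected type {'/'.join(names)}")
    if "minimum" in node and _has_type(value, ["integer"]) and value < node["minimum"]:
        errors.append(f"{path}: below minimum {node['minimum']}")
    if isinstance(value, dict):
        for key in node.get("required", []):
            if key not in value:
                errors.append(f"{path}: missing required '{key}'")
        for key, sub in node.get("properties", {}).items():
            if key in value:
                errors += validate(schema, sub, value[key], f"{path}.{key}")
    for combinator in ("anyOf", "oneOf"):
        if combinator in node:
            branches = [validate(schema, b, value, path) for b in node[combinator]]
            if not any(len(b) == 0 for b in branches):
                errors.append(f"{path}: no {combinator} branch matched")
    return errors


FILE_EVENT_SCHEMA = {  # constructed: shortened from the FileMon reference schema
    "type": "object",
    "properties": {
        "blocked": {"type": "boolean"},
        "hook": {"$ref": "#/$defs/LsmFileHook"},
        "parent": {"anyOf": [{"$ref": "#/$defs/Process"}, {"type": "null"}]},
        "process": {"$ref": "#/$defs/Process"},
        "rule": {"type": ["string", "null"]},
        "timestamp": {"type": "string"},
    },
    "required": ["process", "blocked", "hook", "timestamp"],
    "$defs": {
        "LsmFileHook": {"oneOf": [
            {"type": "object", "properties": {"type": {"type": "string", "const": "PathUnlink"}},
             "$ref": "#/$defs/PathInfo", "required": ["type"]},
            {"type": "object", "properties": {"type": {"type": "string", "const": "PathSymlink"}},
             "$ref": "#/$defs/PathSymlink", "required": ["type"]},
        ]},
        "PathInfo": {"type": "object", "properties": {"path": {"type": "string"}},
                     "required": ["path"]},
        "PathSymlink": {"type": "object", "required": ["link_path", "old_path"],
                        "properties": {"link_path": {"type": "string"}, "old_path": {"type": "string"}}},
        "Process": {"type": "object", "required": ["pid", "binary_path", "args"],
                    "properties": {"pid": {"type": "integer", "format": "uint32", "minimum": 0},
                                   "binary_path": {"type": "string"}, "args": {"type": "string"}}},
    },
}

# Constructed events: GOOD_EVENT follows the PathUnlink sample; BAD_EVENT has a
# non-boolean `blocked`, a negative pid, and a hook typed PathSymlink with PathUnlink's field.
GOOD_EVENT = {"type": "FileEvent", "blocked": False, "rule": "UnlinkTestRule",
              "timestamp": "2025-12-11T11:46:31.742Z", "parent": None,
              "process": {"pid": 7656, "binary_path": "/usr/bin/rm", "args": "/tmp/bombini-test-5R3Uq"},
              "hook": {"type": "PathUnlink", "path": "/tmp/bombini-test-5R3Uq"}}
BAD_EVENT = {"type": "FileEvent", "blocked": "no", "timestamp": "2026-01-23T08:15:16.135Z",
             "process": {"pid": -1, "binary_path": "/usr/bin/ln", "args": "-s /etc/passwd x"},
             "hook": {"type": "PathSymlink", "path": "/etc/passwd"}}


def check_file_event(event: dict) -> list:
    """Validate one FileEvent dict against FILE_EVENT_SCHEMA."""
    return validate(FILE_EVENT_SCHEMA, FILE_EVENT_SCHEMA, event)
```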
GTFOBins
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "GTFOBinsEvent",
"description": "GTFO binary event execution attempt",
"type": "object",
"properties": {
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
IOUringMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "IOUringEvent",
"description": "io_uring events",
"type": "object",
"properties": {
"op_info": {
"description": "extra info for operation",
"$ref": "#/$defs/IOUringOpInfo"
},
"opcode": {
"description": "io_uring_ops",
"type": "string"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"opcode",
"op_info",
"timestamp"
],
"$defs": {
"IOUringOpInfo": {
"anyOf": [
{
"type": "object",
"properties": {
"access_flags": {
"type": "string"
},
"creation_flags": {
"type": "string"
},
"path": {
"type": "string"
}
},
"required": [
"path",
"access_flags",
"creation_flags"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"path": {
"type": "string"
}
},
"required": [
"path"
]
},
{
"type": "object",
"properties": {
"addr": {
"type": "string"
},
"port": {
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"addr",
"port"
]
},
{
"type": "null"
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
NetMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "NetworkEvent",
"description": "Network event",
"type": "object",
"properties": {
"network_event": {
"description": "Network event",
"$ref": "#/$defs/NetworkEventType"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"network_event",
"timestamp"
],
"$defs": {
"NetworkEventType": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionEstablish"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionClose"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "TcpConnectionAccept"
}
},
"$ref": "#/$defs/TcpConnection",
"required": [
"type"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
},
"TcpConnection": {
"description": "TCP IPv4 connection information",
"type": "object",
"properties": {
"cookie": {
"description": "socket cookie",
"type": "integer",
"format": "uint64",
"minimum": 0
},
"daddr": {
"description": "destination IP address,",
"type": "string"
},
"dport": {
"description": "destination port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
},
"saddr": {
"description": "source IP address",
"type": "string"
},
"sport": {
"description": "source port",
"type": "integer",
"format": "uint16",
"maximum": 65535,
"minimum": 0
}
},
"required": [
"saddr",
"daddr",
"sport",
"dport",
"cookie"
]
}
}
}
ProcMon
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExec",
"description": "Process exec event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessClone",
"description": "Process clone event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessExit",
"description": "Process exit event",
"type": "object",
"properties": {
"parent": {
"description": "Parent Process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"timestamp"
],
"$defs": {
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
}
}
}
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "ProcessEvent",
"description": "Process Event",
"type": "object",
"properties": {
"blocked": {
"description": "If event is blocked by sandbox mode",
"type": "boolean"
},
"parent": {
"description": "Parent process information",
"anyOf": [
{
"$ref": "#/$defs/Process"
},
{
"type": "null"
}
]
},
"process": {
"description": "Process information",
"$ref": "#/$defs/Process"
},
"process_event": {
"description": "Process event",
"$ref": "#/$defs/ProcessEventType"
},
"rule": {
"description": "Rule name",
"type": [
"string",
"null"
]
},
"timestamp": {
"description": "Event's date and time",
"type": "string"
}
},
"required": [
"process",
"blocked",
"process_event",
"timestamp"
],
"$defs": {
"PrctlCmdUser": {
"description": "Enumeration of prctl supported commands",
"oneOf": [
{
"type": "object",
"properties": {
"Opcode": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"Opcode"
]
},
{
"type": "object",
"properties": {
"PrSetDumpable": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetDumpable"
]
},
{
"type": "object",
"properties": {
"PrSetKeepCaps": {
"type": "integer",
"format": "uint8",
"maximum": 255,
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetKeepCaps"
]
},
{
"type": "object",
"properties": {
"PrSetName": {
"type": "object",
"properties": {
"name": {
"type": "string"
}
},
"required": [
"name"
]
}
},
"additionalProperties": false,
"required": [
"PrSetName"
]
},
{
"type": "object",
"properties": {
"PrSetSecurebits": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"additionalProperties": false,
"required": [
"PrSetSecurebits"
]
}
]
},
"Process": {
"description": "Process information",
"type": "object",
"properties": {
"args": {
"description": "current work directory",
"type": "string"
},
"auid": {
"description": "login UID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"binary_ima_hash": {
"description": "IMA binary hash",
"type": [
"string",
"null"
]
},
"binary_path": {
"description": "full binary path",
"type": "string"
},
"cap_effective": {
"type": "string"
},
"cap_inheritable": {
"type": "string"
},
"cap_permitted": {
"type": "string"
},
"cloned": {
"description": "is process cloned without exec",
"type": "boolean"
},
"container_id": {
"description": "skip for host",
"type": [
"string",
"null"
]
},
"egid": {
"description": "EGID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"euid": {
"description": "EUID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"filename": {
"description": "executable name",
"type": "string"
},
"gid": {
"description": "GID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"pid": {
"description": "PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"ppid": {
"description": "Parent PID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"secureexec": {
"description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
"type": "string"
},
"start_time": {
"description": "last exec or clone time",
"type": "string"
},
"tid": {
"description": "TID",
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"description": "UID",
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"start_time",
"cloned",
"pid",
"tid",
"ppid",
"uid",
"euid",
"gid",
"egid",
"auid",
"cap_inheritable",
"cap_permitted",
"cap_effective",
"secureexec",
"filename",
"binary_path",
"args"
]
},
"ProcessBprmCheck": {
"description": "Bprm_check event",
"type": "object",
"properties": {
"binary": {
"type": "string"
}
},
"required": [
"binary"
]
},
"ProcessCapset": {
"description": "Capset event",
"type": "object",
"properties": {
"effective": {
"type": "string"
},
"inheritable": {
"type": "string"
},
"permitted": {
"type": "string"
}
},
"required": [
"inheritable",
"permitted",
"effective"
]
},
"ProcessCreateUserNs": {
"description": "CreateUserNs event",
"type": "object"
},
"ProcessEventType": {
"description": "Process event types",
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setuid"
}
},
"$ref": "#/$defs/ProcessSetUid",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setgid"
}
},
"$ref": "#/$defs/ProcessSetGid",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Setcaps"
}
},
"$ref": "#/$defs/ProcessCapset",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "Prctl"
}
},
"$ref": "#/$defs/ProcessPrctl",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "CreateUserNs"
}
},
"$ref": "#/$defs/ProcessCreateUserNs",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "PtraceAccessCheck"
}
},
"$ref": "#/$defs/ProcessPtraceAccessCheck",
"required": [
"type"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "BprmCheck"
}
},
"$ref": "#/$defs/ProcessBprmCheck",
"required": [
"type"
]
}
]
},
"ProcessPrctl": {
"description": "Prctl event",
"type": "object",
"properties": {
"cmd": {
"$ref": "#/$defs/PrctlCmdUser"
}
},
"required": [
"cmd"
]
},
"ProcessPtraceAccessCheck": {
"description": "PtraceAttach event",
"type": "object",
"properties": {
"child": {
"$ref": "#/$defs/Process"
},
"mode": {
"type": "string"
}
},
"required": [
"child",
"mode"
]
},
"ProcessSetGid": {
"description": "Setgid event",
"type": "object",
"properties": {
"egid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"flags": {
"description": "LSM_SETID_* flag values",
"type": "string"
},
"fsgid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"gid": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"egid",
"gid",
"fsgid",
"flags"
]
},
"ProcessSetUid": {
"description": "Setuid event",
"type": "object",
"properties": {
"euid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"flags": {
"description": "LSM_SETID_* flag values",
"type": "string"
},
"fsuid": {
"type": "integer",
"format": "uint32",
"minimum": 0
},
"uid": {
"type": "integer",
"format": "uint32",
"minimum": 0
}
},
"required": [
"euid",
"uid",
"fsuid",
"flags"
]
}
}
}
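The schemas above describe the JSON Lines that Bombini writes to stdout. The following consumer is an added example, not code from the Bombini project: it dispatches on the keys that distinguish the event families and applies a few detection rules over constructed sample events shaped like the ProcessEvent and NetworkEvent schemas. The port allowlist and the rule thresholds are assumptions for the demo. Note that, as the schemas are written here, ProcessExec, ProcessClone, ProcessExit and GTFOBinsEvent all consist of process, parent and timestamp only, so a consumer of the raw stream cannot tell them apart without knowing which detector (or transmitter) produced the line.

```python
from __future__ import annotations
import json

# Constructed sample Process object carrying every field the Process
# definition above marks as required (not captured from a real Bombini run).
BASE_PROCESS = {
    "start_time": "2024-05-01T10:00:00Z", "cloned": False,
    "pid": 4242, "tid": 4242, "ppid": 4100,
    "uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000, "auid": 1000,
    "cap_inheritable": "", "cap_permitted": "", "cap_effective": "",
    "secureexec": "", "filename": "bash", "binary_path": "/usr/bin/bash",
    "args": "-i", "container_id": None, "binary_ima_hash": None,
}

# Destination ports this host is expected to talk to (assumed for the demo).
ALLOWED_DPORTS = {53, 80, 443}


def make_process(**overrides: object) -> dict:
    p = dict(BASE_PROCESS)
    p.update(overrides)
    return p


def classify(event: dict) -> str:
    """Tell the event families apart by the keys that only they carry.

    ProcessExec, ProcessClone, ProcessExit and GTFOBinsEvent all consist of
    process / parent / timestamp only, so the raw JSON cannot separate them.
    """
    if "process_event" in event:
        return "ProcessEvent"
    if "network_event" in event:
        return "NetworkEvent"
    if "opcode" in event:
        return "IOUringEvent"
    return "ProcessLifecycleOrGTFOBins"


def findings(event: dict) -> list[str]:
    """Apply a few detection rules to one event; returns finding labels."""
    out: list[str] = []
    proc = event["process"]
    kind = classify(event)
    if kind == "ProcessEvent":
        pe = event["process_event"]
        # A non-root process switching its euid to 0 (sudo/su do this too,
        # so in practice this is correlated with binary_path or auid).
        if pe["type"] == "Setuid" and proc["uid"] != 0 and pe["euid"] == 0:
            out.append(f"setuid-to-root pid={proc['pid']} uid={proc['uid']}")
        # Unprivileged user namespaces are a common first step of kernel exploits.
        if pe["type"] == "CreateUserNs" and proc["uid"] != 0:
            out.append(f"unprivileged-userns pid={proc['pid']} binary={proc['binary_path']}")
        if pe["type"] == "PtraceAccessCheck":
            out.append(f"ptrace pid={proc['pid']} target={pe['child']['pid']} mode={pe['mode']}")
        if event["blocked"]:
            out.append(f"sandbox-blocked rule={event.get('rule')} pid={proc['pid']}")
    elif kind == "NetworkEvent":
        ne = event["network_event"]
        if ne["type"] == "TcpConnectionEstablish" and ne["dport"] not in ALLOWED_DPORTS:
            out.append(f"unexpected-egress {ne['daddr']}:{ne['dport']} by {proc['binary_path']}")
    return out


def scan(lines) -> list[tuple[str, str]]:
    """Consume JSON Lines (one event per line) and collect (timestamp, finding)."""
    hits = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            hits.extend((event["timestamp"], f) for f in findings(event))
    return hits


# Constructed events, shaped like the ProcessEvent and NetworkEvent schemas.
SAMPLE_EVENTS = [
    {"timestamp": "t1", "process": make_process(), "parent": None, "blocked": False,
     "rule": None, "process_event": {"type": "Setuid", "uid": 0, "euid": 0,
                                     "fsuid": 0, "flags": "LSM_SETID_ID"}},
    {"timestamp": "t2", "process": make_process(pid=4300, filename="unshare",
                                                binary_path="/usr/bin/unshare"),
     "parent": None, "blocked": False, "rule": None,
     "process_event": {"type": "CreateUserNs"}},
    {"timestamp": "t3", "process": make_process(pid=4400, filename="curl",
                                                binary_path="/usr/bin/curl"),
     "parent": None, "rule": None,
     "network_event": {"type": "TcpConnectionEstablish", "saddr": "10.0.0.5",
                       "daddr": "203.0.113.9", "sport": 51000, "dport": 4444, "cookie": 1}},
    {"timestamp": "t4", "process": make_process(pid=4500, filename="curl",
                                                binary_path="/usr/bin/curl"),
     "parent": None, "rule": None,
     "network_event": {"type": "TcpConnectionEstablish", "saddr": "10.0.0.5",
                       "daddr": "203.0.113.9", "sport": 51001, "dport": 443, "cookie": 2}},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_LINES):
        print(ts, finding)
```

To run it against a live agent, pipe the container's stdout into scan() line by line; the internally tagged "type" field inside process_event and network_event is what the oneOf branches of the schemas encode, so the same dispatch works for every variant listed there.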
Overview
The design concepts are illustrated by the flowcharts below:
- architecture flowchart
- event transformation flowchart
Architecture Flowchart
---
config:
layout: elk
look: handDrawn
---
flowchart TB
A["Config"] -- configure --> B["Detectors"]
B -- manage --> C["eBPF probes"]
B -- manage --> D["eBPF maps"]
A -- configure --> E["Transmuters"]
A -- configure --> F["Transmitter"]
G["Monitor"] -- use --> E
G["Monitor"] -- use --> F
G["Monitor"] -- read --> H["RingBuffer"]
E -- manage --> I["Process cache"]
C -- send --> H
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: processes}
D@{ shape: cyl}
E@{ shape: processes}
H@{ shape: das}
I@{ shape: cyl}
Detector
Detector provides a common interface for loading / unloading eBPF programs, initializing maps and attaching programs to hook points. The eBPF part of the detectors is located here. The user mode part is here. Detectors can share information with each other by storing it in eBPF maps, and some parts of a detector can be reused across different detectors. Detectors submit events to user space through a ring buffer. Detectors are initialized from YAML config files and are stored in the Registry.
Transmuter
Transmuter provides a common interface to convert (transmute) low-level kernel events into serializable data structures (e.g. JSON). Transmuters can enrich kernel events with user mode data and implement different types of caching. Transmuters are stored in the TransmuterRegistry. One Detector can have many types of Transmuters, but usually it has only one.
Transmitter
Transmitter sends serialized events (byte arrays) to different destinations (unix socket, stdout, file, etc).
Monitor
Monitor observes new low-level kernel events (messages) and extracts them from the ring buffer. According to the event type, it fetches the corresponding Transmuter to convert and enrich the eBPF event. The transmuted events are then sent to their destination by the Transmitter.
Config
Config provides all information about the Bombini setup. It also holds the options of the bombini CLI and the config for each detector to be loaded. Each detector's config is also provided to the corresponding Transmuters.
Event Transformation Flowchart
---
config:
layout: dagre
look: handDrawn
---
flowchart LR
A["Kernel Events"] -- collect & apply rules --> B["eBPF probes"]
B <-- store/update --> C["eBPF maps"]
B -- send --> D["RingBuffer"]
D --enrich & transform --> E["Transmuters"]
E -- serialize --> F["Transmitter"]
F -- send --> G["Collector"]
E <-- store/update --> I["Process cache"]
A@{ shape: docs}
B@{ shape: processes}
C@{ shape: cyl}
D@{ shape: das}
E@{ shape: processes}
G@{ shape: cyl}
I@{ shape: cyl}
Rule Engine
The rule engine executes entirely within the eBPF layer using a custom Reverse Polish Notation (RPN) interpreter.
Rules are parsed using the LALRPOP framework, which generates an AST that undergoes optimization passes before being
serialized into a binary format. These serialized rules are stored in dedicated eBPF maps,
while set-membership (in) operations trigger lookups against attribute-specific eBPF maps (e.g., binary_path, ipv4_dst, etc.).
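To make that pipeline concrete, here is an added Python model of the approach. It is not Bombini's code: the rule syntax, the instruction set and the in-memory "maps" are assumptions that stand in for the LALRPOP grammar, the binary encoding and the attribute-specific eBPF maps. A rule is compiled from infix tokens to RPN, set literals are hoisted out of the program into separate maps so that an in operation becomes a map lookup, a small constant-folding pass runs before "serialization", and a stack machine evaluates the program against a dictionary of process attributes.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical rule syntax for this model (not Bombini's grammar): tokens are
# whitespace separated; an operand is an attribute name, an integer, true/false,
# a "quoted" string, or a set literal written as {a,b,c} with no spaces.
BINARY_OPS = {"or": 1, "and": 2, "==": 4, "!=": 4, "in": 4}
UNARY_OPS = {"not": 3}


@dataclass
class Program:
    code: list[tuple]                                  # RPN instructions
    maps: dict[int, set] = field(default_factory=dict)  # stands in for attribute eBPF maps


def _const(tok: str):
    if tok in ("true", "false"):
        return tok == "true"
    if tok.lstrip("-").isdigit():
        return int(tok)
    return tok.strip('"')


def compile_rule(rule: str) -> Program:
    """Shunting-yard: infix tokens -> RPN; set literals are hoisted into maps."""
    prog = Program(code=[])
    ops: list[str] = []
    for tok in rule.split():
        if tok == "(":
            ops.append(tok)
        elif tok == ")":
            while ops and ops[-1] != "(":
                prog.code.append((ops.pop(),))
            if not ops:
                raise ValueError("unbalanced ')'")
            ops.pop()
        elif tok in BINARY_OPS or tok in UNARY_OPS:
            prec = {**BINARY_OPS, **UNARY_OPS}[tok]
            while ops and ops[-1] != "(":
                top = {**BINARY_OPS, **UNARY_OPS}[ops[-1]]
                # left-assoc binary ops pop equal precedence; 'not' does not
                if top > prec or (top == prec and tok in BINARY_OPS):
                    prog.code.append((ops.pop(),))
                else:
                    break
            ops.append(tok)
        elif tok.startswith("{") and tok.endswith("}"):
            map_id = len(prog.maps)
            prog.maps[map_id] = {_const(v) for v in tok[1:-1].split(",") if v}
            prog.code.append(("push_map", map_id))
        elif tok not in ("true", "false") and tok.isidentifier():
            prog.code.append(("load", tok))        # process attribute, e.g. uid
        else:
            prog.code.append(("push", _const(tok)))
    while ops:
        if ops[-1] == "(":
            raise ValueError("unbalanced '('")
        prog.code.append((ops.pop(),))
    return prog


def _apply(op: str, lhs, rhs, maps: dict[int, set]):
    if op == "in":
        return lhs in maps[rhs]        # the map lookup the text describes
    return {"==": lhs == rhs, "!=": lhs != rhs,
            "and": bool(lhs and rhs), "or": bool(lhs or rhs)}[op]


def fold_constants(prog: Program) -> Program:
    """One optimization pass: evaluate operators whose operands are both constants."""
    code: list[tuple] = []
    for ins in prog.code:
        if ins[0] in ("==", "!=", "and", "or") and len(code) >= 2 \
                and code[-1][0] == code[-2][0] == "push":
            rhs, lhs = code.pop()[1], code.pop()[1]
            code.append(("push", _apply(ins[0], lhs, rhs, prog.maps)))
        else:
            code.append(ins)
    return Program(code=code, maps=prog.maps)


def evaluate(prog: Program, attrs: dict) -> bool:
    """RPN stack machine, the user-space twin of the in-kernel interpreter."""
    stack: list = []
    for ins in prog.code:
        if ins[0] == "load":
            stack.append(attrs[ins[1]])
        elif ins[0] in ("push", "push_map"):
            stack.append(ins[1])
        elif ins[0] == "not":
            stack.append(not stack.pop())
        else:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(_apply(ins[0], lhs, rhs, prog.maps))
    if len(stack) != 1:
        raise ValueError("malformed program")
    return bool(stack[0])


# Constructed rule: a known reverse-shell helper run with elevated or
# mismatched credentials, by a process that actually exec'd (not a bare clone).
RULE = ("binary_path in {/usr/bin/nc,/usr/bin/ncat,/usr/bin/socat} "
        "and ( euid == 0 or euid != uid ) and not cloned == true")

if __name__ == "__main__":
    prog = fold_constants(compile_rule(RULE))
    print(prog.code)
    print(evaluate(prog, {"binary_path": "/usr/bin/nc", "euid": 0, "uid": 1000, "cloned": False}))
```

The split between the program and the maps is the point worth noticing: the RPN program stays small and fixed-size, which suits an eBPF map value and a bounded interpreter loop, while the potentially large value sets live in their own maps and can be updated without recompiling the rule.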
Process Execution Detection
eBPF
Process information (ProcInfo) is stored in PROCMON_PROC_MAP, which is shared across all detectors.
Map entries are updated from the sched_process_exec, sched_process_fork and sched_process_exit tracepoints and from the
security_bprm_committing_creds LSM BPF hook. This hook is used to collect binary_path with the bpf_d_path helper and to collect the IMA binary
hash. sched_process_fork creates an entry and sends a ProcessClone event; entries are created only for thread leaders (pid == tgid).
This means that Bombini does not track thread creation, but it does track events (e.g. file open, etc.) that happen in threads. In that case the event holds
the process information of the thread leader.
sched_process_exec updates the entry and sends a ProcessExec event.
sched_process_exit marks the entry as "exited" for the garbage collector and sends a ProcessExit event.
User Space
In Bombini there are three event types related to process execution: ProcessExec, ProcessClone, and ProcessExit.
These events are produced by the corresponding Transmuters, which also maintain a ProcessCache holding the serializable Process
structures used in all event types. A ProcessClone event creates an entry in the ProcessCache. A ProcessExit event marks the
entry as "exited" for cache garbage collection. A ProcessExec event marks as "exited" the cache entry created by the previous
clone() or exec() call and puts a new Process entry in the cache.
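The following Python model of that cache lifecycle is an added example, not Bombini's implementation; the entry layout, the (pid, start_time) key and the event sequence in demo() are assumptions. It shows why exec retires the pre-exec incarnation instead of overwriting it, why exit only marks the entry (the exit event itself is still serialized from it), how an event raised in a thread resolves to its thread leader, and what the garbage collector finally removes.

```python
from __future__ import annotations
from dataclasses import dataclass, asdict

# Illustrative model of the ProcessCache lifecycle described above (an added
# example, not Bombini's implementation).  Entries are keyed by
# (pid, start_time) so that a PID reused after exec or exit never aliases an
# older incarnation; only thread leaders (pid == tgid) get entries.


@dataclass
class Process:
    pid: int
    ppid: int
    start_time: str
    binary_path: str
    cloned: bool
    exited: bool = False        # marked for the garbage collector


class ProcessCache:
    def __init__(self) -> None:
        self.entries: dict[tuple[int, str], Process] = {}
        self.current: dict[int, str] = {}   # pid -> start_time of the live incarnation

    def _insert(self, p: Process) -> None:
        self.entries[(p.pid, p.start_time)] = p
        self.current[p.pid] = p.start_time

    def live(self, pid: int) -> Process | None:
        st = self.current.get(pid)
        return None if st is None else self.entries.get((pid, st))

    def resolve(self, tgid: int, tid: int) -> Process | None:
        """Events raised in a thread are attributed to the thread leader."""
        return self.live(tgid)

    def _event(self, kind: str, pid: int) -> tuple[str, dict]:
        p = self.live(pid)
        parent = self.live(p.ppid) if p else None
        return kind, {"process": asdict(p) if p else None,
                      "parent": asdict(parent) if parent else None}

    def on_clone(self, pid: int, tgid: int, ppid: int, start_time: str):
        """sched_process_fork: entry only for thread leaders; binary inherited."""
        if pid != tgid:
            return None
        parent = self.live(ppid)
        self._insert(Process(pid, ppid, start_time,
                             parent.binary_path if parent else "", cloned=True))
        return self._event("ProcessClone", pid)

    def on_exec(self, pid: int, ppid: int, start_time: str, binary_path: str):
        """sched_process_exec: retire the pre-exec incarnation, insert the new one."""
        old = self.live(pid)
        if old:
            old.exited = True
        self._insert(Process(pid, ppid, start_time, binary_path, cloned=False))
        return self._event("ProcessExec", pid)

    def on_exit(self, pid: int):
        """sched_process_exit: mark only; the exit event itself still needs the entry."""
        p = self.live(pid)
        if p:
            p.exited = True
        return self._event("ProcessExit", pid)

    def gc(self) -> int:
        """Sweep exited entries; returns how many were removed."""
        dead = [k for k, p in self.entries.items() if p.exited]
        for pid, st in dead:
            del self.entries[(pid, st)]
            if self.current.get(pid) == st:
                del self.current[pid]
        return len(dead)


def demo() -> ProcessCache:
    """Constructed sequence: init execs, forks a child that execs bash, which spawns a thread."""
    cache = ProcessCache()
    cache.on_exec(pid=1, ppid=0, start_time="t0", binary_path="/sbin/init")
    cache.on_clone(pid=100, tgid=100, ppid=1, start_time="t1")
    cache.on_clone(pid=101, tgid=100, ppid=1, start_time="t1")    # thread: ignored
    cache.on_exec(pid=100, ppid=1, start_time="t2", binary_path="/usr/bin/bash")
    return cache


if __name__ == "__main__":
    c = demo()
    print(c.resolve(100, 101))
    print(c.on_exit(100))
    print("collected", c.gc(), "entries")
```

Running the sweep only from a periodic task, rather than inside on_exit, is what keeps the cache consistent with the ring buffer: an event for a process can still be sitting in the buffer after its exit message has been read.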
Compatibility
CO-RE support in Aya is not yet implemented (issue). So, for now, the only option is to build Bombini on the target host (e.g. as a container, tarball or binary built there).
Bombini supports the following Linux kernel versions: 6.2, 6.8 and 6.14. However, it might work on all 6+ kernels.
Requirements
Before running, check whether the BPF LSM is enabled on your system:
cat /sys/kernel/security/lsm
If bpf appears in the output, the BPF LSM is enabled.
Otherwise, you have to enable it by adding this line to /etc/default/grub, keeping the modules already listed in /sys/kernel/security/lsm and appending bpf:
GRUB_CMDLINE_LINUX="lsm=[previous lsm modules],bpf"
Update the GRUB configuration (e.g. update-grub) and reboot the system.