Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Introduction

Bombini logo

Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.

Detectors are organized by event class and kernel subsystem:

  • ProcMon: Tracks process creation and termination, as well as privilege escalation events.
  • FileMon: Monitors file system activity and file-related operations.
  • NetMon: Observes TCP connection establishment and teardown.
  • KernelMon: Detects interaction with eBPF kernel subsystem.
  • IOUringMon: Inspects io_uring submission queue activity.
  • SysEnumMon (experimental): Detects system enumeration by correlating distinct watch-list observations within a sliding time window.

All Detectors perform in-kernel event filtering directly within eBPF programs, minimizing overhead and reducing the volume of data sent to userspace.

Bombini rule engine enables the detection of advanced threats, such as the disclosure of GTFOBins, which involves the execution of privileged shells through the abuse of eligible binaries.

Additionally, ProcMon, FileMon and NetMon can optionally enforce sandboxing policies, allowing fine-grained control over process execution, file access and ip connections based on configurable rules.

By combining the safety of Rust, the power of eBPF, and the flexibility of LSM hooks, Bombini provides a lightweight, high-performance, and extensible runtime security monitoring solution for Linux systems.

Getting Started

Before moving further, please, check the compatibility page.

Container

Download Bombini container image:

docker pull ghcr.io/bombinisecurity/bombini:v1.0.0

Run

You can easily run Bombini with this command:

docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini

By default Bombini sends event to stdout in JSON format and starts only ProcMon detector intercepting process execs and exits. To customize your Bombini setup, please, follow the Configuration chapter and mount config directory to the container:

docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro  -v /sys/fs/bpf:/sys/fs/bpf bombini

You can save event logs to the file:

docker run --pid=host --rm -it --privileged -v /tmp/bombini.log:/log/bombini.log -v /sys/fs/bpf:/sys/fs/bpf bombini --event-log /log/bombini.log

Or send them via unix socket:

docker run --pid=host --rm -it --privileged -v /tmp/bombini.sock:/log/bombini.sock -v /sys/fs/bpf:/sys/fs/bpf bombini --event-socket /log/bombini.sock

Bombini uses env_logger crate. To see agent logs pass --env "RUST_LOG=info|debug"to docker run.

Kubernetes

First pull bombini image:

docker pull ghcr.io/bombinisecurity/bombini:v1.0.0

bombini.yaml manifest has bombini ConfigMap with all configuration setup. By default, only ProcMon detector is loaded. To customize your Bombini setup, please, follow the Configuration chapter.

To start bombini DaemonSet run:

kubectl apply -f ./bombini.yaml

Events can be found in bombini k8s log.

Kind Example

Pull bombini image:

docker pull ghcr.io/bombinisecurity/bombini:v1.0.0

Install kind.

If your cwd is repo root change it to ./install/k8s

cd ./install/k8s

Create kind cluster:

kind create cluster --config ./kind-config.yaml --name bombini-test-cluster

Load bombini image in kind cluster:

kind load docker-image bombini:latest --name bombini-test-cluster

Start bombini:

kubectl apply -f ./bombini.yaml

Check events:

kubectl get pods | grep "^bombini" | awk '{print $1}' | xargs kubectl logs -f

Tarball

You can get a tarball with installation scripts for bombini systemd service:

wget https://github.com/bombinisecurity/bombini/releases/download/v1.0.0/bombini-v1.0.0.tar.gz

Install / Uninstall

Unpack bombini tarball:

tar -xvf ./target/bombini.tar.gz -C ./target

If you need config customization then update detector configs in target/bombini/usr/local/lib/bombini/config. Then run install script:

sudo ./target/bombini/install.sh

Check events:

tail -f /var/log/bombini/bombini.log

Uninstall with uninstall.sh:

sudo ./target/bombini/uninstall.sh

Build

First, install build dependencies:

  1. Install Rust.
  2. Install clang and libbpf-dev. Ubuntu: apt install clang libbpf-dev.
  3. Prepare environment for Aya.

Release build:

cargo xtask build --release

Run

sudo ./target/release/bombini --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config

Or using cargo:

cargo xtask run --release -- --bpf-objs ./target/bpfel-unknown-none/release --config-dir ./config

By default Bombini starts only ProcMon detector intercepting process execs and exits. To customize your Bombini setup, please, follow the Configuration. Bombini uses env_logger crate. To see agent logs set RUST_LOG=info|debug environment variable.

Configuration

This chapter describes the way Bombini can be configured. Configuration is done by YAML config files. Config files are stored in separate directory ./config for example. In this directory config.yaml file must exist. This file provides a global Bombini agent configuration, which can be overrided by cli arguments. To load detectors in config directory detector config yaml’s must be provided (e.g. procmon.yaml). Configuration of detectors is considered in the next chapters. Protobuf specification for detectors configs located in reference chapter.

Bombini Config

Bombini agent configuration is stored in config.yaml. The example of config.yaml provided bellow:

# Global parameters for bombini agent.
# All paths must be full canonical or
# relative to this config file.
---
# Directory with bpf detector object files
bpf_objs: /usr/local/lib/bombini/bpf

# Path to pin bpf maps.
maps_pin_path: /sys/fs/bpf/bombini

# Event map size (ring buffer size in bytes)
event_map_size: 65536

# Raw event channel size (number of event messages)
event_channel_size: 64

# Procmon process map size
procmon_proc_map_size: 8192

# Retain Transmuters caches every <gc_period> sec
gc_period: 30

# Transmit events to log file
log_file: /var/log/bombini/bombini.log

# Log file size in MB
log_file_size: 10

# Number of log file rotations
log_file_rotations: 5

# Enable log file compression
log_file_compression: false

# Prometheus metric server port. This option enables metric server
metric_server_port: 9100

# List of the detectors to load
detectors:
   - procmon
   #- filemon
   #- netmon
   # -kernelmon
   #- io_uringmon
   #- sysenummon

To enable detectors loading you must put the detector name in config detectors section.

NOTE: YAML file with the same name plus “.yaml” suffix must exist in the same directory with config.yaml.

Bombini CLI Arguments

Ebpf-based agent for observability and security monitoring

Usage: bombini [OPTIONS]

Options:
      --bpf-objs <FILE>                Directory with bpf detector object files
      --maps-pin-path <FILE>           Path to pin bpf maps
      --event-map-size <VALUE>         Event map size (ring buffer size in bytes)
      --event-channel-size <VALUE>     Raw event channel size (number of event messages)
      --procmon-proc-map-size <VALUE>  Procmon process map size
  -D, --detector <NAME>                Detector to load. Can be specified multiple times. Overrides the config
      --gc-period <SEC>                GC period for user mode caches in seconds
      --config-dir <DIR>               YAML config dir with global config and detector configs [default: /usr/local/lib/bombini/config]
      --log-file <FILE>                File path to save events
      --log-file-rotations <VALUE>     Number of rotated files to keep
      --log-file-size <VALUE>          Max size of rotated file in mb
      --log-file-compression           Enable compression for rotated files
      --event-socket <FILE>            Unix socket path to send events
      --metric-server-port <PORT>      Prometheus exporter port
  -h, --help                           Print help
  -V, --version                        Print version

--bpf-objs, --maps-pin-path, --event-map-size, --event-channel-size, detector options can override corresponding config options. --log-file, --event-socket can override default stdout json serialized events output.

Rules

Bombini agent implements a powerful event filtering mechanism that operates entirely within the eBPF layer. This approach ensures minimal overhead and maximum performance by filtering events at the kernel level before they reach user space.

Configuration Structure

Rules are defined in YAML format and organized by hook or hook group. The basic structure follows this pattern:

<hook_name>:
  enabled: <boolean>
  rules:
    - rule: <rule_name>
      scope: <boolean_predicate>
      event: <boolean_predicate>

Example Configuration

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      scope: binary_path in ["/usr/bin/cat", "/usr/bin/tail"]
      event: path_prefix == "/etc" AND name in ["passwd", "shadow", "sudoers"]

Rule Components

Scope Predicate. The scope predicate defines the subject to which the rule applies. This typically describes executable or host. To capture all events corresponding to the entire host, just keep scope predicate empty (or remove it from the rule). Executable context can be configured using the following attribute maps:

  • binary_path: Full absolute path to executable
  • binary_name: Executable name
  • binary_prefix: Absolute path prefix for the executable (up to 255 bytes)

The same attributes are also available for the direct parent process (supported by the procmon and filemon detectors only):

  • parent_binary_path: Full absolute path to the parent executable
  • parent_binary_name: Parent executable name
  • parent_binary_prefix: Absolute path prefix for the parent executable (up to 255 bytes)

Event Predicate. The event predicate defines the event characteristics that should trigger the rule. Attribute maps for event filtering are specific for hook associated with the rule. Attribute description can be found in detectors configuration chapters.

Predicate Combination. The scope and event predicates are combined using logical AND. This means both conditions must be satisfied for the rule. It’s is possible to use only scope or event predicate. For this purpose just remove it from rule.

Boolean Predicate Syntax

OperationSyntaxDescriptionExample
ANDANDLogical conjunctionpath_prefix == "/etc" AND name == "passwd"
ORORLogical disjunctionbinary_path == "/usr/bin/cat" OR binary_path == "/usr/bin/tail"
NOTNOTLogical negationNOT uid in [2000, 1000]
Grouping( )Control evaluation precedence(A OR B) AND C
MembershipinCheck value existence in listname in ["passwd", "shadow", "sudoers"]
Equality==Shorthand for single-element membership checkbinary_path == "/usr/bin/cat"

Operator Precedence

The following precedence order applies (from highest to lowest):

  1. Parentheses (), in, ==
  2. NOT
  3. AND
  4. OR

In Operator

The in operator is used to check if a value exists in a list. It can be used with both string and integer lists. Integers can be specified in decimal or hexadecimal format. There is a difference how strings are handled. For example, for path attribute map strings are considered as path strings. For ipv4/ivp6 address strings are considered as CIDRs, for example: "2000::/3" is a CIDR for IPv6. And last but not least, some attribute maps consider strings as bit flags, for example, for ecaps attribute map, ["CAP_SYS_ADMIN", "CAP_SYS_PTRACE"] will check if any of this flags (capabilities) are set.

Technical Limitations

  1. Maximum rules per hook: 32
  2. Maximum operations per rule: 16
  3. Maximum in operations per attribute in rule: 8

The last two constraints are applied to optimized rule.

Rule Optimizations

Bombini agent applies several optimizations to rules to improve performance:

  • fold_not
  • fold_or
  • fold_and

Fold_or Optimization

The fold_or optimization combines multiple OR operations with underling “in” containing the same attribute map into a single “in” operation.

Example

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      event: path == "/etc" OR path == "/var" OR path in ["/etc", "/tmp", "/opt"]

This rule will be optimized to:

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      event: path in ["/etc", "/tmp", "/opt", "/var"]

Fold_and Optimization

The fold_and optimization combines multiple AND operations with underling “in” containing the same attribute map into a single “in” operation.

Example

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      event: path == "/etc" AND path in ["/etc", "/tmp", "/opt"]

This rule will be optimized to:

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      event: path in ["/etc"]

Also, this optimization checks if predicate is always false, and returns error:

file_open:
  enabled: true
  rules:
    - rule: monitor_sensitive_files
      event: path == "/log" AND path in ["/etc", "/tmp", "/opt"]

Fold_not Optimization

The fold_not optimization combines multiple NOT operations into a single NOT operation using De Morgan’s laws.

Example

file_open:
  enabled: true
  rules:
    - rule: fold_not_and
      event: NOT path == "/var" AND NOT path == "/tmp"

This rule firstly will be optimized to:

file_open:
  enabled: true
  rules:
    - rule: fold_not_and
      event: NOT (path == "/var" OR path == "/tmp")

And resulting rule after fold_or optimization will be:

file_open:
  enabled: true
  rules:
    - rule: fold_not_and
      event: NOT path in ["/var", "/tmp"]

Sandbox Mode

Bombini supports sandboxing for ProcMon, FileMon and NetMon detectors, allowing to define fine-grained access control policies that are enforced directly in-kernel via eBPF LSM hooks. When enabled, sandboxing evaluates rules in enforcement mode: matching events can be allowed or denied based on the configured policy. In allow-list mode, event restrictions are tied to the scope of the event. If there is no scope restriction, the event restriction is applied to the entire host.

Sandbox configuration is added at the hook level and follows this pattern:

<hook_name>:
  enabled: <boolean>
  sandbox:
    enabled: <boolean> # optional, default: false
    deny_list: <boolean>  # optional, default: false
  rules:
    - rule: <rule_name>
      scope: <boolean_predicate>
      event: <boolean_predicate>

Sandbox Parameters

  • enabled: Activates sandbox enforcement for the hook. When false, rules operate in monitoring-only mode.
  • deny_list: Controls policy mode:
    • false (default): Allow-list mode — only events matching rules are permitted; all others are denied.
    • true: Deny-list mode — events matching rules are explicitly blocked; all others are permitted.

Examples

Prevent dash, sh and bash from writing to filemon.yaml:

file_open:
  enabled: true
  sandbox:
    enabled: true
    deny_list: true
  rules:
  - rule: OpenTestSandBoxRule
    scope: binary_name in ["dash", "sh", "bash"]
    event: name == "filemon.yaml" AND access_mode == "O_WRONLY"

Allow head command to read only files from /usr/lib or read filemon.yaml:

file_open:
  enabled: true
  sandbox:
    enabled: true
  rules:
  - rule: OpenTestSandBoxRule
    scope: binary_name == "head"
    event: path_prefix == "/usr/lib" OR name in ["filemon.yaml"]

Only binaries from the specified paths can be executed:

bprm_check:
  enabled: true
  sandbox:
    enabled: true
  rules:
  - rule: BprmCheckTestRule
    event: path_prefix in ["/usr", "/bin", "/sbin", "/home"]

Allow curl to connect only to 127.0.0.1 and port 8080:

socket_connect:
  enabled: true
  sandbox:
    enabled: true
    deny_list: false
  rules:
  - rule: SocketConnectSandboxRule
    scope: binary_name == "curl"
    event: ipv4_addr == "127.0.0.1" AND port == 8080

ProcMon

ProcMon is the main detector that collects information about process being spawned and detached. Information about living process is stored in shared eBPF map and in Process cache in user space. Every other detector needs ProcMon that monitors process execs and exits. This detector cannot be disabled.

Required Linux Kernel Version

6.2 or greater

Config Description

It is possible to enable IMA hashes of executed binary in process information. To enable put this to config (false by default):

ima_hash: true

It is possible to set garbage collection period in seconds for PROCMON_PROC_MAP (process info in eBPF). Default value is 30 sec.

gc_period: 30

Process Hooks

ProcMon helps to monitor privilege escalation during process execution. It uses LSM hooks for this:

  • security_task_fix_setuid (config name: setuid)
  • security_task_fix_setgid (config name: setgid)
  • security_capset (config name: capset)
  • security_task_prctl (config name: prctl)
  • security_create_user_ns (config name: create_user_ns)
  • security_ptrace_access_check (config name: ptrace_access_check)
  • security_bprm_check (config name: bprm_check)

Also there is a tracepoint hook only for sandbox mode: sched_process_exec. It allows to block execs by sending SIGKILL to the process.

To enable hook:

<hook>:
  enabled: true

Event Filtering

All hooks support scope filtering. In addition to the binary_* attributes, ProcMon scope filtering supports matching the direct parent process binary via the parent_binary_path, parent_binary_name and parent_binary_prefix attributes (see Rules).

The following list of hooks support event filtering by rules and sandbox mode:

  • security_task_fix_setuid
  • security_task_fix_setgid
  • security_capset
  • security_create_user_ns
  • security_bprm_check
  • sched_process_exec

security_task_fix_setuid

setuid supports the following filtering attributes:

  • uid - new uid
  • euid - new euid

Example

setuid:
  enabled: true
  rules:
  - rule: UidTestRule
    event: uid == 1000 AND euid == 0

security_task_fix_setgid

setgid supports the following filtering attributes:

  • gid - new gid
  • egid - new egid

Example

setgid:
  enabled: true
  rules:
  - rule: GidTestRule
    event: gid == 1000 AND egid == 0

security_capset

capset supports the following filtering attributes:

  • ecaps - new effective capabilities
  • pcaps - new permitted capabilities

List of capabilities can be found in capabilities(7). we support a placeholder ANY_CAPS that matches all capabilities. Expression ecaps in ["ANY_CAPS"] or ecaps == "ANY_CAPS" checks if any capability is set.

Example

setcaps:
  enabled: true
  rules:
  - rule: CapsTestRule
    event: ecaps == "CAP_SYS_ADMIN"

security_create_user_ns

create_user_ns supports the following filtering attributes:

  • ecaps - effective capabilities
  • euid - effective uid

Example

create_user_ns:
  enabled: true
  rules:
  - rule: UnprivNsTestRule
    event: NOT ecaps == "CAP_SYS_ADMIN"

security_bprm_check

bprm_check supports the following filtering attributes:

  • path - absolute path of executed binary via exec
  • name - name of executed binary via exec
  • path_prefix - absolute path prefix of executed binary via exec
  • euid - euid of executed binary via exec
  • egid - egid of executed binary via exec
  • ecaps - effective capabilities of executed binary via exec

Example

bprm_check:
  enabled: true
  rules:
  - rule: TestBprmCheck
    event: path_prefix == "/tmp" AND name == "ls"

sched_process_exec

sched_process_exec supports the following filtering attributes:

  • arg0-arg31 - arguments of executed binary. The index at the end of the argument allows to distinguish between arguments. It is NOT the index of the argument in argv array.

This hook is only available in sandbox mode, which is always enabled. It is used to block execs by sending SIGKILL to the process.

Example

sched_process_exec:
  enabled: true
  rules:
  - rule: ExecveSandboxTestRule
    scope: binary_name == "rm"
    event: arg0 in ["-r", "-rf"] AND arg1 in ["/etc/passwd"]

In this example, we block all execs of rm binary if one of the arguments is -r or -rf and another is /etc/passwd.

GTFObins

The BprmCheck hook can be used to detect the execution of GTFOBins. It checks if privileged shell is executed and returns process information about GTFOBins binary that is spawning the shell.

Config Description

Scope predicate represents the list of GTFOBins filenames. Event predicate represents the list of possible shell filenames and checks if the executing process is running as root.

bprm_check:
  enabled: true
  sandbox:
    enabled: true
    deny_list: true
  rules:
  - rule: GTFOBins  # https://gtfobins.github.io/#+shell%20+SUID%20+Sudo
    scope: binary_name in
      [
        "aa-exec",
        "awk",
        "busctl",
        "busybox",
        ...
      ]
    event: name in ["sh", "bash", "dash", "zsh"] AND euid == 0

When sandbox deny_list mode is set true execution of GTFOBins is blocked.

FileMon

Detector provides events related to file / filesystem operations. Supported LSM hooks:

  • file_open hook provides info about file owner/permissions + permissions with process accessed the file.
  • mmap_file hook provides info about mmaped file: path, protection flags.
  • path_truncate hook provides info about path truncated by truncate syscall.
  • path_unlink provides info about path being deleted.
  • path_symlink provides info about symlink creation.
  • path_chmod provides info about changing file permissions.
  • path_chown provides info about changing file owner.
  • sb_mount provides info about mounted devices.
  • file_ioctl provides info about ioctl commands.

Required Linux Kernel Version

  • file_open: 6.2 or greater
  • mmap_file: 6.2 or greater
  • sb_mount: 6.2 or greater
  • file_ioctl: 6.2 or greater
  • path_truncate: 6.8 or greater
  • path_unlink: 6.8 or greater
  • path_symlink: 6.8 or greater
  • path_chmod: 6.8 or greater
  • path_chown: 6.8 or greater

Config Description

Config represents a dictionary with supported LSM BPF file hooks:

  • file_open
  • mmap_file
  • path_truncate
  • path_unlink
  • path_symlink
  • path_chmod
  • path_chown
  • sb_mount
  • file_ioctl

For each file hook the following options are supported:

  • enabled enables detection for current hook. False by default.

Event Filtering

All hooks support scope filtering. In addition to the binary_* attributes, FileMon scope filtering supports matching the direct parent process binary via the parent_binary_path, parent_binary_name and parent_binary_prefix attributes (see Rules).

The following list of hooks support event filtering by rules and sandbox mode:

  • file_open
  • path_truncate
  • path_unlink
  • path_symlink
  • path_chmod
  • path_chown
  • mmap_file
  • file_ioctl

file_open

file_open supports the following filtering attributes:

  • path - the absolute path of opening file.
  • path_prefix - the absolute path prefix of opening file.
  • name - the name of opening file.
  • access_mode - the access mode of opening file. It is treated as an enum value and can have only one value at a runtime (e.g., O_RDONLY, O_WRONLY, O_RDWR). See man.
  • creation_flags - the creation flags of opening file. It is treated as mask and can have multiple values at a runtime (e.g., O_CREAT, O_EXCL, O_TRUNC simultaneously). See man.

Example

file_open:
  enabled: true
  rules:
  - rule: OpenTestRule
    scope: binary_name in ["ls", "tail"]
    event: path in ["/etc"] OR name == "filemon.yaml"

path_truncate

file_truncate supports the following filtering attributes:

  • path - the absolute path of truncating file.
  • path_prefix - the absolute path prefix of truncating file.
  • name - the name of truncating file.

Example

path_truncate:
  enabled: true
  rules:
  - rule: TruncateTestRule
    event: path_prefix == "/tmp/bombini-test-"

path_unlink supports the following filtering attributes:

  • path - the absolute path of deleting file.
  • path_prefix - the absolute path prefix of deleting file.
  • name - the name of deleting file.

Example

path_unlink:
  enabled: true
  rules:
  - rule: UnlinkTestRule
    event: path_prefix == "/tmp" AND name == "test.json"

path_symlink supports the following filtering attributes:

  • path - the path of target file (maybe relative).
  • path_prefix - the path prefix of target file (maybe relative).

Example

path_symlink:
  enabled: true
  rules:
  - rule: SymlinkTestRule
    event: path_prefix == "../"

path_chmod

path_chmod supports the following filtering attributes:

  • path - the absolute path of changing permissions file.
  • path_prefix - the absolute path prefix of changing permissions file.
  • name - the name of changing permissions file.
  • mode - the new file’s permissions. See man for details.

Example

path_chmod:
  enabled: true
  rules:
  - rule: ChmodTestRule
    event: name == "filemon.yaml" AND mode in ["S_IWOTH","S_IWGRP","S_IWUSR"]

path_chown

path_chown supports the following filtering attributes:

  • path - the absolute path of changing owner file.
  • path_prefix - the absolute path prefix of changing owner file.
  • name - the name of changing owner file.
  • uid - the new file’s owner UID.
  • gid - the new file’s owner GID.

Example

path_chown:
  enabled: true
  rules:
  - rule: ChownTestRule
    event: name == "filemon.yaml" AND uid == 0 AND gid == 0

mmap_file

mmap_file supports the following filtering attributes:

  • path - the absolute path of mmaped file.
  • path_prefix - the absolute path prefix of mmaped file.
  • name - the name of mmaped file.
  • prot_mode - the memory protection of mmaped file. It is treated as mask and can have multiple values at a runtime (PROT_READ, PROT_WRITE, PROT_EXEC). See man for details.
  • flags - the flags of mmaped file. It is treated as mask and can have multiple values at a runtime (e.g., MAP_PRIVATE, MAP_SHARED, MAP_ANON). See man for details.

Example

mmap_file:
  enabled: true
  rules:
  - rule: MmapTestRule
    event: name == "filemon.yaml"

file_ioctl

file_ioctl supports the following filtering attributes:

  • path - the absolute path of device file.
  • path_prefix - the absolute path prefix of device file.
  • name - the name of device file.
  • cmd - ioctl command.

Example

file_ioctl:
  enabled: true
  rules:
  - rule: IoctlTestRule
    event: path_prefix == "/dev" AND cmd in [4712, 2147766906, 769]

NetMon

NetMon detector provides information about ingress/egress TCP connections based on IPv4/IPv6. It also provides information about socket events.

Hooks:

  • tcp_v4_connect: collect egress TCP IPv4 connection requests
  • tcp_v6_connect: collect egress TCP IPv6 connection requests
  • tcp_close: collect connection close events
  • inet_csk_accept: collect TCP v4/v6 ingress connections
  • socket_create: collect socket creation events
  • socket_create: collect socket connect events

Required Linux Kernel Version

6.2 or greater

Config Description

Config represents a dictionary with supported hooks for ingress/egress tcp connections and socket events:

  • ingress
  • egress
  • socket_create
  • socket_connect

Event Filtering

All hooks support scope and event filtering. Hooks for socket events support sandbox mode. Hooks for tcp connections does not.

Tcp Connections

NetMon supports attributes filtering for ingress/egress tcp connection events.

  • ipv4_dst - destination IPv4 address of ingress/egress tcp connection
  • ipv4_src - source IPv4 address of ingress/egress tcp connection
  • ipv6_dst - destination IPv6 address of ingress/egress tcp connection
  • ipv6_src - source IPv6 address of ingress/egress tcp connection
  • port_src - source port of ingress/egress tcp connection
  • port_dst - destination port of ingress/egress tcp connection

Examples

egress:
  enabled: true
  rules:
  - rule: tcp-connections-out-of-cluster
    event: >
      NOT ipv4_dst in [
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "127.0.0.1",
        "0.0.0.0"
      ] OR ipv6_dst == "2000::/3"
egress:
  enabled: true
  rules:
  - rule: tcp-connections-to-api-server
    event: ipv4_dst == "10.96.0.1" AND port_dst == 443

Socket Creation

NetMon supports attributes filtering for socket creation events.

  • family - socket address family (AF_INET, AF_INET6, AF_UNIX, …).
  • type - socket type (SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, …).
  • flags - socket flags. This attribute is treated as mask and can have multiple values at a runtime (e.g., SOCK_NONBLOCK and SOCK_CLOEXEC simultaneously).
  • protocol - socket protocol.

Examples

socket_create:
  enabled: true
  rules:
  - rule: socket-creation
    event: (family == "AF_INET6" OR family == "AF_INET")AND type == "SOCK_STREAM"

For more information about socket attributes see man.

Socket Connect

NetMon supports attributes filtering for socket connect events.

  • ipv4_dst - destination IPv4 address of egress connection
  • ipv6_dst - destination IPv6 address of egress connection
  • port_dst - destination port of egress connection

Examples

socket_connect:
  enabled: true
  rules:
  - rule: socket-connect
    event: ipv4_dst == "10.96.0.1" AND port_dst == 443 OR ipv6_dst == "2000::/3"

For more information about socket attributes see man. We only support 2 socket address families: AF_INET and AF_INET6. This hook can be used for NetMon connections enforcement.

KernelMon

Detector provides events related to kernel modification/intergration. Supported LSM hooks:

  • bpf_map_create hook is used to detect BPF map creation.
  • bpf_map hook provides information about BPF map access by userspace. Hook is triggered when userspace tries to get eBPF map descriptor. Descriptor could be used to read/write data from/to the map, pin it to the filesystem, inspect kernel metadata.
  • bpf_prog_load hook is used to detect BPF program loading.
  • bpf_prog hook provides information about BPF program access by userspace. Hook is triggered when userspace tries to get eBPF program descriptor. Descriptor could be used to attach/detach program to/from the hook, pin it to the filesystem or inspect kernel metadata.

Required Linux Kernel Version

6.2 or greater

Config Description

Config represents a dictionary with supported LSM BPF file hooks:

  • bpf_map_create
  • bpf_map
  • bpf_prog_load
  • bpf_prog

For each file hook the following options are supported:

  • enabled enables detection for current hook. False by default.

Event Filtering

All hooks support event filtering and do not provide sandboxing for now.

bpf_map_create

bpf_map_create supports the following filtering attributes:

  • name - name of BPF map (16 bytes).
  • prefix - prefix of BPF map name (first 16 bytes).
  • type - type of BPF map. See linux kernel for the list of supported types.

Example

bpf_map_create:
  enabled: true
  rules:
  - rule: "BpfMapCreateTest"
    event: type == "BPF_MAP_TYPE_HASH" AND name == "AT_exec_count"

bpf_map

bpf_map supports the following filtering attributes:

  • id- id of BPF map.
  • name - name of BPF map (16 bytes).
  • prefix - prefix of BPF map name (first 16 bytes).
  • type - type of BPF map. See linux kernel for the list of supported types.

Example

bpf_map:
  enabled: true
  rules:
  - rule: "KernelMonBpfMapTest"
    event: type == "BPF_MAP_TYPE_HASH" AND prefix == "AT_exec"

bpf_prog_load

bpf_prog_load supports the following filtering attributes:

  • name - name of BPF program (16 bytes).
  • prefix - prefix of BPF program name (first 16 bytes).
  • type - type of BPF program. See linux kernel for the list of supported types.

Example

bpf_prog_load:
  enabled: true
  rules:
  - rule: "KernelMonBpfProgLoadTest"
    event: type == "BPF_PROG_TYPE_TRACING" AND prefix == "rawtracepoint"

bpf_prog

bpf_prog supports the following filtering attributes:

  • id- id of BPF program.
  • name - name of BPF program (16 bytes).
  • prefix - prefix of BPF program name (first 16 bytes).
  • type - type of BPF program. See linux kernel for the list of supported types.

Example

bpf_prog:
  enabled: true
  rules:
  - rule: "KernelMonBpfProgTest"
    event: type == "BPF_PROG_TYPE_TRACING" AND name == "rawtracepoint_v"

IOUringMon

IOUring detector tracks SQE submitting using io_uring_submit_req tracepoint.

Inspired by:

  1. curing example and post.
  2. RingReaper example and post.

Required Linux Kernel Version

6.8 or greater

Config Description

IOUringMon doesn’t provide rule-based filtering.

SysEnumMon

Experimental. This detector differs from the others: it correlates observations across a process tree rather than reporting single events. Correlation is currently tied to the direct parent, so processes spawned indirectly (find -exec, bash -c) may evade it, and the shared correlation state is read under RCU with time checks, so simultaneous hits on multiple CPUs can race. The behaviour and configuration may change once it gathers real-world feedback.

Detector correlates system enumeration (reconnaissance) activity. Automated privilege escalation scanners (PEASS-ng: LinPEAS, LinEnum, pspy and similar) perform many small enumeration steps in a short time: they execute information gathering binaries (id, whoami, uname, netstat and so on) and read sensitive files (/etc/shadow, /etc/ssh/* and so on). A single step is legitimate on its own, so an alert is raised only when several distinct observations from the watch list accumulate inside one process tree within a sliding time window. Supported LSM hooks:

  • bprm_check_security hook observes executed binary names on execve.
  • file_open hook observes opened file paths.

Both hooks are always loaded, there is no per-hook enable switch. SysEnumMon depends on ProcMon.

Required Linux Kernel Version

6.2 or greater

Config Description

SysEnumMon does not provide rule-based filtering or sandbox mode. It is configured by a watch list and two correlation parameters:

  • chain_size - threshold K: number of distinct observations from the watch list that must occur within the window to raise an alert. K must not exceed 7, the per-process chain capacity.
  • window_size_sec - sliding window length W in seconds. Only observations seen within the last W seconds are kept in a process tree’s chain: as new observations arrive, any leading observation older than W seconds is dropped from the chain. An alert is raised when K distinct observations fall inside the same W-second window.
  • bprm_check.name - list of binary names matched on execve.
  • file_open.path - list of exact file paths matched on file_open.
  • file_open.path_prefix - list of path prefixes matched on file_open (longest prefix match).

Observations are de-duplicated, so repeating the same entry does not advance the counter: a script that calls id in a loop does not raise an alert. The total number of unique watch list entries (names + paths + prefixes) must not exceed 256.

Example

chain_size: 3
window_size_sec: 10
bprm_check:
  name:
    - id
    - whoami
    - uname
    - netstat
    - ss
    - getcap
file_open:
  path:
    - /etc/shadow
  path_prefix:
    - /etc/ssh

Protocol Documentation

Table of Contents

Top

proto/config.proto

FileMonConfig

Configuration file for FileMon detector.

FieldTypeLabelDescription
file_openHookConfigsecurity_file_open config.
path_truncateHookConfigsecurity_path_truncate config.
path_unlinkHookConfigsecurity_path_unlink config.
path_symlinkHookConfigsecurity_path_symlink config.
path_chmodHookConfigsecurity_path_chmod config.
path_chownHookConfigsecurity_path_chown config.
sb_mountHookConfigsecurity_sb_mount config.
mmap_fileHookConfigsecurity_mmap_file config.
file_ioctlHookConfigsecurity_file_ioctl config.

HookConfig

Hook or group of hooks configuration

FieldTypeLabelDescription
enabledboolLoad eBPF programs
sandboxSandboxModeSandbox capabilities.
rulesRulerepeatedFiltering rules

KernelMonConfig

Configuration file for KernelMon detector.

FieldTypeLabelDescription
bpf_mapHookConfigGetting access to bpf map
bpf_map_createHookConfigCreating bpf map
bpf_progHookConfigGetting access to bpf program
bpf_prog_loadHookConfigCreating to bpf program

NetMonConfig

Configuration file for NetMon detector.

FieldTypeLabelDescription
ingressHookConfigIngress traffic connections
egressHookConfigEgress traffic connections
socket_createHookConfigSocket creation
socket_connectHookConfigConnect over socket

ProcMonConfig

Configuration file for ProcMon detector

FieldTypeLabelDescription
setuidHookConfigsetuid hook config.
capsetHookConfigcapset hook config.
prctlHookConfigprctl hook config.
create_user_nsHookConfigcreate_user_ns hook config.
ptrace_access_checkHookConfigptrace_attach hook config.
setgidHookConfigsetgid hook config.
bprm_checkHookConfigbprm_check hook config.
sched_process_execHookConfigsched_process_exec sandbox hook config.
ima_hashbooloptionalCollect IMA hashes for executed binaries.
gc_perioduint64optionalGC period for PROCMON_PROC_MAP default 30 sec.

Rule

Rule definition. Scope and event predicates are used as logical conjunction.

FieldTypeLabelDescription
namestringName of the rule.
scopestringLogical predicate describes scope this rule will be applied, e.g. process, container.
eventstringLogical predicate for describes event rule will be applied

SandboxMode

Sandbox parameters.

FieldTypeLabelDescription
enabledboolEnable sandbox mode.
deny_listboolConsider rules as deny list.

Scalar Value Types

.proto TypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)

Events

In this chapter all types of events produced by Bombini are described. Events are grouped by corresponding detectors. In event descriptions you also find JSON examples.

Each event has a process information related to this event.

JSON schema for all events located in reference chapter

ProcMon

ProcessExec

ProcessExec event represents a new executed binary (execve).

{
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQxMjQ6ODY5NDYyNTkwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84124,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:42:47.608Z",
    "tid": 84124,
    "uid": 0
  },
  "process": {
    "args": "-l",
    "auid": 1000,
    "binary_path": "/usr/sbin/fdisk",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQxNDU6ODY5NDYzNTk4MDM5Mzcy",
    "filename": "fdisk",
    "gid": 0,
    "parent_exec_id": "ODQxMjQ6ODY5NDYyNTkwMDAwMDAw",
    "pid": 84145,
    "ppid": 84124,
    "secureexec": "",
    "start_time": "2026-04-30T11:42:48.616Z",
    "tid": 84145,
    "uid": 0
  },
  "timestamp": "2026-04-30T11:42:48.616Z",
  "type": "ProcessExec"
}

IMA Binary Hash

Process information can be enriched with binary hashes collected from IMA.

{
  "parent": {
    "args": "/home/fedotoff/.vscode/extensions/google.geminicodeassist-2.75.0/agent/a2a-server.mjs",
    "auid": 1000,
    "binary_path": "/usr/share/code/code",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": false,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "ODQ3NDk6ODY5NTExOTkwMDAwMDAw",
    "filename": "code",
    "gid": 1000,
    "parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
    "pid": 84749,
    "ppid": 15166,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:37.008Z",
    "tid": 84749,
    "uid": 1000
  },
  "process": {
    "args": "--version",
    "auid": 1000,
    "binary_ima_hash": "sha256:2a8c18fbf43da9f692d75474c72bea9dfd796c260b0f3dfe456376abc3bbd668",
    "binary_path": "/usr/bin/git",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": false,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "ODQ3ODM6ODY5NTEyNjI5ODAyMzQ5",
    "filename": "git",
    "gid": 1000,
    "parent_exec_id": "ODQ3NDk6ODY5NTExOTkwMDAwMDAw",
    "pid": 84783,
    "ppid": 84749,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:37.648Z",
    "tid": 84783,
    "uid": 1000
  },
  "timestamp": "2026-04-30T11:43:37.648Z",
  "type": "ProcessExec"
}

Fileless Execution

Event has information if no file used for process execution (memfd_create).

{
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "filename": "procmon-ffa17fc59f5de4b8",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84662,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:32.788Z",
    "tid": 84662,
    "uid": 0
  },
  "process": {
    "args": "fileless-exec-test",
    "auid": 1000,
    "binary_path": "/memfd:fileless-exec-test (deleted)",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ3NDY6ODY5NTExNjgyNTg4OTc4",
    "filename": "memfd:fileless-exec-test",
    "gid": 0,
    "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "pid": 84746,
    "ppid": 84662,
    "secureexec": "FILELESS_EXEC",
    "start_time": "2026-04-30T11:43:36.701Z",
    "tid": 84746,
    "uid": 0
  },
  "timestamp": "2026-04-30T11:43:36.701Z",
  "type": "ProcessExec"
}

ProcessClone

ProcessClone represents a process creation with fork() or clone() syscall types.

{
  "parent": {
    "args": "",
    "auid": 1000,
    "binary_path": "/usr/share/code/code",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": false,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
    "filename": "code",
    "gid": 1000,
    "parent_exec_id": "MTQ5NzM6ODYwNzY4NDkwMDAwMDAw",
    "pid": 15166,
    "ppid": 14973,
    "secureexec": "",
    "start_time": "2026-04-30T09:17:58.278Z",
    "tid": 15166,
    "uid": 1000
  },
  "process": {
    "args": "",
    "auid": 0,
    "binary_path": "/usr/share/code/code",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": true,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "ODQ3NDg6ODY5NTExOTU5NjkyMTA5",
    "filename": "code",
    "gid": 1000,
    "parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
    "pid": 84748,
    "ppid": 15166,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:36.978Z",
    "tid": 84748,
    "uid": 1000
  },
  "timestamp": "2026-04-30T11:43:36.978Z",
  "type": "ProcessClone"
}

ProcessExit

ProcessExit event represents an exited process.

{
  "parent": {
    "args": "",
    "auid": 1000,
    "binary_path": "/usr/share/code/code",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": false,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
    "filename": "code",
    "gid": 1000,
    "parent_exec_id": "MTQ5NzM6ODYwNzY4NDkwMDAwMDAw",
    "pid": 15166,
    "ppid": 14973,
    "secureexec": "",
    "start_time": "2026-04-30T09:17:58.278Z",
    "tid": 15166,
    "uid": 1000
  },
  "process": {
    "args": "/home/fedotoff/.vscode/extensions/google.geminicodeassist-2.75.0/agent/a2a-server.mjs",
    "auid": 1000,
    "binary_path": "/usr/share/code/code",
    "cap_effective": "",
    "cap_inheritable": "",
    "cap_permitted": "",
    "cloned": false,
    "egid": 1000,
    "euid": 1000,
    "exec_id": "ODQ2ODk6ODY5NTA4NDIwMDAwMDAw",
    "filename": "code",
    "gid": 1000,
    "parent_exec_id": "MTUxNjY6ODYwNzczMjYwMDAwMDAw",
    "pid": 84689,
    "ppid": 15166,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:33.438Z",
    "tid": 84689,
    "uid": 1000
  },
  "timestamp": "2026-04-30T11:43:36.961Z",
  "type": "ProcessExit"
}

ProcessEvents

ProcessEvents represent a collection of events somehow related to privilege escalation

Setuid

{
  "blocked": false,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "filename": "procmon-ffa17fc59f5de4b8",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84662,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:32.788Z",
    "tid": 84662,
    "uid": 0
  },
  "process": {
    "args": "-u nobody true",
    "auid": 1000,
    "binary_path": "/usr/bin/sudo",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ5MTA6ODY5NTIwMTc5ODU0ODA5",
    "filename": "sudo",
    "gid": 0,
    "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "pid": 84910,
    "ppid": 84662,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:45.198Z",
    "tid": 84910,
    "uid": 0
  },
  "process_event": {
    "euid": 0,
    "flags": "LSM_SETID_RES",
    "fsuid": 0,
    "type": "Setuid",
    "uid": 0
  },
  "rule": "ProcMonSetuid",
  "timestamp": "2026-04-30T11:43:45.201Z",
  "type": "ProcessEvent"
}

Setgid

{
  "blocked": false,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "filename": "procmon-ffa17fc59f5de4b8",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84662,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:32.788Z",
    "tid": 84662,
    "uid": 0
  },
  "process": {
    "args": "-u nobody true",
    "auid": 1000,
    "binary_path": "/usr/bin/sudo",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ4ODM6ODY5NTE4NTE2MDAyMDk5",
    "filename": "sudo",
    "gid": 0,
    "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "pid": 84883,
    "ppid": 84662,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:43.534Z",
    "tid": 84883,
    "uid": 0
  },
  "process_event": {
    "egid": 0,
    "flags": "LSM_SETID_RES",
    "fsgid": 0,
    "gid": 0,
    "type": "Setgid"
  },
  "rule": "ProcMonSetgid",
  "timestamp": "2026-04-30T11:43:43.539Z",
  "type": "ProcessEvent"
}

Setcaps

{
  "blocked": false,
  "parent": {
    "args": "capsh --caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
    "auid": 0,
    "binary_path": "/usr/bin/sudo",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": true,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ4NjA6ODY5NTE2NjM0MzkyMTcw",
    "filename": "sudo",
    "gid": 0,
    "parent_exec_id": "ODQ4NTk6ODY5NTE2NjI2Nzc5Mzg1",
    "pid": 84860,
    "ppid": 84859,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:41.652Z",
    "tid": 84860,
    "uid": 0
  },
  "process": {
    "args": "--caps=cap_sys_admin=ep cap_net_raw=ep -- -c id",
    "auid": 1000,
    "binary_path": "/usr/sbin/capsh",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ4NjE6ODY5NTE2NjM1NzgwNzAx",
    "filename": "capsh",
    "gid": 0,
    "parent_exec_id": "ODQ4NjA6ODY5NTE2NjM0MzkyMTcw",
    "pid": 84861,
    "ppid": 84860,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:41.654Z",
    "tid": 84861,
    "uid": 0
  },
  "process_event": {
    "effective": "CAP_NET_RAW | CAP_SYS_ADMIN",
    "inheritable": "",
    "permitted": "CAP_NET_RAW | CAP_SYS_ADMIN",
    "type": "Setcaps"
  },
  "rule": "ProcMonSetcaps",
  "timestamp": "2026-04-30T11:43:41.654Z",
  "type": "ProcessEvent"
}

Prctl

{
  "blocked": false,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "filename": "procmon-ffa17fc59f5de4b8",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84662,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:32.788Z",
    "tid": 84662,
    "uid": 0
  },
  "process": {
    "args": "--keep=1 -- -c echo KEEPCAPS enabled",
    "auid": 1000,
    "binary_path": "/usr/sbin/capsh",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ4MTg6ODY5NTE0OTczMjgxMTk1",
    "filename": "capsh",
    "gid": 0,
    "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "pid": 84818,
    "ppid": 84662,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:39.991Z",
    "tid": 84818,
    "uid": 0
  },
  "process_event": {
    "cmd": {
      "PrSetKeepCaps": 1
    },
    "type": "Prctl"
  },
  "rule": "ProcMonPrctl",
  "timestamp": "2026-04-30T11:43:39.992Z",
  "type": "ProcessEvent"
}

CreateUserNs

{
  "blocked": false,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/procmon-ffa17fc59f5de4b8",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "filename": "procmon-ffa17fc59f5de4b8",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84662,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:32.788Z",
    "tid": 84662,
    "uid": 0
  },
  "process": {
    "args": "-U",
    "auid": 1000,
    "binary_path": "/usr/bin/unshare",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ3MjQ6ODY5NTEwNDE4NzgyMjAx",
    "filename": "unshare",
    "gid": 0,
    "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
    "pid": 84724,
    "ppid": 84662,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:35.437Z",
    "tid": 84724,
    "uid": 0
  },
  "process_event": {
    "type": "CreateUserNs"
  },
  "rule": "ProcMonCreateUserNs",
  "timestamp": "2026-04-30T11:43:35.437Z",
  "type": "ProcessEvent"
}

PtraceAccessCheck

{
  "type": "ProcessEvent",
  "process": {
    "start_time": "2025-12-11T12:07:20.621Z",
    "cloned": false,
    "pid": 26539,
    "tid": 26539,
    "ppid": 72885,
    "uid": 1000,
    "euid": 1000,
    "gid": 1000,
    "egid": 1000,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "gdb",
    "binary_path": "/usr/bin/gdb",
    "exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "args": "attach -p 26029"
  },
  "parent": {
    "start_time": "2025-11-26T17:42:04.042Z",
    "cloned": false,
    "pid": 72885,
    "tid": 72885,
    "ppid": 72741,
    "uid": 1000,
    "euid": 1000,
    "gid": 1000,
    "egid": 1000,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "zsh",
    "binary_path": "/usr/bin/zsh",
    "exec_id": "ODUwMDA6ODY5NTI0OTM4NjAzNzMz",
    "parent_exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
    "args": ""
  },
  "process_event": {
    "type": "PtraceAccessCheck",
    "child": {
      "start_time": "2025-12-11T12:06:49.791Z",
      "cloned": false,
      "pid": 26029,
      "tid": 26029,
      "ppid": 2230022,
      "uid": 1000,
      "euid": 1000,
      "gid": 1000,
      "egid": 1000,
      "auid": 1000,
      "cap_inheritable": "",
      "cap_permitted": "",
      "cap_effective": "",
      "secureexec": "",
      "filename": "vim.basic",
      "binary_path": "/usr/bin/vim.basic",
      "exec_id": "ODQ3MjQ6ODY5NTEwNDE4NzgyMjAx",
      "parent_exec_id": "ODQ2NjI6ODY5NTA3NzcwMDAwMDAw",
      "args": "./evets.log"
    },
    "mode": "PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS"
  },
  "blocked": false,
  "timestamp": "2025-12-11T12:07:20.712Z"
}

BprmCheck

{
  "blocked": true,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
    "filename": "sandbox-b2a60a831c22e140",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84930,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:46.078Z",
    "tid": 84930,
    "uid": 0
  },
  "process": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 0,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": true,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODUwMDA6ODY5NTI0OTM4NjAzNzMz",
    "filename": "sandbox-b2a60a831c22e140",
    "gid": 0,
    "parent_exec_id": "ODQ5MzA6ODY5NTIxMDYwMDAwMDAw",
    "pid": 85000,
    "ppid": 84930,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:49.957Z",
    "tid": 85000,
    "uid": 0
  },
  "process_event": {
    "binary": "/tmp/bombini-test-qvhme/ls",
    "type": "BprmCheck"
  },
  "rule": "BprmCheckTestRule",
  "timestamp": "2026-04-30T11:43:49.957Z",
  "type": "ProcessEvent"
}

ExecveSandbox

{
  "blocked": true,
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_procmon_execve_sandbox",
    "auid": 535357931,
    "binary_path": "/home/lima.linux/bombini/target/release/deps/procmon-48b2b61de1b256a2",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MTIzNjU6ODU5MTk4MDAwMDAwMA",
    "filename": "procmon-48b2b61de1b256a2",
    "gid": 0,
    "parent_exec_id": "MTIyMDM6ODUzODIxMDAwMDAwMA",
    "pid": 12365,
    "ppid": 12203,
    "secureexec": "",
    "start_time": "2026-07-06T13:30:27.923Z",
    "tid": 12365,
    "uid": 0
  },
  "process": {
    "args": "-la -h",
    "auid": 535357931,
    "binary_path": "/usr/bin/ls",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MTIzNzk6ODU5MzAyOTczMzIyMA",
    "filename": "ls",
    "gid": 0,
    "parent_exec_id": "MTIzNjU6ODU5MTk4MDAwMDAwMA",
    "pid": 12379,
    "ppid": 12365,
    "secureexec": "",
    "start_time": "2026-07-06T13:30:28.972Z",
    "tid": 12379,
    "uid": 0
  },
  "process_event": {
    "type": "ExecveSandbox"
  },
  "rule": "ExecveSandboxTestRule",
  "timestamp": "2026-07-06T13:30:28.972Z",
  "type": "ProcessEvent"
}

FileMon

FileEvent represent a collection of events related to file / filesystem operations.

PathTruncate

Event is triggered when file is truncated by truncate syscall.

{
  "blocked": false,
  "hook": {
    "path": "/tmp/bombini-test-ouG0p/bombini-test-truncate",
    "type": "PathTruncate"
  },
  "parent": {
    "args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "filename": "cargo",
    "gid": 0,
    "parent_exec_id": "Mjk1NTc6ODYxMTYwMTYwMDAwMDAw",
    "pid": 29558,
    "ppid": 29557,
    "secureexec": "",
    "start_time": "2026-04-30T09:24:25.178Z",
    "tid": 29558,
    "uid": 0
  },
  "process": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "rule": "TruncateTestRule",
  "timestamp": "2026-04-30T09:25:40.554Z",
  "type": "FileEvent"
}

Event is triggered when file is deleted.

{
  "blocked": false,
  "hook": {
    "path": "/tmp/bombini-test-QCS8G/bombini-test-unlink",
    "type": "PathUnlink"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "process": {
    "args": "/tmp/bombini-test-QCS8G/bombini-test-unlink",
    "auid": 1000,
    "binary_path": "/usr/bin/rm",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzA0NTU6ODYxMjM3OTAxMTk2NDY0",
    "filename": "rm",
    "gid": 0,
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "pid": 30455,
    "ppid": 30195,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:42.919Z",
    "tid": 30455,
    "uid": 0
  },
  "rule": "UnlinkTestRule",
  "timestamp": "2026-04-30T09:25:42.920Z",
  "type": "FileEvent"
}

Event is triggered when symbolic link is created.

{
  "blocked": false,
  "hook": {
    "link_path": "/tmp/bombini-test-LcAq6/bombini_test_symlink_1",
    "old_path": "/tmp/bombini-test-symlink-F7rij",
    "type": "PathSymlink"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "process": {
    "args": "-s /tmp/bombini-test-symlink-F7rij /tmp/bombini-test-LcAq6/bombini_test_symlink_1",
    "auid": 1000,
    "binary_path": "/usr/bin/ln",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAzOTA6ODYxMjMzMjc4Mzg5MjUy",
    "filename": "ln",
    "gid": 0,
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "pid": 30390,
    "ppid": 30195,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:38.296Z",
    "tid": 30390,
    "uid": 0
  },
  "rule": "SymlinkTestRule",
  "timestamp": "2026-04-30T09:25:38.297Z",
  "type": "FileEvent"
}

FileOpen

{
  "blocked": true,
  "hook": {
    "access_mode": "O_WRONLY",
    "creation_flags": "O_CREAT | O_TRUNC | O_LARGEFILE",
    "gid": 0,
    "i_mode": "-rw-r--r--",
    "path": "/tmp/bombini-test-lJKrO/config/filemon.yaml",
    "type": "FileOpen",
    "uid": 0
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/sandbox-b2a60a831c22e140",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzA5OTc6ODYxMjgzMjQwMDAwMDAw",
    "filename": "sandbox-b2a60a831c22e140",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30997,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:26:28.258Z",
    "tid": 30997,
    "uid": 0
  },
  "process": {
    "args": "-c echo 'Hello' > /tmp/bombini-test-lJKrO/config/filemon.yaml",
    "auid": 1000,
    "binary_path": "/usr/bin/dash",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzEwMjA6ODYxMjg0NzQ2Nzc2ODU0",
    "filename": "dash",
    "gid": 0,
    "parent_exec_id": "MzA5OTc6ODYxMjgzMjQwMDAwMDAw",
    "pid": 31020,
    "ppid": 30997,
    "secureexec": "",
    "start_time": "2026-04-30T09:26:29.765Z",
    "tid": 31020,
    "uid": 0
  },
  "rule": "OpenTestSandBoxRule",
  "timestamp": "2026-04-30T09:26:29.765Z",
  "type": "FileEvent"
}

PathChmod

{
  "blocked": false,
  "hook": {
    "i_mode": "?rw-r--r--",
    "path": "/tmp/bombini-test-E7eJb/config/filemon.yaml",
    "type": "PathChmod"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "process": {
    "args": "+w /tmp/bombini-test-E7eJb/config/filemon.yaml",
    "auid": 1000,
    "binary_path": "/usr/bin/chmod",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAzMTg6ODYxMjI3NzI0MzU5NjIy",
    "filename": "chmod",
    "gid": 0,
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "pid": 30318,
    "ppid": 30195,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:32.742Z",
    "tid": 30318,
    "uid": 0
  },
  "rule": "ChmodTestRule",
  "timestamp": "2026-04-30T09:25:32.744Z",
  "type": "FileEvent"
}

PathChown

{
  "blocked": false,
  "hook": {
    "gid": 0,
    "path": "/tmp/bombini-test-JbqTN/config/filemon.yaml",
    "type": "PathChown",
    "uid": 0
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "process": {
    "args": "0:0 /tmp/bombini-test-JbqTN/config/filemon.yaml",
    "auid": 1000,
    "binary_path": "/usr/bin/chown",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAzNTk6ODYxMjMwODg5NzM5NDcz",
    "filename": "chown",
    "gid": 0,
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "pid": 30359,
    "ppid": 30195,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:35.908Z",
    "tid": 30359,
    "uid": 0
  },
  "rule": "ChownTestRule",
  "timestamp": "2026-04-30T09:25:35.910Z",
  "type": "FileEvent"
}

SbMount

Event is triggered when block device is mounted.

{
  "type": "FileEvent",
  "process": {
    "start_time": "2025-12-11T13:07:53.637Z",
    "cloned": false,
    "pid": 83289,
    "tid": 83289,
    "ppid": 83119,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 4294967295,
    "cap_inheritable": "",
    "cap_permitted": "ALL_CAPS",
    "cap_effective": "ALL_CAPS",
    "secureexec": "",
    "filename": "busybox",
    "binary_path": "/bin/busybox",
    "args": "/dev/sda1 /mnt",
    "exec_id": "MzAzNTk6ODYxMjMwODg5NzM5NDcz",
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "container_id": "161287b604973779d82648fbbf6a418"
  },
  "parent": {
    "start_time": "2025-12-11T13:07:46.743Z",
    "cloned": false,
    "pid": 83119,
    "tid": 83119,
    "ppid": 83097,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 4294967295,
    "cap_inheritable": "",
    "cap_permitted": "ALL_CAPS",
    "cap_effective": "ALL_CAPS",
    "secureexec": "",
    "filename": "busybox",
    "binary_path": "/bin/busybox",
    "args": "",
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "container_id": "161287b604973779d82648fbbf6a418"
  },
  "hook": {
    "type": "SbMount",
    "dev": "/dev/sda1",
    "mnt": "/mnt",
    "flags": 1306860944
  },
  "blocked": false,
  "timestamp": "2025-12-11T13:07:53.637Z"
}

MmapFile

{
  "blocked": false,
  "hook": {
    "flags": "MAP_SHARED",
    "path": "/tmp/bombini-test-VB2Ri/config/filemon.yaml",
    "prot": "PROT_READ | PROT_WRITE",
    "type": "MmapFile"
  },
  "parent": {
    "args": "test --release --features=examples -- -q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "filename": "cargo",
    "gid": 0,
    "parent_exec_id": "Mjk1NTc6ODYxMTYwMTYwMDAwMDAw",
    "pid": 29558,
    "ppid": 29557,
    "secureexec": "",
    "start_time": "2026-04-30T09:24:25.178Z",
    "tid": 29558,
    "uid": 0
  },
  "process": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "rule": "MmapFileTestRule",
  "timestamp": "2026-04-30T09:25:27.599Z",
  "type": "FileEvent"
}

FileIoctl

{
  "blocked": false,
  "hook": {
    "cmd": 4712,
    "i_mode": "brw-rw----",
    "path": "/dev/loop0",
    "type": "FileIoctl"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/filemon-39a009b56d273b88",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "filename": "filemon-39a009b56d273b88",
    "gid": 0,
    "parent_exec_id": "Mjk1NTg6ODYxMTYwMTYwMDAwMDAw",
    "pid": 30195,
    "ppid": 29558,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:24.928Z",
    "tid": 30195,
    "uid": 0
  },
  "process": {
    "args": "-l",
    "auid": 1000,
    "binary_path": "/usr/sbin/fdisk",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "MzAyMTk6ODYxMjIwOTE5NzQxMzc5",
    "filename": "fdisk",
    "gid": 0,
    "parent_exec_id": "MzAxOTU6ODYxMjE5OTEwMDAwMDAw",
    "pid": 30219,
    "ppid": 30195,
    "secureexec": "",
    "start_time": "2026-04-30T09:25:25.938Z",
    "tid": 30219,
    "uid": 0
  },
  "rule": "IoctlTestRule",
  "timestamp": "2026-04-30T09:25:25.941Z",
  "type": "FileEvent"
}

NetMon

NetworkEvent represents a collection of events which describe ingress/egress TCP connections over ipv4/v6.

TcpConnectionEstablish

Example:

nc -l 7878
telnet -6 localhost 7878
{
  "network_event": {
    "cookie": 32771,
    "daddr": "::1",
    "dport": 7879,
    "saddr": "::1",
    "sport": 59986,
    "type": "TcpConnectionEstablish"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "filename": "netmon-8844df73ce6a95b2",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84537,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:19.288Z",
    "tid": 84537,
    "uid": 0
  },
  "process": {
    "args": "-6 localhost 7879",
    "auid": 1000,
    "binary_path": "/usr/bin/inetutils-telnet",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjA6ODY5NTA2ODg5NjExMjM4",
    "filename": "inetutils-telnet",
    "gid": 0,
    "parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "pid": 84660,
    "ppid": 84537,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:31.908Z",
    "tid": 84660,
    "uid": 0
  },
  "rule": "NetMonIpv6Test",
  "timestamp": "2026-04-30T11:43:31.910Z",
  "type": "NetworkEvent"
}

Example:

nc -l 7878
telnet localhost 7878
{
  "network_event": {
    "cookie": 4099,
    "daddr": "127.0.0.1",
    "dport": 7878,
    "saddr": "127.0.0.1",
    "sport": 53484,
    "type": "TcpConnectionEstablish"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "filename": "netmon-8844df73ce6a95b2",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84537,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:19.288Z",
    "tid": 84537,
    "uid": 0
  },
  "process": {
    "args": "localhost 7878",
    "auid": 1000,
    "binary_path": "/usr/bin/inetutils-telnet",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2MDY6ODY5NTAwMjc2MTA1NTEz",
    "filename": "inetutils-telnet",
    "gid": 0,
    "parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "pid": 84606,
    "ppid": 84537,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:25.294Z",
    "tid": 84606,
    "uid": 0
  },
  "rule": "NetMonIpv4Test",
  "timestamp": "2026-04-30T11:43:25.295Z",
  "type": "NetworkEvent"
}

TcpConnectionClose

Example:

nc -l 7878
telnet -6 localhost 7878
{
  "network_event": {
    "cookie": 32771,
    "daddr": "::1",
    "dport": 7879,
    "saddr": "::1",
    "sport": 59986,
    "type": "TcpConnectionClose"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "filename": "netmon-8844df73ce6a95b2",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84537,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:19.288Z",
    "tid": 84537,
    "uid": 0
  },
  "process": {
    "args": "-6 localhost 7879",
    "auid": 1000,
    "binary_path": "/usr/bin/inetutils-telnet",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2NjA6ODY5NTA2ODg5NjExMjM4",
    "filename": "inetutils-telnet",
    "gid": 0,
    "parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "pid": 84660,
    "ppid": 84537,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:31.908Z",
    "tid": 84660,
    "uid": 0
  },
  "timestamp": "2026-04-30T11:43:31.910Z",
  "type": "NetworkEvent"
}

Example:

nc -l 7878
telnet localhost 7878
{
  "network_event": {
    "cookie": 4099,
    "daddr": "127.0.0.1",
    "dport": 7878,
    "saddr": "127.0.0.1",
    "sport": 53484,
    "type": "TcpConnectionClose"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/netmon-8844df73ce6a95b2",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "filename": "netmon-8844df73ce6a95b2",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84537,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:19.288Z",
    "tid": 84537,
    "uid": 0
  },
  "process": {
    "args": "localhost 7878",
    "auid": 1000,
    "binary_path": "/usr/bin/inetutils-telnet",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ2MDY6ODY5NTAwMjc2MTA1NTEz",
    "filename": "inetutils-telnet",
    "gid": 0,
    "parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "pid": 84606,
    "ppid": 84537,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:25.294Z",
    "tid": 84606,
    "uid": 0
  },
  "timestamp": "2026-04-30T11:43:25.296Z",
  "type": "NetworkEvent"
}

TcpConnectionAccept

Example:

nc -l 7878
telnet localhost 7878
{
  "type": "NetworkEvent",
  "process": {
    "start_time": "2025-12-11T12:31:29.950Z",
    "cloned": false,
    "pid": 47767,
    "tid": 47767,
    "ppid": 2230022,
    "uid": 1000,
    "euid": 1000,
    "gid": 1000,
    "egid": 1000,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "nc.openbsd",
    "binary_path": "/usr/bin/nc.openbsd",
    "exec_id": "ODQ1ODY6ODY5NDk4Nzc1Njg0MTEx",
    "parent_exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "args": "-l 7878"
  },
  "parent": {
    "start_time": "2025-12-04T07:30:11.663Z",
    "cloned": false,
    "pid": 2230022,
    "tid": 2230022,
    "ppid": 72741,
    "uid": 1000,
    "euid": 1000,
    "gid": 1000,
    "egid": 1000,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "zsh",
    "binary_path": "/usr/bin/zsh",
    "exec_id": "ODQ1Mzc6ODY5NDk0MjcwMDAwMDAw",
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "args": ""
  },
  "network_event": {
    "type": "TcpConnectionAccept",
    "saddr": "0.0.0.0",
    "daddr": "0.0.0.0",
    "sport": 7878,
    "dport": 0,
    "cookie": 8283
  },
  "timestamp": "2025-12-11T12:31:34.646Z"
}

SocketCreate

Example:

nc -l 7878
{
  "type": "NetworkEvent",
  "process": {
    "start_time": "2026-05-28T15:45:13.131Z",
    "cloned": false,
    "pid": 3445,
    "tid": 3445,
    "ppid": 1778,
    "uid": 535357931,
    "euid": 535357931,
    "gid": 1000,
    "egid": 1000,
    "auid": 535357931,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "nc.openbsd",
    "binary_path": "/usr/bin/nc.openbsd",
    "args": "-l 7878",
    "exec_id": "MzQ0NToxMTUwMDI0MjcxNTAxNA",
    "parent_exec_id": "MTc3ODoxMjc2MDAwMDAwMA"
  },
  "parent": {
    "start_time": "2026-05-28T12:33:45.648Z",
    "cloned": false,
    "pid": 1778,
    "tid": 1778,
    "ppid": 1700,
    "uid": 535357931,
    "euid": 535357931,
    "gid": 1000,
    "egid": 1000,
    "auid": 535357931,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "bash",
    "binary_path": "/usr/bin/bash",
    "args": "--login",
    "exec_id": "MTc3ODoxMjc2MDAwMDAwMA",
    "parent_exec_id": "MTcwMDo5NjEwMDAwMDAw"
  },
  "blocked": false,
  "network_event": {
    "type": "SocketCreate",
    "family": "AF_INET",
    "sock_type": "SOCK_STREAM",
    "flags": "",
    "protocol": 6
  },
  "timestamp": "2026-05-28T15:45:13.133Z"
}

SocketConnect

Example:

nc -l 7871
telnet localhost 7871
{
  "type": "NetworkEvent",
  "process": {
    "start_time": "2026-05-31T13:56:01.177Z",
    "cloned": false,
    "pid": 17649,
    "tid": 17649,
    "ppid": 1830,
    "uid": 535357931,
    "euid": 535357931,
    "gid": 1000,
    "egid": 1000,
    "auid": 535357931,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "inetutils-telnet",
    "binary_path": "/usr/bin/inetutils-telnet",
    "args": "-4 localhost 7871",
    "exec_id": "MTc2NDk6ODg1Njg1ODQ4OTg0MQ",
    "parent_exec_id": "MTgzMDoyMTUxMDAwMDAwMA"
  },
  "parent": {
    "start_time": "2026-05-31T11:28:45.829Z",
    "cloned": false,
    "pid": 1830,
    "tid": 1830,
    "ppid": 1753,
    "uid": 535357931,
    "euid": 535357931,
    "gid": 1000,
    "egid": 1000,
    "auid": 535357931,
    "cap_inheritable": "",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "bash",
    "binary_path": "/usr/bin/bash",
    "args": "--login",
    "exec_id": "MTgzMDoyMTUxMDAwMDAwMA",
    "parent_exec_id": "MTc1MzoxNTIyMDAwMDAwMA"
  },
  "blocked": false,
  "network_event": {
    "type": "SocketConnect",
    "family": "AF_INET",
    "sock_type": "SOCK_STREAM",
    "protocol": 6,
    "daddr": "127.0.0.1",
    "dport": 7871
  },
  "timestamp": "2026-05-31T13:56:01.181Z",
  "rule": "SocketConnecttestRule"
}

KernelMon

KernelEvent represent a collection of events related to kernel modification/intergration.

BpfMapCreate

Event is triggered when BPF map is created.

{
  "blocked": false,
  "kernel_event": {
    "key_size": 1024,
    "map_type": "BPF_MAP_TYPE_HASH",
    "max_entries": 4096,
    "name": "AT_exec_count",
    "type": "BpfMapCreate",
    "value_size": 8
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "filename": "kernelmon-f8c2496bd03fa01a",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84403,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:04.228Z",
    "tid": 84403,
    "uid": 0
  },
  "process": {
    "args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
    "auid": 1000,
    "binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
    "filename": "bpftrace",
    "gid": 0,
    "parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "pid": 84477,
    "ppid": 84403,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:11.264Z",
    "tid": 84477,
    "uid": 0
  },
  "rule": "KernelMonBpfMapCreateTest",
  "timestamp": "2026-04-30T11:43:17.578Z",
  "type": "KernelEvent"
}

BpfMapAccess

Event is triggered when BPF map is accessed by userspace.

{
  "blocked": false,
  "kernel_event": {
    "access_mode": "O_RDWR",
    "id": 11702,
    "map_type": "BPF_MAP_TYPE_HASH",
    "name": "AT_exec_count",
    "type": "BpfMapAccess"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "filename": "kernelmon-f8c2496bd03fa01a",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84403,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:04.228Z",
    "tid": 84403,
    "uid": 0
  },
  "process": {
    "args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
    "auid": 1000,
    "binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
    "filename": "bpftrace",
    "gid": 0,
    "parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "pid": 84477,
    "ppid": 84403,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:11.264Z",
    "tid": 84477,
    "uid": 0
  },
  "rule": "KernelMonBpfMapTest",
  "timestamp": "2026-04-30T11:43:17.578Z",
  "type": "KernelEvent"
}

BpfProgLoad

Event is triggered when BPF program is loaded into the kernel.

{
  "blocked": false,
  "kernel_event": {
    "name": "rawtracepoint_v",
    "prog_type": "BPF_PROG_TYPE_TRACING",
    "type": "BpfProgLoad"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "filename": "kernelmon-f8c2496bd03fa01a",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84403,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:04.228Z",
    "tid": 84403,
    "uid": 0
  },
  "process": {
    "args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
    "auid": 1000,
    "binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
    "filename": "bpftrace",
    "gid": 0,
    "parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "pid": 84477,
    "ppid": 84403,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:11.264Z",
    "tid": 84477,
    "uid": 0
  },
  "rule": "KernelMonBpfProgLoadTest",
  "timestamp": "2026-04-30T11:43:17.578Z",
  "type": "KernelEvent"
}

BpfProgAccess

Event is triggered when BPF program is accessed by userspace.

{
  "blocked": false,
  "kernel_event": {
    "hook": "sched_process_exec",
    "id": 1657,
    "name": "rawtracepoint_v",
    "prog_type": "BPF_PROG_TYPE_TRACING",
    "type": "BpfProgAccess"
  },
  "parent": {
    "args": "-q --show-output --test-threads 1 test_6_2_ test_6_8_",
    "auid": 1000,
    "binary_path": "/home/fedotoff/bombini/target/release/deps/kernelmon-f8c2496bd03fa01a",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "filename": "kernelmon-f8c2496bd03fa01a",
    "gid": 0,
    "parent_exec_id": "ODQxMDU6ODY5NDYyNDQwMDAwMDAw",
    "pid": 84403,
    "ppid": 84105,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:04.228Z",
    "tid": 84403,
    "uid": 0
  },
  "process": {
    "args": "-v -e rawtracepoint:sched_process_exec { @exec_count[str(((struct linux_binprm *)arg2)->filename)]++; }",
    "auid": 1000,
    "binary_path": "/nix/store/z49imdq9s4w9syjpnsab1jdh4xaccymm-bpftrace/bin/bpftrace",
    "cap_effective": "ANY_CAPS",
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cloned": false,
    "egid": 0,
    "euid": 0,
    "exec_id": "ODQ0Nzc6ODY5NDg2MjQ1NzU5MTkz",
    "filename": "bpftrace",
    "gid": 0,
    "parent_exec_id": "ODQ0MDM6ODY5NDc5MjEwMDAwMDAw",
    "pid": 84477,
    "ppid": 84403,
    "secureexec": "",
    "start_time": "2026-04-30T11:43:11.264Z",
    "tid": 84477,
    "uid": 0
  },
  "rule": "KernelMonBpfProgTest",
  "timestamp": "2026-04-30T11:43:17.579Z",
  "type": "KernelEvent"
}

Note: hook field is available for specific BPF program types. For example, for BPF_PROG_TYPE_TRACING, BPF_PROG_TYPE_LSM and some others.

IOUringMon

For these IORING_OP’s Bombini provides extra information:

  • IORING_OP_OPENAT / IORING_OP_OPENAT2
  • IORING_OP_STATX
  • IORING_OP_UNLINKAT
  • IORING_OP_CONNECT
  • IORING_OP_ACCEPT

For other event types only opcode is provided.

IORING_OP_CONNECT

{
  "type": "IOUringEvent",
  "process": {
    "start_time": "2026-04-30T12:14:56.094Z",
    "cloned": false,
    "pid": 101235,
    "tid": 101235,
    "ppid": 101234,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "agent",
    "binary_path": "/home/fedotoff/RingReaper/agent",
    "args": "",
    "exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
    "parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
  },
  "parent": {
    "start_time": "2026-04-30T12:14:56.080Z",
    "cloned": true,
    "pid": 101234,
    "tid": 101234,
    "ppid": 101219,
    "uid": 1000,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 0,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "sudo",
    "binary_path": "/usr/bin/sudo",
    "args": "./agent",
    "exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
    "parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
  },
  "opcode": "IORING_OP_CONNECT",
  "op_info": {
    "addr": "127.0.0.1",
    "port": 443
  },
  "timestamp": "2026-04-30T12:14:56.094Z"
}

IORING_OP_OPENAT

{
  "type": "IOUringEvent",
  "process": {
    "start_time": "2026-04-30T12:14:56.094Z",
    "cloned": false,
    "pid": 101235,
    "tid": 101235,
    "ppid": 101234,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "agent",
    "binary_path": "/home/fedotoff/RingReaper/agent",
    "args": "",
    "exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
    "parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
  },
  "parent": {
    "start_time": "2026-04-30T12:14:56.080Z",
    "cloned": true,
    "pid": 101234,
    "tid": 101234,
    "ppid": 101219,
    "uid": 1000,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 0,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "sudo",
    "binary_path": "/usr/bin/sudo",
    "args": "./agent",
    "exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
    "parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
  },
  "opcode": "IORING_OP_OPENAT",
  "op_info": {
    "path": "/etc/passwd",
    "access_flags": "O_RDONLY",
    "creation_flags": "O_LARGEFILE"
  },
  "timestamp": "2026-04-30T12:16:20.665Z"
}

IORING_OP_STATX

{
  "type": "IOUringEvent",
  "process": {
    "start_time": "2026-04-30T12:14:56.094Z",
    "cloned": false,
    "pid": 101235,
    "tid": 101235,
    "ppid": 101234,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "agent",
    "binary_path": "/home/fedotoff/RingReaper/agent",
    "args": "",
    "exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
    "parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
  },
  "parent": {
    "start_time": "2026-04-30T12:14:56.080Z",
    "cloned": true,
    "pid": 101234,
    "tid": 101234,
    "ppid": 101219,
    "uid": 1000,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 0,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "sudo",
    "binary_path": "/usr/bin/sudo",
    "args": "./agent",
    "exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
    "parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
  },
  "opcode": "IORING_OP_STATX",
  "op_info": {
    "path": "/usr/bin/python3"
  },
  "timestamp": "2026-04-30T12:16:43.607Z"
}

IORING_OP_UNLINKAT

{
  "type": "IOUringEvent",
  "process": {
    "start_time": "2026-04-30T12:14:56.094Z",
    "cloned": false,
    "pid": 101235,
    "tid": 101235,
    "ppid": 101234,
    "uid": 0,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 1000,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "agent",
    "binary_path": "/home/fedotoff/RingReaper/agent",
    "args": "",
    "exec_id": "MTAxMjM1Ojg3MTM5MTA3NTYxMjM5MA",
    "parent_exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA"
  },
  "parent": {
    "start_time": "2026-04-30T12:14:56.080Z",
    "cloned": true,
    "pid": 101234,
    "tid": 101234,
    "ppid": 101219,
    "uid": 1000,
    "euid": 0,
    "gid": 0,
    "egid": 0,
    "auid": 0,
    "cap_inheritable": "",
    "cap_permitted": "ANY_CAPS",
    "cap_effective": "ANY_CAPS",
    "secureexec": "",
    "filename": "sudo",
    "binary_path": "/usr/bin/sudo",
    "args": "./agent",
    "exec_id": "MTAxMjM0Ojg3MTM5MTA2MjE0MzMxOA",
    "parent_exec_id": "MTAxMjE5Ojg3MTM4ODc3NzYyODAwNg"
  },
  "opcode": "IORING_OP_UNLINKAT",
  "op_info": {
    "path": "/home/fedotoff/RingReaper/agent"
  },
  "timestamp": "2026-04-30T12:17:08.674Z"
}

SysEnumMon

SysEnumMonEvent

SysEnumMonEvent represents detected system enumeration activity: at least chain_size distinct observations from the watch list were correlated inside one process tree within the window_size_sec window.

Correlation is keyed on the parent PID, so the whole chain belongs to a single parent process tree. That parent is reported once as the top-level process (restored from the ProcMon Process cache). The event then carries a chain of observations, each with its entry and a timestamp. The entry is tagged by type: Exec (from bprm_check_security, with the executed binary) or FileOpen (from file_open, with the opened path). The binary/path is captured in the event itself. For a path_prefix rule the path is the actual opened file under the prefix, not the configured prefix. The reported path is truncated to 255 bytes (MAX_FILE_PREFIX) in the output event.

{
  "type": "SysEnumMonEvent",
  "process": {
    "start_time": "2026-06-01T11:12:05.590Z",
    "cloned": false,
    "pid": 18983,
    "tid": 18983,
    "ppid": 18904,
    "uid": 1000,
    "euid": 1000,
    "gid": 1000,
    "egid": 1000,
    "auid": 1000,
    "cap_inheritable": "CAP_WAKE_ALARM",
    "cap_permitted": "",
    "cap_effective": "",
    "secureexec": "",
    "filename": "bash",
    "binary_path": "/usr/bin/bash",
    "args": "/tmp/recon.sh",
    "exec_id": "MTg5ODM6MzYzNDMzNTg0MTMwNA",
    "parent_exec_id": "MTg5MDQ6MzYyOTE1MDAwMDAwMA"
  },
  "chain": [
    {
      "entry": {
        "type": "Exec",
        "binary": "id"
      },
      "timestamp": "2026-06-01T11:12:05.591Z"
    },
    {
      "entry": {
        "type": "FileOpen",
        "path": "/etc/passwd"
      },
      "timestamp": "2026-06-01T11:12:05.592Z"
    },
    {
      "entry": {
        "type": "Exec",
        "binary": "uname"
      },
      "timestamp": "2026-06-01T11:12:05.596Z"
    }
  ],
  "timestamp": "2026-06-01T11:12:05.596Z"
}

Reference

JSON schema for all events.

FileMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "FileEvent",
  "description": "File Event",
  "type": "object",
  "properties": {
    "blocked": {
      "description": "If event is blocked by sandbox mode",
      "type": "boolean"
    },
    "hook": {
      "description": "LSM File hook info",
      "$ref": "#/$defs/LsmFileHook"
    },
    "parent": {
      "description": "Parent Information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process Information",
      "$ref": "#/$defs/Process"
    },
    "rule": {
      "description": "Rule name",
      "type": [
        "string",
        "null"
      ]
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "blocked",
    "hook",
    "timestamp"
  ],
  "$defs": {
    "ChmodInfo": {
      "type": "object",
      "properties": {
        "i_mode": {
          "description": "i_mode",
          "type": "string"
        },
        "path": {
          "description": "full path",
          "type": "string"
        }
      },
      "required": [
        "path",
        "i_mode"
      ]
    },
    "ChownInfo": {
      "type": "object",
      "properties": {
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "path": {
          "description": "full path",
          "type": "string"
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "path",
        "uid",
        "gid"
      ]
    },
    "FileOpenInfo": {
      "type": "object",
      "properties": {
        "access_mode": {
          "description": "access mode passed to open()",
          "type": "string"
        },
        "creation_flags": {
          "description": "creation flags passed to open()",
          "type": "string"
        },
        "gid": {
          "description": "Group owner GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "i_mode": {
          "description": "i_mode",
          "type": "string"
        },
        "path": {
          "description": "full path",
          "type": "string"
        },
        "uid": {
          "description": "File owner UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "path",
        "access_mode",
        "creation_flags",
        "uid",
        "gid",
        "i_mode"
      ]
    },
    "IoctlInfo": {
      "type": "object",
      "properties": {
        "cmd": {
          "description": "cmd",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "i_mode": {
          "description": "i_mode",
          "type": "string"
        },
        "path": {
          "description": "full path",
          "type": "string"
        }
      },
      "required": [
        "path",
        "i_mode",
        "cmd"
      ]
    },
    "LsmFileHook": {
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "FileOpen"
            }
          },
          "$ref": "#/$defs/FileOpenInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PathTruncate"
            }
          },
          "$ref": "#/$defs/PathInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PathUnlink"
            }
          },
          "$ref": "#/$defs/PathInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PathSymlink"
            }
          },
          "$ref": "#/$defs/PathSymlink",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PathChmod"
            }
          },
          "$ref": "#/$defs/ChmodInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PathChown"
            }
          },
          "$ref": "#/$defs/ChownInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "SbMount"
            }
          },
          "$ref": "#/$defs/MountInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "MmapFile"
            }
          },
          "$ref": "#/$defs/MmapInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "FileIoctl"
            }
          },
          "$ref": "#/$defs/IoctlInfo",
          "required": [
            "type"
          ]
        }
      ]
    },
    "MmapInfo": {
      "type": "object",
      "properties": {
        "flags": {
          "description": "mmap flags",
          "type": "string"
        },
        "path": {
          "description": "full path",
          "type": "string"
        },
        "prot": {
          "description": "mmap protection",
          "type": "string"
        }
      },
      "required": [
        "path",
        "prot",
        "flags"
      ]
    },
    "MountInfo": {
      "type": "object",
      "properties": {
        "dev": {
          "description": "device name",
          "type": "string"
        },
        "flags": {
          "description": "mount flags",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "mnt": {
          "description": "mount path",
          "type": "string"
        }
      },
      "required": [
        "dev",
        "mnt",
        "flags"
      ]
    },
    "PathInfo": {
      "type": "object",
      "properties": {
        "path": {
          "description": "full path",
          "type": "string"
        }
      },
      "required": [
        "path"
      ]
    },
    "PathSymlink": {
      "type": "object",
      "properties": {
        "link_path": {
          "description": "full path",
          "type": "string"
        },
        "old_path": {
          "description": "symlink target",
          "type": "string"
        }
      },
      "required": [
        "link_path",
        "old_path"
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}

IOUringMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "IOUringEvent",
  "description": "io_uring events",
  "type": "object",
  "properties": {
    "op_info": {
      "description": "extra info for operation",
      "$ref": "#/$defs/IOUringOpInfo"
    },
    "opcode": {
      "description": "io_uring_ops",
      "type": "string"
    },
    "parent": {
      "description": "Parent process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "opcode",
    "op_info",
    "timestamp"
  ],
  "$defs": {
    "IOUringOpInfo": {
      "anyOf": [
        {
          "type": "object",
          "properties": {
            "access_flags": {
              "type": "string"
            },
            "creation_flags": {
              "type": "string"
            },
            "path": {
              "type": "string"
            }
          },
          "required": [
            "path",
            "access_flags",
            "creation_flags"
          ]
        },
        {
          "type": "object",
          "properties": {
            "path": {
              "type": "string"
            }
          },
          "required": [
            "path"
          ]
        },
        {
          "type": "object",
          "properties": {
            "path": {
              "type": "string"
            }
          },
          "required": [
            "path"
          ]
        },
        {
          "type": "object",
          "properties": {
            "addr": {
              "type": "string"
            },
            "port": {
              "type": "integer",
              "format": "uint16",
              "maximum": 65535,
              "minimum": 0
            }
          },
          "required": [
            "addr",
            "port"
          ]
        },
        {
          "type": "null"
        }
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}

KernelMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "KernelEvent",
  "description": "Kernel Event",
  "type": "object",
  "properties": {
    "blocked": {
      "description": "If event is blocked by sandbox mode",
      "type": "boolean"
    },
    "kernel_event": {
      "description": "Kernel event",
      "$ref": "#/$defs/KernelEventType"
    },
    "parent": {
      "description": "Parent process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "rule": {
      "description": "Rule name",
      "type": [
        "string",
        "null"
      ]
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "blocked",
    "kernel_event",
    "timestamp"
  ],
  "$defs": {
    "BpfMapAccessInfo": {
      "description": "BPF map access information",
      "type": "object",
      "properties": {
        "access_mode": {
          "description": "Access mode",
          "type": "string"
        },
        "id": {
          "description": "BPF map ID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "map_type": {
          "description": "BPF map type",
          "type": "string"
        },
        "name": {
          "description": "BPF map name",
          "type": "string"
        }
      },
      "required": [
        "id",
        "name",
        "map_type",
        "access_mode"
      ]
    },
    "BpfMapCreateInfo": {
      "description": "BPF map access information",
      "type": "object",
      "properties": {
        "key_size": {
          "description": "BPF map key size",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "map_type": {
          "description": "BPF map type",
          "type": "string"
        },
        "max_entries": {
          "description": "BPF map max entries",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "name": {
          "description": "BPF map name",
          "type": "string"
        },
        "value_size": {
          "description": "BPF map value size",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "name",
        "map_type",
        "key_size",
        "value_size",
        "max_entries"
      ]
    },
    "BpfProgAccessInfo": {
      "description": "BPF program access information",
      "type": "object",
      "properties": {
        "hook": {
          "description": "hook if available",
          "type": [
            "string",
            "null"
          ]
        },
        "id": {
          "description": "BPF prog ID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "name": {
          "description": "BPF prog name",
          "type": "string"
        },
        "prog_type": {
          "description": "BPF prog type",
          "type": "string"
        }
      },
      "required": [
        "id",
        "name",
        "prog_type"
      ]
    },
    "BpfProgLoadInfo": {
      "description": "BPF program loading information",
      "type": "object",
      "properties": {
        "name": {
          "description": "BPF prog name",
          "type": "string"
        },
        "prog_type": {
          "description": "BPF prog type",
          "type": "string"
        }
      },
      "required": [
        "name",
        "prog_type"
      ]
    },
    "KernelEventType": {
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "BpfMapAccess"
            }
          },
          "$ref": "#/$defs/BpfMapAccessInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "BpfMapCreate"
            }
          },
          "$ref": "#/$defs/BpfMapCreateInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "BpfProgAccess"
            }
          },
          "$ref": "#/$defs/BpfProgAccessInfo",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "BpfProgLoad"
            }
          },
          "$ref": "#/$defs/BpfProgLoadInfo",
          "required": [
            "type"
          ]
        }
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}

NetMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "NetworkEvent",
  "description": "Network event",
  "type": "object",
  "properties": {
    "blocked": {
      "description": "If event is blocked by sandbox mode",
      "type": "boolean"
    },
    "network_event": {
      "description": "Network event",
      "$ref": "#/$defs/NetworkEventType"
    },
    "parent": {
      "description": "Parent process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "rule": {
      "description": "Rule name",
      "type": [
        "string",
        "null"
      ]
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "blocked",
    "network_event",
    "timestamp"
  ],
  "$defs": {
    "NetworkEventType": {
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "TcpConnectionEstablish"
            }
          },
          "$ref": "#/$defs/TcpConnection",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "TcpConnectionClose"
            }
          },
          "$ref": "#/$defs/TcpConnection",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "TcpConnectionAccept"
            }
          },
          "$ref": "#/$defs/TcpConnection",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "SocketCreate"
            }
          },
          "$ref": "#/$defs/SocketCreate",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "SocketConnect"
            }
          },
          "$ref": "#/$defs/SocketConnect",
          "required": [
            "type"
          ]
        }
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    },
    "SocketConnect": {
      "description": "Socket connect information",
      "type": "object",
      "properties": {
        "daddr": {
          "description": "destination IP address,",
          "type": "string"
        },
        "dport": {
          "description": "destination port",
          "type": "integer",
          "format": "uint16",
          "maximum": 65535,
          "minimum": 0
        },
        "family": {
          "description": "socket family",
          "type": "string"
        },
        "protocol": {
          "description": "socket protocol",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "sock_type": {
          "description": "socket type",
          "type": "string"
        }
      },
      "required": [
        "family",
        "sock_type",
        "protocol",
        "daddr",
        "dport"
      ]
    },
    "SocketCreate": {
      "description": "Socket creation information",
      "type": "object",
      "properties": {
        "family": {
          "description": "socket family",
          "type": "string"
        },
        "flags": {
          "description": "socket flags",
          "type": "string"
        },
        "protocol": {
          "description": "socket protocol",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "sock_type": {
          "description": "socket type",
          "type": "string"
        }
      },
      "required": [
        "family",
        "sock_type",
        "flags",
        "protocol"
      ]
    },
    "TcpConnection": {
      "description": "TCP IPv4 connection information",
      "type": "object",
      "properties": {
        "cookie": {
          "description": "socket cookie",
          "type": "integer",
          "format": "uint64",
          "minimum": 0
        },
        "daddr": {
          "description": "destination IP address,",
          "type": "string"
        },
        "dport": {
          "description": "destination port",
          "type": "integer",
          "format": "uint16",
          "maximum": 65535,
          "minimum": 0
        },
        "saddr": {
          "description": "source IP address",
          "type": "string"
        },
        "sport": {
          "description": "source port",
          "type": "integer",
          "format": "uint16",
          "maximum": 65535,
          "minimum": 0
        }
      },
      "required": [
        "saddr",
        "daddr",
        "sport",
        "dport",
        "cookie"
      ]
    }
  }
}

ProcMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ProcessExec",
  "description": "Process exec event",
  "type": "object",
  "properties": {
    "parent": {
      "description": "Parent Process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "timestamp"
  ],
  "$defs": {
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ProcessClone",
  "description": "Process clone event",
  "type": "object",
  "properties": {
    "parent": {
      "description": "Parent Process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "timestamp"
  ],
  "$defs": {
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ProcessExit",
  "description": "Process exit event",
  "type": "object",
  "properties": {
    "parent": {
      "description": "Parent Process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "timestamp"
  ],
  "$defs": {
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ProcessEvent",
  "description": "Process Event",
  "type": "object",
  "properties": {
    "blocked": {
      "description": "If event is blocked by sandbox mode",
      "type": "boolean"
    },
    "parent": {
      "description": "Parent process information",
      "anyOf": [
        {
          "$ref": "#/$defs/Process"
        },
        {
          "type": "null"
        }
      ]
    },
    "process": {
      "description": "Process information",
      "$ref": "#/$defs/Process"
    },
    "process_event": {
      "description": "Process event",
      "$ref": "#/$defs/ProcessEventType"
    },
    "rule": {
      "description": "Rule name",
      "type": [
        "string",
        "null"
      ]
    },
    "timestamp": {
      "description": "Event's date and time",
      "type": "string"
    }
  },
  "required": [
    "process",
    "blocked",
    "process_event",
    "timestamp"
  ],
  "$defs": {
    "PrctlCmdUser": {
      "description": "Enumeration of prctl supported commands",
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "Opcode": {
              "type": "integer",
              "format": "uint8",
              "maximum": 255,
              "minimum": 0
            }
          },
          "additionalProperties": false,
          "required": [
            "Opcode"
          ]
        },
        {
          "type": "object",
          "properties": {
            "PrSetDumpable": {
              "type": "integer",
              "format": "uint8",
              "maximum": 255,
              "minimum": 0
            }
          },
          "additionalProperties": false,
          "required": [
            "PrSetDumpable"
          ]
        },
        {
          "type": "object",
          "properties": {
            "PrSetKeepCaps": {
              "type": "integer",
              "format": "uint8",
              "maximum": 255,
              "minimum": 0
            }
          },
          "additionalProperties": false,
          "required": [
            "PrSetKeepCaps"
          ]
        },
        {
          "type": "object",
          "properties": {
            "PrSetName": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                }
              },
              "required": [
                "name"
              ]
            }
          },
          "additionalProperties": false,
          "required": [
            "PrSetName"
          ]
        },
        {
          "type": "object",
          "properties": {
            "PrSetSecurebits": {
              "type": "integer",
              "format": "uint32",
              "minimum": 0
            }
          },
          "additionalProperties": false,
          "required": [
            "PrSetSecurebits"
          ]
        }
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    },
    "ProcessBprmCheck": {
      "description": "Bprm_check event",
      "type": "object",
      "properties": {
        "binary": {
          "type": "string"
        }
      },
      "required": [
        "binary"
      ]
    },
    "ProcessCapset": {
      "description": "Capset event",
      "type": "object",
      "properties": {
        "effective": {
          "type": "string"
        },
        "inheritable": {
          "type": "string"
        },
        "permitted": {
          "type": "string"
        }
      },
      "required": [
        "inheritable",
        "permitted",
        "effective"
      ]
    },
    "ProcessCreateUserNs": {
      "description": "CreateUserNs event",
      "type": "object"
    },
    "ProcessEventType": {
      "description": "Process event types",
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "Setuid"
            }
          },
          "$ref": "#/$defs/ProcessSetUid",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "Setgid"
            }
          },
          "$ref": "#/$defs/ProcessSetGid",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "Setcaps"
            }
          },
          "$ref": "#/$defs/ProcessCapset",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "Prctl"
            }
          },
          "$ref": "#/$defs/ProcessPrctl",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "CreateUserNs"
            }
          },
          "$ref": "#/$defs/ProcessCreateUserNs",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "PtraceAccessCheck"
            }
          },
          "$ref": "#/$defs/ProcessPtraceAccessCheck",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "BprmCheck"
            }
          },
          "$ref": "#/$defs/ProcessBprmCheck",
          "required": [
            "type"
          ]
        },
        {
          "type": "object",
          "properties": {
            "type": {
              "type": "string",
              "const": "ExecveSandbox"
            }
          },
          "required": [
            "type"
          ]
        }
      ]
    },
    "ProcessPrctl": {
      "description": "Prctl event",
      "type": "object",
      "properties": {
        "cmd": {
          "$ref": "#/$defs/PrctlCmdUser"
        }
      },
      "required": [
        "cmd"
      ]
    },
    "ProcessPtraceAccessCheck": {
      "description": "PtraceAttach event",
      "type": "object",
      "properties": {
        "child": {
          "$ref": "#/$defs/Process"
        },
        "mode": {
          "type": "string"
        }
      },
      "required": [
        "child",
        "mode"
      ]
    },
    "ProcessSetGid": {
      "description": "Setgid event",
      "type": "object",
      "properties": {
        "egid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "flags": {
          "description": "LSM_SETID_* flag values",
          "type": "string"
        },
        "fsgid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "gid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "egid",
        "gid",
        "fsgid",
        "flags"
      ]
    },
    "ProcessSetUid": {
      "description": "Setuid event",
      "type": "object",
      "properties": {
        "euid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "flags": {
          "description": "LSM_SETID_* flag values",
          "type": "string"
        },
        "fsuid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "euid",
        "uid",
        "fsuid",
        "flags"
      ]
    }
  }
}

SysEnumMon

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "SysEnumMonEvent",
  "type": "object",
  "properties": {
    "chain": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/ChainEntry"
      }
    },
    "process": {
      "$ref": "#/$defs/Process"
    },
    "timestamp": {
      "type": "string"
    }
  },
  "required": [
    "process",
    "chain",
    "timestamp"
  ],
  "$defs": {
    "ChainEntry": {
      "type": "object",
      "properties": {
        "entry": {
          "$ref": "#/$defs/ChainEntryType"
        },
        "timestamp": {
          "type": "string"
        }
      },
      "required": [
        "entry",
        "timestamp"
      ]
    },
    "ChainEntryType": {
      "oneOf": [
        {
          "type": "object",
          "properties": {
            "binary": {
              "type": "string"
            },
            "type": {
              "type": "string",
              "const": "Exec"
            }
          },
          "required": [
            "type",
            "binary"
          ]
        },
        {
          "type": "object",
          "properties": {
            "path": {
              "type": "string"
            },
            "type": {
              "type": "string",
              "const": "FileOpen"
            }
          },
          "required": [
            "type",
            "path"
          ]
        }
      ]
    },
    "Process": {
      "description": "Process information",
      "type": "object",
      "properties": {
        "args": {
          "description": "current work directory",
          "type": "string"
        },
        "auid": {
          "description": "login UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "binary_ima_hash": {
          "description": "IMA binary hash",
          "type": [
            "string",
            "null"
          ]
        },
        "binary_path": {
          "description": "full binary path",
          "type": "string"
        },
        "cap_effective": {
          "type": "string"
        },
        "cap_inheritable": {
          "type": "string"
        },
        "cap_permitted": {
          "type": "string"
        },
        "cloned": {
          "description": "is process cloned without exec",
          "type": "boolean"
        },
        "container_id": {
          "description": "skip for host",
          "type": [
            "string",
            "null"
          ]
        },
        "egid": {
          "description": "EGID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "euid": {
          "description": "EUID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "exec_id": {
          "description": "Execution ID (hash of the process's PID and start time)",
          "type": "string"
        },
        "filename": {
          "description": "executable name",
          "type": "string"
        },
        "gid": {
          "description": "GID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "parent_exec_id": {
          "description": "Parent execution ID (hash of the parent's PID and start time)",
          "type": "string"
        },
        "pid": {
          "description": "PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "ppid": {
          "description": "Parent PID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "secureexec": {
          "description": "SETUID, SETGID, FILECAPS, FILELESS_EXEC",
          "type": "string"
        },
        "start_time": {
          "description": "last exec or clone time",
          "type": "string"
        },
        "tid": {
          "description": "TID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        },
        "uid": {
          "description": "UID",
          "type": "integer",
          "format": "uint32",
          "minimum": 0
        }
      },
      "required": [
        "start_time",
        "cloned",
        "pid",
        "tid",
        "ppid",
        "uid",
        "euid",
        "gid",
        "egid",
        "auid",
        "cap_inheritable",
        "cap_permitted",
        "cap_effective",
        "secureexec",
        "filename",
        "binary_path",
        "args",
        "exec_id",
        "parent_exec_id"
      ]
    }
  }
}

Metrics

There are 4 metrics that can be exported in OpenMetrics format. Metrics are enabled by providing metric-server-port option and exported to localhost:metric-server-port/metrics endpoint.

Events exported

  • Name: bombini_user_events_exported_total
  • Type: counter
  • Unit: number of events
  • Description: The total number of events exported by Bombini.

Errors in user space

  • Name: bombini_user_events_lost_total
  • Type: counter
  • Unit: number of events
  • Description: The total number of events lost in user space.

Errors in eBPF

  • Name: bombini_bpf_events_lost_total
  • Type: counter
  • Unit: number of events
  • Description: The total number of events lost in eBPF.

Events lost in eBPF

  • Name: bombini_bpf_events_ringbuf_lost_total
  • Type: counter
  • Unit: number of events
  • Description: The total number of events lost in eBPF due to ring buffer overflow.

Overview

Consider the design concepts through flowcharts below:

  • architecture flowchart
  • event transformation flowchart

Architecture Flowchart

---
config:
  layout: elk
  look: handDrawn
---
flowchart TB
    A["Config"] -- configure --> B["Detectors"]
    B -- manage --> C["eBPF probes"]
    B -- manage --> D["eBPF maps"]
    A -- configure --> E["Transmuters"]
    A -- configure --> F["Transmitter"]
    G["Monitor"] -- use --> E
    G["Monitor"] -- use --> F
    G["Monitor"] -- read --> H["RingBuffer"]
    E -- manage --> I["Process cache"]
    C -- send --> H

    A@{ shape: docs}
    B@{ shape: processes}
    C@{ shape: processes}
    D@{ shape: cyl}
    E@{ shape: processes}
    H@{ shape: das}
    I@{ shape: cyl}

Detector

Detector provides a common interface for loading / unloading eBPF programs, initializing maps and attaching programs to hook points. EBPF part of detectors is located here. User mode part is here. Detectors can share information between each other storing it in eBPF maps. Some parts of detectors can be reused across different detectors. Detectors submit events to user space using ring buffer. Detectors use YAML config files for initialization. Detectors are stored in Registry.

Transmuter

Transmuter provides a common interface to convert (transmute) low kernel events into serializable data structures (e.g. json). Transmuters can enrich kernel events with some user mode data and implement different types of caching. Transmuters are stored in TransmuterRegistry. One Detector can have many types of Transmuters, but usually it has only one.

Transmitter

Transmitter sends serialized events (byte arrays) to different sources (unix socket, stdout, file, etc).

Monitor

Monitor observes new low level kernel events (messages) and extracts them from ring buffer. According to event type, it fetches corresponding transmuter to convert and enrich eBPF event. Further transmuted events are send to destination with transmitter.

Config

Config provides all information about Bombini setup. It also holds options of bombini cli and config for each detector to be loaded. Detector’s configs are also provided for corresponding transmuters.

Event Transformation Flowchart

---
config:
  layout: dagre
  look: handDrawn
---
flowchart LR
    A["Kernel Events"] -- collect & apply rules --> B["eBPF probes"]
    B <-- store/update --> C["eBPF maps"]
    B -- send --> D["RingBuffer"]
    D --enrich & transform --> E["Transmuters"]
    E -- serialize --> F["Transmitter"]
    F -- send --> G["Collector"]
    E <-- store/update --> I["Process cache"]

    A@{ shape: docs}
    B@{ shape: processes}
    C@{ shape: cyl}
    D@{ shape: das}
    E@{ shape: processes}
    G@{ shape: cyl}
    I@{ shape: cyl}

Rule Engine

The rule engine executes entirely within the eBPF layer using a custom Reverse Polish Notation (RPN) interpreter. Rules are parsed using the LALRPOP framework, which generates an AST that undergoes optimization passes before being serialized into a binary format. These serialized rules are stored in dedicated eBPF maps, while in operations trigger lookups against attribute-specific eBPF maps (e.g., binary_path, ipv4_dst, etc.).

Process Execution Detection

eBPF

Process information (ProcInfo) is stored in PROCMON_PROC_MAP which is shared across all detectors. Map entries are updated with tracepoints: sched_process_exec, sched_process_fork, sched_process_exit, and security_bprm_comitting_creds LSM BPF hook. This hook is used to collect binary_path with bpf_d_path helper and IMA binary hash collection. sched_process_fork - creates an entry and sends ProcessClone event, entries are created only for thread leaders (pid == tgid). It means that Bombini doesn’t track thread creation, but in tracks events (e.g. file open, etc.) in threads. In this case, event will hold process information about its thread leader. sched_process_exec - updates entries and sends ProcessExec. sched_process_exit - mark entry as “exited” for the garbage collector and sends ProcessExit event.

User Space

In Bombini there are three event types related to process execution: ProcessExec, ProcessClone, and ProcessExit. These events are provided by corresponding Transmuters. Also, they maintain a ProcessCache to hold serializable Process structures that are used in all event types. ProcessClone event creates an entry in ProcessCache. ProcessExit event marks entry as “exited” for cache garbage collection. ProcessExec event marks as “exited” Process cache entry, related to previous clone() or exec() calls and puts new Process entry in cache.

Compatibility

Bombini supports the following Linux kernel versions: 6.2, 6,8 and 6.14. However, it might work on all 6+ kernels.

Requirements

Before run, check if LSM BPF is enabled on your system.

cat /sys/kernel/security/lsm

if there is bpf in the output, than BPF LSM is enabled. Otherwise, you have to enable it adding this line to /etc/default/grub:

GRUB_CMDLINE_LINUX="lsm=[previous lsm modules],bpf"

Update grub and reboot the system.

BTF information must be provided by your Linux kernel. Check if btf file exists:

ls -la /sys/kernel/btf/vmlinux