ingraind
Data-first Monitoring
ingraind is a security monitoring agent built around RedBPF for complex containerized environments and endpoints. The ingraind agent uses eBPF probes to provide safe and performant instrumentation for any Linux-based environment.
InGrain provides oversight of assets and risks:
- Your customer data - an employee copying your customer database to their personal cloud store.
- Your infrastructure - an attacker executing a zero day attack to gain access to your web servers.
- Your resources - malware using your users' machines' compute resources to mine cryptocurrency.
This is what `curl https://www.linkedin.com/in/abdelhasib-naamaoui/` looks like if seen through ingraind:
Requirements
- LLVM/Clang version 9 or newer
- Rust toolchain rustup.rs
- Linux 4.15 kernel or newer including kernel headers
- capnproto
Compile
The usual Rust compilation ritual will produce a binary in `target/release`:

```
$ cargo build --release
```

or for a kernel version other than the running one:

```
$ export KERNEL_VERSION=1.2.3
$ cargo build --release
```

or with a custom kernel tree path (needs to include generated files):

```
$ export KERNEL_SOURCE=/build/linux
$ cargo build --release
```

We keep ingraind compatible with the musl target on x86_64, which you can build like so:

```
$ cargo build --release --target=x86_64-unknown-linux-musl
```
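As an added example (not part of the ingraind project), the following POSIX shell script checks the requirements listed above before running the documented build. It assumes `clang --version` prints "clang version X.Y.Z", that kernel headers live under `/lib/modules/$(uname -r)/build`, and uses a hypothetical `INGRAIND_MUSL` variable to select the musl target.

```shell
#!/bin/sh
# Pre-build check for ingraind's documented requirements (added example).
set -u

# version_ge A B: succeed if dotted version A >= B, comparing up to three
# numeric components; non-numeric suffixes such as "-91-generic" are ignored.
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# clang_major TEXT: extract the major version from `clang --version` output
# (prints nothing if TEXT does not look like clang's banner).
clang_major() {
    printf '%s\n' "$1" | sed -n 's/^.*clang version \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# preflight: check every documented requirement, report all failures, then fail.
preflight() {
    rc=0
    if command -v clang >/dev/null 2>&1; then
        major=$(clang_major "$(clang --version)")
        [ "${major:-0}" -ge 9 ] || { echo "clang ${major:-?} found, need >= 9"; rc=1; }
    else
        echo "clang not found (need LLVM/Clang 9 or newer)"; rc=1
    fi
    version_ge "$(uname -r)" 4.15 || { echo "kernel $(uname -r) is older than 4.15"; rc=1; }
    [ -d "/lib/modules/$(uname -r)/build" ] || { echo "kernel headers not found"; rc=1; }
    command -v capnp >/dev/null 2>&1 || { echo "capnproto (capnp) not found"; rc=1; }
    command -v cargo >/dev/null 2>&1 || { echo "cargo not found (install via rustup.rs)"; rc=1; }
    return "$rc"
}

# build: run the documented release build after preflight; KERNEL_VERSION is
# honoured by cargo build itself, INGRAIND_MUSL=1 (assumed name) picks musl.
build() {
    preflight || return 1
    if [ "${INGRAIND_MUSL:-0}" = 1 ]; then
        cargo build --release --target=x86_64-unknown-linux-musl
    else
        cargo build --release
    fi
}

# Only build when invoked as "sh preflight.sh build"; sourcing has no side effects.
if [ "${1:-}" = build ]; then build; fi
```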
Build a docker image
To build a Docker image, use the instructions above to build an ingraind binary for the desired kernel. By default, the Dockerfile will assume you've built ingraind for the musl target.

```
$ docker build .
```

You can specify an arbitrary ingraind binary by setting the `BINARY_PATH` build argument:

```
$ docker build --build-arg BINARY_PATH=./target/x86_64-unknown-linux-musl/release/ingraind .
```
Configuration & Run
To get an idea about the configuration file structure, consult the wiki or take a look at the example config for a full reference.
To start ingraind, run:

```
$ ./target/release/ingraind config.toml
```

Depending on the backends used in the config file, some secrets may need to be passed as environment variables. These are documented in `config.toml.example`, which should be a good starting point and a sane default to get ingraind running, printing everything to the standard output.
Repo structure
The `bpf` directory contains the BPF programs written in C. These are compiled by `build.rs`, embedded in the final binary, and managed by the grains.

The `ingraind-probes` directory contains the BPF programs written in Rust.
Anything else?
For more information, take a look at the Wiki.
Contribution
This project is for everyone. We ask that our users and contributors take a few minutes to review our [code of conduct](https://github.com/abdelhasib).
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the GPL-3.0 license, shall be licensed as GPL-3.0, without any additional terms or conditions.
For further advice on getting started, please consult the Please note that all contributions MUST contain a sign-off line.

Abdelhasib Naamaoui