Linuxevents
eBPF-based monitoring without shipping kernel headers or a stack of environment-specific bytecode artifacts.
Best for
Collecting process and network telemetry with fewer deployment assumptions.
Surface
Linux / eBPF
Catalog group
Inspect operating systems and endpoint surfaces
Repository
trailofbits/linuxevents
From the README
This is a proof-of-concept for a container-aware process and network event publisher library with no runtime dependencies (i.e. kernel headers). It works by using LLVM/Clang, the BTF debug information (btfparse) and our C++ BPF utilities (ebpf-common).

1. Download and extract the osquery-toolchain
2. Clone the repository: git clone --recursive https://github.com/trailofbits/linuxevents
3.
Related tools · Inspect operating systems and endpoint surfaces
- ebpfpub Monitors system and library calls across multiple kernel versions with minimal runtime dependencies.
- ebpf-verifier Research prototype for running the eBPF verifier outside the live kernel to make cross-version testing practical.
- winchecksec Static inspection of Windows binaries for mitigations like DEP, ASLR, and code integrity.
- pe-parse Minimal, security-focused parser for Portable Executable files built to survive malicious or malformed inputs.
- osquery-extensions Collection of Trail of Bits extensions that expand what osquery can inspect and expose.