
hanshal101/bombini


Bombini: eBPF-based Security Monitoring Agent

Bombini logo


Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.

Getting Started

Please check the compatibility issues first.

The most convenient way at the moment is to build a container image with Bombini:

git clone https://github.com/bombinisecurity/bombini.git && \
cd ./bombini && \
docker build -t bombini .

Run

You can easily run Bombini with this command:

docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini

By default, Bombini writes events to stdout in JSON format and starts only the ProcMon detector, which intercepts process execs and exits. To customize your Bombini setup, please follow the configuration guide and mount your config directory into the container:

docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro -v /sys/fs/bpf:/sys/fs/bpf bombini
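The run commands above assume two things the README does not check for you: that the BPF LSM is active on the host (Bombini attaches to LSM BPF hooks) and that a bpffs is actually mounted at /sys/fs/bpf before it is bind-mounted into the container. The following preflight script is an added example, not code from the Bombini repository. It assumes the kernel exposes its active LSMs in /sys/kernel/security/lsm, that "bpf" being listed there is among the compatibility issues the README points to, that the image was tagged `bombini` as in the build step, and that the config path /usr/local/lib/bombini/config is the one the README mounts to.

```shell
#!/bin/sh
# Added preflight/run script; it is not part of the Bombini repository.
# Assumptions: the kernel lists active LSMs in /sys/kernel/security/lsm and "bpf" must be
# among them for LSM BPF hooks to attach (taken here to be one of the compatibility
# issues the README refers to); the image is tagged "bombini" and the config directory is
# mounted at /usr/local/lib/bombini/config, exactly as in the README's docker commands.

# Return 0 when "bpf" appears in a comma-separated LSM list such as
# "lockdown,capability,yama,apparmor,bpf". The list is passed as an argument so the
# function can be exercised with constructed input instead of reading sysfs.
lsm_has_bpf() {
    case ",$1," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when mount-table text in /proc/self/mounts format (one "dev mountpoint fstype ..."
# line per mount) contains a mount at the given path.
mounts_have() {
    printf '%s\n' "$1" | {
        while read -r _dev mnt _rest; do
            [ "$mnt" = "$2" ] && exit 0
        done
        exit 1
    }
}

# Wrappers that read the live system.
lsm_has_bpf_live() { lsm_has_bpf "$(cat /sys/kernel/security/lsm 2>/dev/null)"; }
bpffs_mounted()    { mounts_have "$(cat /proc/self/mounts)" /sys/fs/bpf; }

# Preflight, then start the container the way the README does. Optional first argument:
# a host directory with Bombini's configuration, bind-mounted read-only.
main() {
    config_dir="${1:-}"
    if ! lsm_has_bpf_live; then
        echo "preflight: BPF LSM is not active (enable CONFIG_BPF_LSM and add bpf to the lsm= boot parameter)" >&2
        return 1
    fi
    if ! bpffs_mounted; then
        echo "preflight: /sys/fs/bpf is not a mounted bpffs; the README's bind mount would expose an empty directory" >&2
        return 1
    fi
    if [ -n "$config_dir" ]; then
        if [ ! -d "$config_dir" ]; then
            echo "preflight: config directory '$config_dir' does not exist" >&2
            return 1
        fi
        exec docker run --pid=host --rm -it --privileged \
            -v "$config_dir:/usr/local/lib/bombini/config:ro" \
            -v /sys/fs/bpf:/sys/fs/bpf bombini
    fi
    exec docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf bombini
}

# Only run when invoked with BOMBINI_PREFLIGHT=1 (e.g. BOMBINI_PREFLIGHT=1 ./preflight.sh /etc/bombini),
# so that sourcing the file for its functions has no side effects.
if [ "${BOMBINI_PREFLIGHT:-0}" = 1 ]; then
    main "$@"
fi
```

Both checks are pure functions over text so they can be tested with constructed input; only the `_live` wrappers touch sysfs and /proc. Failing the LSM check is the more common surprise: many distribution kernels ship CONFIG_BPF_LSM but do not include `bpf` in the default `lsm=` list, in which case the agent's hooks cannot attach even though the container starts.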

Build

To build Bombini from source, please follow the build guide.

Contributing

Please check out CONTRIBUTING.md for the contributing guidelines.

About

eBPF Security Monitoring Agent Based on Aya
