eBPF-based File I/O Monitoring

Product Category

Endpoint Detection and Response (EDR)

Objective

Implement eBPF programs to monitor and capture file I/O events on Linux systems, providing detailed telemetry data for enhanced security monitoring.

Details

System Calls Intercepted: open, openat, creat, unlink, rename and related file-manipulation calls. Hooking only the legacy entry points is not enough: glibc services open() through openat, and architectures such as aarch64 have no open, unlink or rename syscall at all, so the *at variants (openat, unlinkat, renameat2) must be intercepted as well or most activity is missed.

Data Captured:

  • Timestamp
  • Process ID and Parent Process ID
  • Process file name and path
  • Command line used to initiate the process
  • Type of activity (e.g., open, rename, delete)
  • open(2) flags (access mode, O_CREAT, O_TRUNC, O_APPEND, ...) and the file mode passed on creation

Use Case

This implementation was used to detect unauthorized reads of and modifications to sensitive files, to track changes to system files for compliance purposes, and to raise real-time alerts on suspicious file activity, improving the overall security posture of the monitored hosts.
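
The following is an added example, not the project's own code, that puts the Details and Use Case sections together: a BCC-style eBPF program on the openat and unlinkat tracepoints that captures the fields listed above (timestamp, PID, PPID, comm, path, op, flags, mode), and the user-space logic that decodes each event into an activity type and checks it against a sensitive-file policy. The event layout, the policy (which processes may read or modify /etc/shadow, /etc/sudoers, /root/.ssh/, /etc/cron.d/), the process names and the sample events are all assumptions made for illustration; only the user-space part runs offline, the kernel-side program needs root and BCC.

```python
# Added example, not the project's own code: BCC-style eBPF probes on the openat/unlinkat
# tracepoints plus user-space decode/alert logic. Only the user-space part runs offline;
# the event layout, policy, process names and sample events are all constructed here.
import os
from dataclasses import dataclass
from typing import Optional
# Kernel side (BCC syntax); needs root to load. creat/rename probes follow the same pattern.
BPF_PROGRAM = r"""
#include <linux/sched.h>
struct event_t {
    u64 ts_ns; u32 pid; u32 ppid; u32 op; int flags; u32 mode;
    char comm[TASK_COMM_LEN]; char filename[256];
};
BPF_PERF_OUTPUT(events);
static __always_inline void fill(struct event_t *e, u32 op) {
    struct task_struct *t = (struct task_struct *)bpf_get_current_task();
    e->ts_ns = bpf_ktime_get_ns();
    e->pid = bpf_get_current_pid_tgid() >> 32;
    e->ppid = t->real_parent->tgid;   /* BCC rewrites this deref into bpf_probe_read */
    e->op = op;
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
}
TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    struct event_t e = {}; fill(&e, 1);
    e.flags = args->flags; e.mode = args->mode;
    bpf_probe_read_user_str(&e.filename, sizeof(e.filename), args->filename);
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
TRACEPOINT_PROBE(syscalls, sys_enter_unlinkat) {
    struct event_t e = {}; fill(&e, 2);
    bpf_probe_read_user_str(&e.filename, sizeof(e.filename), args->pathname);
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""
OP_NAMES = {1: "open", 2: "unlink"}

@dataclass
class FileEvent:
    ts_ns: int; pid: int; ppid: int; comm: str; path: str
    op: str                                   # "open" or "unlink"
    flags: int = 0; mode: int = 0; cmdline: str = ""   # cmdline comes from /proc in user space
def activity_type(op: str, flags: int) -> str:
    """Collapse syscall + open(2) flags into the verb the policy reasons about."""
    if op == "unlink":
        return "delete"
    if flags & os.O_CREAT:
        return "create"
    if flags & os.O_TRUNC:
        return "truncate"
    return "write" if flags & (os.O_WRONLY | os.O_RDWR) else "read"

# Constructed policy: which processes are expected to read / modify each sensitive path.
POLICY = {
    "/etc/shadow":  {"read": {"sshd", "sudo", "login", "su"}, "write": {"passwd", "chpasswd"}},
    "/etc/sudoers": {"read": {"sudo"}, "write": {"visudo"}},
    "/root/.ssh/":  {"read": {"sshd"}, "write": set()},
    "/etc/cron.d/": {"read": {"cron", "crond"}, "write": set()},
}

def match_policy(path: str) -> Optional[dict]:
    hits = [p for p in POLICY if path.startswith(p)]     # longest matching prefix wins
    return POLICY[max(hits, key=len)] if hits else None

def check_alert(ev: FileEvent) -> Optional[str]:
    """Alert line for a policy violation, None for expected activity."""
    rule = match_policy(ev.path)
    if rule is None:
        return None
    act = activity_type(ev.op, ev.flags)
    if ev.comm in rule["read" if act == "read" else "write"]:
        return None
    return (f"ALERT ts={ev.ts_ns} pid={ev.pid} ppid={ev.ppid} comm={ev.comm} activity={act} "
            f"path={ev.path} flags={ev.flags:#o} cmdline={ev.cmdline!r}")

def run_live() -> None:   # needs root and BCC; import deferred so the offline part works without it
    from bcc import BPF
    b = BPF(text=BPF_PROGRAM)
    def handle(cpu, data, size):
        r = b["events"].event(data)           # ctypes struct BCC generates from event_t
        ev = FileEvent(r.ts_ns, r.pid, r.ppid, r.comm.decode(errors="replace"),
                       r.filename.decode(errors="replace"), OP_NAMES.get(r.op, "unknown"), r.flags, r.mode)
        if alert := check_alert(ev):
            print(alert)
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

# Constructed events standing in for what the perf buffer would deliver.
SAMPLE_EVENTS = [
    FileEvent(1000, 812, 1, "sshd", "/etc/shadow", "open", os.O_RDONLY),
    FileEvent(2000, 4312, 4300, "python3", "/etc/shadow", "open", os.O_RDONLY, 0, "python3 dump.py"),
    FileEvent(3000, 4320, 4300, "bash", "/etc/cron.d/persist", "open", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644),
    FileEvent(4000, 4330, 4300, "rm", "/root/.ssh/authorized_keys", "unlink", 0, 0, "rm -f authorized_keys"),
    FileEvent(5000, 900, 899, "passwd", "/etc/shadow", "open", os.O_WRONLY),
]
def run_demo(events=SAMPLE_EVENTS) -> list:   # offline policy check; three alerts for SAMPLE_EVENTS
    return [a for a in map(check_alert, events) if a]
```

Running run_demo() flags the python3 read of /etc/shadow, the bash create in /etc/cron.d/ and the rm of authorized_keys, while the sshd read and passwd write pass as expected activity; run_live() as root streams the same alerts from the kernel probes. Two caveats a deployment has to handle: the sys_enter tracepoints see the raw user-supplied argument, so a relative path has to be resolved against the dfd/cwd, and the string is read before the kernel resolves it (a failed open or a symlink swapped after entry produces the same event); for a tamper-resistant, canonical path attach to the LSM hooks (for example security_file_open with bpf_d_path) or pair sys_enter with sys_exit to keep only successful calls. The command line is not available at the tracepoint and must be read from /proc/<pid>/cmdline in user space, which is racy for short-lived processes.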