Added libbpf submodule.

.github/workflows/kflowd-ci.yml

@@ -1,10 +1,11 @@
 name: kflowd-ci
 
 on:
+  workflow_dispatch:
   push:
-    branches: [ "master" ]
+    branches: [ "main" ]
   pull_request:
-    branches: [ "master" ]
+    branches: [ "main" ]
 
 jobs:
   ci:

.github/workflows/kflowd-gh-stats.yml

@@ -1,6 +1,7 @@
 name: kflowd-gh-stats
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '10 0 * * *'
 
@@ -11,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - name: 'Clone Repository'
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
@@ -33,9 +34,12 @@ jobs:
         git config user.email "<>"
         git checkout gh-stats
 
-        gh api -H "Accept: application/vnd.github+json" /repos/kflowd/kflowd/traffic/views > gh-stats-views-14d
+        gh api -H "Accept: application/vnd.github+json" /repos/tarsal-oss/kflowd/traffic/views > gh-stats-views-14d
         VIEWS_14D=$(jq ".count" gh-stats-views-14d)
         VIEWS_UNIQUE_14D=$(jq ".uniques" gh-stats-views-14d)
+        if ! [ -f gh-stats-views-all ]; then
+            echo "[]" > gh-stats-views-all
+        fi
         cp gh-stats-views-all all
         jq "[.views[]]" gh-stats-views-14d > 14d
         jq -s "add | sort_by(.timestamp,-.count) | unique_by(.timestamp) | reverse" 14d all > gh-stats-views-all
@@ -45,9 +49,12 @@ jobs:
         echo -e "{\"schemaVersion\": 1, \"label\": \"Unique 14d\", "\
                 "\"message\": \"$VIEWS_UNIQUE_14D of $VIEWS_14D\", \"color\": \"yellow\"}" > gh-stats-views-14d.json
 
-        gh api -H "Accept: application/vnd.github+json" /repos/kflowd/kflowd/traffic/clones > gh-stats-clones-14d
+        gh api -H "Accept: application/vnd.github+json" /repos/tarsal-oss/kflowd/traffic/clones > gh-stats-clones-14d
         CLONES_14D=$(jq ".count" gh-stats-clones-14d)
         CLONES_UNIQUE_14D=$(jq ".uniques" gh-stats-clones-14d)
+        if ! [ -f gh-stats-clones-all ]; then
+            echo "[]" > gh-stats-clones-all
+        fi
         cp gh-stats-clones-all all
         jq "[.clones[]]" gh-stats-clones-14d > 14d
         jq -s "add | sort_by(.timestamp,-.count) | unique_by(.timestamp) | reverse" 14d all > gh-stats-clones-all
@@ -67,7 +74,7 @@ jobs:
       uses: Mattraks/delete-workflow-runs@v2
       with:
         token: ${{ secrets.GH_STATS_TOKEN }}
-        repository: kflowd/kflowd
+        repository: tarsal-oss/kflowd
         delete_workflow_pattern: kflowd-gh-stats
         retain_days: 0
         keep_minimum_runs: 0
@@ -76,7 +83,7 @@ jobs:
       uses: Mattraks/delete-workflow-runs@v2
       with:
         token: ${{ secrets.GH_STATS_TOKEN }}
-        repository: kflowd/kflowd
+        repository: tarsal-oss/kflowd
         delete_workflow_pattern: pages-build-deployment
         retain_days: 0
         keep_minimum_runs: 0

.gitmodules

@@ -0,0 +1,7 @@
+[submodule "libbpf"]
+	path = libbpf
+	url = https://github.com/libbpf/libbpf.git
+[submodule "plugins"]
+	path = plugins
+	url = [email protected]:kflowd/kflowd-plugins.git
+	update = none

README.md

@@ -1,6 +1,6 @@
 <div align="right">
-<a href="#" target="_blank"><img src="https://img.shields.io/endpoint?url=https://kflowd.github.io/kflowd/gh-stats-version.json"/></a>
-<a href="https://github.com/kflowd/kflowd/actions/workflows/kflowd-ci.yml" target="_blank"><img src="https://github.com/kflowd/kflowd/actions/workflows/kflowd-ci.yml/badge.svg"/></a>
+<a href="#" target="_blank"><img src="https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-version.json"/></a>
+<a href="https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml" target="_blank"><img src="https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml/badge.svg"/></a>
 <a href="#license" target="_blank"><img src="https://img.shields.io/badge/License-GPL_v2-lightgrey.svg"/></a>
 </div>
 
@@ -11,14 +11,18 @@
 
 ## Kernel-based Process Monitoring on Linux Endpoints via eBPF
 
-### kflowd runs as agent on Linux endpoints to monitor processes via eBPF kernel subsystem for filesystem and TCP and UDP networking events to enable immediate threat and anomaly detection on suspicious activities.
-#### Advanced non-ebpf related features as DNS and HTTP application messsage decoding, checksum calculation for virus detection, process and file versioning for vulnerability detection and file device, network interface and user-group identification for files and processes can be enabled via open-binary plugin modules.
-
+### kflowd runs as agent on Linux endpoints to monitor processes via eBPF kernel subsystem for filesystem and TCP and UDP networking events, enabling immediate threat and anomaly detection on suspicious activities.
+#### Advanced non-ebpf related features such as DNS and HTTP application message decoding, checksum calculation for virus detection, process and file versioning for vulnerability detection and file device, network interface and user-group identification for files and processes can be enabled via open-binary plugin modules. The modules can be downloaded [here](https://tarsal.co/kflowd-download/) or please contact us at [[email protected]](mailto:[email protected]) for more details.
 kflowd contains an eBPF program running in kernel context and its control application running in userspace.<br>
 The eBPF program traces kernel functions to monitor processes based on file system and networking events. Events are aggregated into records and submitted into a ringbuffer where they are polled by the userspace control application. All Records are enriched with process information and then converted into a message in JSON output format.<br>
-Final messages are printed to stdout console and can be sent via UDP protocol to specified hosts for post-processing in the cloud.
+Final messages are printed to stdout console and can be sent via UDP protocol to specified hosts for ingestion in a security data pipeline.
 
 kflowd runs on Linux kernels 5.10+ and is built with the **libbpf+CO-RE** (Compile-Once-Run-Everywhere) eBPF development toolchain using **BTF** (BPF Type Format) to allow portability by avoiding dependencies on differences in kernel headers between kernel versions on deployment.
+<div align="left">
+<picture>
+<img src="https://github.com/tarsal-oss/kflowd/assets/108887718/50546c8e-33b1-44ba-a114-bd84519c1cc3" width="700">
+</picture>
+</div>
 
 ### JSON Output
 
@@ -36,7 +40,7 @@ kflowd outputs JSON messages generated for each record of aggregated file system
   "InfoHostIP": "38.110.1.24",
   "InfoSystem": "Linux",
   "InfoKernel": "6.1.0-10-amd64",
-  "InfoVersion": "kflowd-v1.2.50",
+  "InfoVersion": "kflowd-v0.9.1",
   "InfoUptime": 21.262713426,
   "ProcParent": "sshd",
   "Proc": "sftp-server",
@@ -92,7 +96,7 @@ kflowd outputs JSON messages generated for each record of aggregated file system
   "InfoHostIP": "38.110.1.24",
   "InfoSystem": "Linux",
   "InfoKernel": "6.1.0-10-amd64",
-  "InfoVersion": "kflowd-v1.2.50",
+  "InfoVersion": "kflowd-v0.9.1",
   "InfoUptime": 23.972984597,
   "ProcParent": "bash",
   "Proc": "curl",
@@ -180,7 +184,7 @@ kflowd outputs JSON messages generated for each record of aggregated file system
   "InfoHostIP": "38.110.1.24",
   "InfoSystem": "Linux",
   "InfoKernel": "6.1.0-10-amd64",
-  "InfoVersion": "kflowd-v1.2.50",
+  "InfoVersion": "kflowd-v0.9.1",
   "InfoUptime": 24.873001288,
   "ProcParent": "bash",
   "Proc": "curl",
@@ -292,7 +296,7 @@ For high performance UDP output the following kernel network settings are recomm
 ### Runtime Options
 ```
 Usage:
-  kflowd [-m file,socket] [-t IDLE,ACTIVE] [-e EVENTS] [-o json|table] [-v] [-c]
+  kflowd [-m file,socket] [-t IDLE,ACTIVE] [-e EVENTS] [-o json|json-min|table] [-v] [-c]
          [-p dns=PROTO/PORT,...] [-p http=PROTO/PORT,...] [-u IP:PORT] [-q] [-d] [-V]
          [-T TOKEN] [-D PROCESS], [-l] [--legend], [-h] [--help], [--version]
   -m file,socket          Monitor only specified kernel subsystem (filesystem or sockets)
@@ -308,9 +312,9 @@ Usage:
                             (supported only for rpm- and deb-based package management)
   -c                      Checksum hashes of MD5 and SHA256 calculated for executables
   -p dns=PROTO/PORT,...   Port(s) examined for decoding of DNS application protocol
-                            (default: dns=udp/53,tcp/53, disabled: dns=off)
+                            (default: 'dns=udp/53,tcp/53', disabled: 'dns=off')
   -p http=PROTO/PORT,...  Port(s) examined for decoding of HTTP application protocol
-                            (default: http=tcp/80, disabled: http=off)
+                            (default: 'http=tcp/80', disabled: 'http=off')
   -u IP:PORT,...          UDP server(s) IPv4 or IPv6 address to send json output to.
                           Output also printed to stdout console unless quiet option -q or
                             daemon mode -d specified
@@ -370,6 +374,14 @@ Examples:
       sudo ln -s /usr/bin/clang-16 /usr/bin/clang
       sudo ln -s /usr/bin/llvm-strip-16 /usr/bin/llvm-strip
       ```
+    - Install nfpm Linux packager:
+      ```
+      echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/
+            /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+      sudo apt update
+      sudo apt install nfpm
+      ```
+
 - Redhat-based (Amazon Linux, Fedora)
 
     - Install libraries:
@@ -387,10 +399,19 @@ Examples:
       sudo yum install clang*
       sudo yum install llvm*
       ```
+    - Install nfpm Linux packager:
+      ```
+      echo '[goreleaser]
+            name=GoReleaser
+            baseurl=https://repo.goreleaser.com/yum/
+            enabled=1
+            gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo
+      sudo yum install nfpm
+      ```
 
 ### Build Instructions
 ```
-git clone https://github.com/kflowd/kflowd.git
+git clone https://github.com/tarsal-oss/kflowd.git
 cd kflowd
 git submodule update --init --recursive
 cd src
@@ -404,13 +425,13 @@ Packages can be installed on Linux x86_64 and arm64 based platforms:
 sudo yum install ./kflowd-x.x.x.<amd64 | aarch64>.rpm
 sudo apt install ./kflowd-x.x.x_<x86_64 | arm64>.deb
 ```
-Note that build artifacts for all versions on x86_64 platform can be downloaded under GitHub actions:
-[Pre-built binaries and rpm/deb packages](https://github.com/kflowd/kflowd/actions/workflows/kflowd-ci.yml)
+Note that build artifacts with binaries and packages of all versions for x86_64 (glibc 2.31+) platforms can be downloaded under GitHub Actions in the Artifacts section of the kflowd-ci workflow run:\
+[Pre-built x86_64 binaries, RPM and DEB packages (zipped)](https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml)
 
 <br>
 
 ### License
-This work is licensed under [GNU General Public License v2.0](https://github.com/kflowd/kflowd/blob/master/LICENSE).
+This work is licensed under [GNU General Public License v2.0](https://github.com/tarsal-oss/kflowd/blob/master/LICENSE).
 ```
 SPDX-License-Identifier: GPL-2.0
 ```
@@ -423,9 +444,9 @@ SPDX-License-Identifier: GPL-2.0
 
 <br>
 <div align="right">
-<a href="https://github.com/kflowd/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://kflowd.github.io/kflowd/gh-stats-clones.json"/></a>
-<a href="https://github.com/kflowd/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://kflowd.github.io/kflowd/gh-stats-clones-14d.json"/></a>
+<a href="https://github.com/tarsal-oss/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-clones.json"/></a>
+<a href="https://github.com/tarsal-oss/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-clones-14d.json"/></a>
 <br>
-<a href="https://github.com/kflowd/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://kflowd.github.io/kflowd/gh-stats-views.json"/></a>
-<a href="https://github.com/kflowd/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://kflowd.github.io/kflowd/gh-stats-views-14d.json"/></a>
+<a href="https://github.com/tarsal-oss/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-views.json"/></a>
+<a href="https://github.com/tarsal-oss/kflowd/graphs/traffic" target="_blank"><img src="https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-views-14d.json"/></a>
 </div>

src/Makefile

@@ -1,10 +1,10 @@
 #
 # Makefile for kflowd
 #
-# Authors: Dirk Tennie <dirk@kflow.co>
-#          Barrett Lyon <blyon@kflow.co>
+# Authors: Dirk Tennie <dirk@tarsal.co>
+#          Barrett Lyon <blyon@tarsal.co>
 #
-# Copyright (c) 2024 Kflow.co
+# Copyright 2024 (c) Tarsal, Inc
 #
 
 OUTPUT := .output
@@ -84,12 +84,12 @@ platform: linux
 version: $(PACKAGE_VERSION)
 provides:
 - kflowd
-maintainer: "Dirk Tennie <dirk@kflow.co>"
+maintainer: "Dirk Tennie <dirk@tarsal.co>"
 description: |
-  kflowd by kflow.co
+  kflowd by Tarsal.co
   Kernel-based process monitoring for Linux via eBPF
-vendor: kflow.co
-homepage: https://www.kflow.co
+vendor: Tarsal.co
+homepage: https://www.tarsal.co
 license: "GPL 2.0"
 contents:
 - src: ../bin/kflowd

src/kflowd.bpf.c

@@ -1,10 +1,10 @@
 /*
  * kflowd.bpf.c
  *
- * Authors: Dirk Tennie <dirk@kflow.co>
- *          Barrett Lyon <blyon@kflow.co>
+ * Authors: Dirk Tennie <dirk@tarsal.co>
+ *          Barrett Lyon <blyon@tarsal.co>
  *
- * Copyright (c) 2024 Kflow.co
+ * Copyright 2024 (c) Tarsal, Inc
  *
  */
 #include "vmlinux.h"

src/kflowd.c

@@ -1,10 +1,10 @@
 /*
  * kflowd.c
  *
- * Authors: Dirk Tennie <dirk@kflow.co>
- *          Barrett Lyon <blyon@kflow.co>
+ * Authors: Dirk Tennie <dirk@tarsal.co>
+ *          Barrett Lyon <blyon@tarsal.co>
  *
- * Copyright (c) 2024 Kflow.co
+ * Copyright 2024 (c) Tarsal, Inc
  *
  */
 
@@ -39,13 +39,13 @@ static char title_str[] = "\e[1m  _     __ _                  _\n"
                           " | | __/ _| | _____      ____| |\n"
                           " | |/ / |_| |/ _ \\ \\ /\\ / / _` |\n"
                           " |   <|  _| | (_) \\ V  V / (_| |\n"
-                          " |_|\\_\\_| |_|\\___/ \\_/\\_/ \\__,_|\e[0m  by Kflow.co\n";
+                          " |_|\\_\\_| |_|\\___/ \\_/\\_/ \\__,_|\e[0m  by Tarsal.co\n";
 
-static char header_str[] = "\e[1;33mkflowd -- (c) 2024 Kflow.co\e[0m\n"
+static char header_str[] = "\e[1;33mkflowd -- (c) 2024 Tarsal, Inc\e[0m\n"
                            "\e[0;33mKernel-based Process Monitoring via eBPF subsystem (" VERSION ")\e[0m\n";
 static char usage_str[] =
     "Usage:\n"
-    "  kflowd [-m file,socket] [-t IDLE,ACTIVE] [-e EVENTS] [-o json|table] [-v] [-c]\n"
+    "  kflowd [-m file,socket] [-t IDLE,ACTIVE] [-e EVENTS] [-o json|json-min|table] [-v] [-c]\n"
     "         [-p dns=PROTO/PORT,...] [-p http=PROTO/PORT,...] [-u IP:PORT] [-q] [-d] [-V]\n"
     "         [-T TOKEN] [-D PROCESS], [-l] [--legend], [-h] [--help], [--version]\n"
     "  -m file,socket          Monitor only specified kernel subsystem (filesystem or sockets)\n"
@@ -61,9 +61,9 @@ static char usage_str[] =
     "                            (supported only for rpm- and deb-based package management)\n"
     "  -c                      Checksum hashes of MD5 and SHA256 calculated for executables\n"
     "  -p dns=PROTO/PORT,...   Port(s) examined for decoding of DNS application protocol\n"
-    "                            (default: dns=udp/53,tcp/53, disabled: dns=off)\n"
+    "                            (default: 'dns=udp/53,tcp/53', disabled: 'dns=off')\n"
     "  -p http=PROTO/PORT,...  Port(s) examined for decoding of HTTP application protocol\n"
-    "                            (default: http=tcp/80, disabled: http=off)\n"
+    "                            (default: 'http=tcp/80', disabled: 'http=off')\n"
     "  -u IP:PORT,...          UDP server(s) IPv4 or IPv6 address to send json output to.\n"
     "                          Output also printed to stdout console unless quiet option -q or\n"
     "                            daemon mode -d specified\n"

src/kflowd.h

@@ -1,10 +1,10 @@
 /*
  * kflowd.h
  *
- * Authors: Dirk Tennie <dirk@kflow.co>
- *          Barrett Lyon <blyon@kflow.co>
+ * Authors: Dirk Tennie <dirk@tarsal.co>
+ *          Barrett Lyon <blyon@tarsal.co>
  *
- * Copyright (c) 2024 Kflow.co
+ * Copyright 2024 (c) Tarsal, Inc
  *
  */
 #ifndef __KFLOWD_H