eBPF Guard

This project is a mini EDR built as a portfolio piece for a junior eBPF security engineer role. It observes behavior on a Linux endpoint and writes suspicious events as JSON Lines logs.

Instead of trying to imitate a large commercial EDR, this project focuses on implementing a small security pipeline end to end: collecting events from execve, openat, and connect syscalls, processing them in a user-space rule engine, and writing structured logs.

Posts

  1. Building a Mini EDR with eBPF 1: MVP Design

    This post describes the MVP structure: collecting execve, openat, and connect through tracepoints, passing events through a BPF ring buffer, and handling rule matching and JSONL output in user space. The kernel side focuses on event collection, while user space handles decisions and output.

  2. Building a Mini EDR with eBPF 2: Improving File Access Detection

    This post improves the first version of openat detection, which only observed syscall entry and could not tell whether access actually succeeded. It connects sys_enter_openat and sys_exit_openat, separates /etc/shadow access attempts from successful opens, and splits the policy into SHADOW_OPEN_ATTEMPT and SHADOW_OPEN_SUCCESS.

  3. Building a Mini EDR with eBPF 3: Reducing False Positives in SUSPICIOUS_CONNECT

    This post improves how connect events are interpreted by enriching command line context in user space and adding destination IP classification, allowlists, and suppression handling. The focus is not to expand detection blindly, but to leave logs that are more worth investigating.
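The three posts share one user-space shape: the kernel side only reports syscalls, and the decisions (pairing openat entry with its exit, classifying destinations, honouring allowlists, suppressing repeats) happen in a rule engine that writes JSON Lines. The block below is an added example written for this page, not the eBPF Guard project's own code. It needs no kernel: the event list is a constructed stand-in for what a ring buffer consumer would hand to user space, and the field names (kind, pid, tid, comm, path, ret, dst, port), the allowlist format and the suppression key are all assumptions rather than the project's schema.

```python
"""Toy user-space rule engine covering the attempt-vs-success and connect rules.

Added example, not the eBPF Guard project's own code. The EVENTS list is a
constructed stand-in for records a BPF ring buffer consumer would hand to
user space; field names and the allowlist format are assumptions.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Tuple

SHADOW_PATH = "/etc/shadow"

# Hypothetical allowlist: a comm plus the destination network it may reach
# without raising SUSPICIOUS_CONNECT.
CONNECT_ALLOWLIST = [
    ("apt", ipaddress.ip_network("0.0.0.0/0")),
]


def classify_dst(addr: str) -> str:
    """Bucket a destination address so the connect rule can ignore local traffic."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def connect_allowed(comm: str, addr: str) -> bool:
    """True when an allowlist entry covers this process and destination."""
    ip = ipaddress.ip_address(addr)
    return any(comm == c and ip in net for c, net in CONNECT_ALLOWLIST)


def run_rules(events: Iterable[dict]) -> List[dict]:
    """Turn raw syscall events into findings.

    openat is handled as an enter/exit pair keyed by (pid, tid): the enter
    event records the attempt and its path, the exit event's return value
    says whether the open succeeded (fd >= 0) or failed (negative errno).
    connect alerts only on public destinations, honours the allowlist, and
    suppresses repeats of the same (pid, dst, port) so one noisy process
    produces one log line.
    """
    pending: Dict[Tuple[int, int], dict] = {}
    seen_connects = set()
    findings: List[dict] = []
    for ev in events:
        kind = ev["kind"]
        if kind == "openat_enter":
            pending[(ev["pid"], ev["tid"])] = ev
            if ev["path"] == SHADOW_PATH:
                findings.append({"rule": "SHADOW_OPEN_ATTEMPT", "pid": ev["pid"],
                                 "comm": ev["comm"], "path": ev["path"]})
        elif kind == "openat_exit":
            enter = pending.pop((ev["pid"], ev["tid"]), None)
            if enter is not None and enter["path"] == SHADOW_PATH and ev["ret"] >= 0:
                findings.append({"rule": "SHADOW_OPEN_SUCCESS", "pid": enter["pid"],
                                 "comm": enter["comm"], "path": enter["path"], "fd": ev["ret"]})
        elif kind == "connect":
            if classify_dst(ev["dst"]) != "public" or connect_allowed(ev["comm"], ev["dst"]):
                continue
            key = (ev["pid"], ev["dst"], ev["port"])
            if key in seen_connects:
                continue  # suppressed repeat of an already-logged connection
            seen_connects.add(key)
            findings.append({"rule": "SUSPICIOUS_CONNECT", "pid": ev["pid"], "comm": ev["comm"],
                             "dst": ev["dst"], "port": ev["port"], "dst_class": "public"})
    return findings


def to_jsonl(findings: List[dict]) -> str:
    """One JSON object per line, the log format the project writes."""
    return "\n".join(json.dumps(f, sort_keys=True) for f in findings)


# Constructed sample stream; 1.2.3.4 is a placeholder public address.
EVENTS = [
    {"kind": "openat_enter", "pid": 100, "tid": 100, "comm": "cat", "path": SHADOW_PATH},
    {"kind": "openat_exit", "pid": 100, "tid": 100, "ret": -13},          # EACCES: attempt only
    {"kind": "openat_enter", "pid": 200, "tid": 200, "comm": "python3", "path": SHADOW_PATH},
    {"kind": "openat_exit", "pid": 200, "tid": 200, "ret": 3},            # fd 3: success
    {"kind": "openat_enter", "pid": 250, "tid": 250, "comm": "cat", "path": "/etc/hostname"},
    {"kind": "openat_exit", "pid": 250, "tid": 250, "ret": 3},            # uninteresting path
    {"kind": "connect", "pid": 300, "comm": "curl", "dst": "1.2.3.4", "port": 443},
    {"kind": "connect", "pid": 300, "comm": "curl", "dst": "1.2.3.4", "port": 443},  # repeat
    {"kind": "connect", "pid": 400, "comm": "apt", "dst": "1.2.3.4", "port": 80},     # allowlisted
    {"kind": "connect", "pid": 500, "comm": "psql", "dst": "10.0.0.5", "port": 5432}, # private
]

if __name__ == "__main__":
    print(to_jsonl(run_rules(EVENTS)))
```

Running it prints four lines: two SHADOW_OPEN_ATTEMPT records, one SHADOW_OPEN_SUCCESS for the process whose exit returned a valid descriptor, and a single SUSPICIOUS_CONNECT for the public destination, with the repeat, the allowlisted package manager and the private-network database connection all dropped. Keying the pending openat map on (pid, tid) rather than pid alone matters because threads of one process can have overlapping opens in flight.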

Code