Elkeid is a cloud-native, host-based intrusion detection solution that provides next-generation threat detection and behavior auditing on a modern architecture.

Elkeid

(Originated from AgentSmith-HIDS, but now it’s not just HIDS)

Elkeid is a Linux-based host security solution (intrusion detection and risk identification) that supports cloud-native environments.

Elkeid Architecture

Elkeid Host Ability

  • Elkeid Agent: Linux userspace agent, responsible for managing the various plugins and communicating with Elkeid Server.
  • Elkeid Driver: Collects data in the Linux kernel, supports container environments, and communicates with the Elkeid Driver Plugin.
  • Elkeid RASP: Runtime data probes for CPython, Golang, JVM and NodeJS, with support for dynamic injection into the runtime.
  • Elkeid Agent Plugin List
    • Driver Plugin: Responsible for managing the Elkeid Driver and processing the driver data.
    • Collector Plugin: Responsible for collecting asset and log information on the Linux system, such as the user list, crontab, package information, etc.
    • Journal Watcher: Responsible for monitoring systemd logs; currently supports collecting and reporting SSH-related logs.
    • Scanner Plugin: Responsible for static detection of malicious files on the host; currently supports YARA.
    • RASP Plugin: Responsible for managing RASP components and processing data collected from RASP; not open source yet.

The above components can provide these data:

Elkeid Backend Ability

  • Elkeid AgentCenter: Responsible for communicating with the Agent, collecting Agent data, performing simple processing on it and then aggregating it into the MQ. It is also responsible for managing the Agent, including Agent upgrades, configuration changes, task distribution, etc.
  • Elkeid ServiceDiscovery: Every backend component registers with this component and synchronizes service information with it regularly, so that the instances in each service module are visible to each other and can communicate directly.
  • Elkeid Manager: Responsible for managing the entire backend and providing the related query and management APIs.

Elkeid Advantage

The current open source modules lack a rule engine and detection rules, so they cannot provide intrusion detection capabilities on their own. However, the open source part can be easily integrated with other HIDS/NIDS/XDR solutions, or you can process the collected data yourself to meet your own needs. Elkeid has the following main advantages:

  • Excellent Performance: With the help of Elkeid Driver and many custom developments, the end-to-end capability is excellent.
  • Born For Intrusion Detection: Data collection is designed for high-intensity confrontation, and targeted data collection is available for many advanced confrontation scenarios such as kernel rootkits, privilege escalation, and fileless attacks.
  • Support Cloud Native: Cloud-native environments are supported, from end-to-end capabilities to back-end deployment.
  • One-million-level Production Environment Verification: The whole system has been verified internally at million-level scale, and its stability and performance have been tested from the endpoint to the server. Elkeid is not just a PoC, it is production-level; the open source version is the internal Release Version.
  • Secondary Development Friendly: Elkeid makes secondary development easy and accommodates growing customization needs.

Quick Start

Contact us && Cooperation

Lark Group

License

  • Elkeid Driver: GPLv2
  • Elkeid RASP: Apache-2.0
  • Elkeid Agent: Apache-2.0
  • Elkeid Server: Apache-2.0

404StarLink 2.0 - Galaxy

Elkeid has joined 404Team 404StarLink 2.0 - Galaxy

Comments
  • Elkeid/rasp/php/ build fails

    -- Using the single-header code from /Elkeid/rasp/php/build/_deps/json-src/single_include/
    -- 
    --         ---( Libevent 2.1.12-stable )---
    -- 
    -- Available event backends: 
    -- CMAKE_BINARY_DIR:         /Elkeid/rasp/php/build
    -- CMAKE_CURRENT_BINARY_DIR: /Elkeid/rasp/php/build/_deps/libevent-build
    -- CMAKE_SOURCE_DIR:         /Elkeid/rasp/php
    -- CMAKE_CURRENT_SOURCE_DIR: /Elkeid/rasp/php/build/_deps/libevent-src
    -- PROJECT_BINARY_DIR:       /Elkeid/rasp/php/build/_deps/libevent-build
    -- PROJECT_SOURCE_DIR:       /Elkeid/rasp/php/build/_deps/libevent-src
    -- CMAKE_MODULE_PATH:        cmake;/Elkeid/rasp/php/build/_deps/libevent-src/cmake/
    -- CMAKE_COMMAND:            /usr/bin/cmake
    -- CMAKE_ROOT:               /usr/share/cmake
    -- CMAKE_SYSTEM:             Linux-4.18.0-348.7.1.el8_5.x86_64
    -- CMAKE_SYSTEM_NAME:        Linux
    -- CMAKE_SYSTEM_VERSION:     4.18.0-348.7.1.el8_5.x86_64
    -- CMAKE_SYSTEM_PROCESSOR:   x86_64
    -- CMAKE_SKIP_RPATH:         NO
    -- CMAKE_VERBOSE_MAKEFILE:   FALSE
    -- CMAKE_C_FLAGS:             -Wall -Wextra -Wno-unused-parameter -Wstrict-aliasing -Wstrict-prototypes -fno-strict-aliasing -Wmissing-prototypes -Winit-self -Wmissing-field-initializers -Wdeclaration-after-statement -Waddress -Wnormalized=id -Woverride-init -Wlogical-op -Wwrite-strings
    -- CMAKE_BUILD_TYPE:         Release
    -- CMAKE_C_COMPILER:         /usr/bin/gcc (id GNU, clang 0, GNUC 1)
    -- CMAKE_AR:                 /usr/bin/ar
    -- CMAKE_RANLIB:             /usr/bin/ranlib
    -- 
    -- Configuring done
    -- Generating done
    -- Build files have been written to: /Elkeid/rasp/php/build
    Consolidate compiler generated dependencies of target c_runtime
    Consolidate compiler generated dependencies of target zero
    Consolidate compiler generated dependencies of target event_core_static
    [  9%] Built target c_runtime
    [ 21%] Built target zero
    [ 48%] Built target event_core_static
    Consolidate compiler generated dependencies of target event_pthreads_static
    Consolidate compiler generated dependencies of target event_extra_static
    Consolidate compiler generated dependencies of target event_static
    [ 50%] Built target event_pthreads_static
    [ 57%] Built target event_extra_static
    Consolidate compiler generated dependencies of target php_probe
    [ 89%] Built target event_static
    [ 90%] Linking CXX shared library ../lib/libphp_probe.so
    /usr/bin/ld: cannot find -lstdc++
    collect2: error: ld returned 1 exit status
    gmake[2]: *** [CMakeFiles/php_probe.dir/build.make:198: ../lib/libphp_probe.so] Error 1
    gmake[1]: *** [CMakeFiles/Makefile2:191: CMakeFiles/php_probe.dir/all] Error 2
    gmake: *** [Makefile:136: all] Error 2
    

    I took a look at line 198 of CMakeFiles/php_probe.dir/build.make:

    php_probe_EXTERNAL_OBJECTS =
    
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/library.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/php/api.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/php/hash.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/client/smith_client.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/client/smith_message.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/client/smith_probe.cpp.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/tiny-regex-c/re.c.o
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/build.make
    ../lib/libphp_probe.so: ../lib/libzero.a
    ../lib/libphp_probe.so: ../lib/libc_runtime.a
    ../lib/libphp_probe.so: ../lib/libevent_core.a
    ../lib/libphp_probe.so: ../lib/libevent_pthreads.a
    ../lib/libphp_probe.so: ../lib/libevent_core.a
    ../lib/libphp_probe.so: CMakeFiles/php_probe.dir/link.txt
    
    

    It looks like libphp_probe.so was not generated successfully. It feels like a problem with the lib directory. I have not found the cause yet.

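  • RASP injection fails: shrink shellcode execute failed

    I ran into problems both when setting it up in Docker myself following the official documentation and when using the Dockerfile from https://github.com/bytedance/Elkeid/issues/95.

    Here I tried injecting into both a Java application and a Python one, and got different errors.

    Error messages: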

    root@6aa3edaf4d2f:/# ps -aux|grep python
    root        37  1.5  0.3  10052  6160 pts/1    S+   12:52   0:00 python 1.py
    root        39  0.0  0.0   3312   716 pts/0    S+   12:52   0:00 grep --color=auto python
    root@6aa3edaf4d2f:/# /etc/elkeid/plugin/RASP/elkeid_rasp -p 37
    2021-09-08 12:53:04 | INFO  |             main.cpp:41  ] find target: 0x5621bc920000 -> /usr/bin/python2.7
    2021-09-08 12:53:04 | INFO  |             main.cpp:120 ] ensure func: 0x5621bcae6ff0 run func: 0x5621bc9d9d73 release func: 0x5621bcae7040
    2021-09-08 12:53:04 | INFO  |             main.cpp:30  ] inject '/etc/elkeid/plugin/RASP/rasp/python_caller /etc/elkeid/plugin/RASP/rasp/python/entry.py 1 0x5621bcae6ff0 0x5621bc9d9d73 0x5621bcae7040' to process 37
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:93  ] attach process success
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:241 ] backup memory: 0x5621bc96d000[0x29c]
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:246 ] jump entry: 0x5621bc96d000[0xa4]
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:311 ] restore memory
    2021-09-08 12:53:04 | INFO  |             main.cpp:51  ] workspace: 0x7f6a2d044010
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:132 ] backup memory: 0x7f6a2d045000[0x9c8]
    2021-09-08 12:53:04 | INFO  |        pt_inject.cpp:137 ] jump entry: 0x7f6a2d045000[0xa4]
    2021-09-08 12:53:05 | INFO  |        pt_inject.cpp:201 ] exit status: 0
    2021-09-08 12:53:05 | INFO  |        pt_inject.cpp:217 ] restore memory
    2021-09-08 12:53:05 | INFO  |             main.cpp:89  ] free workspace
    2021-09-08 12:53:05 | INFO  |        pt_inject.cpp:241 ] backup memory: 0x5621bc96d000[0x12c]
    2021-09-08 12:53:05 | INFO  |        pt_inject.cpp:246 ] jump entry: 0x5621bc96d000[0xa4]
    2021-09-08 12:53:05 | INFO  |        pt_inject.cpp:308 ] receive signal: Illegal instruction
    2021-09-08 12:53:05 | WARN  |        pt_inject.cpp:284 ] process terminated: Illegal instruction
    2021-09-08 12:53:05 | ERROR |             main.cpp:92  ] shrink shellcode execute failed
    [2021-09-08T12:53:05Z ERROR librasp::manager] attach failed: ProcessInfo { pid: 37, exe_path: Some("python2.7"), process_self: Process { pid: 37, stat: Stat { _private: (), pid: 37, comm: "python", state: 'S', ppid: 22, pgrp: 37, session: 22, tty_nr: 34817, tpgid: 37, flags: 4210944, minflt: 864, cminflt: 0, majflt: 1, cmajflt: 0, utime: 3, stime: 6, cutime: 0, cstime: 0, priority: 20, nice: 0, num_threads: 1, itrealvalue: 0, starttime: 4421093, vsize: 10293248, rss: 1540, rsslim: 18446744073709551615, startcode: 94702897909760, endcode: 94702899640465, startstack: 140723004937296, kstkesp: 0, kstkeip: 0, signal: 0, blocked: 0, sigignore: 16781312, sigcatch: 2, wchan: 0, nswap: 0, cnswap: 0, exit_signal: Some(17), processor: Some(2), rt_priority: Some(0), policy: Some(0), delayacct_blkio_ticks: Some(0), guest_time: Some(0), cguest_time: Some(0), start_data: Some(94702900781200), end_data: Some(94702901270416), start_brk: Some(94702923673600), arg_start: Some(140723004942423), arg_end: Some(140723004942435), env_start: Some(140723004942435), env_end: Some(140723004944360), exit_code: Some(0) }, owner: 0, root: "/proc/37" }, process_tree: None, runtime_info: Some(Runtime { name: "CPython", version: "" }), container_info: None, namespace_info: Some(Namespaces { _private: (), cgroup: Some("cgroup:[4026531835]"), ipc: Some("ipc:[4026532542]"), mnt: Some("mnt:[4026532540]"), net: Some("net:[4026532545]"), pid: Some("pid:[4026532543]"), user: Some("user:[4026531837]"), uts: Some("uts:[4026532541]"), pid_for_children: Some("pid:[4026532543]"), time: Some("time:[4026531834]"), time_for_children: Some("time:[4026531834]") }), cmdline: None, environ: None, exe: Some("/usr/bin/python2.7"), attach_time: None, failed_time: None, missing_time: None }
    [2021-09-08T12:53:05Z ERROR elkeid_rasp] attach process failed: attach failed: ProcessInfo { pid: 37, exe_path: Some("python2.7"), process_self: Process { pid: 37, stat: Stat { _private: (), pid: 37, comm: "python", state: 'S', ppid: 22, pgrp: 37, session: 22, tty_nr: 34817, tpgid: 37, flags: 4210944, minflt: 864, cminflt: 0, majflt: 1, cmajflt: 0, utime: 3, stime: 6, cutime: 0, cstime: 0, priority: 20, nice: 0, num_threads: 1, itrealvalue: 0, starttime: 4421093, vsize: 10293248, rss: 1540, rsslim: 18446744073709551615, startcode: 94702897909760, endcode: 94702899640465, startstack: 140723004937296, kstkesp: 0, kstkeip: 0, signal: 0, blocked: 0, sigignore: 16781312, sigcatch: 2, wchan: 0, nswap: 0, cnswap: 0, exit_signal: Some(17), processor: Some(2), rt_priority: Some(0), policy: Some(0), delayacct_blkio_ticks: Some(0), guest_time: Some(0), cguest_time: Some(0), start_data: Some(94702900781200), end_data: Some(94702901270416), start_brk: Some(94702923673600), arg_start: Some(140723004942423), arg_end: Some(140723004942435), env_start: Some(140723004942435), env_end: Some(140723004944360), exit_code: Some(0) }, owner: 0, root: "/proc/37" }, process_tree: None, runtime_info: Some(Runtime { name: "CPython", version: "" }), container_info: None, namespace_info: Some(Namespaces { _private: (), cgroup: Some("cgroup:[4026531835]"), ipc: Some("ipc:[4026532542]"), mnt: Some("mnt:[4026532540]"), net: Some("net:[4026532545]"), pid: Some("pid:[4026532543]"), user: Some("user:[4026531837]"), uts: Some("uts:[4026532541]"), pid_for_children: Some("pid:[4026532543]"), time: Some("time:[4026531834]"), time_for_children: Some("time:[4026531834]") }), cmdline: None, environ: None, exe: Some("/usr/bin/python2.7"), attach_time: None, failed_time: None, missing_time: None }
    root@6aa3edaf4d2f:/# ps -aux|grep java
    root        49  123 14.1 4217148 288388 pts/1  Sl+  12:53   0:24 java -jar java-sec-code-1.0.0.jar
    root        88  0.0  0.0   3312   656 pts/0    S+   12:53   0:00 grep --color=auto java
    root@6aa3edaf4d2f:/# /etc/elkeid/plugin/RASP/elkeid_rasp -p 49
    Connected to remote JVM
    Response code = 0
    return code: 0
    
    [2021-09-08T12:54:01Z ERROR elkeid_rasp] recv msg failed: receiving on an empty and disconnected channel
    
  • Agent reports NO NETWORK IS available when run

    /Elkeid/agent# cd /etc/elkeid && /etc/elkeid/elkeid-agent &
    [1] 15038
    root@debian:~/Elkeid/agent# panic: No network is available

    goroutine 23 [running]:
    go.uber.org/zap/zapcore.(*CheckedEntry).Write(0xc00037c000, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/go.uber.org/[email protected]/zapcore/entry.go:234 +0x58d
    go.uber.org/zap.(*SugaredLogger).log(0xc0000a83d8, 0x4, 0x0, 0x0, 0xc00032bfc0, 0x1, 0x1, 0x0, 0x0, 0x0)
        /root/go/pkg/mod/go.uber.org/[email protected]/sugar.go:234 +0xf6
    go.uber.org/zap.(*SugaredLogger).Panic(...)
        /root/go/pkg/mod/go.uber.org/[email protected]/sugar.go:123
    github.com/bytedance/Elkeid/agent/transport.Run()
        /root/Elkeid/agent/transport/client.go:30 +0x488
    created by main.main
        /root/Elkeid/agent/main.go:75 +0xc05
    ^C
    [1]+ 退出 2 cd /etc/elkeid && /etc/elkeid/elkeid-agent

  • After restarting the agent, the hids_driver module is not inserted

    As the title says:

    [root@aliyun-10-43-28-28 driver]# service elkeid-agent restart  
    [root@aliyun-10-43-28-28 driver]# lsmod |grep hids 
    [root@aliyun-10-43-28-28 driver]# ls 
    driver  driver.log  driver.stderr  hids_driver_latest_2.6.32-696.30.1.el6.x86_64_amd64.ko
    [root@aliyun-10-43-28-28 driver]# insmod hids_driver_latest_2.6.32-696.30.1.el6.x86_64_amd64.ko 
    [root@aliyun-10-43-28-28 driver]# lsmod | grep hids
    hids_driver           137949  0
    [root@aliyun-10-43-28-28 driver]#
    

    The log also contains the following error message:

    [root@aliyun-10-43-28-28 driver]# cat driver.log 
    2022-06-07T15:33:58.609645659+08:00     ERROR   driver  src/main.rs:35  when loading kernel module,an error occurred: load module failed: ENOSYS: Function not implemented
    

    Running the driver plugin program on its own produces the following log output:

    2022-06-07T15:41:07.181329755+08:00     INFO    driver  src/main.rs:39  init kmod successfully
    2022-06-07T15:41:07.181422550+08:00     INFO    driver  src/main.rs:57  task receive handler is running
    2022-06-07T15:41:07.181500940+08:00     INFO    driver  src/main.rs:63  init ringbuf successfully
    2022-06-07T15:41:07.181520623+08:00     INFO    driver::kmod    src/kmod.rs:194 heartbeat: {"filtered_exe_entries": "[]", "udp_recvmsg_kprobe_state": "0", "udpv6_recvmsg_kprobe_state": "0", "filtered_argv_entries": "[]"}
    2022-06-07T15:41:09.957363648+08:00     ERROR   driver  src/main.rs:51  when receiving task,an error occurred:unexpected wire type
    2022-06-07T15:41:10.273722374+08:00     INFO    driver  src/main.rs:98  plugin will exit
    
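  • Error when loading a Modify plugin

    Description

    Hub reports an error when loading a Modify plugin. The plugin is used for alert suppression and implements it with the built-in cacheout library, but after the plugin is loaded, errors appear in plugin.stdout.

    plugin.stdout error details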

    - - - [2022-08-09 15:29:59] "GET /reload HTTP/1.1" 200 862 0.002285
    - - - [2022-08-09 15:29:59] "GET /reload HTTP/1.1" 200 862 0.003835
    Traceback (most recent call last):
      File "/elkeid/hub/py/pypy/site-packages/gevent/libev/corecffi.py", line 61, in python_prepare_callback
        AbstractCallbacks.python_prepare_callback(self, watcher_ptr)
      File "/elkeid/hub/py/pypy/site-packages/gevent/_ffi/loop.py", line 302, in python_prepare_callback
        loop._run_callbacks()
      File "/elkeid/hub/py/pypy/site-packages/gevent/_ffi/loop.py", line 489, in _run_callbacks
        while self._callbacks:
    KeyboardInterrupt
    2022-08-09T15:36:44Z
    Traceback (most recent call last):
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib-python/3/runpy.py", line 196, in _run_module_as_main
        "__main__", mod_spec)
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib-python/3/runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "/elkeid/hub/py/pypy/site-packages/gevent/monkey.py", line 1375, in <module>
        main()
      File "/elkeid/hub/py/pypy/site-packages/gevent/monkey.py", line 1336, in main
        return run_meth(sys.argv[0], run_name='__main__')
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib-python/3/runpy.py", line 266, in run_path
        pkg_name=pkg_name, script_name=fname)
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib-python/3/runpy.py", line 96, in _run_module_code
        mod_name, mod_spec, pkg_name, script_name)
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib-python/3/runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "start.py", line 520, in <module>
        gevent.joinall(segJvlkEGVPQtNMVnhSNWbzVfkBHzWnmniAAbbZWwPweUsXvSRJIeADVULGmMTJKIgpQFQnfOCVMiLiJOwDfmPDZFshzwRZShdXaWtrtYoDKGcrvOcABVErtwkEhaVng)
      File "/elkeid/hub/py/pypy/site-packages/gevent/greenlet.py", line 1067, in joinall
        return wait(greenlets, timeout=timeout, count=count)
      File "/elkeid/hub/py/pypy/site-packages/gevent/_hub_primitives.py", line 287, in wait_on_objects
        return list(iwait_on_objects(objects, timeout, count))
      File "/elkeid/hub/py/pypy/site-packages/gevent/_hub_primitives.py", line 176, in __next__
        item = self._waiter.get()
      File "/elkeid/hub/py/pypy/site-packages/gevent/_waiter.py", line 195, in get
        Waiter.get(self)
      File "/elkeid/hub/py/pypy/site-packages/gevent/_waiter.py", line 154, in get
        return self.hub.switch()
      File "/elkeid/hub/py/pypy/site-packages/gevent/_greenlet_primitives.py", line 65, in switch
        return _greenlet_switch(self) # pylint:disable=undefined-variable
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib_pypy/greenlet.py", line 61, in switch
        return self.__switch('switch', (args, kwds))
      File "/elkeid/hub/py/pypy3.7-v7.3.5-linux64/lib_pypy/greenlet.py", line 115, in __switch
        args, kwds = unbound_method(current, *baseargs, to=target)
      File "/elkeid/hub/py/pypy/site-packages/gevent/libev/corecffi.py", line 61, in python_prepare_callback
        AbstractCallbacks.python_prepare_callback(self, watcher_ptr)
      File "/elkeid/hub/py/pypy/site-packages/gevent/_ffi/loop.py", line 302, in python_prepare_callback
        loop._run_callbacks()
      File "/elkeid/hub/py/pypy/site-packages/gevent/_ffi/loop.py", line 489, in _run_callbacks
        while self._callbacks:
    KeyboardInterrupt
    generating ./_elkeid_queue.c
    (already up-to-date)
    the current directory is '/elkeid/hub/py'
    running build_ext
    building '_elkeid_queue' extension
    gcc -pthread -DNDEBUG -O2 -fPIC -I. -I/elkeid/hub/py/pypy/include -I/elkeid/hub/py/pypy3.7-v7.3.5-linux64/include -c _elkeid_queue.c -o ./_elkeid_queue.o -std=c99
    gcc -pthread -shared ./_elkeid_queue.o -lm -lrt -o ./_elkeid_queue.pypy37-pp73-x86_64-linux-gnu.so
    INFO:root:use plugin dir: /elkeid/hub/config/plugin
    INFO:root:zip_dir:/elkeid/hub/py/plugin_zip
    INFO:root:unzip_dir:/elkeid/hub/py/plugin_unzip
    INFO:root:load local plugin: /elkeid/hub/config/plugin/CompressAlert
    INFO:root:load local plugin: /elkeid/hub/config/plugin/DNSptr
    INFO:root:load local plugin: /elkeid/hub/config/plugin/SendToWeCom
    INFO:root:load local plugin: /elkeid/hub/config/plugin/SendToDingding
    INFO:root:load local plugin: /elkeid/hub/config/plugin/SendToLarkGroup
    INFO:root:load local plugin: /elkeid/hub/config/plugin/SendToTelegram
    INFO:root:load local plugin: /elkeid/hub/config/plugin/SendToLark
    INFO:root:{"Modify:CompressAlert": {"key": "Modify:CompressAlert", "name": "CompressAlert", "type": "Modify", "err": ""}, "Append:DNSptr": {"key": "Append:DNSptr", "name": "DNSptr", "type": "Append", "err": ""}, "Action:SendToWeCom": {"key": "Action:SendToWeCom", "name": "SendToWeCom", "type": "Action", "err": ""}, "Action:SendToDingding": {"key": "Action:SendToDingding", "name": "SendToDingding", "type": "Action", "err": ""}, "Action:SendToLarkGroup": {"key": "Action:SendToLarkGroup", "name": "SendToLarkGroup", "type": "Action", "err": ""}, "Action:SendToTelegram": {"key": "Action:SendToTelegram", "name": "SendToTelegram", "type": "Action", "err": ""}, "Action:SendToLark": {"key": "Action:SendToLark", "name": "SendToLark", "type": "Action", "err": ""}}
    INFO:root:{'Modify:CompressAlert': <bound method Plugin.plugin_exec of <CompressAlert.plugin.Plugin object at 0x0000000002a55b78>>, 'Append:DNSptr': <bound method Plugin.plugin_exec of <DNSptr.plugin.Plugin object at 0x0000000002f83e50>>, 'Action:SendToWeCom': <bound method Plugin.plugin_exec of <SendToWeCom.plugin.Plugin object at 0x000000000304a800>>, 'Action:SendToDingding': <bound method Plugin.plugin_exec of <SendToDingding.plugin.Plugin object at 0x000000000304a4f0>>, 'Action:SendToLarkGroup': <bound method Plugin.plugin_exec of <SendToLarkGroup.plugin.Plugin object at 0x000000000304a1a8>>, 'Action:SendToTelegram': <bound method Plugin.plugin_exec of <SendToTelegram.plugin.Plugin object at 0x000000000304aec8>>, 'Action:SendToLark': <bound method Plugin.plugin_exec of <SendToLark.plugin.Plugin object at 0x000000000304af00>>}
    INFO:root:{"Modify:CompressAlert": {"key": "Modify:CompressAlert", "name": "CompressAlert", "type": "Modify", "err": ""}, "Append:DNSptr": {"key": "Append:DNSptr", "name": "DNSptr", "type": "Append", "err": ""}, "Action:SendToWeCom": {"key": "Action:SendToWeCom", "name": "SendToWeCom", "type": "Action", "err": ""}, "Action:SendToDingding": {"key": "Action:SendToDingding", "name": "SendToDingding", "type": "Action", "err": ""}, "Action:SendToLarkGroup": {"key": "Action:SendToLarkGroup", "name": "SendToLarkGroup", "type": "Action", "err": ""}, "Action:SendToTelegram": {"key": "Action:SendToTelegram", "name": "SendToTelegram", "type": "Action", "err": ""}, "Action:SendToLark": {"key": "Action:SendToLark", "name": "SendToLark", "type": "Action", "err": ""}}
    INFO:root:{"Modify:CompressAlert": {"key": "Modify:CompressAlert", "name": "CompressAlert", "type": "Modify", "err": ""}, "Append:DNSptr": {"key": "Append:DNSptr", "name": "DNSptr", "type": "Append", "err": ""}, "Action:SendToWeCom": {"key": "Action:SendToWeCom", "name": "SendToWeCom", "type": "Action", "err": ""}, "Action:SendToDingding": {"key": "Action:SendToDingding", "name": "SendToDingding", "type": "Action", "err": ""}, "Action:SendToLarkGroup": {"key": "Action:SendToLarkGroup", "name": "SendToLarkGroup", "type": "Action", "err": ""}, "Action:SendToTelegram": {"key": "Action:SendToTelegram", "name": "SendToTelegram", "type": "Action", "err": ""}, "Action:SendToLark": {"key": "Action:SendToLark", "name": "SendToLark", "type": "Action", "err": ""}}
    

    ruleset

    <rule rule_id="rule_test_detect" author="Elkeid" type="Detection">
            <rule_name>rule_test_detect</rule_name>
            <alert_data>True</alert_data>
            <harm_level>high</harm_level>
            <desc kill_chain_id="evasion" affected_target="host_process">rule_test</desc>
            <filter part="data_type">59</filter>
            <check_list>
                    <check_node type="INCL" part="exe">/bin/id</check_node>
            </check_list>
            <node_designate></node_designate>
            <del />
            <action />
            <modify>CompressAlert</modify>
            <append type="static" append_field_name="alert_type_us">evasion</append>
            <append type="static" append_field_name="compress_flag">nodename_argv</append>
            <append type="static" append_field_name="rule_name">rule_test_detect</append>
        </rule>
    

    Plugin code

    from cacheout import LRUCache
    
    class Plugin(object):
        def __init__(self):
            self.name = None
            self.type = None
            self.log = None
            self.redis = None
            self.cache = LRUCache(maxsize=1024 * 1024)
    
        def plugin_exec(self, arg, config):
            result = dict()
            '''
            "compress_flag": "nodename_argv"
            '''
            cache_key = "{}_{}".format(arg['SMITH_INPUT'], arg['SMITH_KEY'])
            result["flag"] = False
            result["msg"] = ""
    
            if "compress_flag" in arg.keys():
                key_list = arg.get('compress_flag').split("_")
                cache_key = "_".join([arg[k] for k in key_list])
    
            cache_result = self.cache.get(cache_key)
            if cache_result is None:
                self.cache.set(cache_key, arg, ttl=60)
                result["flag"] = True
                result["msg"] = arg
                self.log.info(result)
                return result
            self.log.info(result)
            return result
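
An added example, not part of the issue above and not Elkeid's own code: a standard-library version of the alert suppression the posted plugin implements, where the first alert for a key passes and repeats are dropped for 60 seconds. It goes beyond the post by resolving `compress_flag` against field names that contain underscores, using tuple keys so values cannot collide, and passing the alert through when a key field is missing. `TTLCache`, `resolve_fields`, `CompressAlert.key_for` and the sample event are assumptions made for illustration.

```python
import time
from collections import OrderedDict


class TTLCache:
    """Minimal LRU + TTL store (stdlib stand-in for cacheout.LRUCache)."""

    def __init__(self, maxsize, clock):
        self._maxsize = maxsize
        self._clock = clock            # injectable clock keeps expiry testable
        self._expiry = OrderedDict()   # key -> time at which the entry expires

    def seen_recently(self, key, ttl):
        """True if key is still live; otherwise record it and return False."""
        now = self._clock()
        live = self._expiry.get(key, now) > now
        if not live:
            self._expiry[key] = now + ttl
        self._expiry.move_to_end(key)
        while len(self._expiry) > self._maxsize:
            self._expiry.popitem(last=False)   # evict least recently used
        return live


def resolve_fields(compress_flag, event):
    """Map 'nodename_argv' to ['nodename', 'argv'] using the event's own keys.

    A plain split('_') breaks on field names such as 'data_type', so the
    longest run of tokens that names an existing field is taken each time.
    Returns None when some part of the flag matches no field.
    """
    tokens = compress_flag.split("_")
    fields, i = [], 0
    while i < len(tokens):
        for j in range(len(tokens), i, -1):    # longest candidate first
            name = "_".join(tokens[i:j])
            if name in event:
                fields.append(name)
                i = j
                break
        else:
            return None
    return fields


class CompressAlert:
    """Suppress repeats of the same alert for ttl seconds (hypothetical class)."""

    def __init__(self, ttl=60, maxsize=1024 * 1024, clock=time.monotonic):
        self.ttl = ttl
        self.cache = TTLCache(maxsize, clock)

    def key_for(self, event):
        flag = event.get("compress_flag")
        # Same fallback key as the posted plugin when no compress_flag is set.
        fields = resolve_fields(flag, event) if flag else ["SMITH_INPUT", "SMITH_KEY"]
        if fields is None or any(f not in event for f in fields):
            return None
        # (name, value) pairs instead of '_'.join: 'x_y'+'z' != 'x'+'y_z'.
        return tuple((f, str(event[f])) for f in fields)

    def plugin_exec(self, event, config=None):
        key = self.key_for(event)
        # No usable key: deliver the alert rather than risk hiding it.
        if key is None or not self.cache.seen_recently(key, self.ttl):
            return {"flag": True, "msg": event}
        return {"flag": False, "msg": ""}


def demo():
    """Constructed sample alert: first pass, repeat suppressed, pass after TTL."""
    now = [0.0]
    plugin = CompressAlert(ttl=60, clock=lambda: now[0])
    alert = {"nodename": "web-01", "argv": "id", "exe": "/bin/id",
             "data_type": "59", "compress_flag": "nodename_argv"}
    flags = [plugin.plugin_exec(alert)["flag"], plugin.plugin_exec(alert)["flag"]]
    now[0] = 61.0
    flags.append(plugin.plugin_exec(alert)["flag"])
    return flags


if __name__ == "__main__":
    print(demo())
```
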
    
  • scanner build failed, failed to run custom build command for `yara-sys v0.6.2`

    I would like detailed documentation on building scanner and scanner_clamav; both fail to compile.

    error: failed to run custom build command for yara-sys v0.6.2

    error occurred: Command "cc" "-O3" "-ffunction-sections" "-fdata-sections" "-fPIC" "-m64" "-static" "-I" "/root/.cargo/registry/src/rsproxy.cn-8f6827c7555bfaf8/yara-sys-0.6.2/yara/libyara" "-I" "/root/.cargo/registry/src/rsproxy.cn-8f6827c7555bfaf8/yara-sys-0.6.2/yara/libyara/include" "-Wall" "-Wextra" "-DDEX_MODULE=" "-DDOTNET_MODULE=" "-DMACHO_MODULE=" "-DNDEBUG=1" "-DUSE_LINUX_PROC=" "-DPOSIX=" "-o" "/root/Elkeid/plugins/scanner/target/x86_64-unknown-linux-gnu/release/build/yara-sys-74ecbb8fd7eab15b/out/ahocorasick.o" "-c" "/root/.cargo/registry/src/rsproxy.cn-8f6827c7555bfaf8/yara-sys-0.6.2/yara/libyara/ahocorasick.c" with args "cc" did not execute successfully (status code exit status: 1).

  • Error when deploying with elkeidup

    Describe the bug: On a brand-new Ubuntu 20.04 machine, I used elkeidup for a local single-node deployment, changing only the IP address in elkeid_server.yaml. Running the deployment failed with: when deploying, an error occurred: Agent Center installed faield: AgentCenter test Failed, Host 192.168.186.135, Url http://192.168.186.135:8088/registry/detail?name=hids_svr_grpc, Error {"data":[],"msg":"ok"}

  • Agent errors out and exits after the server pushes plugin configuration

    Describe the bug

    Installing and starting the agent works, and loading the driver works, but after the server pushes the plugin (/createTask/config) and runs it (/controlTask), the agent hits an error and the process exits. Two machines in the test area show similar behavior.

    root@sec-tes (11:35:33) driver # insmod hids_driver-latest.ko
    root@sec-tes (11:35:41) driver # dmesg
    (xxxxxx omitted here)

    To Reproduce

    [30570201.271796] [ELKEID] ANTI_ROOTKIT_CHECK: 1
    [30570201.543459] [ELKEID] uninstall_kprobe success
    [30570201.543504] hids_driver: destroy 34 print event class
    [30570513.805567] hids_driver: create 34 print event class
    [30570513.808048] [ELKEID] Filter Init Success
    [30570513.904521] [ELKEID] do_init_module register_kprobe failed, returned -2
    [30570513.913196] [ELKEID] SANDBOX: 0
    [30570513.913267] [ELKEID] register_kprobe success: connect_hook: 1,load_module_hook: 1,execve_hook: 1,call_usermodehekoer_hook: 0,bind_hook: 1,create_file_hook: 1,ptrace_hook: 1, update_cred_hook: 1, dns_hook: 0, accept_hook:0, mprotect_hook: 0,link_hook: 1, memfd_create: 1, rename_hook: 1,setsid_hook:1, prctl_hook:1, open_hook:0, nanosleep_hook:0, kill_hook: 0, rm_hook: 0, EXIT_HOOK: 0, EXIT_PROTECT: 0
    [30570513.934363] [ELKEID] ANTI_ROOTKIT_CHECK: 1
    root@sec-tes (11:35:43) driver # cd ../../
    root@sec-tes (11:35:48) elkeid # ./elkeid-agent &
    [1] 8829
    root@sec-tes (11:35:56) elkeid # ps -ef | grep elkeid-agent
    root 8829 8434 0 11:35 pts/0 00:00:00 ./elkeid-agent
    root 8841 8434 0 11:36 pts/0 00:00:00 grep --color=auto elkeid-agent
    root@sec-tes (11:36:04) elkeid # cat agent-id
    3793d5e9-f3f0-40ea-96e9-113cceef0113root@sec-tes (11:36:09) elkeid #

    Then the server pushes the plugin download address configuration and runs it.

    root@sec-tes (11:36:56) elkeid # ps -ef | grep elkeid-agent
    root 8829 8434 0 11:35 pts/0 00:00:00 ./elkeid-agent
    root 8867 8434 0 11:37 pts/0 00:00:00 grep --color=auto elkeid-agent
    root@sec-tes (11:37:38) elkeid # ps -ef | grep elkeid-agent
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x98a9bd]

    goroutine 38 [running]:
    github.com/bytedance/Elkeid/agent/plugin.(*Plugin).Connect(0xc000126360, 0x22a4, 0xc0005162a0, 0x6, 0xc0005162a6, 0x7, 0xbdf4b0, 0xc0000100c0, 0x0, 0x0)
        /tmp/Elkeid/agent/plugin/plugin.go:131 +0x15d
    github.com/bytedance/Elkeid/agent/plugin.Run.func2(0xbdf4b0, 0xc0000100c0, 0xc0000bd200)
        /tmp/Elkeid/agent/plugin/server.go:133 +0x305
    created by github.com/bytedance/Elkeid/agent/plugin.Run
        /tmp/Elkeid/agent/plugin/server.go:117 +0xa8
    ^C
    [1]+ Exit 2 ./elkeid-agent
    root@sec-tes (11:37:58) elkeid #
    root@sec-tes (11:38:09) elkeid # cat plugin/driver/driver_rCURRENT.log
    [2021-05-11 11:37:40.104004 +08:00] INFO [driver] src/main.rs:32: Crash check passed
    [2021-05-11 11:37:40.105144 +08:00] INFO [driver] src/main.rs:40: Kernel version check passed
    [2021-05-11 11:37:40.257631 +08:00] INFO [driver::prepare] src/prepare.rs:133: Last version is the same version
    [2021-05-11 11:37:40.386619 +08:00] INFO [driver::prepare] src/prepare.rs:115: insmod hids_driver success
    [2021-05-11 11:37:40.386775 +08:00] ERROR [driver] src/main.rs:88: IO error while reading marker: failed to fill whole buffer
    [2021-05-11 11:37:41.739446 +08:00] WARN [driver] src/main.rs:18: Safety exit
    root@sec-tes (11:38:21) elkeid # cat plugin/driver/driver.stderr
    root@sec-tes (11:55:18) elkeid # cat plugin/driver/driver.stdout
    Log send failed:Send error. Must exit.
    root@sec-tes (11:55:23) elkeid #

  • No data in /proc/elkeid-endpoint on ARM

    After installing the driver on ARM, no driver data is collected. Kernel version: 5.4.18-53-generic. From debugging: the kernel functions can be hooked successfully, and logs can be printed from within the hook functions. When reading data, the return value is not -EBUSY:

    static ssize_t trace_read_pipe(struct file *filp, char __user * ubuf, size_t cnt, loff_t * ppos)
    {
        ssize_t sret;
        struct print_event_iterator *iter = filp->private_data;
        static DEFINE_MUTEX(access_lock);

        /*
         * Avoid more than one consumer on a single file descriptor
         * This is just a matter of traces coherency, the ring buffer itself
         * is protected.
         */
        mutex_lock(&iter->mutex);

        sret = trace_seq_to_user_sym(&iter->seq, ubuf, cnt);
        if (sret != -EBUSY){
           goto out;
        }

    /proc/elkeid-endpoint is non-blocking; I suspect the data was not written successfully.

  • allowlist driver is in: /dev/hids_driver_allowlist

        allowlist driver is in: /dev/hids_driver_allowlist
    

    Originally posted by @EBWi11 in https://github.com/bytedance/Elkeid/issues/362#issuecomment-1324644807

  • [RASP]Go Inspect little bug

    Describe the bug: the Go inspection in the librasp code has a panic error.

    Screenshots image

    OS information (please complete the following information):

    • Distribution: Ubuntu
    • Version [20.04.2 LTS]
    • Kernel info [5.4.0-74-generic]

    Additional context Add any other context about the problem here.

  • Elkeid 1.9.1 deployed with Docker: agent installation reports an error

    Describe the bug: I installed version 1.9.1 and changed the host ports in docker run; the agent installation reports the error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority

    To Reproduce

    1. docker run command:

        docker run -d --name elkeid_community --restart=unless-stopped -v /sys/fs/cgroup:/sys/fs/cgroup:ro -p 7071:8071 -p 7072:8072 -p 7080:8080 -p 7081:8081 -p 7082:8082 -p 7089:8080 -p 7090:8090 --privileged elkeid/all-in-one:v1.9.1

    2. Initialize the agent in Docker: ./elkeidup public {host IP}
    3. On the installation and deployment page, the port is not the 7080 from the run command; I changed it myself to:

        bash -c "if (command -v curl); then (curl -sS http://192.168.10.45:7080/agent/install.sh | bash);else (wget -q -O - http://192.168.10.45:7080/agent/install.sh | bash); fi"

    4. The agent installs normally.
    5. However, cat /etc/elkeid/log/elkeid-agent.log shows the following errors:

        2022-12-14T19:28:29.747+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 0, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:28:37.751+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 1, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:28:45.754+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 2, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:28:53.757+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 3, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:29:01.759+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 4, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:29:09.764+0800 WARN transport/transfer.go:52 wait to get next connection for 5 seconds, current retry times: 5, context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:29:17.767+0800 ERROR transport/transfer.go:49 transfer will shutdown because of no avaliable connections: context deadline exceeded: connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"[email protected]\")"
        2022-12-14T19:29:17.768+0800 INFO plugin/plugin.go:181 context has been canceled, will shutdown all plugins
        2022-12-14T19:29:17.768+0800 INFO plugin/plugin.go:194 shutdown all plugins done
        2022-12-14T19:29:17.768+0800 INFO plugin/plugin.go:196 plugin daemon will exit
        2022-12-14T19:29:17.768+0800 INFO elkeid-agent-src/main.go:150 ++++++++++++++++++++++++++++++exit++++++++++++++++++++++++++++++

    6. In the management console, the host list shows no agent.

  • v1.18.6 cluster already collects Audit Logs to the system backend, but after completing the 5 steps of the "plugin installation guide", the security component status still shows "Not installed"

    Platform version: Community Edition v1.9.1. k8s cluster version: v1.18.6

    1. Audit logging is already enabled on the master node and output to the backend:

        [root@k8s-master policy]# tail -n 20 /var/log/kubernetes/audit/audit.log
        {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"395fc91a-f9b8-4d1f-9169-909e1ba56a13","stage":"ResponseStarted","requestURI":"/api/v1/limitranges?allowWatchBookmarks=true\u0026resourceVersion=8468\u0026timeout=5m39s\u0026timeoutSeconds=339\u0026watch=true","verb":"watch","user":{"username":"system:apiserver","uid":"0d380e87-bc76-4ff1-a20b-af64de5f3df6","groups":["system:masters"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-apiserver/v1.18.6 (linux/amd64) kubernetes/dff82dc","objectRef":{"resource":"limitranges","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2022-12-09T09:26:52.134158Z","stageTimestamp":"2022-12-09T09:27:08.323495Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
        {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Request","auditID":"395fc91a-f9b8-4d1f-9169-909e1ba56a13","stage":"ResponseComplete","requestURI":"/api/v1/limitranges?allowWatchBookmarks=true\u0026resourceVersion=8468\u0026timeout=5m39s\u0026timeoutSeconds=339\u0026watch=true","verb":"watch","user":{"username":"system:apiserver","uid":"0d380e87-bc76-4ff1-a20b-af64de5f3df6","groups":["system:masters"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-apiserver/v1.18.6 (linux/amd64) kubernetes/dff82dc","objectRef":{"resource":"limitranges","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2022-12-09T09:26:52.134158Z","stageTimestamp":"2022-12-09T09:27:08.323505Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
        {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d59fc1b2-1420-4510-be78-6edf9ca94b3a","stage":"ResponseStarted","requestURI":"/api/v1/secrets?allowWatchBookmarks=true\u0026resourceVersion=8468\u0026timeout=7m14s\u0026timeoutSeconds=434\u0026watch=true","verb":"watch","user":{"username":"system:apiserver","uid":"0d380e87-bc76-4ff1-a20b-af64de5f3df6","groups":["system:masters"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-apiserver/v1.18.6 (linux/amd64) kubernetes/dff82dc","objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2022-12-09T09:26:52.135269Z","stageTimestamp":"2022-12-09T09:27:08.323527Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}
        {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"d59fc1b2-1420-4510-be78-6edf9ca94b3a","stage":"ResponseComplete","requestURI":"/api/v1/secrets?allowWatchBookmarks=true\u0026resourceVersion=8468\u0026timeout=7m14s\u0026timeoutSeconds=434\u0026watch=true","verb":"watch","user":{"username":"system:apiserver","uid":"0d380e87-bc76-4ff1-a20b-af64de5f3df6","groups":["system:masters"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-apiserver/v1.18.6 (linux/amd64) kubernetes/dff82dc","objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Success","message":"Connection closed early","code":200},"requestReceivedTimestamp":"2022-12-09T09:26:52.135269Z","stageTimestamp":"2022-12-09T09:27:08.323541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}

    2. I configured it according to the 5 steps of the "plugin installation guide"; after the apiserver restarted, it still shows as not installed.

    3. kubelet log:

        Dec 09 18:46:25 k8s-master kubelet[22128]: E1209 18:46:25.635989 22128 kubelet.go:1682] Unable to attach or mount volumes for pod "kube-apiserver-k8s-master_kube-system(6b85f2658963975952798b7a0c9d967d)": unmounted volumes=[elkeid-audit ca-certs etc-pki k8s-certs audit-policy audit-logs], unattached volumes=[elkeid-audit ca-certs etc-pki k8s-certs audit-policy audit-logs]: timed out waiting for the condition; skipping pod
        Dec 09 18:46:25 k8s-master kubelet[22128]: E1209 18:46:25.636027 22128 pod_workers.go:191] Error syncing pod 6b85f2658963975952798b7a0c9d967d ("kube-apiserver-k8s-master_kube-system(6b85f2658963975952798b7a0c9d967d)"), skipping: unmounted volumes=[elkeid-audit ca-certs etc-pki k8s-certs audit-policy audit-logs], unattached volumes=[elkeid-audit ca-certs etc-pki k8s-certs audit-policy audit-logs]: timed out waiting for the condition
        Dec 09 18:46:25 k8s-master kubelet[22128]: E1209 18:46:25.639342 22128 kubelet.go:1682] Unable to attach or mount volumes for pod "kube-apiserver-k8s-master_kube-system(aa90a386ac227d65ee93459091f86adf)": unmounted volumes=[etc-pki k8s-certs audit-policy audit-logs elkeid-audit ca-certs], unattached volumes=[etc-pki k8s-certs audit-policy audit-logs elkeid-audit ca-certs]: timed out waiting for the condition; skipping pod
        Dec 09 18:46:25 k8s-master kubelet[22128]: E1209 18:46:25.639369 22128 pod_workers.go:191] Error syncing pod aa90a386ac227d65ee93459091f86adf ("kube-apiserver-k8s-master_kube-system(aa90a386ac227d65ee93459091f86adf)"), skipping: unmounted volumes=[etc-pki k8s-certs audit-policy audit-logs elkeid-audit ca-certs], unattached volumes=[etc-pki k8s-certs audit-policy audit-logs elkeid-audit ca-certs]: timed out waiting for the condition
