init: trace openat and unlinkat syscalls

Author: suchit07-git

README.md

@@ -0,0 +1,23 @@
+# Argus
+Argus is an eBPF-based File Integrity Monitoring (FIM) tool that provides real-time detection of unauthorized file modifications by leveraging eBPF to efficiently track file system events at the kernel level. 
+
+## Prerequisites:
+- Linux kernel version 5.7 or later
+- LLVM 11 or later
+- libbpf headers
+- Linux kernel headers
+- Go compiler version supported by ebpf-go's Go module
+- [ebpf-go library](https://github.com/cilium/ebpf)
+
+
+## How to run:
+```
+go generate
+go build (An executable named filemon will be generated if the build succeeds)
+sudo ./filemon
+```
+
+## Features:
+- Monitors file operations by tracing syscalls using eBPF
+- Currently traces openat and unlinkat syscalls
+- Reports PID, process name, operation type, and filename for each event

bpf/file_monitor.c

@@ -0,0 +1,76 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_tracing.h>
+#include <sys/syscall.h>
+
+char __license[] SEC("license") = "GPL";
+
+// Defined according to /sys/kernel/debug/tracing/events/syscalls/sys_enter_openat/format
+struct openat_ctx {
+    unsigned long pad;
+    __u64 __unsused_syscall_header;
+    int syscall_nr;
+    int dfd;
+    const char *filename;
+    int flags;
+    __u16 mode;
+};
+
+// Defined according to /sys/kernel/debug/tracing/events/syscalls/sys_enter_unlinkat/format
+struct unlinkat_ctx {
+    unsigned long pad;
+    __u64 __unused_syscall_header;
+    int syscall_nr;
+    int dfd;
+    const char *pathname;
+    int flag;
+};
+
+struct event {
+    __u32 pid;
+    char command[16];
+    char filename[256];
+    char op[10];
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(int));
+    __uint(value_size, sizeof(int));
+    __uint(max_entries, 1024);
+} events SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int trace_openat(struct openat_ctx *ctx) {
+    struct event event = {};
+
+    event.pid = bpf_get_current_pid_tgid() >> 32;
+    bpf_get_current_comm(&event.command, sizeof(event.command));
+
+    const char* filename = ctx->filename;
+    bpf_probe_read_user_str(event.filename, sizeof(event.filename), filename);
+
+    __builtin_memcpy(event.op, "OPEN", 5);
+
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
+                          sizeof(event));
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_unlinkat")
+int trace_unlinkat(struct unlinkat_ctx *ctx) {
+    struct event event = {};
+
+    event.pid = bpf_get_current_pid_tgid() >> 32;
+    bpf_get_current_comm(&event.command, sizeof(event.command));
+
+    const char* pathname = ctx->pathname;
+    bpf_probe_read_user_str(event.filename, sizeof(event.filename), pathname);
+
+    __builtin_memcpy(event.op, "DELETE", 7);
+
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
+                          sizeof(event));
+    return 0;
+}

go.mod

@@ -0,0 +1,8 @@
+module github.com/suchit07-git/filemon
+
+go 1.24.1
+
+require (
+	github.com/cilium/ebpf v0.17.3 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+)

go.sum

@@ -0,0 +1,4 @@
+github.com/cilium/ebpf v0.17.3 h1:FnP4r16PWYSE4ux6zN+//jMcW4nMVRvuTLVTvCjyyjg=
+github.com/cilium/ebpf v0.17.3/go.mod h1:G5EDHij8yiLzaqn0WjyfJHvRa+3aDlReIaLVRMvOyJk=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

main.go

@@ -0,0 +1,88 @@
+package main
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/perf"
+)
+
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags "-O2 -g -Wall -Werror" bpf bpf/file_monitor.c
+
+type Event struct {
+	Pid      uint32
+	Command  [16]byte
+	Filename [256]byte
+	Op       [10]byte
+}
+
+func main() {
+	objs := bpfObjects{}
+	if err := loadBpfObjects(&objs, nil); err != nil {
+		log.Fatalf("loading objects: %v", err)
+	}
+	defer objs.Close()
+
+	openatTracepoint, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TraceOpenat, nil)
+	if err != nil {
+		log.Fatalf("opening tracepoint: %s", err)
+	}
+	defer openatTracepoint.Close()
+
+	unlinkatTracepoint, err := link.Tracepoint("syscalls", "sys_enter_unlinkat", objs.TraceUnlinkat, nil)
+	if err != nil {
+		log.Fatalf("opening tracepoint: %s", err)
+	}
+	defer unlinkatTracepoint.Close()
+
+	rd, err := perf.NewReader(objs.Events, os.Getpagesize())
+	if err != nil {
+		log.Fatalf("creating perf event reader: %s", err)
+	}
+	defer rd.Close()
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, os.Interrupt, syscall.SIGTERM)
+
+	fmt.Println("Monitoring file operartions...")
+
+	go func() {
+		for {
+			record, err := rd.Read()
+			if err != nil {
+				if errors.Is(err, perf.ErrClosed) {
+					return
+				}
+				log.Printf("reading from perf event reader: %s", err)
+				continue
+			}
+
+			if record.LostSamples != 0 {
+				log.Printf("lost %d samples", record.LostSamples)
+				continue
+			}
+
+			var event Event
+			if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil {
+				log.Printf("parsing perf event: %s", err)
+				continue
+			}
+
+			command := string(bytes.TrimRight(event.Command[:], "\x00"))
+			filename := string(bytes.TrimRight(event.Filename[:], "\x00"))
+			operation := string(bytes.TrimRight(event.Op[:], "\x00"))
+
+			log.Printf("PID: %d, Process: %s, Operation: %s, File: %s\n", event.Pid, command, operation, filename)
+		}
+	}()
+
+	<-sig
+	fmt.Println("\nExiting...")
+}