
      About safeguard

      safeguard helps protect the Linux kernel and the OS based on eBPF by intercepting and auditing security operations. It uses the libbpfgo library and the Go language to implement the top-level control logic. The project is open source and is maintained by openEuler sig-ebpf at https://gitee.com/openeuler/safeguard.

      KRSI (eBPF+LSM)

      Extended Berkeley Packet Filter (eBPF) is a technology that can run sandboxed programs in kernel space. It is used to efficiently extend the capabilities of the kernel without changing kernel source code or loading kernel modules. This has led to a wave of eBPF-based projects covering a wide array of use cases, including networking, observability, and security functionality.

      The Linux Security Module (LSM) framework provides a mechanism for various security checks to be hooked by new kernel extensions.

      eBPF and LSM can be combined to form an eBPF-based LSM extension called kernel runtime security instrumentation (KRSI). It allows users to use eBPF programs to implement and enforce custom security policies and audit rules at runtime. The kernel does not need to be modified or recompiled, and existing LSM modules do not need to be configured. It attaches eBPF programs to LSM hooks and then executes those programs in the call path to check and control access to system resources.

      Features

      • Audit: Records behavior within the scope of the configuration file and generates logs.
      • Control: Secures access control for files, processes, and networks.
      • Behavior analysis: Collects information and analyzes resources, hotspots, and exceptions.

      Application Scenarios

      safeguard is a Linux security audit and control solution based on KRSI, which is a combination of eBPF and LSM. safeguard provides OS-wide protection and monitoring. Although it fits a wide range of scenarios, it mainly targets the following areas:

      • Container security: Audits and controls behavior inside a container. For example, safeguard records the container process, file, and network activities, limits resources or ports available to the container, and detects abnormal container behavior. In this way, safeguard effectively protects the container against attacks or abuse, thereby improving the security and stability of the container.
      • Cloud service security: Audits and controls the clients of cloud service providers. For example, safeguard records the OSs, applications, and users of the clients, limits the commands and system calls available to the clients, and detects malicious behavior or exploitation of vulnerabilities. This helps cloud service providers protect their resources and reputation and protects the clients from intrusion or damage.
      • Security compliance: Audits and controls system security compliance. For example, safeguard records information about system configurations, permissions, and logs, prevents the system from modifying specific settings or files, and detects violations and abnormal events in the system. This ensures compliance with security standards and regulations and improves the credibility and legitimacy of the system.

      Functions

      Audit and Control

      File safeguarding:

      • Traces file system activities, including file open, close, read, write, and delete operations.
      • Modifies the behavior of file systems through the interception of certain file operations and custom security policies. Security policies:
        1. Operations on files can be intercepted or redirected through eBPF. For example, read and write operations on sensitive files can be intercepted, and access to certain files can be redirected.
        2. Access control can be customized. eBPF checks the identity, permissions, and environment of a user who requests access to a file, and allows or denies the request based on custom rules.
        3. Audit and monitoring can be customized. For example, eBPF records the information about operations on certain files, such as the operator, time, and action, and outputs the information to the logs.

      Process safeguarding:

      • Traces process life cycles, such as process creation, termination, scheduling, and context switching.
      • Modifies the behavior of processes, such as injecting or modifying some system calls or implementing custom scheduling policies.

      Network safeguarding:

      • Traces network activities, such as sending, receiving, forwarding, and discarding network packets.
      • Modifies the behavior of networks through filtering and rewriting of network packets and custom routing policies.

      Feature List

      Audit and Control for Files, Networks, and Processes

      • Files

        Functions:

        - List of allowed files.
        - List of denied files and the related operations to be blocked.
        - File open logs, including operation commands, host names, PIDs, and UIDs.

        Affected operations:

        - File or directory open operations, including the create, read, write, and execute modes.
        - File or directory permission or attribute modifications.
        - File or directory mapping to memory.

      • Networks

        Functions:

        - Allowed and denied CIDRs.
        - Allowed and denied domains.
        - Allowed and denied operation commands.
        - Allowed and denied UIDs.
        - Allowed and denied GIDs.
        - Network connection logs, including cgroup IDs, PIDs, host names, and operation commands.

        Affected operations:

        Operations related to network connections, for example, socket creation in the following scenarios:

        - A socket invokes the connect() or sendto() function, and the destination address is not NULL.
        - A socket invokes the accept() or recvfrom() function, and the source address is not NULL.
        - A socket invokes the getpeername() function, and the return address is not NULL.

      • Processes

        Functions:

        Process creation logs, including PIDs, PPIDs, host names, and operation commands.

        Affected operations:

        Operations related to process creation, including fork, vfork, and clone.

      Logs

      • Set the log format to JSON or TXT.
      • Configure the log file output path.
      • Configure the maximum size at which a log file is rotated. If a log file exceeds this size, a new log file is created automatically. The default size is 100 MB.
      • Configure the log file rotation time limit. After the time limit is exceeded, a new log file is created automatically. The default time limit is 365 days.
      • Configure log tags.
      • Configure log levels. The options are DEBUG (10), INFO (20), WARNING (30), ERROR (40), and CRITICAL (50).

      Configurations

      • Enable or disable the file, process, network, and log modules, and configure the corresponding sub-modules.
      • Configure the mode: monitor or block. Related operations (such as those on the list of denied files) are blocked only in block mode.
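      As an added illustration of the file and network audit rules in the feature list and of the monitor/block mode above (example code, not code from the safeguard project), this Go snippet sketches a user-space policy decision for file-open and connect() events. The names Policy, Event, CheckFileOpen, and CheckConnect are hypothetical, and the glob patterns and CIDRs are constructed sample configuration.

```go
package main

import (
	"net/netip"
	"path/filepath"
)

// Policy is a hypothetical user-space view of a safeguard-style configuration.
type Policy struct {
	Mode       string         // "monitor" (log only) or "block" (log and reject)
	AllowFiles []string       // glob patterns; an allow match wins over deny
	DenyFiles  []string       // glob patterns whose opens are denied
	DenyCIDRs  []netip.Prefix // destination prefixes whose connects are denied
}

// Event is the audit record; Blocked can only be true in block mode.
type Event struct {
	Kind, Subject, Comm string
	PID, UID            int
	Denied, Blocked     bool
}

func matchAny(patterns []string, path string) bool {
	for _, pat := range patterns {
		if ok, _ := filepath.Match(pat, path); ok {
			return true
		}
	}
	return false
}

// CheckFileOpen audits a file-open event and applies the allow/deny lists.
func (p Policy) CheckFileOpen(path string, pid, uid int, comm string) Event {
	ev := Event{Kind: "file_open", Subject: path, Comm: comm, PID: pid, UID: uid}
	ev.Denied = !matchAny(p.AllowFiles, path) && matchAny(p.DenyFiles, path)
	ev.Blocked = ev.Denied && p.Mode == "block"
	return ev
}

// CheckConnect audits a connect()/sendto() event by its destination address.
func (p Policy) CheckConnect(dst netip.Addr, pid, uid int, comm string) Event {
	ev := Event{Kind: "connect", Subject: dst.String(), Comm: comm, PID: pid, UID: uid}
	for _, c := range p.DenyCIDRs {
		ev.Denied = ev.Denied || c.Contains(dst)
	}
	ev.Blocked = ev.Denied && p.Mode == "block"
	return ev
}
```

      In monitor mode every event is still recorded with Denied set, so the same policy can be dry-run before switching to block mode.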
