Bombini: eBPF-based Security Monitoring and Sandboxing Agent
May 25, 2026
Bombini is an eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks. At its core, Bombini employs modular components called Detectors, each responsible for monitoring and reporting specific types of system events.
Getting Started
Please check the compatibility issues first.
The most convenient way for now is to pull the Bombini image:
docker pull ghcr.io/bombinisecurity/bombini:v1.0.0
Run
You can easily run Bombini with this command:
docker run --pid=host --rm -it --privileged -v /sys/fs/bpf:/sys/fs/bpf ghcr.io/bombinisecurity/bombini:v1.0.0
By default, Bombini sends events to stdout in JSON format and starts only the ProcMon detector, which intercepts
process execs and exits. To customize your Bombini setup, please follow the configuration guide
and mount your config directory into the container:
docker run --pid=host --rm -it --privileged -v <your-config-dir>:/usr/local/lib/bombini/config:ro -v /sys/fs/bpf:/sys/fs/bpf ghcr.io/bombinisecurity/bombini:v1.0.0
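A host pre-flight check to run before either command above, added here as an example and not part of the Bombini project. It tests the general kernel prerequisites for BPF LSM programs (`bpf` in the active LSM list, kernel BTF) and that bpffs is mounted at `/sys/fs/bpf`, the path the commands bind-mount. The function names and the `preflight.sh` file name are illustrative, and Bombini's own compatibility notes remain authoritative.

```shell
#!/bin/sh
# Host pre-flight for a BPF LSM agent. File paths are parameters so each
# check can be run against fixtures; the defaults are the real kernel paths.

# Succeeds if the comma-separated active-LSM list in file $1 contains "bpf".
lsm_has_bpf() {
    [ -r "$1" ] || return 1
    case ",$(cat "$1")," in
        *,bpf,*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds if mounts table $1 has a filesystem of type "bpf" mounted at $2.
bpffs_mounted() {
    [ -r "$1" ] || return 1
    awk -v mp="$2" '$2 == mp && $3 == "bpf" { ok = 1 } END { exit !ok }' "$1"
}

# Runs one check: label is $1, the command is the remaining arguments.
check() {
    label=$1; shift
    if "$@"; then echo "ok    $label"; return 0; fi
    echo "FAIL  $label"; return 1
}

# Runs every check and returns the number of failures (0 means ready).
preflight() {
    lsm=${1:-/sys/kernel/security/lsm}
    mounts=${2:-/proc/mounts}
    btf=${3:-/sys/kernel/btf/vmlinux}
    fails=0
    check "bpf in active LSM list (CONFIG_BPF_LSM=y, lsm=...,bpf)" \
        lsm_has_bpf "$lsm" || fails=$((fails + 1))
    check "bpffs mounted at /sys/fs/bpf" \
        bpffs_mounted "$mounts" /sys/fs/bpf || fails=$((fails + 1))
    check "kernel BTF readable (CONFIG_DEBUG_INFO_BTF=y)" \
        test -r "$btf" || fails=$((fails + 1))
    return "$fails"
}

# Check the live host only when invoked as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

A non-zero exit status is the number of failed checks, so the script can gate the `docker run` step in a provisioning job.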
Build
To build Bombini from source, please follow the build guide.
Contributing
Please check out CONTRIBUTING.md for the contributing guidelines.