# Nix packaging for tracee, Aqua Security's eBPF-based Linux runtime security
# and forensics tool.  The build compiles the BPF objects with clang (make
# target `bpf-core`) and the user-space binaries with Go (`all`), then
# installs `tracee-ebpf`, `tracee-rules` and the bundled rules/templates.
{ lib
, buildGoModule
, fetchFromGitHub
, llvmPackages_13
, pkg-config
, zlib
, elfutils
, libbpf
, nixosTests
, testers
, tracee
}:

let
  # clang is used to compile the BPF programs; pinned to the LLVM 13 toolchain.
  inherit (llvmPackages_13) clang;
in
buildGoModule rec {
  pname = "tracee";
  version = "0.8.3";

  # The source is fetched by release tag, but the fixed-output hash below is
  # what actually pins the content: if the tag is ever moved, the fetch fails
  # instead of silently building different code.
  src = fetchFromGitHub {
    owner = "aquasecurity";
    repo = pname;
    rev = "v${version}";
    sha256 = "sha256-VxTJcl7gHRZEXpFbxU4iMwqxuR1r0BNSseWQ5ijWHU4=";
  };

  # Hash of the vendored Go module set; must be refreshed together with
  # `version`/`sha256` whenever upstream's go.mod/go.sum change.
  vendorSha256 = "sha256-szPoJUtzya3+8dOnkDxHEs3+a1LTVoMMLjUSrUlfiGg=";

  # Honoured by the explicit `-j$NIX_BUILD_CORES` passed to make in buildPhase.
  enableParallelBuilding = true;

  # needed to build bpf libs
  # NOTE(review): this drops the stack-protector hardening flag for everything
  # compiled in this derivation, not only for the BPF objects that need it;
  # confirm whether it can be limited to the `bpf-core` target instead.
  hardeningDisable = [ "stackprotector" ];

  nativeBuildInputs = [ pkg-config clang ];

  # ensure libbpf version exactly matches the version added as a submodule
  buildInputs = [ libbpf zlib elfutils ];

  makeFlags = [
    "VERSION=v${version}"
    # `-s -w` are Go linker flags: omit the symbol table and DWARF debug info
    # from the produced binaries.
    "GO_DEBUG_FLAG=-s -w"
    # don't actually need git but the Makefile checks for it
    "CMD_GIT=echo"
  ];

  # TODO: patch tracee to take libbpf.a and headers via include path
  # Until then, stage the Nix-provided libbpf library and headers where the
  # Makefile expects its submodule build output (./dist/libbpf).  The copy
  # comes from the read-only store, presumably why the directory is made
  # writable before the headers are added.
  preBuild = ''
    mkdir -p 3rdparty/libbpf/src
    mkdir -p ./dist
    cp -r ${libbpf}/lib ./dist/libbpf
    chmod +w ./dist/libbpf
    cp -r ${libbpf}/include/bpf ./dist/libbpf/
  '';

  # `''${` is Nix escaping for a literal `${`, so the shell sees
  # `${enableParallelBuilding:+-j$NIX_BUILD_CORES}` and only passes `-j`
  # when parallel building is enabled.  `bpf-core` builds the BPF objects,
  # `all` the Go binaries.
  buildPhase = ''
    runHook preBuild
    make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} bpf-core all
    runHook postBuild
  '';

  # tests require a separate go module
  # integration tests are run within a nixos vm
  # see passthru.tests.integration
  doCheck = false;

  installPhase = ''
    runHook preInstall

    mkdir -p $out/{bin,share/tracee}

    cp ./dist/tracee-ebpf $out/bin
    cp ./dist/tracee-rules $out/bin

    cp -r ./dist/rules $out/share/tracee/
    cp -r ./cmd/tracee-rules/templates $out/share/tracee/

    runHook postInstall
  '';

  # Smoke test: both installed binaries start, and tracee-ebpf reports the
  # expected version.  (The version check is repeated by passthru.tests.version.)
  doInstallCheck = true;
  installCheckPhase = ''
    runHook preInstallCheck

    $out/bin/tracee-ebpf --help
    $out/bin/tracee-ebpf --version | grep "v${version}"

    $out/bin/tracee-rules --help

    runHook postInstallCheck
  '';

  passthru.tests = {
    # Full integration test, run in a NixOS VM (see the doCheck note above).
    integration = nixosTests.tracee;
    # Checks the installed binary against the packaged version string.
    version = testers.testVersion {
      package = tracee;
      version = "v${version}";
      command = "tracee-ebpf --version";
    };
  };

  meta = with lib; {
    homepage = "https://aquasecurity.github.io/tracee/latest/";
    changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
    description = "Linux Runtime Security and Forensics using eBPF";
    longDescription = ''
      Tracee is a Runtime Security and forensics tool for Linux. It is using
      Linux eBPF technology to trace your system and applications at runtime,
      and analyze collected events to detect suspicious behavioral patterns. It
      is delivered as a Docker image that monitors the OS and detects suspicious
      behavior based on a pre-defined set of behavioral patterns.
    '';
    license = licenses.asl20;
    maintainers = with maintainers; [ jk ];
    # eBPF is Linux-only; only x86_64 is built and tested by this expression.
    platforms = [ "x86_64-linux" ];
  };
}