docs/defense-detection.md
eCapture is a powerful security auditing tool. Like any security tool, it can be misused. This document provides guidance for security teams on how to detect unauthorized use of eCapture (or similar eBPF-based tools) and implement appropriate defenses.
```bash
# List all loaded eBPF programs (requires root)
sudo bpftool prog list
# Look for uprobe-type programs targeting SSL/TLS libraries
sudo bpftool prog list | grep -i uprobe
```
eCapture loads uprobe programs attached to functions like SSL_read, SSL_write, SSL_do_handshake in libraries such as libssl.so. Any unexpected uprobe programs targeting these functions should be investigated.
```bash
# Check registered uprobe events
sudo cat /sys/kernel/debug/tracing/uprobe_events
# Look for probes on SSL/TLS library functions
sudo cat /sys/kernel/debug/tracing/uprobe_events | grep -E "ssl|SSL|gnutls|nspr"
```
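The grep above only tells you that a TLS-related string is present; the script below, added here as an example and not part of eCapture or this project, parses each `uprobe_events` entry and reports the probe type, event name and target library so an analyst can triage it. It assumes the tracefs line format `p:GROUP/EVENT PATH:OFFSET` (entry) / `r:GROUP/EVENT PATH:OFFSET` (return) and runs on constructed sample lines when the live file is not readable.

```bash
#!/bin/sh
# Added example: flag uprobe_events entries whose target binary is a TLS library.
# Assumed input format (tracefs uprobe_events): "p:GROUP/EVENT PATH:0xOFFSET"
# for entry probes and "r:GROUP/EVENT PATH:0xOFFSET" for return probes.
TLS_LIB_PATTERN='libssl|libcrypto|gnutls|nspr4|nss3|boringssl'

# flag_tls_uprobes TEXT -> prints "TYPE GROUP/EVENT PATH" for every probe on a TLS library
flag_tls_uprobes() {
    printf '%s\n' "$1" | awk -v pat="$TLS_LIB_PATTERN" '
        /^[pr]:/ {
            type  = substr($1, 1, 1)        # p = entry probe, r = return probe
            event = substr($1, 3)           # GROUP/EVENT
            split($2, target, ":")          # PATH:OFFSET -> target[1] is PATH
            if (tolower(target[1]) ~ pat) print type, event, target[1]
        }'
}

# count_tls_uprobes TEXT -> number of flagged probes
count_tls_uprobes() {
    flag_tls_uprobes "$1" | wc -l | tr -d ' '
}

# Constructed sample: two eCapture-style probes on libssl plus one unrelated libc probe.
SAMPLE='p:ecapture/probe_entry_SSL_read /usr/lib/x86_64-linux-gnu/libssl.so.3:0x34c50
r:ecapture/probe_ret_SSL_write /usr/lib/x86_64-linux-gnu/libssl.so.3:0x35120
p:myapp/malloc_hook /usr/lib/x86_64-linux-gnu/libc.so.6:0x9b2a0'

# Use the live tracefs file when it is readable (needs root), otherwise the sample.
UPROBE_FILE=/sys/kernel/debug/tracing/uprobe_events
if [ -r "$UPROBE_FILE" ]; then
    INPUT=$(cat "$UPROBE_FILE" 2>/dev/null || printf '%s' "$SAMPLE")
else
    INPUT=$SAMPLE
fi

echo "TLS-library uprobes found: $(count_tls_uprobes "$INPUT")"
flag_tls_uprobes "$INPUT"
```

Uprobes attached through `perf_event_open` (the path modern libbpf/cilium-ebpf loaders prefer on kernels that support it) never show up in `uprobe_events`, so an empty file is not proof of absence; check `bpftool perf list` as well.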
```bash
# List perf event arrays used by eBPF
sudo bpftool map list | grep -i perf
```
```bash
# Check for running eCapture processes (the bracket keeps grep from matching itself)
ps aux | grep '[e]capture'
```
```bash
# Use auditd to monitor execution of eCapture
sudo auditctl -w /usr/local/bin/ecapture -p x -k ecapture_exec
# Monitor bpf() system calls (catches any eBPF tool)
sudo auditctl -a always,exit -F arch=b64 -S bpf -k bpf_activity
```
```bash
# List privileged containers (eCapture requires --privileged or specific capabilities)
docker ps --format '{{.Names}}' | xargs -I {} docker inspect --format='{{.Name}}: Privileged={{.HostConfig.Privileged}}' {}
```
On systems where eBPF-based capture is not needed:
```bash
# Restrict unprivileged BPF (sysctl)
sudo sysctl -w kernel.unprivileged_bpf_disabled=1
# Make it persistent
echo "kernel.unprivileged_bpf_disabled=1" | sudo tee /etc/sysctl.d/99-disable-bpf.conf
```
```bash
# Create an AppArmor profile that denies the capabilities bpf() needs
cat << 'EOF' > /etc/apparmor.d/deny-bpf
#include <tunables/global>
profile deny-bpf flags=(attach_disconnected) {
  # Deny the capabilities required for the BPF system call
  deny capability sys_admin,
  deny capability bpf,
  deny capability perfmon,
}
EOF
```
```bash
# Audit BPF usage via SELinux
# Check for BPF-related AVC denials
ausearch -m AVC -ts today | grep bpf
```
Create comprehensive audit rules for eBPF activity:
```bash
cat << 'EOF' > /etc/audit/rules.d/ebpf-monitor.rules
# Monitor bpf() system calls
-a always,exit -F arch=b64 -S bpf -k ebpf_usage
# Monitor perf_event_open (used by eBPF perf buffers)
-a always,exit -F arch=b64 -S perf_event_open -k perf_event
# Monitor access to tracing filesystem
-w /sys/kernel/debug/tracing/ -p rwa -k tracing_access
# Monitor uprobe registration
-w /sys/kernel/debug/tracing/uprobe_events -p wa -k uprobe_modification
EOF
sudo augenrules --load
```
⚠️ Warning: Running eCapture with `docker run --privileged=true` grants the container full host access. This is a significant security risk in production environments.
Instead of --privileged, use specific capabilities:
```bash
# Minimum capabilities for eCapture in Docker
docker run --rm \
  --cap-add=SYS_ADMIN \
  --cap-add=BPF \
  --cap-add=PERFMON \
  --cap-add=NET_ADMIN \
  --pid=host \
  --net=host \
  -v /sys/kernel/debug:/sys/kernel/debug:ro \
  -v /sys/fs/bpf:/sys/fs/bpf \
  gojue/ecapture:latest tls
```
Note: On kernel versions < 5.8, `CAP_SYS_ADMIN` is required, as `CAP_BPF` and `CAP_PERFMON` are not yet available.
If eCapture is configured to forward events over the network (e.g., to eCaptureQ GUI), monitor for:
```bash
# Check for eCapture's default listening port
ss -tlnp | grep 28256
```
- Use the `--pid` flag to scope capture to a single process instead of capturing all traffic