11# exectrace [ ![ Go Reference] ( https://pkg.go.dev/badge/github.com/coder/exectrace.svg )] ( https://pkg.go.dev/github.com/coder/exectrace )
22
3- Simple [ eBPF] ( https://ebpf.io/ ) -based exec snooping on Linux, packaged as a Go
3+ Simple [ eBPF] ( https://ebpf.io/ ) -based exec snooping on Linux packaged as a Go
44library.
55
6- exectrace loads a precompiled [ eBPF program] ( ./bpf/handler.c ) into the running
6+ exectrace loads a pre-compiled [ eBPF program] ( ./bpf/handler.c ) into the running
77kernel to receive details about the ` exec ` family of syscalls.
88
9- ## Installation
9+ ## Requirements
1010
11- exectrace only support Go 1.16+ and Linux kernel 5.8+ (due to use of
11+ exectrace only supports Go 1.16+ and Linux kernel 5.8+ (due to the use of
1212` BPF_MAP_TYPE_RINGBUF ` ).
1313
14- ```
14+ ## Installation
15+
16+ ``` console
1517$ go get -u github.com/coder/exectrace
1618```
1719
18- ## Quick Start
20+ ## Quickstart
1921
20- You will need root access, ` CAP_SYS_ADMIN ` or ` CAP_BPF ` to run eBPF programs on
22+ You will need root access, ` CAP_SYS_ADMIN ` or ` CAP_BPF ` , to run eBPF programs on
2123your system.
2224
23- > tip: you can use ` go run -exec sudo ./cmd/program ` to compile a program and
25+ > Use ` go run -exec sudo ./cmd/program ` to compile a program and
2426> start it with ` sudo `
2527
26- ```
28+ ``` console
2729$ go install -u github.com/coder/exectrace/cmd/exectrace
2830$ exectrace --help
2931...
@@ -36,12 +38,12 @@ $ sudo exectrace
3638
3739## Usage
3840
39- exectrace exposes a minimal API surface. Just call ` exectrace.New(nil) ` and then
40- you can immediately start ` tracer.Read() ` ing events from the returned ` tracer ` .
41+ exectrace exposes a minimal API surface. Call ` exectrace.New(nil) ` and then
42+ you can start ` tracer.Read() ` ing events from the returned ` Tracer ` .
4143
42- It is important that the tracer gets closed to avoid leaking kernel resources,
43- so implemeneting a simple signal handler like the one in the example below is
44- recommended.
44+ It is important that you close the tracer to avoid leaking kernel resources,
45+ so we recommend implementing a simple signal handler like the one in this
46+ example:
4547
4648``` go
4749package main
@@ -80,33 +82,35 @@ func main() {
8082}
8183```
8284
83- You can look at the example program [ exectrace ] ( ./cmd/exectrace/main.go ) for a
84- fully featured program using this library.
85+ > For a full usage example, refer to this [ comprehensive program ] ( ./cmd/exectrace/main.go )
86+ > that uses the library.
8587
8688## Development
8789
88- Since the eBPF program is packaged as a Go library, the program needs to be
89- compiled and included in the repo. If you make changes to files under the ` bpf `
90- directory, you should run ` make ` and include the ` .o ` files in that directory in
91- your commit if they changed. CI will ensure that this is done correctly.
92-
93- You will probably need the following tools:
90+ You will need the following:
9491
95- - Docker (clang is run within a Docker container for reproducibility)
92+ - Docker (the Makefile runs clang within a Docker container for reproducibility)
9693- ` golangci-lint `
9794- ` prettier `
9895- ` shellcheck `
9996
100- ## Status: In Development
97+ Since the eBPF program is packaged as a Go library, you need to compile the
98+ program and include it in the repo.
99+
100+ If you change the files in the ` bpf ` directory, run ` make ` and ensure that you
101+ include the ` .o ` files you changed in your commit (CI will verify that you've
102+ done this correctly).
103+
104+ ## Status: beta
101105
102- The library is currently under heavy development as we develop it out to suit
103- the needs of Coder's enterprise [ product] ( https://coder.com ) .
106+ This library is ready to use as-is, though it is under active development as we
107+ modify it to suit the needs of Coder's [ enterprise product] ( https://coder.com ) .
104108
105- We plan on changing the API to add more features and fields that can be read
106- from, and potentially adding easier methods for filtering events rather than
107- implementing filtering yourself.
109+ We plan on adding more features and fields that can be read from the API, as
110+ well as easier-to-use methods for filtering events (currently, you must
111+ implement additional filtering yourself) .
108112
109- ## See Also
113+ ## See also
110114
111115- [ ` canonical/etrace ` ] ( https://github.com/canonical/etrace ) - Go binary that
112116 uses ptrace and tracks the processes that a command launches for debugging and
0 commit comments