Welcome to the Jibril project! Jibril is a runtime security tool capable of not only monitoring, but also enforcing application behavior. It is designed to be lightweight, efficient, and easy to use. Jibril can be used to monitor and enforce security policies in real time, providing a high level of protection for your applications.
- Made by a team of experts, including former Tracee and Falco core engineers.
- Unlike other similar projects, Jibril can deal with any type of workload.
- No events, no losses. No events, no delays.
- No performance impact, tiny memory footprint.
- Easy to use.
Read about the theory and history behind it.
- There is a single eBPF loader that contains extensions easily added to the build tree.
- There are multiple extensions providing different application-like functionality.
- Each extension can have multiple plugins providing different features.
- The Jibril extension is the main extension of the Jibril project and the reason the project was created.
- The Jibril extension has libraries to talk to eBPF programs and to the kernel.
- Jibril works with plugins like `config`, `simple`, `procfs`, `netflows` and `detections`.
- Both `config` and `simple` plugins are for internal use.
- The `github` plugin is used to interact with the ListenDev API.
- The `simple` plugin provides a stdout printer (beautified events).
- The `netflows` plugin provides an event called `netflow` (tasks network flows).
- The `detections` plugin provides many different events related to security detections.
The best way to try Jibril out, for now, is to use the provided Docker container image, as described below, and check the stdout file (`/var/log/jibril/jibril.log`) for the detections output.
```
curl -s https://listendev.github.io/jibril/dev/jibril.sh | sh
```
You can also give it a try (as an action) with the GitHub integration support at:
Jibril is the tool behind the dynamic runtime analysis feature of https://www.listen.dev/.