BitBlazr Sensor

BitBlazr is an open source sensor that uses eBPF to protect IoT and other Linux runtimes. Combining ideas from Mandatory Access Control (MAC) with eBPF-based monitoring, it provides a kernel-level rule system for policy enforcement together with configurable logging targets, and its filtering logic draws a clear line between events, alerts, and informational messages.

BitBlazr has a lightweight architecture (its kernel-side code runs as verifier-checked eBPF programs) that makes it simpler to deploy than traditional agents. Because filtering happens inside the kernel, events that match nothing never have to cross into user space, which avoids a context switch for every inspected event. In testing on Arm64 IoT systems it consumed less than 5% of a single CPU core.

BitBlazr is a security sensor rather than a general-purpose tracer: it does not hook every system call or kernel event. At this time the sensor watches for the following actions:

  • Executables being launched. 
  • Executables exiting.
  • Files being opened, with monitored locations restricted to those posing a security risk. 
  • New network ports being opened. 
  • Egress connections. 

The sensor has two main objectives:  

  1. Catching clear-cut intrusion or pivoting attempts by malicious users by matching them against the kernel-level rules defined in the rules.json5 file; these rules are enforced in the kernel.
  2. Forwarding events that are not covered by the rules but match the logging logic defined in the logs.json5 file to the cloud, where they can be integrated with a SIEM system and examined by engineers or analyzed by an AI-powered analytics engine, as is the case with the ZioSec SaaS solution.

Note that not every Linux kernel has all of the required eBPF features built in; IoT kernels in particular are often trimmed to a minimal feature set to conserve system resources.

For rule enforcement, the sensor attaches to the Linux Security Module (LSM) hooks via eBPF; this requires a kernel built with BPF LSM support and "bpf" present in the active LSM list. For monitoring, BTF-enabled tracepoints are preferred. If the kernel does not export BTF, the sensor falls back to monitoring raw system calls.
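The following is an added example, not code from the BitBlazr project: a small POSIX shell probe that checks the two kernel interfaces the paragraph above depends on (the active LSM list in securityfs and the exported vmlinux BTF in sysfs) and reports which hooking strategy a sensor could use on this kernel. The function takes an optional root prefix so it can be exercised against a constructed directory tree; the output labels (lsm+btf, lsm+raw, btf-only, raw-only) are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of BitBlazr): probe the running kernel for the
# features an eBPF sensor needs and report which hook strategy is possible.
#
# probe_bpf_support [ROOT]
#   ROOT is an optional prefix (for testing against a constructed tree);
#   with no argument the real /sys is inspected.
# Prints one of (labels chosen for this example):
#   lsm+btf  : BPF LSM enforcement and BTF tracepoints both available
#   lsm+raw  : BPF LSM available, no BTF, so monitoring must use raw syscalls
#   btf-only : BTF available but "bpf" is not an active LSM (no enforcement)
#   raw-only : neither feature available
probe_bpf_support() {
    root="${1:-}"
    lsm_list="$root/sys/kernel/security/lsm"
    btf_vmlinux="$root/sys/kernel/btf/vmlinux"

    have_lsm=0
    have_btf=0

    # /sys/kernel/security/lsm lists the active LSMs, comma separated.
    # BPF LSM programs can only attach when "bpf" is in that list, which
    # needs CONFIG_BPF_LSM plus "bpf" in the lsm= kernel parameter or the
    # CONFIG_LSM default.
    if [ -r "$lsm_list" ]; then
        case ",$(cat "$lsm_list")," in
            *,bpf,*) have_lsm=1 ;;
        esac
    fi

    # /sys/kernel/btf/vmlinux exists only when the kernel exports BTF
    # (CONFIG_DEBUG_INFO_BTF); tp_btf and fentry programs depend on it.
    if [ -r "$btf_vmlinux" ]; then
        have_btf=1
    fi

    if [ "$have_lsm" -eq 1 ] && [ "$have_btf" -eq 1 ]; then
        echo "lsm+btf"
    elif [ "$have_lsm" -eq 1 ]; then
        echo "lsm+raw"
    elif [ "$have_btf" -eq 1 ]; then
        echo "btf-only"
    else
        echo "raw-only"
    fi
}

# Report for the kernel this script is running on.
probe_bpf_support
```

A result of lsm+raw is the IoT case the text describes: enforcement works, but monitoring has to fall back to raw syscall hooks. Absence of securityfs at /sys/kernel/security (for example inside a container without it mounted) is reported the same as a kernel without BPF LSM, so run the probe on the host, not inside a container, when deciding what the sensor can do.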

The GitHub repository for the project is at https://github.com/auseckas/bitblazr