nixpkgs/pkgs/tools/security/tracee/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

113 lines
2.6 KiB
Nix
Raw Normal View History

2022-05-21 12:39:32 +00:00
{ lib
, buildGoModule
, fetchFromGitHub
, llvmPackages_13
, pkg-config
, zlib
, elfutils
, libbpf
, nixosTests
, testers
, tracee
2022-05-21 12:39:32 +00:00
}:
let
inherit (llvmPackages_13) clang;
in
buildGoModule rec {
pname = "tracee";
version = "0.9.2";
2022-05-21 12:39:32 +00:00
src = fetchFromGitHub {
owner = "aquasecurity";
repo = pname;
rev = "v${version}";
sha256 = "sha256-w/x7KhopkADKvpDc5TE5Kf34pRY6HP3kX1Lqujnl0b8=";
2022-05-21 12:39:32 +00:00
};
vendorSha256 = "sha256-5RXNRNoMydFcemNGgyfqcUPtfMVgMYdiyWo/sZi8GQw=";
patches = [
./use-our-libbpf.patch
];
2022-05-21 12:39:32 +00:00
enableParallelBuilding = true;
# needed to build bpf libs
hardeningDisable = [ "stackprotector" ];
2022-05-21 12:39:32 +00:00
nativeBuildInputs = [ pkg-config clang ];
buildInputs = [ elfutils libbpf zlib ];
2022-05-21 12:39:32 +00:00
makeFlags = [
"VERSION=v${version}"
"GO_DEBUG_FLAG=-s -w"
2022-05-21 12:39:32 +00:00
# don't actually need git but the Makefile checks for it
"CMD_GIT=echo"
];
buildPhase = ''
runHook preBuild
mkdir -p ./dist
make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} bpf-core all
2022-05-21 12:39:32 +00:00
runHook postBuild
'';
# tests require a separate go module
# integration tests are ran within a nixos vm
# see passthru.tests.integration
2022-05-21 12:39:32 +00:00
doCheck = false;
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/tracee}
cp ./dist/tracee-ebpf $out/bin
cp ./dist/tracee-rules $out/bin
cp -r ./dist/rules $out/share/tracee/
cp -r ./cmd/tracee-rules/templates $out/share/tracee/
runHook postInstall
'';
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
$out/bin/tracee-ebpf --help
$out/bin/tracee-ebpf --version | grep "v${version}"
$out/bin/tracee-rules --help
runHook postInstallCheck
'';
passthru.tests = {
integration = nixosTests.tracee;
version = testers.testVersion {
package = tracee;
version = "v${version}";
command = "tracee-ebpf --version";
};
};
2022-05-21 12:39:32 +00:00
meta = with lib; {
homepage = "https://aquasecurity.github.io/tracee/latest/";
changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
description = "Linux Runtime Security and Forensics using eBPF";
longDescription = ''
Tracee is a Runtime Security and forensics tool for Linux. It is using
Linux eBPF technology to trace your system and applications at runtime,
and analyze collected events to detect suspicious behavioral patterns. It
is delivered as a Docker image that monitors the OS and detects suspicious
behavior based on a pre-defined set of behavioral patterns.
'';
license = licenses.asl20;
maintainers = with maintainers; [ jk ];
platforms = [ "x86_64-linux" ];
};
}