___ ___
/ \ / \
\_ \ / __/
_\ \ / /__
\___ \____/ __/
\_ _/ __
| @ @ \____ ____ ___ ____/ /________
| / __ \/ _ \/ __ / ___/ __ \
_/ /\ / /_/ / __/ /_/ / / / /_/ /
/o) (o/\ \_ / .___/\___/\__,_/_/ \____/
\_____/ / /_/
\____/
Pedro is a lightweight security sensor and access control tool for Linux. It supports the Santa sync protocol generates detailed logs of system activity in the Parquet format.
This type of tool is sometimes known as EDR. Pedro is a unique type of EDR: unlike similar tools, Pedro is based on BPF LSM, which makes it faster, harder to bypass and more reliable. The trade-off is, that Pedro only supports modern Linux (currently meaning 6.2 and newer).
Unlike most EDRs, Pedro is almost entirely implemented in eBPF. Userspace programs only handle the initial load and syncing (of rules and logs). This has three important advantages:
- Pedro uses only minimal system resources.
- Pedro does not need to run as
root. - Pedro is fully extensible with eBPF plugins.
Pedro is under active development. A minimum-viable product is ready, and the author is happy to entertain feature requests.
| Category | Feature | Status |
|---|---|---|
| Access Control | Block executions by hash | ✅ Stable |
| Access Control | Block executions by signature | 📅 Planned |
| Access Control | Allowlist by hash or signature | 📅 Planned |
| Access Control | Block executions until interactive approval | ❌ Maybe later |
| Detailed telemetry (execve logs...) | Textual, debug logs | ✅ Stable |
| Detailed telemetry (execve logs...) | Log to a parquet file | ✅ Stable |
| Detailed telemetry (execve logs...) | Upload logs to S3 / GCP | 📅 Planned |
| Detailed telemetry (execve logs...) | Custom logs from plugins | 📅 Planned |
| Control Plane | Sync with a Santa server | 🛠️ Beta quality |
| Control Plane | Load local policy files | 📅 Planned |
| Extensibility | Private, closed-source plugins | ✅ Stable |
Notes:
- Examples of Santa servers include moroz and Rudolph.
- Pedro's Parquet schema is modeled after Santa and defined in
pedro/telemetry/schema.rs.
Pedro runs on Linux >6.5 on x86_64 (Intel) and aarch64 (ARM). It is tested agains the moroz sync server.
This table summarizes what integrations and their versions Pedro supports.
| Integration | Version | Support Model | Status |
|---|---|---|---|
| Linux | Intel > 6.2 | Supported | ✅ Verified |
| Linux | ARM > 6.5 | Supported | |
| Linux | ARM > 6.10 | Supported | ✅ Verified |
| moroz | 2.0.2 | Supported | ✅ Verified |
Pedro depends on BPF, LSM and IMA. In the future, it will optionally depend on FsVerity. The following boot commandline is sufficient:
# Put this in /etc/default/grub
GRUB_CMDLINE_LINUX="lsm=integrity,bpf ima_policy=tcb ima_appraise=fix"
# (Update GRUB with:)
> sudo update-grub && reboot
LSM is the mandatory access control (MAC) framework that SELinux and AppArmor are built on. LSM protects against common EDR weaknesses, such as TOCTOU attacks, local denial of service and others.
Historically, security tools couldn't be built on LSM, because LSM users like SELinux had to be compiled with the kernel. This has made Linux EDR unreliable, expensive to run and difficult to deploy. Pedro's novelty is using LSM through eBPF, which means it requires no patches or recompiling, only root access to the monitored computer.
eBPF (the "e" stands for "extended") is a mechanism for extending the Linux kernel at runtime, using (usually) a safe subset of the C programming language. eBPF was added to Linux in 2014, but only recently became powerful enough to write an LSM. Pedro is, to the author's best knowledge, the first open source tool using LSM in this way.
Pedro is an initialism of "Pipelined Endpoint Detection & Response Operation".
Pedro links with or includes code from other open source projects:
- Testing and benchmarking libraries from Google
- Google Abseil
- Apache Arrow
Pedro's telemetry schema is based on Santa's schema by Northpole.
Pedro relies heavily on the high quality work by the Kernel BPF contributors, especially:
- The initial BPF LSM patchset and many patches since by KP Singh.
- Foundational work on LLVM and GCC support, improvements to eBPF, sleepable hooks and lots more by Alexei Starovoitov.
- The BPF Ring Buffer patch set by Andrii Nakryiko
- Patchset enabling BPF ftrace on aarch64 by Florent Revest.
- Work on eBPF, the ring buffer and more by Brendan Jackman.