Skip to content

raffi-ant/pedro

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

815 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pedro (Pet EDR Operation)

  ___            ___  
 /   \          /   \ 
 \_   \        /  __/ 
  _\   \      /  /__  
  \___  \____/   __/  
      \_       _/                        __         
        | @ @  \____     ____  ___  ____/ /________ 
        |               / __ \/ _ \/ __  / ___/ __ \
      _/     /\        / /_/ /  __/ /_/ / /  / /_/ /
     /o)  (o/\ \_     / .___/\___/\__,_/_/   \____/ 
     \_____/ /       /_/                            
       \____/         

Pedro is a lightweight security sensor and access control tool for Linux. It supports the Santa sync protocol generates detailed logs of system activity in the Parquet format.

What Makes Pedro Different?

This type of tool is sometimes known as EDR. Pedro is a unique type of EDR: unlike similar tools, Pedro is based on BPF LSM, which makes it faster, harder to bypass and more reliable. The trade-off is, that Pedro only supports modern Linux (currently meaning 6.2 and newer).

Unlike most EDRs, Pedro is almost entirely implemented in eBPF. Userspace programs only handle the initial load and syncing (of rules and logs). This has three important advantages:

  1. Pedro uses only minimal system resources.
  2. Pedro does not need to run as root.
  3. Pedro is fully extensible with eBPF plugins.

Key Features & Maturity

Pedro is under active development. A minimum-viable product is ready, and the author is happy to entertain feature requests.

Category Feature Status
Access Control Block executions by hash ✅ Stable
Access Control Block executions by signature 📅 Planned
Access Control Allowlist by hash or signature 📅 Planned
Access Control Block executions until interactive approval ❌ Maybe later
Detailed telemetry (execve logs...) Textual, debug logs ✅ Stable
Detailed telemetry (execve logs...) Log to a parquet file ✅ Stable
Detailed telemetry (execve logs...) Upload logs to S3 / GCP 📅 Planned
Detailed telemetry (execve logs...) Custom logs from plugins 📅 Planned
Control Plane Sync with a Santa server 🛠️ Beta quality
Control Plane Load local policy files 📅 Planned
Extensibility Private, closed-source plugins ✅ Stable

Notes:

  • Examples of Santa servers include moroz and Rudolph.
  • Pedro's Parquet schema is modeled after Santa and defined in pedro/telemetry/schema.rs.

Platform & Integration Support

Pedro runs on Linux >6.5 on x86_64 (Intel) and aarch64 (ARM). It is tested agains the moroz sync server.

This table summarizes what integrations and their versions Pedro supports.

Integration Version Support Model Status
Linux Intel > 6.2 Supported ✅ Verified
Linux ARM > 6.5 Supported ⚠️ Pending
Linux ARM > 6.10 Supported ✅ Verified
moroz 2.0.2 Supported ✅ Verified

Pedro depends on BPF, LSM and IMA. In the future, it will optionally depend on FsVerity. The following boot commandline is sufficient:

# Put this in /etc/default/grub
GRUB_CMDLINE_LINUX="lsm=integrity,bpf ima_policy=tcb ima_appraise=fix"

# (Update GRUB with:)
> sudo update-grub && reboot

Context & Background

LSM is the mandatory access control (MAC) framework that SELinux and AppArmor are built on. LSM protects against common EDR weaknesses, such as TOCTOU attacks, local denial of service and others.

Historically, security tools couldn't be built on LSM, because LSM users like SELinux had to be compiled with the kernel. This has made Linux EDR unreliable, expensive to run and difficult to deploy. Pedro's novelty is using LSM through eBPF, which means it requires no patches or recompiling, only root access to the monitored computer.

eBPF (the "e" stands for "extended") is a mechanism for extending the Linux kernel at runtime, using (usually) a safe subset of the C programming language. eBPF was added to Linux in 2014, but only recently became powerful enough to write an LSM. Pedro is, to the author's best knowledge, the first open source tool using LSM in this way.

Pedro is an initialism of "Pipelined Endpoint Detection & Response Operation".

Development Documentation

Acknowledgements & Thanks

Pedro links with or includes code from other open source projects:

Pedro's telemetry schema is based on Santa's schema by Northpole.

Pedro relies heavily on the high quality work by the Kernel BPF contributors, especially:

About

Pet EDR Operation - A lightweight, open source EDR for Linux

Resources

License

Contributing

Security policy

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages

  • Rust 66.1%
  • C++ 18.3%
  • Shell 7.7%
  • C 4.0%
  • Starlark 3.9%