# Hades-Linux **Repository Path**: the-sec-hunter/Hades-Linux ## Basic Information - **Project Name**: Hades-Linux - **Description**: Hades is a Host-Based Intrusion Detection System based on both eBPF(kernel) and netlink/cn_proc(userspace). - **Primary Language**: Unknown - **License**: Apache-2.0 - **Default Branch**: dev-win-plugins-rs - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2025-02-07 - **Last Updated**: 2025-04-07 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README

# Hades Hades 是一个基于 eBPF 的主机入侵检测系统，同时兼容低版本下通过 netlink(cn_proc) 进行事件审计。申明：本项目借鉴了 [Tracee](https://github.com/aquasecurity/tracee) 以及 [Elkeid](https://github.com/bytedance/Elkeid) 中的代码以及思路等 ## 概览 > 后台逐步开发中

## 架构 > 注: Agent 部分基本参照 Elkeid 1.7 部分重构 ### Agent ![data](https://github.com/chriskaliX/Hades/blob/main/imgs/agent.png) ### 数据处理流程 ![data](https://github.com/chriskaliX/Hades/blob/main/imgs/data_analyze.png) ## 插件列表 - [EDriver](https://github.com/chriskaliX/Hades/tree/main/plugins/edriver) - [Collector](https://github.com/chriskaliX/Hades/tree/main/plugins/collector) - [Eguard](https://github.com/chriskaliX/Hades/tree/main/plugins/eguard) - [NCP](https://github.com/chriskaliX/Hades/tree/main/plugins/ncp) - Scanner - Logger ## 采集能力 --- ### EDriver > 支持 `21` 种 Hook，涵盖大部分安全审计检测需求，采集字段基本和 Elkeid 相同 [Hook](https://github.com/chriskaliX/Hades/tree/main/plugins/edriver) 详情查看

eBPF driver 插件 Hook 事件详情

| Hook | :--------------------------- | tracepoint/syscalls/sys_enter_execve | tracepoint/syscalls/sys_enter_execveat | tracepoint/syscalls/sys_ente | tracepoint/syscalls/sys_enter_prctl | tracepoint/syscalls/sys_enter_ptrace | kprobe/security_socket_connect | kprobe/security_socket_bind | kprobe/commit_creds | k(ret)probe/udp_recvmsg | kprobe/do_init_module | kprobe/security_kernel_read_file | kprobe/security_inode_create | kprobe/security_sb_mount | kprobe/call_usermodehelper | kprobe/security_inode_rename | kprobe/security_inode_link | uprobe/trigger_sct_scan | uprobe/trigger_idt_scan | kprobe/security_file_permission | uprobe/trigger_module_scan | kprobe/security_bpf | Status & Description | ID | -------------- | :------------------------------------ | :--- | | ON | 700 | | ON | 698 | r_memfd_create | ON | 614 | | ON(PR_SET_NAME & PR_SET_MM) | 1020 | | ON(PTRACE_PEEKTEXT & PTRACE_POKEDATA) | 1021 | | ON | 1022 | | ON | 1024 | | ON | 1011 | | ON(53/5353 for dns data) | 1025 | | ON | 1026 | | ON | 1027 | | ON | 1028 | | ON | 1029 | | ON | 1030 | | ON | 1031 | | ON | 1032 | | ON | 1200 | | ON | 1201 | | ON | 1202 | | ON | 1203 | | ON | 1204 |

--- ### Collector > S 代表异步采集，P 代表周期采集，C 代表触发采集

collector 插件 hook 详情

| Event | Type | ID | | :-------: | :--: | :-: | | processes | P | 1001 | | crontab | P | 2001 | |sshdconfig | P | 3002 | | ssh login | S | 3003 | | user | P | 3004 | | sshconfig | P | 3005 | | yum | P | 3006 | |host detect| C | 3007 | | apps | P | 3008 | | kmod | P | 3009 | | disk | P | 3010 | | systemd | P | 3011 | | interface | P | 3012 | | iptable | P | 3013 | |bpf_program| P | 3014 | | jar | P | 3015 | | dpkg | P | 3016 | | rpm | P | 3017 | | container | P | 3018 | | socket | P | 5001 |

### NCP --- > Netlink CN_PROC 事件采集 ___ ## 联系 & 交流输入 `Hades` 获取相关群二维码

## 404 星链计划

Hades 现已加入 [404 星链计划](https://github.com/knownsec/404StarLink)