# nixpkgs package for tracee (Aqua Security's eBPF-based runtime security tool).
# Builds the Go CLI plus its CO-RE BPF object and splits them across three
# outputs: "out" (binary), "lib" (BPF object) and "share" (rules templates).
{ lib
, buildGoModule
, fetchFromGitHub

# toolchain for the BPF C objects built by the Makefile
, clang
, pkg-config

# native libraries the BPF/C side links against
, zlib
, elfutils
, libbpf

# used only by passthru.tests
, nixosTests
, testers
, tracee
}:

buildGoModule rec {
  pname = "tracee";
  version = "0.13.1";

  # pinned upstream source; `hash` fixes the unpacked tree, `vendorHash`
  # below fixes the Go module vendor tree, so a bump must update both
  src = fetchFromGitHub {
    owner = "aquasecurity";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-YO5u/hE5enoqh8niV4Zi+NFUsU+UXCCxdqvxolZImGk=";
  };
  vendorHash = "sha256-swMvJe+Dz/kwPIStPlQ7d6U/UwXSMcJ3eONxjzebXCc=";

  # presumably makes the build link the libbpf from buildInputs instead of an
  # in-tree copy (judging by the file name) -- confirm against the patch
  patches = [
    ./use-our-libbpf.patch
  ];

  enableParallelBuilding = true;
  # needed to build bpf libs
  # NOTE(review): hardeningDisable is derivation-wide, so the stack protector
  # is off for every C compile in this build, not only the BPF objects
  hardeningDisable = [ "stackprotector" ];

  nativeBuildInputs = [ pkg-config clang ];
  buildInputs = [ elfutils libbpf zlib ];

  makeFlags = [
    "VERSION=v${version}"
    # "-s -w" look like Go linker flags (drop symbol table and DWARF);
    # how the Makefile consumes GO_DEBUG_FLAG is not visible here
    "GO_DEBUG_FLAG=-s -w"
    # don't actually need git but the Makefile checks for it
    "CMD_GIT=echo"
  ];

  # the Makefile drives both the BPF object ("bpf-core") and the Go build ("all")
  # and expects ./dist to exist; the -j flag is only added when
  # enableParallelBuilding is set (''$ keeps the ${...} for the shell, not Nix)
  buildPhase = ''
    runHook preBuild
    mkdir -p ./dist
    make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} bpf-core all
    runHook postBuild
  '';

  # tests require a separate go module
  # integration tests are ran within a nixos vm
  # see passthru.tests.integration
  doCheck = false;

  outputs = [ "out" "lib" "share" ];

  # move the Makefile's artifacts into their outputs: the CLI to $out,
  # the CO-RE BPF object to $lib, the tracee-rules templates to $share
  # (how the binary locates the BPF object at runtime is not shown here)
  installPhase = ''
    runHook preInstall

    mkdir -p $out/bin $lib/lib/tracee $share/share/tracee

    mv ./dist/tracee $out/bin/
    mv ./dist/tracee.bpf.core.o $lib/lib/tracee/
    mv ./cmd/tracee-rules/templates $share/share/tracee/

    runHook postInstall
  '';

  # smoke test: the installed binary must run and report the expected version
  # (grep failing makes the phase fail)
  doInstallCheck = true;
  installCheckPhase = ''
    runHook preInstallCheck

    $out/bin/tracee --help
    $out/bin/tracee --version | grep "v${version}"

    runHook postInstallCheck
  '';

  # `tracee` here is the package itself as seen from the package set
  passthru.tests = {
    integration = nixosTests.tracee;
    version = testers.testVersion {
      package = tracee;
      version = "v${version}";
      command = "tracee --version";
    };
  };

  meta = with lib; {
    homepage = "https://aquasecurity.github.io/tracee/latest/";
    changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
    description = "Linux Runtime Security and Forensics using eBPF";
    longDescription = ''
      Tracee is a Runtime Security and forensics tool for Linux. It is using
      Linux eBPF technology to trace your system and applications at runtime,
      and analyze collected events to detect suspicious behavioral patterns. It
      is delivered as a Docker image that monitors the OS and detects suspicious
      behavior based on a pre-defined set of behavioral patterns.
    '';
    # dual-licensed tree: the BPF C sources carry a different license
    license = with licenses; [
      # general license
      asl20
      # pkg/ebpf/c/*
      gpl2Plus
    ];
    maintainers = with maintainers; [ jk ];
    platforms = [ "x86_64-linux" "aarch64-linux" ];
    # the BPF object in "lib" is not installed into user profiles by default
    outputsToInstall = [ "out" "share" ];
  };
}