{
  lib,
  buildGoModule,
  fetchFromGitHub,

  clang,
  pkg-config,

  zlib,
  elfutils,
  libbpf,

  nixosTests,
  testers,
  tracee,
  makeWrapper,
}:

buildGoModule rec {
  pname = "tracee";
  version = "0.20.0";

  # Source is pinned both by release tag and by content hash, so the fetched
  # tree cannot change without this file changing.
  src = fetchFromGitHub {
    owner = "aquasecurity";
    repo = "tracee";
    # upstream has a branch and a tag with the same name; the tag is wanted
    tag = "v${version}";
    hash = "sha256-OnOayDxisvDd802kDKGctaQc5LyoyFfdfvC+2JpRjHY=";
  };
  # content hash of the vendored Go module tree
  vendorHash = "sha256-26sAKTJQ7Rf5KRlu7j5XiZVr6CkAC6fm60Pam7KH0uA=";

  patches = [
    # presumably points the build at the libbpf from buildInputs — see the patch
    ./use-our-libbpf.patch
    # the old pyroscope dependency cannot be vendored; drop this patch once
    # https://github.com/aquasecurity/tracee/pull/3927 is in a release
    ./update-pyroscope.patch
  ];

  enableParallelBuilding = true;
  # The BPF objects do not build with the stack protector enabled. This flag
  # is derivation-wide, so it applies to anything compiled through the cc
  # wrapper in this build, not only the BPF code.
  hardeningDisable = [ "stackprotector" ];

  nativeBuildInputs = [
    pkg-config
    clang
  ];
  buildInputs = [
    elfutils
    libbpf
    zlib
  ];

  makeFlags = [
    "VERSION=v${version}"
    "GO_DEBUG_FLAG=-s -w"
    # the Makefile probes for git even though the build does not use it
    "CMD_GIT=echo"
  ];

  # Drive upstream's Makefile instead of the default Go build so that the
  # `bpf` target runs alongside `all`.
  buildPhase = ''
    runHook preBuild
    mkdir -p ./dist
    make $makeFlags ''${enableParallelBuilding:+-j$NIX_BUILD_CORES} bpf all
    runHook postBuild
  '';

  # Upstream's tests live in a separate Go module; integration coverage comes
  # from the NixOS VM test exposed as passthru.tests.integration.
  doCheck = false;

  outputs = [
    "out"
    "lib"
    "share"
  ];

  # Binaries, the compiled BPF object, and the rule templates go to separate
  # outputs so the binaries can be installed without the rest.
  installPhase = ''
    runHook preInstall

    mkdir -p $out/bin $lib/lib/tracee $share/share/tracee

    mv ./dist/{tracee,signatures} $out/bin/
    mv ./dist/tracee.bpf.o $lib/lib/tracee/
    mv ./cmd/tracee-rules/templates $share/share/tracee/

    runHook postInstall
  '';

  passthru.tests = {
    integration = nixosTests.tracee;
    integration-test-cli = import ./integration-tests.nix { inherit lib tracee makeWrapper; };
    # checks that the built binary reports the packaged version
    version = testers.testVersion {
      package = tracee;
      version = "v${version}";
      command = "tracee version";
    };
  };

  meta = {
    homepage = "https://aquasecurity.github.io/tracee/latest/";
    changelog = "https://github.com/aquasecurity/tracee/releases/tag/v${version}";
    description = "Linux Runtime Security and Forensics using eBPF";
    mainProgram = "tracee";
    longDescription = ''
      Tracee is a Runtime Security and forensics tool for Linux. It is using
      Linux eBPF technology to trace your system and applications at runtime,
      and analyze collected events to detect suspicious behavioral patterns. It
      is delivered as a Docker image that monitors the OS and detects suspicious
      behavior based on a pre-defined set of behavioral patterns.
    '';
    license = [
      # general license
      lib.licenses.asl20
      # pkg/ebpf/c/*
      lib.licenses.gpl2Plus
    ];
    maintainers = [ lib.maintainers.jk ];
    platforms = [
      "x86_64-linux"
      "aarch64-linux"
    ];
    outputsToInstall = [
      "out"
      "share"
    ];
  };
}