Linux Code Review Hub
Oct 29, 2024 · Information Security
How to Audit and Intercept File Read/Write Operations Using eBPF
This guide explains how to leverage eBPF’s Kprobe, Tracepoint, and LSM features to audit file read/write activity, extract process and file details, and optionally block operations using helpers like bpf_send_signal or bpf_override_return, with complete code examples and configuration steps.
File Auditing · Kprobe · LSM
17 min read
