Package: endura-sensor
Version: 0.35.0-1
Architecture: amd64
Maintainer: Infrared Security, LLC.
Installed-Size: 29715
Filename: ./endura-sensor_0.35.0-1_amd64.deb
Size: 4263020
MD5sum: 1db61bc1d437478a47e7373b8739c6a1
SHA1: 2f3f753a43115e9fc858a026d98c91209cf5bae6
SHA256: fa33dcebfe84da1d56be9b8f0047d3b75b21e0dfb04d6971073ec79e6d51f5c0
Section: Development
Priority: optional
Description: Endura Runtime Sensor
 # Endura Runtime Sensor
 .
 A Linux runtime security sensor that uses eBPF and LSM hooks to provide
 kernel-level security monitoring and policy enforcement for CI/CD pipelines and
 production deployments.
 .
 ## Overview
 .
 The Endura Runtime Sensor intercepts and validates security-relevant operations
 at the kernel level before they execute. It supports a deny-by-default policy
 model where operations not explicitly permitted are blocked when enforcement is
 enabled.
 .
 ### Key Capabilities
 .
 - **File System Monitoring** - Execution, file reads/writes/overwrites,
 creation, deletion, renaming, hard links, symbolic links, mounting, chroot,
 pivot root, disk quotas
 - **Network Monitoring** - TCP/IP bind/connect (IPv4/IPv6), Unix domain
 sockets, raw/packet sockets, netlink sockets, virtual sockets (vsock)
 - **Container Security** - Container image execution control, socket access
 restrictions
 - **Process Management** - Process termination, scheduling, resource limits,
 process groups
 - **Memory Protection** - Memory mapping control, W+X (write-execute) violation
 detection
 - **Kernel Operations** - eBPF program loading, kernel module loading, kernel
 memory access
 - **Privilege Escalation** - Linux capability monitoring (setuid, setgid,
 net_admin, sys_admin, etc.)
 - **IPC Monitoring** - System V shared memory and message queues
 .
 ### Architecture
 .
 The sensor operates in two layers:
 .
 1. **Kernel Space** (C/eBPF) - LSM and fentry hooks intercept security
 operations, evaluate policies via BPF hash maps, and emit events through BPF
 ring buffers
 2. **User Space** (Rust) - Processes events from ring buffers, manages jobs and
 policies, reports violations to the Endura Team Server
 .
 Each hook has both LSM and fentry variants for maximum kernel compatibility
 (5.11+). Some hooks cover both legacy and modern kernel APIs (e.g.,
 `security_sb_mount` and `security_move_mount` for mount operations).
 .
 ### Policy Enforcement
 .
 Policies are JSON documents that define permitted runtime operations:
 .
 - **Derive** - Monitor behavior and auto-generate policy rules
 - **Observe** - Log violations without blocking
 - **Enforce** - Block unauthorized operations
 .
 Policy rules use pipe-delimited expressions with support for wildcards (`all`),
 brace expansion (`{a,b}`), and workspace variables (`%workspace%`).
 .
 ## Building
 .
 Builds require a privileged container with eBPF toolchain support:
 .
 ```bash
 make bootstrap  # Install system dependencies
 make lint       # Run cargo fmt and clippy
 make build      # Build release binary
 make test       # Run integration tests
 make world      # Full pipeline: clean, lint, build, test, package
 ```
 .
 ## Testing
 .
 ```bash
 # Run all integration tests (requires privileged container)
 make test
 .
 # Run a specific policy test
 make -C ./tests/policy/path_rename
 ```
 .
 ## License
 .
 Copyright Endura Security. All rights reserved.
