From kernel tracepoint to boardroom-ready report in under 2 seconds
Four tracepoints capture syscalls in real time: sys_enter_execve, sys_enter_openat (with the open flags, so writes are distinguishable from reads), sys_enter_connect, and sys_exit_connect. Two uprobes hook SSL_write/SSL_read in libssl.so for OpenSSL TLS plaintext capture (SSL_read on return, since its buffer is only populated when the call completes). One uprobe hooks crypto/tls.(*Conn).Write for Go binaries, which link TLS statically, so the symbol is resolved in the target executable itself rather than in a shared library. Events flow through a BPF ring buffer to userspace: the buffer is memory-mapped, so there is no per-event copy, and nothing is dropped as long as userspace drains it faster than the kernel fills it.
Complementary capture path for rustls, BoringSSL, GnuTLS, and other TLS stacks the uprobes don't hook. An iptables redirect on the container's egress sends HTTPS through a TLS-terminating proxy whose CA certificate is injected into the container's trust store. Decrypted requests flow into the same detector pipeline as uprobe-captured payloads. Two capture paths, one unified analysis. The usual interception caveat applies: a target that pins its certificate fails the handshake instead of being observed, so a TLS failure on the proxy path is a signal in its own right, not a gap to ignore.
Before tracepoints attach, audit.Provision() seeds 18 unique markers across 9 files and 8 environment variables. Each marker is freshly minted via crypto/rand, so two simultaneous audits never share a marker and a finding can be attributed to exactly one run. Files include /root/.aws/credentials, /root/.ssh/id_rsa, /root/.pgpass, browser cookie databases, and a fake customer PII document. The JWT marker carries a real eyJ base64 prefix (the encoding of the `{"` that opens a JSON header) so it survives casual format checks.
Events fan out to all detectors via a mutex-protected pipeline. Each detector implements the audit.Detector interface and processes events as they arrive — no batching, no delay. Findings are emitted as JSON lines tagged "kind":"finding" in the event stream. Stateful detectors (beaconing, PII) guard internal state with mutexes for thread safety.
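The two paragraphs above describe marker provisioning and the fan-out pipeline. The following is an added example, not app-audit's own code: it mints JWT-shaped canaries from crypto/rand, defines a one-method Detector interface, pushes constructed events through a mutex-guarded pipeline, and writes findings as JSON lines tagged "kind":"finding". The Event and Finding field names, the CanaryDetector, and the sample events are assumptions for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"os"
	"strings"
	"sync"
)

// Event is one kernel or uprobe event; field names are assumptions, not app-audit's schema.
type Event struct {
	Kind    string `json:"kind"`    // e.g. "openat", "ssl_write"
	PID     int    `json:"pid"`
	Payload string `json:"payload"` // a path, or captured TLS plaintext
}

// Finding is written as a JSON line tagged "kind":"finding" into the same stream as the events.
type Finding struct {
	Kind     string `json:"kind"`
	Detector string `json:"detector"`
	Severity string `json:"severity"`
	PID      int    `json:"pid"`
	Detail   string `json:"detail"`
}

// Detector is invoked once per event, in arrival order, with no batching.
type Detector interface {
	Name() string
	Process(ev Event) []Finding
}

// newMarker mints a JWT-shaped canary: a genuine base64url header (hence the "eyJ" prefix)
// followed by 16 random payload bytes and 16 random signature bytes from crypto/rand.
func newMarker() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	return header + "." + enc.EncodeToString(buf[:16]) + "." + enc.EncodeToString(buf[16:]), nil
}

// Provision returns one fresh marker per label; every call draws new random bytes, so two
// audits running at the same time never share a marker.
func Provision(labels []string) (map[string]string, error) {
	markers := make(map[string]string, len(labels))
	for _, l := range labels {
		m, err := newMarker()
		if err != nil {
			return nil, err
		}
		markers[l] = m
	}
	return markers, nil
}

// CanaryDetector flags any payload carrying a provisioned marker: a marker inside TLS
// plaintext means a planted secret is leaving the host.
type CanaryDetector struct{ markers map[string]string }
func (c *CanaryDetector) Name() string { return "canary" }
func (c *CanaryDetector) Process(ev Event) []Finding {
	var out []Finding
	for label, m := range c.markers {
		if strings.Contains(ev.Payload, m) {
			out = append(out, Finding{Kind: "finding", Detector: c.Name(), Severity: "CRITICAL",
				PID: ev.PID, Detail: "marker " + label + " seen in " + ev.Kind})
		}
	}
	return out
}

// Pipeline fans each event out to every detector under one mutex, so detectors see a serial
// stream even when several ring-buffer consumers feed it.
type Pipeline struct {
	mu        sync.Mutex
	Detectors []Detector
	Out       func(Finding)
}
func (p *Pipeline) Emit(ev Event) {
	p.mu.Lock()
	defer p.mu.Unlock()
	for _, d := range p.Detectors {
		for _, f := range d.Process(ev) {
			p.Out(f)
		}
	}
}

func main() {
	markers, err := Provision([]string{"aws_secret", "jwt"})
	if err != nil {
		panic(err)
	}
	out := json.NewEncoder(os.Stdout)
	p := &Pipeline{Detectors: []Detector{&CanaryDetector{markers: markers}}, Out: func(f Finding) { _ = out.Encode(f) }}
	// Constructed events: a benign file open, then TLS plaintext carrying the JWT marker.
	p.Emit(Event{Kind: "openat", PID: 4242, Payload: "/etc/hostname"})
	p.Emit(Event{Kind: "ssl_write", PID: 4242, Payload: "Authorization: Bearer " + markers["jwt"] + "\r\n"})
}
```

Running it prints one finding line for the ssl_write event and nothing for the benign open. The mutex in Pipeline is what lets a detector keep unsynchronised per-run state; a detector that wants to run outside that lock must guard its own state, which is the arrangement the page describes for the beaconing and PII detectors.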
After the trace ends, every unique destination IP is enriched via Team Cymru's DNS-based IP-to-ASN service: reverse DNS (PTR), origin ASN, AS organization name, and country code. Lookups run 8-way concurrent inside a 30-second budget. Post-enrichment detectors (KnownBadASN, KnownBadDomain, GeoPolicy) then run against the enriched data; they need the full picture that only exists at end-of-run.
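An added example of the enrichment step, not the project's own code: it builds the Team Cymru origin.asn.cymru.com query name for an IPv4 address, parses the pipe-separated TXT answers (origin record, then the ASxxxx.asn.cymru.com description record), and runs the lookups with an 8-slot semaphore under a 30-second context deadline. The DNS call is injected so the block runs offline against a constructed table; the 203.0.113.0/24 prefix, AS64500 and the organisation name are made up, and PTR lookups are left out.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// Enrichment is the per-IP record the post-run detectors (GeoPolicy, KnownBadASN) consume.
type Enrichment struct{ IP, ASN, Prefix, CC, Registry, ASName string }
// TXTLookup abstracts the DNS call so the example runs offline; pass net.DefaultResolver.LookupTXT for real.
type TXTLookup func(ctx context.Context, name string) ([]string, error)

// txtFields does one TXT lookup and splits the first answer into at least want "|"-separated fields.
func txtFields(ctx context.Context, lookup TXTLookup, name string, want int) ([]string, error) {
	txt, err := lookup(ctx, name)
	if err != nil || len(txt) == 0 {
		return nil, fmt.Errorf("lookup %s: %v", name, err)
	}
	f := strings.Split(txt[0], "|")
	if len(f) < want {
		return nil, fmt.Errorf("unexpected Cymru record %q", txt[0])
	}
	for i := range f {
		f[i] = strings.TrimSpace(f[i])
	}
	return f, nil
}

// enrichOne resolves origin ASN, prefix, country and registry for one IPv4 address, then the AS name.
func enrichOne(ctx context.Context, lookup TXTLookup, ip string) (Enrichment, error) {
	e := Enrichment{IP: ip}
	v4 := net.ParseIP(ip).To4()
	if v4 == nil {
		return e, fmt.Errorf("not an IPv4 address: %q", ip)
	}
	// Team Cymru query name: octets reversed under origin.asn.cymru.com (IPv6 uses reversed
	// nibbles under origin6.asn.cymru.com and is not covered by this example).
	q := fmt.Sprintf("%d.%d.%d.%d.origin.asn.cymru.com", v4[3], v4[2], v4[1], v4[0])
	f, err := txtFields(ctx, lookup, q, 5) // "64500 | 203.0.113.0/24 | US | arin | 2010-01-01"
	if err != nil {
		return e, err
	}
	e.ASN = strings.SplitN(f[0], " ", 2)[0] // a multi-origin prefix lists several ASNs; keep the first
	e.Prefix, e.CC, e.Registry = f[1], f[2], f[3]
	// Second query: "64500 | US | arin | 2010-01-01 | EXAMPLE-AS - Example Corp, US"
	if f, err := txtFields(ctx, lookup, "AS"+e.ASN+".asn.cymru.com", 5); err == nil {
		e.ASName = f[4]
	}
	return e, nil
}

// Enrich resolves every unique IP with at most 8 lookups in flight inside a 30-second budget;
// addresses that fail, or never get a slot before the deadline, are absent from the result.
func Enrich(ctx context.Context, lookup TXTLookup, ips []string) map[string]Enrichment {
	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	sem := make(chan struct{}, 8)
	out, seen := make(map[string]Enrichment), make(map[string]bool)
	var mu sync.Mutex
	var wg sync.WaitGroup
	for _, ip := range ips {
		if seen[ip] {
			continue
		}
		seen[ip] = true
		wg.Add(1)
		go func(ip string) {
			defer wg.Done()
			select {
			case sem <- struct{}{}:
				defer func() { <-sem }()
			case <-ctx.Done():
				return
			}
			if e, err := enrichOne(ctx, lookup, ip); err == nil {
				mu.Lock()
				out[ip] = e
				mu.Unlock()
			}
		}(ip)
	}
	wg.Wait()
	return out
}

// cannedLookup answers from a constructed table (documentation IPs, a private-use ASN).
func cannedLookup(_ context.Context, name string) ([]string, error) {
	table := map[string]string{
		"7.113.0.203.origin.asn.cymru.com": "64500 | 203.0.113.0/24 | US | arin | 2010-01-01",
		"AS64500.asn.cymru.com":            "64500 | US | arin | 2010-01-01 | EXAMPLE-AS - Example Corp, US",
	}
	if v, ok := table[name]; ok {
		return []string{v}, nil
	}
	return nil, fmt.Errorf("NXDOMAIN %s", name)
}

func main() {
	// A duplicate and an address the table does not know: only 203.0.113.7 comes back.
	for ip, e := range Enrich(context.Background(), cannedLookup, []string{"203.0.113.7", "203.0.113.7", "198.51.100.9"}) {
		fmt.Printf("%s AS%s %s %s %q\n", ip, e.ASN, e.Prefix, e.CC, e.ASName)
	}
}
```

Two design points worth copying: the semaphore acquire is a select against ctx.Done(), so an IP still queued when the budget runs out is skipped rather than started late, and failed lookups are simply missing from the map, which lets a GeoPolicy-style detector treat "no enrichment" as its own, lower-confidence state instead of a false "not in the blocked country".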
Findings are grouped by severity, deduplicated, and rendered into Markdown + HTML reports with a recommended verdict (REJECT / REVIEW / APPROVE WITH CONDITIONS / APPROVE). Each report includes a provenance block with run ID, target SHA-256, manifest hash, tracer version, and detector list. A SHA-256 sidecar file is written alongside the report; the verify-report CLI recomputes the hash for tamper detection. Be clear about what that check covers: it catches corruption and careless edits, but anyone who can rewrite the report can rewrite the sidecar next to it, so record the digest somewhere the report's author cannot reach (a ticket, a CI log, a signed manifest) and verify against that copy.
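An added example of the report and sidecar step, not the project's verify-report code: it renders a Markdown report with a provenance block, writes a sha256sum-style sidecar, and verifies the report either against the sidecar or against a digest supplied out of band. The main function walks through the failure mode described above: after the verdict is flipped and the sidecar regenerated, the sidecar-only check passes and only the out-of-band digest catches it. Field names and the sample provenance values are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Provenance is the header block every report carries; the field set follows the page, the names are assumed.
type Provenance struct {
	RunID, TargetSHA256, ManifestHash, TracerVersion string
	Detectors                                        []string
}

// renderMarkdown emits the verdict, the provenance block and one bullet per finding.
func renderMarkdown(p Provenance, verdict string, findings []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "# app-audit report\n\nVerdict: **%s**\n\n## Provenance\n", verdict)
	fmt.Fprintf(&b, "- run_id: %s\n- target_sha256: %s\n- manifest_hash: %s\n- tracer_version: %s\n- detectors: %s\n",
		p.RunID, p.TargetSHA256, p.ManifestHash, p.TracerVersion, strings.Join(p.Detectors, ", "))
	b.WriteString("\n## Findings\n")
	for _, f := range findings {
		fmt.Fprintf(&b, "- %s\n", f)
	}
	return b.String()
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// writeReport writes the report plus a sha256sum-style sidecar ("<hex>  <basename>") beside it and
// returns the digest so the caller can record it somewhere the report's writer cannot reach.
func writeReport(path, body string) (string, error) {
	if err := os.WriteFile(path, []byte(body), 0o644); err != nil {
		return "", err
	}
	d := digest([]byte(body))
	return d, os.WriteFile(path+".sha256", []byte(d+"  "+filepath.Base(path)+"\n"), 0o644)
}

// verifyReport recomputes the report's digest and compares it with expected. An empty expected
// means "trust the sidecar", which catches corruption and careless edits; passing a digest kept
// out of band (ticket, CI log, signed manifest) also catches someone who rewrote both files.
func verifyReport(path, expected string) error {
	body, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	if expected == "" {
		side, err := os.ReadFile(path + ".sha256")
		if err != nil {
			return err
		}
		fields := strings.Fields(string(side))
		if len(fields) == 0 {
			return errors.New("empty sidecar")
		}
		expected = fields[0]
	}
	if got := digest(body); got != expected {
		return fmt.Errorf("%s: digest %s does not match expected %s", path, got, expected)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "app-audit-report")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "report.md")
	prov := Provenance{RunID: "run-0001", TargetSHA256: strings.Repeat("ab", 32), ManifestHash: strings.Repeat("cd", 32),
		TracerVersion: "0.0-example", Detectors: []string{"canary", "beaconing", "pii"}}
	body := renderMarkdown(prov, "REJECT", []string{"CRITICAL canary: marker jwt seen in ssl_write"})
	recorded, _ := writeReport(path, body) // pretend `recorded` was copied into the review ticket
	fmt.Println("clean:", verifyReport(path, ""))
	// Attacker flips the verdict and regenerates the sidecar: the sidecar-only check is blind to it.
	_, _ = writeReport(path, strings.Replace(body, "REJECT", "APPROVE", 1))
	fmt.Println("sidecar only:", verifyReport(path, ""))
	fmt.Println("out-of-band:", verifyReport(path, recorded))
}
```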
ptrace stops the tracee at every traced event and funnels every thread's stops through a single tracer loop, and the target can tell it is being traced: a second PTRACE_TRACEME fails, and /proc/self/status shows a non-zero TracerPid. eBPF never stops the target, sets no TracerPid, handles multi-threaded targets natively, and costs microseconds of in-kernel work per event instead of a tracer round trip at every syscall entry and exit. One honest caveat: a uprobe patches an int3 into the target's text pages, so a binary that checksums its own code could notice; the syscall tracepoints leave nothing at all for the target to see.
strace is a ptrace wrapper with the same limitations. It also can't capture TLS plaintext — it sees encrypted bytes on the wire, not the HTTP request body containing your stolen API key.
Kernel modules run with full kernel privilege, crash the host if buggy, and require root (CAP_SYS_MODULE) to load. eBPF programs are checked by the in-kernel verifier before they run: bounded loops only, no out-of-bounds or arbitrary memory writes, no path that can panic the kernel. Loading still needs CAP_BPF and CAP_PERFMON (or root), and the verifier has had bugs of its own, so "safe by design" means the trust boundary is a heavily audited verifier rather than every line of tracing code.
Packet capture (tcpdump, Wireshark) sees encrypted TLS traffic but can't attribute it to a process or read the plaintext. app-audit captures at the library boundary: plaintext on its way into SSL_write, before encryption, and on its way out of SSL_read, after decryption and before the application acts on it. Process attribution is native via PID/comm from the kernel.
Static tools analyze code structure but can't detect runtime behavior: a binary that looks clean in Ghidra can dynamically load a second-stage payload, read your credentials, and exfiltrate them over TLS. Static analysis answers "what could it do?" — dynamic analysis answers "what did it do?"
Services like VirusTotal and Joe Sandbox run malware and report behavior — but they run YOUR binary on THEIR infrastructure. app-audit runs on your hardware, in your datacenter, with your policy. The binary never leaves your environment.
app-audit reports map to these framework controls:
Every detector, every edge case — Luhn all-same-digit filtering, RFC1918 skip for VendorDiff, mutex safety under race detector, FindingKey stability for baseline diffs. Race detector on by default.
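The edge cases named above, as an added example rather than the project's test suite: a Luhn check with the all-same-digit filter (0000000000000000 passes Luhn and must still be rejected), an RFC1918 check of the kind a detector uses to skip private-network connections, and a stable finding key that hashes only the behaviour-describing fields so two runs diff cleanly. The sample plaintext, the token-based scanner (it only catches a PAN written as one whitespace-free token) and the findingKey field choice are assumptions for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net"
	"strings"
)

// luhnValid runs the ISO/IEC 7812 check-digit test over a string of ASCII digits.
func luhnValid(digits string) bool {
	if digits == "" {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // non-digit bytes wrap to a large value
			return false
		}
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// allSameDigit catches filler such as 0000000000000000, which passes Luhn but is never a real PAN.
func allSameDigit(s string) bool { return strings.Count(s, s[:1]) == len(s) }

// looksLikePAN normalises spaces and dashes, then requires 13-19 digits, a Luhn pass and at
// least two distinct digits.
func looksLikePAN(token string) bool {
	s := strings.NewReplacer(" ", "", "-", "").Replace(token)
	if len(s) < 13 || len(s) > 19 {
		return false
	}
	return luhnValid(s) && !allSameDigit(s)
}

// scanForPANs returns the whitespace-delimited tokens of text that look like card numbers.
func scanForPANs(text string) []string {
	var hits []string
	for _, tok := range strings.Fields(text) {
		if looksLikePAN(tok) {
			hits = append(hits, tok)
		}
	}
	return hits
}

// rfc1918 holds 10/8, 172.16/12 and 192.168/16; a detector that reasons about external
// endpoints skips connections to these so lab and sidecar traffic never trips it.
var rfc1918 = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}()

func isRFC1918(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return false
	}
	for _, n := range rfc1918 {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// findingKey is the stable identity a baseline diff compares: it hashes the fields that describe
// the behaviour and leaves out PID, timestamps and run ID, which differ on every execution.
func findingKey(detector, severity, detail string) string {
	h := sha256.Sum256([]byte(detector + "\x00" + severity + "\x00" + detail))
	return hex.EncodeToString(h[:8])
}

func main() {
	// Constructed TLS plaintext: a well-known test PAN, an all-zero filler, and a bad check digit.
	fmt.Println(scanForPANs("PAN 4111-1111-1111-1111 filler 0000000000000000 typo 4111111111111112"))
	fmt.Println(isRFC1918("172.31.255.1"), isRFC1918("172.32.0.1"), isRFC1918("fd00::1"))
	fmt.Println(findingKey("canary", "CRITICAL", "marker jwt seen in ssl_write"))
}
```

The all-zero case is the one worth remembering: every digit contributes zero, so the Luhn sum is trivially divisible by ten, and a PII detector without the same-digit filter will flag every zero-padded placeholder it sees.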
End-to-end: build the Docker image, run both the misbehaving target and a clean-target control, grep the JSON event stream and rendered reports for expected findings and expected non-findings. Zero false positives on the clean target.
Dedicated suite that verifies detectors don't fire on benign behavior: legitimate DNS lookups, reading /etc/hostname, standard library file opens, non-periodic network activity. Because a tool that cries wolf is worse than no tool.