ErenAri/Aegis-BPF

v0.3.0

Published 3 months ago

Topics

bpf bpf-lsm cloud-native-security container-security ebpf helm incident-response kubernetes-security linux-kernel linux-security observability policy-enforcement prometheus runtime-security workload-securi

Full changelog

Summary

v0.3.0 adds enterprise posture hardening for VERIFIED_EXEC deployments by introducing IMA appraisal gating and extending machine-readable capability contracts.

What’s New

  • Added policy version=5 support.
  • New policy section: [require_ima_appraisal].
  • Added kernel feature detection for:
    • features.ima
    • features.ima_appraisal
  • Enforce gating now handles a kernel without IMA appraisal explicitly:
    • fail-closed by default when enforce is requested: the daemon does not run in enforce mode with the gate unmet
    • optional fallback to audit mode with --enforce-gate-mode=audit-fallback
  • New runtime reason/blocker code: IMA_APPRAISAL_UNAVAILABLE, reported when the gate is not met.
  • Capability report schema updated to schema_semver: 1.2.0.
  • capabilities.json now includes IMA fields in:
    • features
    • policy
    • requirements
    • requirements_met
  • Posture evaluator updated to include IMA checks and Kubernetes label output.
  • Docs/man pages updated for policy v5 and IMA gating semantics.
  • Tests added for parser, kernel feature probing, capability artifact fields, and fail-closed daemon behavior.

Compatibility

  • Policy versions 1-4 continue to work unchanged.
  • version=5 is required only when using [require_ima_appraisal].
  • Consumers of capabilities.json should accept schema_semver: 1.2.0 and the new required fields.

Example (v5)

version=5

[protect_connect]
[protect_runtime_deps]
[require_ima_appraisal]

[protect_path]
/etc/shadow
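The following Python is an added illustration, not Aegis-BPF's own code, of how the pieces above fit together: parsing a v5 policy such as the example, applying the enforce gate against probed kernel features, and emitting a capabilities.json document with the schema 1.2.0 IMA fields. The section names, the version=5 rule for [require_ima_appraisal], the --enforce-gate-mode=audit-fallback option, the IMA_APPRAISAL_UNAVAILABLE blocker code and the capabilities.json field names (features, policy, requirements, requirements_met, schema_semver) are taken from these notes. The parsing rules, the JSON layout, the names "fail-closed" for the default gate mode and "refused" for the fail-closed outcome, the effective_mode/blockers keys, and the feature dictionary standing in for real kernel probing are assumptions. consumer_accepts shows the schema_semver check a consumer of capabilities.json needs per the Compatibility section.

```python
"""Model of Aegis-BPF v0.3.0 policy v5 parsing, IMA enforce gating and the
capabilities.json contract. Added example, not project code; names not in the
release notes (gate mode "fail-closed", outcome "refused", JSON layout) are assumed."""
import json
import re

SCHEMA_SEMVER = "1.2.0"
SUPPORTED_POLICY_VERSIONS = range(1, 6)   # v1-v4 unchanged, v5 adds IMA gating
KNOWN_SECTIONS = {"protect_connect", "protect_runtime_deps",
                  "protect_path", "require_ima_appraisal"}

# Constructed input: the v5 example policy from the release notes.
SAMPLE_POLICY_V5 = """\
version=5

[protect_connect]
[protect_runtime_deps]
[require_ima_appraisal]

[protect_path]
/etc/shadow
"""


def parse_policy(text):
    """Parse a policy into {"version": int, "sections": {name: [entries]}}.
    Raises ValueError on an unsupported version, an unknown section, an entry
    outside any section, or [require_ima_appraisal] under a version below 5."""
    version, sections, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"version=(\d+)", line):
            if version is not None:
                raise ValueError("duplicate version line")
            version = int(m.group(1))
        elif m := re.fullmatch(r"\[([a-z_]+)\]", line):
            current = m.group(1)
            if current not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section [{current}]")
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry outside any section: {line!r}")
        else:
            sections[current].append(line)
    if version not in SUPPORTED_POLICY_VERSIONS:
        raise ValueError(f"unsupported policy version: {version}")
    if "require_ima_appraisal" in sections and version < 5:
        raise ValueError("[require_ima_appraisal] requires version=5")
    return {"version": version, "sections": sections}


def policy_error(text):
    """Parse error message for a policy text, or None if it parses cleanly."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)
    return None


def evaluate(policy, features, mode="enforce", gate_mode="fail-closed"):
    """Apply the enforce gate and build the capabilities.json document.
    features:  probed kernel features, e.g. {"ima": True, "ima_appraisal": False}
    mode:      requested daemon mode, "enforce" or "audit"
    gate_mode: "fail-closed" (assumed default name) or "audit-fallback"
               (--enforce-gate-mode=audit-fallback)
    effective_mode: "enforce", "audit", or "refused" (assumed name for fail-closed)."""
    needs_ima = "require_ima_appraisal" in policy["sections"]
    requirements = {"ima": needs_ima, "ima_appraisal": needs_ima}  # appraisal implies IMA
    met = {k: (not need) or bool(features.get(k)) for k, need in requirements.items()}
    blockers = [] if met["ima_appraisal"] else ["IMA_APPRAISAL_UNAVAILABLE"]
    if mode != "enforce" or not blockers:
        effective = mode                      # audit always runs; enforce runs when gated in
    elif gate_mode == "audit-fallback":
        effective = "audit"                   # explicit, opted-in degradation
    else:
        effective = "refused"                 # fail-closed: never enforce past an unmet gate
    return {
        "schema_semver": SCHEMA_SEMVER,
        "features": {k: bool(features.get(k)) for k in ("ima", "ima_appraisal")},
        "policy": {"version": policy["version"], "require_ima_appraisal": needs_ima},
        "requirements": requirements,
        "requirements_met": met,
        "effective_mode": effective,
        "blockers": blockers,
    }


def consumer_accepts(report, min_semver="1.2.0"):
    """Consumer-side schema check: same major as required, minor.patch not older."""
    have = tuple(int(x) for x in report["schema_semver"].split("."))
    need = tuple(int(x) for x in min_semver.split("."))
    return have[0] == need[0] and have[1:] >= need[1:]


if __name__ == "__main__":
    # Kernel with IMA but no appraisal: enforce is refused unless audit-fallback is set.
    pol = parse_policy(SAMPLE_POLICY_V5)
    print(json.dumps(evaluate(pol, {"ima": True, "ima_appraisal": False}), indent=2))
```

Run it as-is to see the report for a kernel that has IMA but not appraisal; change gate_mode to "audit-fallback" to see the degraded-but-running outcome, and feed a version=4 policy to confirm that nothing about IMA is required or blocked for the unchanged older versions.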
