ErenAri/Aegis-BPF

v0.6.0 Feature

Published 25d Network Security
✓ No known CVEs patched

Topics

bpf bpf-lsm cloud-native-security container-security ebpf helm incident-response kubernetes-security linux-kernel linux-security observability policy-enforcement prometheus runtime-security workload-securi

Affected surfaces

auth rbac

AI summary

Fixed optional BPF-LSM hook attachment detection and added policy simulation, CEF output, event deduplication, starter rule packs, and DEB/RPM packaging.

Full changelog

AegisBPF v0.6.0

AegisBPF v0.6.0 is a pre-GA hardening release focused on enforcement correctness, operator safety, SIEM interoperability, packaging, and community rule distribution.

This release fixes optional LSM hook attachment behavior, adds policy simulation for file and network events, introduces CEF output for SIEM pipelines, adds bounded event deduplication, ships starter MITRE-tagged rule packs, and adds installable DEB/RPM packaging.

Highlights

  • Fixed optional BPF-LSM hook attachment detection for exec identity, runtime dependency, and network enforcement paths.
  • Added race-free OverlayFS copy-up denial for inode deny rules.
  • Added aegisbpf simulate for policy dry-run / would-break analysis.
  • Extended simulation to network events.
  • Added ArcSight CEF output for file and network block events.
  • Added OCSF File Activity and Network Activity formatting.
  • Added bounded event deduplication for file and network block events.
  • Added six starter community rule packs with MITRE/CIS-oriented metadata.
  • Added DEB/RPM packaging through CPack.
  • Added post-attach capability dropping.
  • Added opt-in Landlock self-sandboxing.
  • Added BTF fallback path support.
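The CEF output and bounded deduplication items above are easiest to reason about together: a process that hammers a denied path produces a storm of identical block events, and a SIEM pipeline wants one CEF line carrying a count rather than thousands. The following is an added example written for this page, not AegisBPF's own dedup or CEF code. The event fields, the dedup key (kind, pid, comm, target, rule), the window and key-count bounds, and the choice of CEF extension keys are all assumptions for illustration; the sample events are constructed.

```python
"""Bounded event deduplication feeding ArcSight CEF output for block events.

Added example only; this is not AegisBPF's dedup or CEF code. The event
fields, the dedup key, the window/size bounds and the CEF extension keys
chosen below are assumptions for illustration.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class BlockEvent:
    kind: str     # assumed event classes: "file" or "net"
    pid: int
    comm: str
    target: str   # file path, or "host:port" for net events
    rule: str     # name of the deny rule that fired
    ts: float     # seconds


def _esc_header(value: str) -> str:
    # CEF header fields: backslash and pipe are escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: backslash, '=' and line breaks are escaped; '|' is not.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(ev: BlockEvent, vendor="AegisBPF", product="aegisbpf",
           version="0.6.0", severity=7) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ..."""
    sig = "file_block" if ev.kind == "file" else "net_block"
    name = f"{ev.kind} access blocked by {ev.rule}"
    ext = OrderedDict(spid=ev.pid, sproc=ev.comm, cs1Label="rule", cs1=ev.rule)
    if ev.kind == "file":
        ext["filePath"] = ev.target
    else:
        host, _, port = ev.target.rpartition(":")
        ext["dst"], ext["dpt"] = host, port
    header = "|".join(_esc_header(str(x)) for x in (vendor, product, version, sig, name, severity))
    return f"CEF:0|{header}|" + " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())


class BoundedDeduper:
    """Suppress repeats of one (kind, pid, comm, target, rule) key inside
    `window_s`; keep at most `max_keys` keys (least recently seen evicted),
    so memory stays bounded even under an event storm."""

    def __init__(self, window_s: float = 5.0, max_keys: int = 1024):
        self.window_s, self.max_keys = window_s, max_keys
        self._seen = OrderedDict()   # key -> (window_start_ts, suppressed_count)

    def offer(self, ev: BlockEvent):
        """Return (emit, folded): emit=False means the event was suppressed;
        when emit=True, `folded` is how many earlier duplicates were suppressed
        since the key was last emitted (0 for a brand-new key)."""
        key = (ev.kind, ev.pid, ev.comm, ev.target, ev.rule)
        start, suppressed = self._seen.get(key, (None, 0))
        if start is not None and ev.ts - start < self.window_s:
            self._seen[key] = (start, suppressed + 1)
            self._seen.move_to_end(key)
            return False, suppressed + 1
        self._seen[key] = (ev.ts, 0)          # new key, or window expired
        self._seen.move_to_end(key)
        while len(self._seen) > self.max_keys:
            self._seen.popitem(last=False)    # evict least recently seen
        return True, suppressed


def render(events, window_s=5.0, max_keys=1024):
    """Deduplicate in timestamp order and return the CEF lines to ship.
    `cnt` (CEF baseEventCount) carries 1 + the duplicates folded into the line."""
    dd = BoundedDeduper(window_s, max_keys)
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        emit, folded = dd.offer(ev)
        if emit:
            out.append(f"{to_cef(ev)} cnt={folded + 1}")
    return out


# Constructed sample: a process hammering /etc/shadow, one egress block,
# and a path with characters that need CEF escaping.
SAMPLE_EVENTS = [
    BlockEvent("file", 4242, "curl", "/etc/shadow", "deny-shadow", 0.0),
    BlockEvent("file", 4242, "curl", "/etc/shadow", "deny-shadow", 1.0),
    BlockEvent("net", 4242, "curl", "10.0.0.5:443", "deny-egress", 1.5),
    BlockEvent("file", 4242, "curl", "/etc/shadow", "deny-shadow", 2.0),
    BlockEvent("file", 4242, "curl", "/etc/shadow", "deny-shadow", 9.0),
    BlockEvent("file", 4242, "curl", "/tmp/a|b=c", "deny-tmp", 9.5),
]

if __name__ == "__main__":
    for line in render(SAMPLE_EVENTS):
        print(line)
```

Two properties matter for a production pipeline and both are visible in the sample: the key table is capped, so an attacker cannot grow the agent's memory by varying one field per event (with max_keys=1 the repeated /etc/shadow events are re-emitted instead of folded, because the key was evicted), and the count of folded events survives in `cnt`, so the SIEM still sees how hard the path was hit even though only two file lines shipped.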

Upgrade notes

  • Run in audit mode first.
  • Use aegisbpf simulate against real audit logs before enabling enforcement.
  • Run aegisbpf probe or capabilities reporting on target kernels before enforcing policies that depend on optional hooks.
  • Validate generated package names and metadata before publishing DEB/RPM artifacts.
  • SIEM users can test --event-format=cef or OCSF output before switching production pipelines.
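The first two upgrade notes are one procedure: collect audit-mode logs from the real workload, then replay candidate deny rules over them to learn what enforcement would have blocked and which processes would therefore break. The following is an added example written for this page to show the shape of that would-break report; it is not the aegisbpf simulate implementation. The key=value audit line layout, the rule schema, the field names and the first-match evaluation order are assumptions, and the audit lines are constructed.

```python
"""Policy dry-run ("would-break") analysis over audit-mode log lines.

Added example, not the implementation of aegisbpf simulate. The audit line
layout (key=value pairs), the rule schema and the field names are assumptions
made for this illustration; map them onto the real audit output and rule
format before trusting any count.
"""
import ipaddress
import re
from collections import Counter

# Constructed audit-mode output (assumed layout, one event per line).
SAMPLE_AUDIT_LOG = """\
ts=1700000001 type=file op=open comm=nginx pid=1201 path=/etc/nginx/nginx.conf
ts=1700000002 type=file op=open comm=backup pid=2231 path=/etc/shadow
ts=1700000003 type=net op=connect comm=curl pid=3011 dst=10.0.0.5 dport=443
ts=1700000004 type=net op=connect comm=nginx pid=1201 dst=169.254.169.254 dport=80
ts=1700000005 type=file op=open comm=sshd pid=900 path=/etc/shadow
ts=1700000006 type=net op=connect comm=backup pid=2231 dst=192.0.2.10 dport=22
ts=1700000007 type=file op=open comm=backup pid=2231 path=/etc/shadow
"""

# Hypothetical deny rules in a made-up schema.
RULES = [
    {"name": "deny-shadow-read", "type": "file", "path_prefix": "/etc/shadow",
     "allow_comm": ["sshd"]},
    {"name": "deny-imds", "type": "net", "cidr": "169.254.169.254/32"},
    {"name": "deny-ssh-egress", "type": "net", "dport": 22},
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    return dict(_KV.findall(line))


def rule_matches(rule: dict, ev: dict) -> bool:
    """Would this deny rule fire on this event if enforcement were on?"""
    if rule["type"] != ev.get("type") or ev.get("comm") in rule.get("allow_comm", ()):
        return False
    if rule["type"] == "file":
        return ev.get("path", "").startswith(rule["path_prefix"])
    if "cidr" in rule and ipaddress.ip_address(ev["dst"]) not in ipaddress.ip_network(rule["cidr"]):
        return False
    if "dport" in rule and int(ev["dport"]) != rule["dport"]:
        return False
    return "cidr" in rule or "dport" in rule   # a net rule with no constraint matches nothing


def simulate(audit_log: str, rules: list) -> dict:
    """Per rule: how many audited events it would have blocked, and which
    processes (comm[pid]) would therefore break. First matching rule wins
    (an assumption about evaluation order)."""
    report = {r["name"]: {"events": 0, "would_break": Counter()} for r in rules}
    for line in audit_log.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        for rule in rules:
            if rule_matches(rule, ev):
                entry = report[rule["name"]]
                entry["events"] += 1
                entry["would_break"][f'{ev["comm"]}[{ev["pid"]}]'] += 1
                break
    return {name: {"events": r["events"], "would_break": dict(r["would_break"])}
            for name, r in report.items()}


if __name__ == "__main__":
    for name, r in simulate(SAMPLE_AUDIT_LOG, RULES).items():
        print(f"{name}: {r['events']} event(s) would be blocked; "
              f"breaks {r['would_break'] or 'nothing'}")
```

The useful output is not the per-rule hit count but the set of processes behind it: in the sample, deny-shadow-read would break the backup job twice and leave sshd alone only because of the explicit allow_comm exception, and deny-imds would block nginx's metadata-service call, which is exactly the kind of legitimate-looking dependency an audit run exposes before an enforcement rollout does.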

Known limitations

  • CEF and OCSF coverage is currently focused on file and network event classes.
  • 168-hour bare-metal soak evidence is still pending.
  • Third-party security audit is still pending.
  • Community rule packs are starter packs and should be reviewed before enforcement use.
  • Some enforcement surfaces depend on kernel hook availability.

Verification required before final release

  • Full CI green.
  • Release workflow green.
  • Packaging workflow green.
  • Rule-library workflow green.
  • Reproducible-build check green.
  • Security workflow green.
  • Kernel/e2e self-hosted jobs green where available.
  • Generated DEB/RPM artifacts show version 0.6.0, not 0.1.0.
