ErenAri/Aegis-BPF

v0.8.0 Feature

This release adds 5 notable features for engineering teams evaluating rollout.

Published 10d Network Security
✓ No known CVEs patched

Topics

bpf bpf-lsm cloud-native-security container-security ebpf helm incident-response kubernetes-security linux-kernel linux-security observability policy-enforcement prometheus runtime-security workload-securi

Affected surfaces

auth rbac deps

ReleasePort's take

Light signal
editorial:auto 10d

AegisBPF v0.8.0 introduces Ed25519 signature verification for BPF object files and adds CEF event output, among other new features.

Why it matters: Enables cryptographic integrity checks of loaded BPF objects via AEGIS_REQUIRE_BPF_SIGNATURE=1; consider enabling before deploying updates.

Summary

AI summary

AegisBPF v0.8.0 adds Ed25519 BPF object signing, CEF event output, a Community Rule Library with 25 packs, BTFhub auto-download, operator production-readiness enhancements, enforcement upgrades, and several bug fixes.

Changes in this release

Feature (Medium)
Adds Ed25519 signature verification for BPF object files via AEGIS_REQUIRE_BPF_SIGNATURE=1
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds CEF (ArcSight Common Event Format) output via --event-format=cef
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds 19 new MITRE ATT&CK-tagged rule packs, for a total of 25 shipped packs
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds btfgen.sh --auto to download BTF blobs from BTFhub-archive for supported distros
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds SSE broker for real-time UI updates from operator reconcilers
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds deny_comm full-stack support to block processes by command name
Source: llm_adapter@2026-05-24; Confidence: high

Feature (Medium)
Adds EnforceCapable node probing to auto-detect BPF LSM availability per node
Source: llm_adapter@2026-05-24; Confidence: low

Feature (Medium)
Adds validating webhook with field-level policy validation for the operator
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Medium)
Adds high-availability leader election support to the operator
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Provides backward-compatible hash-only verification as the default for BPF objects
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Enables opportunistic Ed25519 signature logging when signatures are present but not required
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Introduces File Activity and Network Activity event classes with full field mapping for CEF
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Each community rule pack includes threat model, MITRE coverage, false-positive vectors, and install instructions
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Supports opt-in runtime auto-download of BTF blobs via the AEGIS_BTF_AUTO_DOWNLOAD=1 environment variable
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Hardens RBAC with a least-privilege ClusterRole for the operator
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Provides cert-manager zero-config webhook TLS for the operator
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Adds policy search and filter capabilities in the web console
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Feature (Low)
Wires rate-limit verdict to all LSM hook return paths for enforcement throttling
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Bugfix (Medium)
Fixes undeclared identifier cmd_policy_load in aegis-next main.cpp
Source: llm_adapter@2026-05-24; Confidence: high

Bugfix (Medium)
Fixes ConfigMap assertion and namespace race condition in e2e tests
Source: llm_adapter@2026-05-24; Confidence: high

Bugfix (Medium)
Fixes version=4 requirement enforcement for all [protect_path] rule packs
Source: llm_adapter@2026-05-24; Confidence: high

Bugfix (Low)
Corrects clang-format violations in bpf_signing.cpp
Source: granite4.1:30b@2026-05-24-audit; Confidence: low

Full changelog

AegisBPF v0.8.0 — Feature Complete

This release closes every major feature gap in the comparison table and marks AegisBPF as feature-complete for v1.0. The remaining milestones are non-code: third-party security audit, production adopters, and CNCF Sandbox submission.

Highlights

Ed25519 BPF Object Signing

  • Full Ed25519 signature verification for BPF object files via AEGIS_REQUIRE_BPF_SIGNATURE=1
  • Backward-compatible: hash-only verification remains the default
  • Opportunistic signature verification with advisory logging when signatures are present but not required
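The three loader behaviours listed above (hash-only default, opportunistic verification with advisory logging, and required verification under AEGIS_REQUIRE_BPF_SIGNATURE=1) as an added Go illustration; this is not AegisBPF's own code. It assumes a detached Ed25519 signature over the raw object bytes plus a pinned SHA-256 digest, and the mode, function and message names are invented for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// VerifyMode models the three loader behaviours the release notes describe.
type VerifyMode int

const (
	HashOnly      VerifyMode = iota // default: SHA-256 digest check only, signature ignored
	Opportunistic                   // signature verified when present; a failure is only logged
	Required                        // AEGIS_REQUIRE_BPF_SIGNATURE=1: absent or bad signature rejects the load
)

// VerifyObject checks obj against its pinned digest, then applies the signature
// policy for mode. sig is a detached Ed25519 signature over the raw object bytes
// (an assumed layout). A non-nil error means the object must not be loaded.
func VerifyObject(mode VerifyMode, obj []byte, want [32]byte, pub ed25519.PublicKey, sig []byte) (string, error) {
	if sha256.Sum256(obj) != want {
		return "", errors.New("digest mismatch: object bytes differ from the pinned hash")
	}
	hasSig := len(sig) > 0
	valid := hasSig && ed25519.Verify(pub, obj, sig) // false for missing or malformed sig
	switch {
	case mode < HashOnly || mode > Required:
		return "", errors.New("unknown verification mode")
	case mode == HashOnly || (mode == Opportunistic && !hasSig):
		return "", nil // nothing to check beyond the digest
	case mode == Opportunistic && !valid:
		return "advisory: signature present but invalid (not enforced in this mode)", nil
	case mode == Required && !hasSig:
		return "", errors.New("signature required but absent")
	case mode == Required && !valid:
		return "", errors.New("signature invalid")
	}
	return "signature verified", nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair for the demo
	obj := []byte("constructed stand-in for a compiled BPF object")
	msg, err := VerifyObject(Required, obj, sha256.Sum256(obj), pub, ed25519.Sign(priv, obj))
	fmt.Println(msg, err)
	_, err = VerifyObject(Required, obj, sha256.Sum256(obj), pub, nil)
	fmt.Println(err)
}
```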

CEF Event Format

  • ArcSight Common Event Format (CEF) output via --event-format=cef
  • File Activity and Network Activity event classes with full field mapping
  • Joins OCSF 1.1.0 and ECS as the third supported SIEM schema

Community Rule Library (25 packs)

  • 19 new MITRE ATT&CK-tagged rule packs, bringing the total to 25 shipped packs
  • New packs: container-escape, reverse-shell, persistence-cron, persistence-systemd, persistence-shell, log-tampering, credential-access, package-manager, dns-hijack, web-shell, privilege-escalation, data-exfiltration, runtime-protection, cloud-metadata, k8s-secrets, network-tools, malware-staging, file-integrity, pam-backdoor
  • Every pack includes threat model, MITRE coverage, false-positive vectors, and install instructions
  • CI-validated: aegisbpf policy validate runs on all 25 packs in the rule-library workflow

BTFhub Auto-Download

  • scripts/btfgen.sh --auto downloads matching BTF blobs from BTFhub-archive
  • Supports Ubuntu, Debian, Fedora, RHEL, CentOS, Amazon Linux, Oracle, SLES, openSUSE, Arch
  • Opt-in runtime auto-download via AEGIS_BTF_AUTO_DOWNLOAD=1 environment variable

Operator Production Readiness

  • Validating webhook with field-level policy validation
  • RBAC hardening with least-privilege ClusterRole
  • High-availability leader election support
  • cert-manager zero-config webhook TLS

Console & Observability

  • SSE (Server-Sent Events) broker wired to operator reconcilers for real-time UI updates
  • Policy search and filter in the web console

Enforcement Enhancements

  • deny_comm full-stack support — block processes by command name
  • EnforceCapable node probing — auto-detect BPF LSM availability per node
  • Rate-limit verdict wired to all LSM hook return paths

Documentation

  • aegis-next HARDENING.md, ARCHITECTURE.md, and ROADMAP status table
  • BPF map schema reference updated with deny_comm_map
  • aegis-next prototype section added to root README

Bug Fixes

  • Fix cmd_policy_load undeclared identifier in aegis-next main.cpp
  • Fix ConfigMap assertion and namespace race condition in e2e tests
  • Fix clang-format violations in bpf_signing.cpp
  • Fix version=4 requirement for all [protect_path] rule packs

Comparison Table Status

| Capability | Status |
|---|---|
| BPF LSM enforcement (15 hooks) | ✅ |
| Signed BPF objects (Ed25519) | ✅ |
| OCSF / ECS / CEF event schema | ✅ |
| Community rule library (25 packs) | ✅ |
| BTFhub fallback + auto-download | ✅ |
| Kubernetes CRD + operator | ✅ |
| Signed policies (Ed25519) | ✅ |
| SBOM (SPDX + CycloneDX) | ✅ |
| SLSA L3 build provenance | ✅ |
| Prometheus + OTLP metrics | ✅ |

What's Next (non-code)

  • Third-party security audit (NCC Group / Trail of Bits / Cure53)
  • CNCF Sandbox application
  • Production adopter program

Full Changelog: https://github.com/ErenAri/Aegis-BPF/compare/v0.7.0...v0.8.0
