An eBPF-based syscall tracer with CO-RE (Compile Once, Run Everywhere) support.
Rust toolchains:
- Stable: `rustup toolchain install stable`
- Nightly: `rustup toolchain install nightly --component rust-src`
eBPF development tools:
- clang/LLVM for compiling C eBPF programs
- libbpf development headers: `apt-get install libbpf-dev`
- just (command runner): `cargo install just`, or via your package manager
Kernel requirements:
- Linux kernel 5.8+ with BTF enabled
- Verify BTF is available: `ls /sys/kernel/btf/vmlinux`
- `CONFIG_DEBUG_INFO_BTF=y` in the kernel config
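A pre-flight script that checks the prerequisites above before you build, as an added example that is not part of the sikte project. It assumes a Linux host; the function names, the libbpf header path `/usr/include/bpf/libbpf.h`, and the `--check` flag are this example's own choices. The version comparison ignores the patch level and distro suffix, so `5.15.0-91-generic` is treated as `5.15`.

```shell
#!/usr/bin/env bash
# Pre-flight check for the sikte build/run prerequisites (added example, not
# part of the sikte project). Function names below are this example's own.

# kernel_at_least WANT HAVE
# Succeed if kernel release HAVE (e.g. "5.15.0-91-generic") is at least WANT,
# given as "MAJOR.MINOR" (e.g. "5.8"). Patch level and distro suffix are ignored.
kernel_at_least() {
    local want_major want_minor have_major have_minor
    want_major=${1%%.*}
    want_minor=${1#*.}
    want_minor=${want_minor%%.*}
    have_major=${2%%.*}
    have_major=${have_major%%[!0-9]*}
    case "$2" in
        *.*) have_minor=${2#*.}
             have_minor=${have_minor%%[!0-9]*} ;;   # "15.0-91-generic" -> "15"
        *)   have_minor=0 ;;
    esac
    [ "$have_major" -gt "$want_major" ] ||
        { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# btf_available [PATH]
# Succeed if the kernel exports BTF (default: /sys/kernel/btf/vmlinux).
# This is the authoritative check: CO-RE relocations need exactly this file.
btf_available() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# btf_config_enabled CONFIG_FILE
# Succeed if the kernel config (plain text or .gz, e.g. /proc/config.gz or
# /boot/config-$(uname -r)) contains the line CONFIG_DEBUG_INFO_BTF=y.
btf_config_enabled() {
    local cfg="$1"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -qx 'CONFIG_DEBUG_INFO_BTF=y'
}

# have_tool NAME: succeed if NAME is on PATH.
have_tool() { command -v "$1" >/dev/null 2>&1; }

# report LABEL CMD...: print ok/MISSING for one check and record any failure.
PREFLIGHT_RC=0
report() {
    local label="$1"; shift
    if "$@"; then printf 'ok       %s\n' "$label"
    else printf 'MISSING  %s\n' "$label"; PREFLIGHT_RC=1; fi
}

# preflight: run every check against the live system; non-zero if any fails.
preflight() {
    local release cfg t
    release=$(uname -r)
    report "kernel >= 5.8 (have $release)" kernel_at_least 5.8 "$release"
    report "BTF exported at /sys/kernel/btf/vmlinux" btf_available
    # The config file is only inspected if one is present; BTF in sysfs is what matters.
    for cfg in /proc/config.gz "/boot/config-$release"; do
        [ -r "$cfg" ] || continue
        report "CONFIG_DEBUG_INFO_BTF=y in $cfg" btf_config_enabled "$cfg"
        break
    done
    for t in clang rustup cargo just; do report "$t on PATH" have_tool "$t"; done
    # Header location assumed from Debian/Ubuntu libbpf-dev; adjust for other distros.
    report "libbpf headers (/usr/include/bpf/libbpf.h)" test -r /usr/include/bpf/libbpf.h
    return "$PREFLIGHT_RC"
}

# Run the live checks only when invoked as: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

Save as `preflight.sh` and run `./preflight.sh --check` as an unprivileged user; the BTF file in sysfs is world-readable, so root is only needed later when loading the programs.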
Build the project:

```sh
just build-release
```

Run with root privileges (required for eBPF):

```sh
sudo ./target/release/sikte record --command ls
```

Or use cargo directly:

```sh
cargo run --release --config 'target."cfg(all())".runner="sudo -E"' -- record --command ls
```

This project uses libbpf-rs and CO-RE, which means:
- A single compiled binary works across different kernel versions (5.8+)
- Automatic field offset relocations based on kernel BTF
- No need to recompile for different kernel configurations
The `vmlinux.h` header is sourced from libbpf's GitHub repository.
Cargo build scripts automatically:
- Compile C eBPF programs using clang
- Generate Rust skeleton bindings via libbpf-cargo
- Embed eBPF bytecode in the final binary
This project uses dual licensing due to Linux kernel compatibility requirements:
All Rust code in sikte/src/ (excluding sikte/src/bpf/) is licensed under:
- AGPL-3.0-or-later - GNU Affero General Public License v3.0 or later
eBPF programs in sikte/src/bpf/ must be GPL-compatible to load into the Linux kernel:
- GPL-2.0-or-later - GNU General Public License v2.0 or later
Each source file includes an SPDX license identifier header indicating which license applies. See LICENSE for the full AGPL-3.0 license text (userspace code).
For more information, see *A Practical Guide to eBPF Licensing*.