Name:           execopen-tracer
Version:        1.2.0
Release:        1%{?dist}
Summary:        eBPF Process and File Monitoring Tool

License:        Apache-2.0
URL:            https://github.com/imcleod/execopen
Source0:        execopen-tracer-%{version}.tar.gz

BuildRequires:  clang >= 10.0.0
BuildRequires:  llvm >= 10.0.0
BuildRequires:  libbpf-devel >= 0.7.0
BuildRequires:  bpftool
BuildRequires:  systemd-devel
BuildRequires:  kernel-headers
BuildRequires:  elfutils-libelf-devel
BuildRequires:  zlib-devel
BuildRequires:  make
BuildRequires:  gcc
BuildRequires:  kernel-automotive-devel

Requires:       libbpf >= 0.7.0
Requires:       systemd
Requires:       kernel >= 4.15.0

# Kernel version and header detection
%{!?kernel_version: %define kernel_version %(ls -1 /usr/src/kernels 2>/dev/null | head -1)}
%{!?kernel_header: %define kernel_header %(if [ -n "%{kernel_version}" ] && [ -f "/usr/src/kernels/%{kernel_version}/vmlinux.h" ]; then echo "/usr/src/kernels/%{kernel_version}/vmlinux.h"; fi)}

%description
execopen-tracer provides tools for monitoring and analyzing system activity
through runtime tracing and process inspection.

execopen - Runtime Activity Tracer:
Uses eBPF to trace all process execution and file access across the system in
real-time. Captures execve/execveat syscalls, scheduler exec events, and
openat/openat2 file operations with full path resolution. Buffers output in
memory and dumps to /tmp on SIGTERM, making it suitable for boot-time tracing
scenarios. Can run as an init replacement to capture system initialization.
Includes statistics tracking to detect dropped events.

procmap - Process and File Inspector:
Enumerates all running userspace processes and their memory-mapped files by
reading /proc/PID/map_files. Outputs process information (PID, PPID, command)
and associated files in JSON format or as a plain file list. Supports flexible
filtering to exclude processes by name, process trees, or parent processes.
Useful for determining what files and libraries are actively in use on a
running system for dependency analysis, compliance audits, or backup planning.

Integration Features:
- Dracut module for automatic inclusion in initramfs
- Init replacement capability for boot-time system tracing
- Systemd service units for runtime operation
- Helper scripts for trace collection and analysis

This RPM was compiled with the headers for the following kernel version:
%{kernel_version}

It will likely work with other closely related versions. However, if you get
bogus output or errors, try recompiling the RPM on a system with the correct
"-devel" kernel package.

%prep
%autosetup -n execopen-tracer-%{version}

# Copy kernel header file if detected
%if "%{?kernel_header}" != ""
cp "%{kernel_header}" .
%endif

%build
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}

%post
%systemd_post execopen.service

%preun
%systemd_preun execopen.service

%postun
%systemd_postun_with_restart execopen.service

# Trigger dracut regeneration when the dracut module is installed/updated
%transfiletriggerin -- /usr/lib/dracut/modules.d
dracut -f 2>/dev/null || :

%files
%license LICENSE
%doc README.md
%{_bindir}/execopen
%{_bindir}/procmap
%{_bindir}/kill-tracer.sh
%{_bindir}/execopen-init.sh
%{_bindir}/execopen-chroot-signal.sh
%{_unitdir}/execopen.service
%{_unitdir}/kill-tracer.service
%{_prefix}/lib/dracut/modules.d/99execopen/

%changelog
* Wed Dec 24 2025 Ian McLeod - 1.2.0-1
- Rework to run before init
- Add post-boot inspection to enumerate final safety runtime package scope

* Fri Nov 21 2025 Ian McLeod - 1.1.0-1
- Rework to log to memory and then disk
- Add scripts and examples of an image that traces and then shuts down

* Wed Aug 20 2025 Ian McLeod - 1.0.0-1
- Initial RPM package for execopen-tracer
- eBPF-based process and file monitoring tool
- Includes systemd service and dracut module