Name:           execopen-tracer
Version:        1.2.0
Release:        1%{?dist}
Summary:        eBPF Process and File Monitoring Tool

License:        Apache-2.0
URL:            https://gitlab.com/imcleod1/execopen
Source0:        execopen-tracer-%{version}.tar.gz

BuildRequires:  clang >= 10.0.0
BuildRequires:  llvm >= 10.0.0
BuildRequires:  libbpf-devel >= 0.7.0
BuildRequires:  bpftool
BuildRequires:  systemd-devel
BuildRequires:  systemd-rpm-macros
BuildRequires:  kernel-headers
BuildRequires:  elfutils-libelf-devel
BuildRequires:  zlib-devel
BuildRequires:  make
BuildRequires:  gcc

Requires:       libbpf >= 0.7.0
%{?systemd_requires}
Requires:       kernel >= 4.15.0

%description
execopen-tracer provides tools for monitoring and analyzing system activity
through runtime tracing and process inspection.

execopen - Runtime Activity Tracer:
Uses eBPF to trace all process execution and file access across the system
in real-time. Captures execve/execveat syscalls, scheduler exec events, and
openat/openat2 file operations with full path resolution. Buffers output in
memory and dumps to /tmp on SIGTERM, making it suitable for boot-time tracing
scenarios. Can run as an init replacement to capture system initialization.
Includes statistics tracking to detect dropped events.

procmap - Process and File Inspector:
Enumerates all running userspace processes and their memory-mapped files by
reading /proc/PID/map_files. Outputs process information (PID, PPID, command)
and associated files in JSON format or as a plain file list. Supports flexible
filtering to exclude processes by name, process trees, or parent processes.
Useful for determining what files and libraries are actively in use on a
running system for dependency analysis, compliance audits, or backup planning.

Integration Features:
- Dracut module for automatic inclusion in initramfs
- Init replacement capability for boot-time system tracing
- Systemd service units for runtime operation
- Helper scripts for trace collection and analysis

The eBPF program is built using BTF from the running kernel or from
kernel-headers. It will likely work with other closely related kernel
versions. If you get bogus output or errors, try recompiling the RPM on a
system with the correct kernel-devel package.

%package -n execopen-report
Summary:        Report generator for execopen trace analysis
BuildArch:      noarch
Requires:       python3

%description -n execopen-report
Report generator for analyzing execopen trace data. Produces detailed reports
showing all spawned processes with their executable paths, PIDs, PPIDs, and
RPM package information. For each process, lists the files accessed along
with their associated RPM packages. Useful for understanding system behavior
during boot or runtime and identifying package dependencies.

%prep
%autosetup -n execopen-tracer-%{version}

# Copy vmlinux.h from kernel headers if not already present
if [ ! -f vmlinux.h ]; then
    KVER=$(ls -1 /usr/src/kernels 2>/dev/null | head -1)
    if [ -n "$KVER" ] && [ -f "/usr/src/kernels/$KVER/vmlinux.h" ]; then
        cp "/usr/src/kernels/$KVER/vmlinux.h" .
    fi
fi

%build
make %{?_smp_mflags}

%install
make install DESTDIR=%{buildroot}

%post
%systemd_post execopen.service

%preun
%systemd_preun execopen.service

%postun
%systemd_postun_with_restart execopen.service

# Trigger dracut regeneration when the dracut module is installed/updated
%transfiletriggerin -- /usr/lib/dracut/modules.d
dracut -f 2>/dev/null || :

%files
%license LICENSE
%doc README.md
%{_bindir}/execopen
%{_bindir}/procmap
%dir %{_libexecdir}/execopen-tracer
%{_libexecdir}/execopen-tracer/kill-tracer.sh
%{_libexecdir}/execopen-tracer/execopen-init.sh
%{_libexecdir}/execopen-tracer/execopen-chroot-signal.sh
%{_unitdir}/execopen.service
%{_unitdir}/kill-tracer.service
%{_unitdir}/execopen-enable-sshd.service
%{_prefix}/lib/dracut/modules.d/99execopen/

%files -n execopen-report
%license LICENSE
%{_bindir}/generate-execopen-report.py

%changelog
* Fri Mar 6 2026 Juanje Ojeda - 1.2.0-1
- Refactor
- Add testing
- Fix minor bugs

* Fri Nov 21 2025 Ian McLeod - 1.1.0-1
- Rework to log to memory and then disk
- Add scripts and examples of an image that traces and then shuts down

* Wed Aug 20 2025 Ian McLeod - 1.0.0-1
- Initial RPM package for execopen-tracer
- eBPF-based process and file monitoring tool
- Includes systemd service and dracut module