55

I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials

you are viewing a single comment's thread
view the rest of the comments
[-] lemmyuser@programming.dev 5 points 6 days ago* (last edited 6 days ago)

Yes you can -send-sigstop to SIGSTOP the process and then do whatever you'd like on your -on-touched-exe such as attach via ptrace, dump all memory, etc. My current one will send a notification and dump the memory of the offending process.

Definitely pay attention to the warning about running this on a server. With a KVM attached in a home lab you should be able to easily recover I guess. I think you could also set yourself up a little UDP service to SIGUSR1 the daemon since incoming packets are not dropped, but I haven't tested that.

[Note: intelligent malware can handle the SIGSTOP fairly easily. You could try to move the process to a new cgroup and then freeze the cgroup, as well, but there is a lot to consider here obviously]

this post was submitted on 25 Jun 2026
55 points (100.0% liked)

Linux

14137 readers
127 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 3 years ago
MODERATORS