Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Built an eBPF debugger that answers “who changed what and when” on Linux

0
Medium
Published: 07/09/2026 (07/09/2026, 12:29:27 UTC)
Source: Reddit ExploitDev

Description

This is a newly developed Linux machine-history debugger named ltm that uses eBPF to record metadata about process, file, network, memory, and block I/O events. It enables querying of historical system activity such as who modified a file or what processes opened network ports. The tool is designed to provide a timeline and diff view of system events to aid debugging. It is still early in development and currently supports only x86_64 Linux systems. No vulnerabilities or exploits are reported in the provided information.

Reddit Discussion

r/ExploitDev·posted by u/BeautifulFeature3650
00

I kept running into the same Linux debugging pain: something broke on a box, but I had no history of what actually happened. journald helps a little. auditd is heavy. strace is too narrow. So I built ltm — a small machine-history debugger that records process/file/network metadata via eBPF and lets you query it like a timeline.

What it does:

• Attaches to syscall tracepoints (exec, open/write/rename/unlink, connect/bind, etc.)

• Stores metadata only (no file contents)

• Lets you do things like:

sudo ltm start --mode ebpf

ltm status

ltm timeline --since 1h

ltm diff --from "10m" --to now

ltm query "who modified /tmp/ltm-demo.txt?"

On a real VM run it recorded ~7k events with 0 drops, and the query returned the exact bash write events that touched the demo file.

There's also a demo mode so you can exercise the CLI/storage/diff/query path without root or BPF.

Stack is Go + embedded BPF ELF + cilium/ebpf. Local store is append-only JSONL. Ignore rules skip /proc, /sys, /dev, and common caches.

Repo: https://github.com/Agent-Hellboy/ltm

Still early. Useful next steps I'm considering:

  1. better diff/query formatting
  2. containerized eBPF integration test
  3. more query templates ("what opened this port?", "what restarted before X?")

Links cited in this discussion

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 12:03:15 UTC

Technical Analysis

The project 'ltm' is an eBPF-based debugger for Linux that records metadata from various syscall tracepoints (process execution, file operations, network connections, memory mappings, block I/O) and stores this data in a local SQLite database. It allows users to query historical system activity in plain English or SQL, providing a timeline and diff of events. It aims to address the lack of comprehensive historical debugging information on Linux systems. The tool requires root or specific capabilities to record events but querying can be done without elevated privileges. The repository and tool are publicly available, with no indication of security vulnerabilities or exploits associated with it.

Potential Impact

No direct security impact or vulnerability is described. The tool is intended for debugging and forensic analysis by recording system event metadata. There are no known exploits or malicious use cases reported. It does not capture file contents, only metadata, which limits exposure of sensitive data. The tool requires root privileges to record events, which is standard for eBPF-based tracing.

Mitigation Recommendations

No mitigation or patching is required as this is not a vulnerability or threat. The tool is a legitimate debugging utility. Users should apply standard security best practices when granting root or elevated capabilities to any software, including this tool.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
ExploitDev+pwned+hacking
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":35,"reasons":["external_link","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a50df7768715ace43866cec

Added to database: 07/10/2026, 12:03:03 UTC

Last enriched: 07/10/2026, 12:03:15 UTC

Last updated: 07/10/2026, 14:17:25 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses