30 open-source projects similar to microsoft/procmon-for-linux, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best ProcMon For Linux alternative.
Tetragon is an eBPF-based runtime security and observability toolset designed for Linux and Kubernetes environments. It functions as a security policy manager, observability agent, and enforcement engine that hooks into kernel functions and tracepoints to detect privilege escalation, container escapes, and unauthorized system activity. The project distinguishes itself through its ability to perform real-time, in-kernel enforcement, allowing it to synchronously terminate malicious processes or modify function return values before a system call completes. It provides deep Kubernetes integration
The Missing Semester is a free, open-source educational curriculum designed to bridge the gap between theoretical computer science and the practical tooling every software engineer needs. Organized as a structured course, it covers Unix shell mastery, version control with Git, software debugging and profiling, system administration fundamentals, and computer security practices — the skills often left out of traditional degree programs. The project is maintained as a collaborative set of lecture notes, exercises, and guides that function as both a professional development tools course and a Uni
BCC is an eBPF development toolkit and tracing framework used for monitoring and analyzing the Linux kernel. It functions as a performance analysis tool and debugging utility to capture system events, measure kernel latency, and provide network observability. The project distinguishes itself by providing a build system that integrates with LLVM to compile C-like code into BPF bytecode at runtime. It utilizes BPF Type Format data for relocations to maintain cross-kernel compatibility and extracts kernel headers to ensure the generated programs match the specific kernel version. The toolkit co
Tracee is a cloud-native runtime security and forensics tool that uses eBPF to capture system calls and kernel events in real time. It operates as a standalone binary or a Helm-deployable agent for Kubernetes, normalizing system calls, network events, and container activities into a unified event pipeline for consistent analysis. The tool distinguishes itself through policy-driven event filtering using YAML-based rules, allowing users to target specific workloads and reduce noise during monitoring. It includes built-in threat detection signatures that flag suspicious behavioral patterns witho
OpenEDR is an endpoint detection and response platform designed to collect telemetry and monitor system activity to identify security breaches. It functions as a host-based intrusion detection system and telemetry collector, gathering detailed data on process, network, and file activity. The system includes a dockerized security stack that bundles search, logging, and visualization tools into containers for analyzing endpoint telemetry. It features a security event visualizer that maps process lineage and indexes logs to facilitate root-cause analysis of attacks. The platform provides capabi
Binsider is a collection of specialized toolsets for hexadecimal editing, ELF structural analysis, system call tracing, and execution performance profiling. It provides a suite of utilities designed for binary reverse engineering, encompassing both static structural analysis and dynamic runtime monitoring of compiled binaries. The project distinguishes itself by combining low-level binary manipulation, such as a hex editor for raw byte modification, with an ELF binary analysis tool for inspecting file structures and metadata. It also includes a Linux system call tracer for observing dynamic b
Blink is a JIT-based instruction emulator and x86-64 Linux emulator designed to run Linux binaries and ELF files across different host operating systems and architectures. It functions as a binary execution sandbox and system call simulator, providing a controlled environment for running programs. The project distinguishes itself with a terminal user interface for monitoring execution, managing breakpoints, and visualizing JIT compilation paths. It supports self-modifying code through a cache-invalidating memory model and provides execution environment isolation using restricted directory ove
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
iSH is a Linux shell emulator for iOS that provides a local terminal environment for running shell commands and managing files. It functions as an instruction-level emulator that enables the execution of Linux binaries on mobile devices by simulating an Alpine Linux environment. The project distinguishes itself by combining user-mode Linux emulation with a virtual root filesystem. This allows the software to map Linux kernel system calls to host functions and execute scripts and toolsets directly on an iPhone or iPad. The emulator also provides low-level program debugging capabilities, inclu
This project is an educational resource providing a comprehensive development tutorial for writing and loading eBPF programs using C, Go, and Rust within the Linux kernel. It serves as a technical guide for developing custom logic to execute directly in the kernel. The materials cover specialized domains including kernel observability and tracing, security implementation for intrusion detection, and high-performance network engineering for packet filtering and load balancing. It also includes dedicated manuals for Linux kernel tracing and the use of kprobes, uprobes, and tracepoints. The pro
Sysdig is a Linux system observability tool and kernel event analyzer designed for capturing and analyzing kernel-level system calls and operating system events. It functions as a system call tracer and container security monitor, providing deep visibility into the activity of machines, virtual machines, and containers. The project specializes in non-invasive container inspection, allowing for the monitoring of container activity and resource usage without modifying the container environment or adding instrumentation. It enables the recording of detailed system traces into binary files for re
nextest is a high-performance test execution framework and Rust test runner designed to manage parallelism, retries, and timeouts. It serves as a test recording system that captures execution metadata and outputs into archives for later failure analysis and replay. The project distinguishes itself as a flakiness detection tool, identifying unstable tests through stress loops and automated retry policies. It also functions as a CI test orchestrator, capable of partitioning test suites across multiple workers and exporting results in standardized JUnit XML and JSON formats. The framework provi
Perfetto is a platform for system-level performance tracing and analysis on Linux and Android. It combines a high-throughput trace recorder, a SQL-based query engine, and a browser-based visualizer into a single toolchain. The platform covers CPU scheduling and call-stack profiling, native and Java heap memory allocation tracking, GPU and graphics events, and system-wide counters such as CPU frequency and power consumption. The architecture decouples trace recording from offline analysis, using a compact protobuf format for event encoding and columnar storage for efficient SQL queries. The we
Inspektor Gadget is an eBPF observability toolset and program framework designed for tracing Linux systems and debugging Kubernetes nodes. It provides a suite of tools to collect kernel-level telemetry and export system metrics via the OpenTelemetry standard. The project distinguishes itself by packaging inspection tools as OCI-compliant container images, allowing for standardized distribution and deployment across clusters and hosts. It employs a modular data processing pipeline that utilizes WebAssembly modules to transform and filter telemetry, and leverages Compile Once Run Everywhere for
This project is a specialized toolset for profiling kernel latency, analyzing tracepoint frequency, and monitoring system-wide performance data. It functions as a kernel performance profiler, tracepoint analyzer, and a collection of utilities for the Linux ftrace and perf_events subsystems. The toolkit provides high-level abstractions via shell-scripted wrappers to manage complex kernel tracing interfaces. It distinguishes itself through the use of bucket-based event histograms to visualize the distribution of kernel events and the ability to identify functions exceeding specific latency thre
Hubble is an eBPF-based Kubernetes observability platform designed for network monitoring, security auditing, and flow inspection. It provides deep visibility into containerized traffic and cluster security by utilizing kernel-level hooks to collect network events. The system features a service map for visualizing communication patterns and dependencies between microservices and external endpoints. It incorporates identity-based flow labeling to track network traffic using Kubernetes labels rather than volatile IP addresses. The platform covers a broad range of monitoring capabilities, inclu
This project is a comprehensive security hardening and privacy management guide for macOS. It provides a set of instructions and checklists for reducing the system attack surface through manual configuration, policy enforcement, and a layered defense strategy. The guide emphasizes a system auditing framework, using binary analysis, system logs, and packet inspection to verify that security controls and application sandboxing are functioning as intended. It offers tool-agnostic recommendations, defining security goals while allowing users to select their own third-party software for implementa
vtop is a terminal system monitor and interactive process manager that provides a real-time command line dashboard for tracking system resources. It displays CPU and memory activity through graphical charts and process lists. The tool features a customizable interface that supports predefined and custom visual theme files. It allows for the identification and termination of active system tasks and process groups using keyboard and mouse support.
pwndbg is a GDB plugin and binary analysis framework designed for reverse engineering, exploit development, and low-level program analysis. It extends the core functionality of the debugger to provide advanced memory inspection and automation tools. The project distinguishes itself with specialized capabilities for heap analysis across glibc, jemalloc, and musl, as well as a comprehensive kernel debugging toolkit for inspecting Linux kernel tasks and slab allocators. It includes an integrated ROP gadget searcher for constructing exploit chains and an LLM-powered debugging assistant that provi
This project is a comprehensive educational resource and curriculum focused on site reliability engineering, distributed systems, and infrastructure operations. It provides technical guides, a systems engineering course, and instructional manuals designed to teach the principles of managing large-scale computing environments. The curriculum covers high-level architectural design for scalability and resilience, including fault-tolerant infrastructure, high-availability patterns, and microservices decomposition. It emphasizes the practical application of site reliability engineering through the
Asterinas is a memory-safe operating system kernel designed to prevent data races and memory corruption. It functions as a Linux-ABI compatible kernel, enabling the execution of existing Linux binaries and container workloads while providing a declarative operating system distribution model. The project distinguishes itself by acting as a virtual machine container host and a confidential computing guest OS, allowing it to run within hardware-isolated Trusted Execution Environments such as Intel TDX. It implements a minimal trusted computing base by isolating unsafe low-level operations and se
This project is a reactive, offline-first NoSQL database engine designed for JavaScript applications. It provides a robust framework for managing application state by synchronizing data across browsers, mobile devices, and server-side runtimes. By treating local storage as the primary source of truth, it enables applications to remain functional without network connectivity, automatically reconciling changes with remote backends once a connection is restored. The database distinguishes itself through a modular architecture that supports cross-environment synchronization and high-performance d
This project is an application framework and boilerplate for enterprise web applications based on ASP.NET Core. It provides a foundation for building large-scale business applications by implementing a domain-driven design framework that organizes application logic into decoupled layers and modules. The framework distinguishes itself through built-in support for multi-tenant software-as-a-service architectures, providing primitives for data, configuration, and interface isolation for multiple customers within a single instance. It also includes an integrated identity management system featuri
Grist is a relational spreadsheet platform that combines the flexibility of a spreadsheet with the power of a relational database. At its core, it manages structured data across multiple linked tables, using a relational database engine to organize information while providing a familiar grid interface. The platform supports Python-based formulas for complex calculations and data transformations, with automatic recalculation when referenced cells change. The system is designed for self-hosted deployment, storing data in either portable SQLite files or enterprise-grade PostgreSQL databases. It
Seer is a graphical frontend for GDB that provides a visual interface for inspecting variables, managing breakpoints, and stepping through code. It functions as a low-level debugger visualizer with specialized tools for call stack inspection and register visualization. The project distinguishes itself by integrating low-level program analysis directly into the visual experience, featuring a synchronized assembly overlay that maps CPU registers and assembly instructions to source code lines. It also includes memory bug detection capabilities by randomizing the program starting address during t
Eladmin is a backend management system and administrative framework built with Spring Boot and Vue. It provides a complete infrastructure for creating administration panels, combining a Java Persistence API backend scaffold with a management interface to monitor system performance and log user activities. The project features automated code generation to produce frontend and backend source code and CRUD operations. It employs a role-based access control system to manage users and organizational structures, while utilizing dynamic route management to update navigation menus from the backend wi
DetectionLab is a reproducible Windows Active Directory security lab designed for testing detection capabilities. It uses an automation framework based on Vagrant and Packer to provision virtualized networks across multiple hypervisors and cloud platforms. The project utilizes Ansible for the declarative installation and configuration of domain services and endpoint security tools. It incorporates a browser-based remote access interface via Apache Guacamole to manage laboratory hosts without requiring standalone remote desktop clients. The environment includes a telemetry pipeline that aggre
Windows Hardening is a PowerShell-based automation framework designed for security assessment and configuration management within Windows environments. It provides a suite of administrative utilities to enforce industry-standard security benchmarks, audit system compliance, and reduce the overall attack surface of host machines. The project distinguishes itself by offering specialized capabilities for enterprise-wide configuration management, including the ability to transform security findings into deployable group policy objects. It also integrates system state management, allowing administ