README
¶
MxCwpp Platform Community Edition
English | 中文
An open-source, enterprise-grade host and container security management platform. Covers security baselines, asset management, vulnerability scanning, antivirus, runtime detection, and compliance auditing — providing a unified management view for security operations teams.
Community Edition
MxCwpp Platform Community Edition includes the complete platform framework and all core security capabilities, sharing the same architecture as the internal version. The Community Edition is fully free with no license required. Currently open-sourced capabilities include:
- Full on-device capabilities: Agent data collection, asset fingerprinting, eBPF runtime probes, baseline check plugins, etc.
- Full backend capabilities: AgentCenter, Manager, Consumer, service discovery — all horizontally scalable.
- Complete management console: Security overview, asset center, alert management, baseline checks, vulnerability management, container security, and more.
- Built-in detection rules: 212 CIS baseline rules, 80 container baseline rules, CEL runtime detection policy samples.
To build a more comprehensive security operations system, we recommend extending policies via the built-in CEL rule engine and integrating threat intelligence for secondary processing.
Function List
| Feature | Community Edition | Enterprise Edition |
|---|---|---|
| Linux data collection (eBPF) | ✅ | ✅ |
| Agent control plane (upgrade/config/task dispatch) | ✅ | ✅ |
| Host status and details | ✅ | ✅ |
| Asset collection (11 types) | ✅ | ✅ |
| Asset fingerprint (global view) | ✅ | ✅ |
| K8s cluster asset collection | ✅ | ✅ |
| Host/container intrusion detection | built-in samples |
✅ |
| Runtime detection (eBPF + CEL) | built-in samples |
✅ |
| K8s Audit intrusion detection | built-in samples |
✅ |
| Behavioral sequence detection | ❌ | ✅ |
| Alert whitelist | ✅ | ✅ |
| Alert aggregation and tracing | ✅ | ✅ |
| Threat response (kill/quarantine/network block) | ✅ | ✅ |
| File quarantine | ✅ | ✅ |
| Vulnerability detection (OSV.dev + CVSS) | ✅ | ✅ |
| Vulnerability intelligence hot-update | ❌ | ✅ |
| Baseline check (CIS Benchmark) | ✅ | ✅ |
| Baseline auto-remediation | ✅ | ✅ |
| Virus scanning (ClamAV + YARA-X) | ✅ | ✅ |
| File integrity monitoring (FIM) | ✅ | ✅ |
| Threat intelligence (MISP IOC) | ✅ | ✅ |
| Container CIS baseline (80 rules) | ✅ | ✅ |
| Audit log | ✅ | ✅ |
| Component management and plugin distribution | ✅ | ✅ |
| System monitoring (Prometheus) | ✅ | ✅ |
| Ops inspection and report export | ✅ | ✅ |
| Memory threat detection (memfd_exec / process hollowing / shellcode / LSASS dump) | ✅ | ✅ |
| AD / LDAP domain controller audit (7 rules: DCSync / Kerberoasting / brute force / etc.) | ✅ | ✅ |
| DKOM rootkit detection (hidden PID / kernel module / port / LD_PRELOAD) | ✅ | ✅ |
| Honeypot sensors (SSH / HTTP decoys + file decoy policy) | ✅ | ✅ |
| VEX vulnerability statement export (CycloneDX 1.5 / CSAF 2.0) | ✅ | ✅ |
| YARA-X malware signature library (73 rules / 50 families) | ✅ | ✅ |
| Threat hunting (SPL-like DSL → SQL transpiler) | ✅ | ✅ |
| Attack storyline (ATT&CK kill-chain timeline) | ✅ | ✅ |
| Behavior baseline detection (ML anomaly scoring) | ✅ | ✅ |
| Windows support | ❌ | 🚧 |
| Active defense (NPatch eBPF hot-patching) | built-in samples |
✅ |
| Cloud antivirus | ❌ | 🚧 |
✅ Supported
built-in samplesincludes sample rules ❌ Not supported 🚧 Planned
Features
| Module | Description |
|---|---|
| Security Baseline | 9 checkers, 212 rules covering CIS Benchmark core items, single-host and batch auto-remediation |
| Asset Center | 11 asset types (processes, ports, users, packages, containers, etc.), relationship mapping and export |
| Vulnerability Management | Package PURL collection + OSV.dev matching + CVSS v3.1 scoring + SBOM export |
| Antivirus | ClamAV + YARA-X dual-engine scanning, task management + quarantine |
| File Integrity | AIDE-based FIM checks with full-cycle policy, event, and task management |
| Runtime Detection | Tetragon/eBPF event collection + CEL rule engine + MITRE ATT&CK mapping |
| Container Security | K8s cluster management, container CIS baseline (80 rules), Audit Webhook integration |
| Alert Center | Alert aggregation, whitelisting, auto-response (kill/quarantine), tracing timeline |
| Threat Intelligence | MISP IOC import + Redis cache + CEL real-time matching |
| Memory Forensics | memfd_exec / process hollowing / shellcode injection / LSASS dump detection (EDR-3) |
| AD/LDAP Audit | 7 detection rules: DCSync, Kerberoasting, brute force, off-hour RDP, privilege assignment, etc. (EDR-4) |
| Honeypot Sensors | SSH/HTTP decoys + file decoys with whitelist for legitimate backup tools (C1) |
| Rootkit Detection | DKOM hidden PID / kernel module / port / LD_PRELOAD / /proc inconsistency (C2) |
| Threat Hunting | SPL-like DSL → SQL transpiler over ClickHouse event archive |
| VEX Export | CycloneDX VEX 1.5 + CSAF 2.0 for vendor vulnerability statements (B7) |
Screenshots
Security Overview — Real-time security posture scoring, alert trends, risk radar
Vulnerability Management — CVE scanning, CVSS scoring, patch prioritization
Baseline Remediation — CIS Benchmark auto-fix with one-click remediation
Vulnerability Bulletin — CVE intelligence tracking, SLA management
ML Anomaly Detection — Isolation Forest behavioral anomaly scoring
Component Management — Plugin distribution, version control, remote push
Architecture
Browser ─→ Nginx ─→ Manager ×N ─→ MySQL / Redis / ClickHouse / Prometheus
Agent ─→ gRPC(mTLS) ─→ AgentCenter ×N ─→ Kafka ─┬→ Consumer ×N ─→ Storage (persist)
└→ Engine ×N ─→ Alerts (detection)
Manager ──HTTP──→ LLMProxy ×N (multi-LLM gateway) VulnSync ×N ──Kafka──→ Manager/Engine
In v2.0 the backend is split into six microservices: Manager / AgentCenter / Consumer / Engine / LLMProxy / VulnSync. The control plane is fully stateless and scales horizontally. Kafka decouples data persistence from detection (two ConsumerGroups with independent offsets), Redis handles service discovery and distributed locks, and ClickHouse stores time-series analytics and event archives. VulnSync pulls OS vendor advisories and publishes them to Kafka, where the Manager consumer matches them against host software.
See Architecture Documentation for details.
Tech Stack
| Layer | Technology |
|---|---|
| Backend | Go 1.25+ (Gin / gRPC / Gorm / Zap) |
| Frontend | Next.js 15 + React 19 + TypeScript + TailwindCSS + Zustand + TanStack Query |
| Storage | MySQL 8.0+ / Redis 7 / ClickHouse 24 |
| Messaging | Kafka (KRaft mode, 7 Topics + DLQ) |
| Monitoring | Prometheus (sole data source for host metrics) |
| Communication | gRPC bidirectional streaming + mTLS + Protobuf |
| Deployment | Docker Compose / Systemd + Nginx |
Supported Platforms
Host OS: Rocky Linux 9/10, Oracle Linux 7/8/9, CentOS 7/8/9, Debian 10/11/12, Ubuntu 20.04/22.04
Runtime: Physical / Virtual machines, Docker container hosts, Kubernetes nodes and clusters
Quick Start
git clone https://github.com/matrixplusio/mxcwpp.git
cd mxcwpp/deploy
cp .env.example .env
vim .env # Edit SERVER_IP / JWT_SECRET / database passwords
# Start control plane (HA mode)
docker compose --env-file .env up -d \
--scale manager=2 --scale agentcenter=2 --scale consumer=2
Visit http://<SERVER_IP> to access the management console. Default credentials: admin / admin123.
See Deployment Documentation for detailed setup instructions.
Build Commands
make build-server # Build server
make build-consumer # Build consumer
make package-agent-all VERSION=1.0.0 SERVER_HOST=IP:6751 # Package agent (RPM/DEB)
make package-plugins-all VERSION=1.0.0 # Package plugins
make proto # Generate Protobuf code
make test # Run tests
make lint # Lint check
Project Structure
mxcwpp/
├── cmd/ # Entry points (agent + 6 server services + mxctl + tools)
│ ├── agent/ # Agent entry
│ └── server/ # manager / agentcenter / consumer / engine / llmproxy / vulnsync
├── internal/
│ ├── server/ # Server packages (manager / agentcenter / consumer / engine / llmproxy / vulnsync / common)
│ └── agent/ # Agent (connection / transport / plugin / heartbeat / edr 25+ submods)
├── plugins/ # 11 plugins (baseline / collector / fim / scanner / avscanner / remediation / rasp-go / rasp-java / rasp-python / rasp-php / rasp-node)
├── api/proto/ # Protobuf definitions
├── web/ # Frontend (Next.js 15 + React 19 + TypeScript)
├── configs/ # Config files (server.yaml / agent.yaml / rule files)
├── deploy/ # Docker Compose (dev / v2 / pret) + Nginx + systemd + prod cluster
├── scripts/ # Build and deployment scripts
└── docs/ # Documentation
Documentation
- Architecture - System topology, component responsibilities, data pipeline, HA design
- Deployment - Environment setup, single/cluster deployment, Agent installation, upgrades and backups
- Configuration - Server config, Agent config, environment variables
- API Reference - REST API endpoints, request/response formats, authentication
- FAQ - Common issues and troubleshooting
- Governance - Project governance model, decision process, security policy
- Contributing - Contribution guide, dev environment, code standards, submission process
Star History
Contributors
See CONTRIBUTORS.md.
License
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
agent
command
Package main 是 Agent 主程序入口
|
Package main 是 Agent 主程序入口 |
|
server/agentcenter
command
Package main 是 AgentCenter 主程序入口
|
Package main 是 AgentCenter 主程序入口 |
|
server/consumer
command
Package main 是 Consumer 主程序入口 Consumer 订阅 Kafka Topic,将消息路由写入 MySQL / ClickHouse
|
Package main 是 Consumer 主程序入口 Consumer 订阅 Kafka Topic,将消息路由写入 MySQL / ClickHouse |
|
server/engine
command
Package main 是 Engine 主程序入口。
|
Package main 是 Engine 主程序入口。 |
|
server/llmproxy
command
Package main 是 LLMProxy 主程序入口。
|
Package main 是 LLMProxy 主程序入口。 |
|
server/manager
command
Package main 是 Manager HTTP API Server 主程序入口
|
Package main 是 Manager HTTP API Server 主程序入口 |
|
server/scanner
command
Package main 是独立镜像扫描服务入口。
|
Package main 是独立镜像扫描服务入口。 |
|
server/vulnsync
command
Package main 是 VulnSync 主程序入口。
|
Package main 是 VulnSync 主程序入口。 |
|
tools/advisory-replay-verify
command
Command advisory-replay-verify 验证「VulnSync→Kafka→Manager consumer」新路径与旧 「manager syncCoreAdvisories 自拉」路径产出的 host_vuln 集合等价(S2 红线门)。
|
Command advisory-replay-verify 验证「VulnSync→Kafka→Manager consumer」新路径与旧 「manager syncCoreAdvisories 自拉」路径产出的 host_vuln 集合等价(S2 红线门)。 |
|
tools/baseline-import
command
Package main 将 Elkeid baseline yaml 转成 mxcwpp baseline JSON。
|
Package main 将 Elkeid baseline yaml 转成 mxcwpp baseline JSON。 |
|
tools/etl-alerts-vulns-ch
command
Command etl-alerts-vulns-ch 一次性把 MySQL 的 alerts / vulnerabilities / host_vulnerabilities 三张表全量迁到 ClickHouse 对应表。
|
Command etl-alerts-vulns-ch 一次性把 MySQL 的 alerts / vulnerabilities / host_vulnerabilities 三张表全量迁到 ClickHouse 对应表。 |
|
tools/etl-audit-log
command
Command etl-audit-log 一次性把 MySQL audit_logs 历史数据迁到 ClickHouse mxcwpp.audit_log。
|
Command etl-audit-log 一次性把 MySQL audit_logs 历史数据迁到 ClickHouse mxcwpp.audit_log。 |
|
tools/etl-host-metrics
command
Command etl-host-metrics 把 MySQL host_metrics 全表迁到 ClickHouse mxcwpp.host_metrics。
|
Command etl-host-metrics 把 MySQL host_metrics 全表迁到 ClickHouse mxcwpp.host_metrics。 |
|
tools/etl-storyline-events
command
Command etl-storyline-events 一次性把 MySQL storyline_events 全表迁到 ClickHouse mxcwpp.storyline_events。
|
Command etl-storyline-events 一次性把 MySQL storyline_events 全表迁到 ClickHouse mxcwpp.storyline_events。 |
|
tools/kms-gen-kek
command
Package main 生成 mxcwpp KMS 主密钥 (KEK), 一次性初次部署用。
|
Package main 生成 mxcwpp KMS 主密钥 (KEK), 一次性初次部署用。 |
|
tools/migrate-metrics
command
migrate-metrics 将 MySQL host_metrics 历史数据迁移到 ClickHouse
|
migrate-metrics 将 MySQL host_metrics 历史数据迁移到 ClickHouse |
|
tools/mxctl
command
|
|
|
tools/ruletest
command
Package main 提供检测规则测试 CLI 工具 用法:go run ./cmd/tools/ruletest --rules rules/ --tests testcases/
|
Package main 提供检测规则测试 CLI 工具 用法:go run ./cmd/tools/ruletest --rules rules/ --tests testcases/ |
|
tools/stress
command
stress 是 MxCwpp AgentCenter 压测工具 模拟 N 个 Agent 并发通过 gRPC BiDi 流发送心跳,验证 AC → Kafka → Consumer 链路
|
stress 是 MxCwpp AgentCenter 压测工具 模拟 N 个 Agent 并发通过 gRPC BiDi 流发送心跳,验证 AC → Kafka → Consumer 链路 |
|
tools/stress-http
command
stress-http 是 MxCwpp Manager HTTP API 压测工具 模拟 N 个并发用户持续请求 Manager API,验证读链路(MySQL/ClickHouse → Manager)
|
stress-http 是 MxCwpp Manager HTTP API 压测工具 模拟 N 个并发用户持续请求 Manager API,验证读链路(MySQL/ClickHouse → Manager) |
|
configs
|
|
|
agent-rules
Package agentrules 提供内嵌的 Agent YAML 检测规则
|
Package agentrules 提供内嵌的 Agent YAML 检测规则 |
|
rules
Package rules 提供内置检测规则的嵌入数据
|
Package rules 提供内置检测规则的嵌入数据 |
|
internal
|
|
|
agent/buffer
Package buffer 提供 Agent 数据传输的环形缓冲区
|
Package buffer 提供 Agent 数据传输的环形缓冲区 |
|
agent/cache
Package cache 提供本地缓存功能,用于断网时暂存数据
|
Package cache 提供本地缓存功能,用于断网时暂存数据 |
|
agent/cli
Package cli 实现 Agent 辅助命令行子功能(--status / --logs / --config / --diag)
|
Package cli 实现 Agent 辅助命令行子功能(--status / --logs / --config / --diag) |
|
agent/config
Package config 提供配置引导功能
|
Package config 提供配置引导功能 |
|
agent/connection
Package connection 提供连接管理功能(服务发现、mTLS)
|
Package connection 提供连接管理功能(服务发现、mTLS) |
|
agent/dependency
Package dependency 管理 Agent 端外部依赖的安装、卸载和状态检测
|
Package dependency 管理 Agent 端外部依赖的安装、卸载和状态检测 |
|
agent/edr
Package edr implements the built-in EDR engine for the MxCwpp Agent.
|
Package edr implements the built-in EDR engine for the MxCwpp Agent. |
|
agent/edr/antidebug
Package antidebug 实现 Agent 自我加固 (M1-6)。
|
Package antidebug 实现 Agent 自我加固 (M1-6)。 |
|
agent/edr/av/clamav
Package clamav — clamd UDS / TCP 客户端 (B8).
|
Package clamav — clamd UDS / TCP 客户端 (B8). |
|
agent/edr/bde
Package bde implements the Behavior Detection Engine (BDE) profiler.
|
Package bde implements the Behavior Detection Engine (BDE) profiler. |
|
agent/edr/canary
Package canary — 反勒索 / 反横移 蜜罐诱饵文件 (B9).
|
Package canary — 反勒索 / 反横移 蜜罐诱饵文件 (B9). |
|
agent/edr/collector
Package collector defines the interface and mode detection for EDR event collectors.
|
Package collector defines the interface and mode detection for EDR event collectors. |
|
agent/edr/container
Package container provides container metadata resolution for EDR events.
|
Package container provides container metadata resolution for EDR events. |
|
agent/edr/elfparse
Package elfparse — ELF 二进制解析 + strings 抽取 + entropy 反混淆 (C8).
|
Package elfparse — ELF 二进制解析 + strings 抽取 + entropy 反混淆 (C8). |
|
agent/edr/event
Package event defines unified EDR event types for process, file, and network events.
|
Package event defines unified EDR event types for process, file, and network events. |
|
agent/edr/fanotify
Package fanotify 实现 Agent 端 fanotify 文件监控 (P3-2).
|
Package fanotify 实现 Agent 端 fanotify 文件监控 (P3-2). |
|
agent/edr/forensics
Package forensics — Memory Forensics: live mem dump + volatility 集成 (EDR-3).
|
Package forensics — Memory Forensics: live mem dump + volatility 集成 (EDR-3). |
|
agent/edr/honeypot
Package honeypot — SSH/HTTP 假回应蜜罐 (C1).
|
Package honeypot — SSH/HTTP 假回应蜜罐 (C1). |
|
agent/edr/ioc
Package ioc provides an in-memory IOC (Indicator of Compromise) store for the EDR engine.
|
Package ioc provides an in-memory IOC (Indicator of Compromise) store for the EDR engine. |
|
agent/edr/isolate
Package isolate provides host network isolation via iptables.
|
Package isolate provides host network isolation via iptables. |
|
agent/edr/lsm
loader_linux.go — BPF LSM 用户态 (C10 骨架).
|
loader_linux.go — BPF LSM 用户态 (C10 骨架). |
|
agent/edr/memfd
detector_linux.go — memfd_create→execveat 用户态事件 (C9).
|
detector_linux.go — memfd_create→execveat 用户态事件 (C9). |
|
agent/edr/npatch
dirtypipe_pwnkit_linux.go — Userspace loader / event consumer for DirtyPipe + PwnKit eBPF probes (P4-9).
|
dirtypipe_pwnkit_linux.go — Userspace loader / event consumer for DirtyPipe + PwnKit eBPF probes (P4-9). |
|
agent/edr/npatch/afpacket
Package afpacket — AF_PACKET v3 (TPACKET_V3) mmap ring buffer reader (P3-K').
|
Package afpacket — AF_PACKET v3 (TPACKET_V3) mmap ring buffer reader (P3-K'). |
|
agent/edr/npatch/probe
Package probe — kernel 特性探测 (P3-K').
|
Package probe — kernel 特性探测 (P3-K'). |
|
agent/edr/quarantine
Package quarantine 实现 Agent 端 文件隔离箱 (M1-8)。
|
Package quarantine 实现 Agent 端 文件隔离箱 (M1-8)。 |
|
agent/edr/rootkit
dkom_linux.go — DKOM (Direct Kernel Object Manipulation) rootkit 检测 (C2).
|
dkom_linux.go — DKOM (Direct Kernel Object Manipulation) rootkit 检测 (C2). |
|
agent/edr/rule
Package rule implements the agent-side YAML rule engine for EDR event detection.
|
Package rule implements the agent-side YAML rule engine for EDR event detection. |
|
agent/edr/storyline
Package storyline implements the Agent-side CausalTracker for attack storyline correlation.
|
Package storyline implements the Agent-side CausalTracker for attack storyline correlation. |
|
agent/edr/weakpass
Package weakpass 实现 Agent 端弱口令检测 (P2-19).
|
Package weakpass 实现 Agent 端弱口令检测 (P2-19). |
|
agent/edr/yara
Package yara provides an async YARA-X scanner for the EDR engine.
|
Package yara provides an async YARA-X scanner for the EDR engine. |
|
agent/forensics
Package forensics provides remote forensic capabilities for the Agent.
|
Package forensics provides remote forensic capabilities for the Agent. |
|
agent/gctune
Package gctune — Agent 端 GC 调优 (P3-B).
|
Package gctune — Agent 端 GC 调优 (P3-B). |
|
agent/heartbeat
Package heartbeat 提供心跳上报功能
|
Package heartbeat 提供心跳上报功能 |
|
agent/id
Package id 提供 Agent ID 管理功能
|
Package id 提供 Agent ID 管理功能 |
|
agent/logger
Package logger 提供结构化日志功能(基于 Zap) 默认配置:按天轮转,保留30天
|
Package logger 提供结构化日志功能(基于 Zap) 默认配置:按天轮转,保留30天 |
|
agent/metrics
Package metrics 实现 Agent /metrics Prometheus 暴露 (P2-5)。
|
Package metrics 实现 Agent /metrics Prometheus 暴露 (P2-5)。 |
|
agent/plugin
Package plugin 提供插件生命周期管理和 Pipe 通信功能
|
Package plugin 提供插件生命周期管理和 Pipe 通信功能 |
|
agent/resource
Package resource 提供资源监控功能(CPU、内存、磁盘、网络)
|
Package resource 提供资源监控功能(CPU、内存、磁盘、网络) |
|
agent/runtime
Package runtime 提供运行时环境检测功能(容器/VM/K8s) 全局单例:检测一次,Agent 全生命周期复用
|
Package runtime 提供运行时环境检测功能(容器/VM/K8s) 全局单例:检测一次,Agent 全生命周期复用 |
|
agent/transport
Package transport 提供 gRPC 传输功能(双向流)
|
Package transport 提供 gRPC 传输功能(双向流) |
|
agent/updater
Package updater 实现 Agent 自更新功能 selfupdate.go 提供 CLI 主动更新能力(mxcwpp-agent --update)
|
Package updater 实现 Agent 自更新功能 selfupdate.go 提供 CLI 主动更新能力(mxcwpp-agent --update) |
|
agent/wal
Package wal provides a Write-Ahead Log for EDR events.
|
Package wal provides a Write-Ahead Log for EDR events. |
|
common/certissue
Package certissue 提供按 AgentID 在线签发单机客户端证书的能力。
|
Package certissue 提供按 AgentID 在线签发单机客户端证书的能力。 |
|
common/compressor
Package compressor 提供 gRPC 流压缩支持
|
Package compressor 提供 gRPC 流压缩支持 |
|
common/fileutil
Package fileutil 提供通用文件工具函数
|
Package fileutil 提供通用文件工具函数 |
|
common/jsonx
Package jsonx — JSON 热点高性能替代 (P3-A).
|
Package jsonx — JSON 热点高性能替代 (P3-A). |
|
common/signing
Package signing 提供 Ed25519 签名和验证功能
|
Package signing 提供 Ed25519 签名和验证功能 |
|
common/ssrf
Package ssrf 提供防 SSRF 的 URL 校验与安全 HTTP 客户端。
|
Package ssrf 提供防 SSRF 的 URL 校验与安全 HTTP 客户端。 |
|
server/agentcenter/commandsub
Package commandsub 是 AC 的 Engine 命令订阅器。
|
Package commandsub 是 AC 的 Engine 命令订阅器。 |
|
server/agentcenter/httptrans
Package httptrans 提供 AgentCenter HTTP 管理接口 供 Manager 的服务发现模块调用,用于:健康探测、连接统计、命令下发
|
Package httptrans 提供 AgentCenter HTTP 管理接口 供 Manager 的服务发现模块调用,用于:健康探测、连接统计、命令下发 |
|
server/agentcenter/init
Package init 提供 AgentCenter 服务的初始化逻辑
|
Package init 提供 AgentCenter 服务的初始化逻辑 |
|
server/agentcenter/metrics
Package metrics 提供 AgentCenter 侧的 Prometheus Gauge 指标导出 与 Elkeid 架构一致:AC 收到心跳后更新 in-process Gauge, Prometheus 通过 /metrics 端点抓取,无需额外 Kafka 路径。
|
Package metrics 提供 AgentCenter 侧的 Prometheus Gauge 指标导出 与 Elkeid 架构一致:AC 收到心跳后更新 in-process Gauge, Prometheus 通过 /metrics 端点抓取,无需额外 Kafka 路径。 |
|
server/agentcenter/scheduler
Package scheduler 提供任务调度器
|
Package scheduler 提供任务调度器 |
|
server/agentcenter/sdclient
Package sdclient 实现 AgentCenter 向 Manager SD 模块注册/心跳/注销的客户端
|
Package sdclient 实现 AgentCenter 向 Manager SD 模块注册/心跳/注销的客户端 |
|
server/agentcenter/server
Package server 提供 gRPC Server 创建和配置
|
Package server 提供 gRPC Server 创建和配置 |
|
server/agentcenter/service
Package service 提供 AgentCenter 的业务逻辑服务
|
Package service 提供 AgentCenter 的业务逻辑服务 |
|
server/agentcenter/setup
Package setup 提供 AgentCenter 服务的初始化逻辑
|
Package setup 提供 AgentCenter 服务的初始化逻辑 |
|
server/agentcenter/transfer
Package transfer 实现 Transfer gRPC 服务
|
Package transfer 实现 Transfer gRPC 服务 |
|
server/common/canary
Package canary 提供统一的灰度发布抽象, 让"Agent 升级 / 规则推送 / 基线修复 / 漏洞修复 / 病毒处置 / 配置变更" 6 类写操作共享同一份"分批 → 健康检查 → 失败回滚"调度逻辑。
|
Package canary 提供统一的灰度发布抽象, 让"Agent 升级 / 规则推送 / 基线修复 / 漏洞修复 / 病毒处置 / 配置变更" 6 类写操作共享同一份"分批 → 健康检查 → 失败回滚"调度逻辑。 |
|
server/common/config
Package config 统一 6 微服务 (Manager/AgentCenter/Consumer/Engine/VulnSync/LLMProxy) 配置加载。
|
Package config 统一 6 微服务 (Manager/AgentCenter/Consumer/Engine/VulnSync/LLMProxy) 配置加载。 |
|
server/common/gctune
Package gctune — Go GC + 内存上限统一调优 (P3-B).
|
Package gctune — Go GC + 内存上限统一调优 (P3-B). |
|
server/common/gmcrypt
Package gmcrypt 实现国密 SM2/SM3/SM4 算法 (P3-12).
|
Package gmcrypt 实现国密 SM2/SM3/SM4 算法 (P3-12). |
|
server/common/kms
Package kms 实现 Manager 内嵌的 envelope encryption KMS。
|
Package kms 实现 Manager 内嵌的 envelope encryption KMS。 |
|
server/common/mode
Package mode 提供 v2.0 observe/protect 双运行模式的状态机与决策抽象。
|
Package mode 提供 v2.0 observe/protect 双运行模式的状态机与决策抽象。 |
|
server/common/mode/gate
Package gate 实现 observe → protect 切换的 6 门槛准入校验 (G1-G6)。
|
Package gate 实现 observe → protect 切换的 6 门槛准入校验 (G1-G6)。 |
|
server/common/observability
Package observability 提供 OpenTelemetry 追踪初始化与 Tracer 全局访问。
|
Package observability 提供 OpenTelemetry 追踪初始化与 Tracer 全局访问。 |
|
server/common/otel
Package otel — 5 微服务统一分布式追踪 + metrics 初始化 (B2).
|
Package otel — 5 微服务统一分布式追踪 + metrics 初始化 (B2). |
|
server/common/tenant
Package tenant 提供多租户上下文与 GORM 行级隔离支持。
|
Package tenant 提供多租户上下文与 GORM 行级隔离支持。 |
|
server/config
Package config 提供 Server 配置管理
|
Package config 提供 Server 配置管理 |
|
server/consumer
Package consumer 实现 Kafka Consumer 服务 从各 Topic 消费 MQMessage,路由到 MySQL / ClickHouse 写入器
|
Package consumer 实现 Kafka Consumer 服务 从各 Topic 消费 MQMessage,路由到 MySQL / ClickHouse 写入器 |
|
server/consumer/gcppubsub
Package gcppubsub 实现 GCP Pub/Sub 消费者,从 Cloud Logging 接收 GKE 审计日志
|
Package gcppubsub 实现 GCP Pub/Sub 消费者,从 Cloud Logging 接收 GKE 审计日志 |
|
server/consumer/metrics
Package metrics 提供 Consumer 进程的 Prometheus 指标暴露。
|
Package metrics 提供 Consumer 进程的 Prometheus 指标暴露。 |
|
server/consumer/sanitize
Package sanitize 提供事件字段脱敏功能 在事件数据写入存储前,对 cmdline 等敏感字段进行凭据遮蔽
|
Package sanitize 提供事件字段脱敏功能 在事件数据写入存储前,对 cmdline 等敏感字段进行凭据遮蔽 |
|
server/consumer/siem
Package siem provides SIEM integration via Syslog CEF (Common Event Format).
|
Package siem provides SIEM integration via Syslog CEF (Common Event Format). |
|
server/consumer/writer
Package writer 实现 ClickHouse 批量写入(Phase 4)
|
Package writer 实现 ClickHouse 批量写入(Phase 4) |
|
server/database
Package database 提供 ClickHouse 客户端初始化
|
Package database 提供 ClickHouse 客户端初始化 |
|
server/engine
Package engine 是 v2.0 六微服务架构中检测引擎的实现。
|
Package engine 是 v2.0 六微服务架构中检测引擎的实现。 |
|
server/engine/adaudit
Package adaudit — AD / LDAP 域控审计 (EDR-4).
|
Package adaudit — AD / LDAP 域控审计 (EDR-4). |
|
server/engine/anomaly
Package anomaly implements server-side ML anomaly detection.
|
Package anomaly implements server-side ML anomaly detection. |
|
server/engine/baseline
Package baseline implements the Server-side Behavior Detection Engine (BDE) baseline.
|
Package baseline implements the Server-side Behavior Detection Engine (BDE) baseline. |
|
server/engine/celengine
Package celengine 实现基于 CEL-Go 的实时检测规则引擎 支持从数据库加载 CEL 表达式规则,对 Kafka 消费事件进行实时评估并生成告警
|
Package celengine 实现基于 CEL-Go 的实时检测规则引擎 支持从数据库加载 CEL 表达式规则,对 Kafka 消费事件进行实时评估并生成告警 |
|
server/engine/honeypot
Package honeypot 实现反勒索 honeypot 服务端检测逻辑。
|
Package honeypot 实现反勒索 honeypot 服务端检测逻辑。 |
|
server/engine/intrusion
Package intrusion 实现入侵检测六件套:
|
Package intrusion 实现入侵检测六件套: |
|
server/engine/kube
Package kube — Pod Security Standards 检查器 (B10).
|
Package kube — Pod Security Standards 检查器 (B10). |
|
server/engine/microseg
Package microseg 实现微隔离 (Microsegmentation) 流量观察 + 策略推荐 + Enforcement。
|
Package microseg 实现微隔离 (Microsegmentation) 流量观察 + 策略推荐 + Enforcement。 |
|
server/engine/ml
Package ml 是 Engine 的本地机器学习推理抽象。
|
Package ml 是 Engine 的本地机器学习推理抽象。 |
|
server/engine/rasp
Package rasp 实现 RASP (Runtime Application Self-Protection) 服务端事件接收与检测。
|
Package rasp 实现 RASP (Runtime Application Self-Protection) 服务端事件接收与检测。 |
|
server/engine/rollout
Package rollout — 规则灰度推送 (B6).
|
Package rollout — 规则灰度推送 (B6). |
|
server/engine/ruleimport
Package ruleimport 把 Falco / Sigma / Tetragon 规则转成 mxcwpp CEL 规则。
|
Package ruleimport 把 Falco / Sigma / Tetragon 规则转成 mxcwpp CEL 规则。 |
|
server/engine/rulesync
Package rulesync 实现基于 Git 仓库的检测规则同步 定期从远程 Git 仓库拉取规则 YAML,增量同步到 detection_rules 表
|
Package rulesync 实现基于 Git 仓库的检测规则同步 定期从远程 Git 仓库拉取规则 YAML,增量同步到 detection_rules 表 |
|
server/engine/scheduler
Package scheduler 是 v2.0 Engine 服务的调度器集合,承担:
|
Package scheduler 是 v2.0 Engine 服务的调度器集合,承担: |
|
server/engine/storyline
Package storyline aggregates Agent-side story_id-tagged events into attack storylines on the Server.
|
Package storyline aggregates Agent-side story_id-tagged events into attack storylines on the Server. |
|
server/hunting/mql
Package mql implements the MxCwpp Query Language compiler.
|
Package mql implements the MxCwpp Query Language compiler. |
|
server/llmproxy
Package biz - C2: LLM 告警辅助分析
|
Package biz - C2: LLM 告警辅助分析 |
|
server/llmproxy/audit
Package audit 把 LLM 调用日志推到 Kafka mxcwpp.llm.audit Topic。
|
Package audit 把 LLM 调用日志推到 Kafka mxcwpp.llm.audit Topic。 |
|
server/llmproxy/cache
Package cache 是 LLMProxy 的 Redis 24h 入参缓存。
|
Package cache 是 LLMProxy 的 Redis 24h 入参缓存。 |
|
server/llmproxy/provider
Package provider 定义 LLM Provider 抽象与多厂商适配实现。
|
Package provider 定义 LLM Provider 抽象与多厂商适配实现。 |
|
server/llmproxy/quota
Package quota 提供租户级 LLM 月度 USD 配额检查与累积。
|
Package quota 提供租户级 LLM 月度 USD 配额检查与累积。 |
|
server/llmproxy/redact
Package redact 提供发往外部 LLM 前的数据脱敏与本地端点判定(批4 合规)。
|
Package redact 提供发往外部 LLM 前的数据脱敏与本地端点判定(批4 合规)。 |
|
server/llmproxy/router
Package router 是 LLMProxy 的场景路由器。
|
Package router 是 LLMProxy 的场景路由器。 |
|
server/logger
Package logger 提供 Server 结构化日志功能(基于 Zap)
|
Package logger 提供 Server 结构化日志功能(基于 Zap) |
|
server/manager/api
Package api — AD / LDAP 域控审计 HTTP handler (EDR-4).
|
Package api — AD / LDAP 域控审计 HTTP handler (EDR-4). |
|
server/manager/api/admission
Package admission 实现 K8s ValidatingAdmissionWebhook v1。
|
Package admission 实现 K8s ValidatingAdmissionWebhook v1。 |
|
server/manager/biz
Package biz — host OS-specific fixed_version lookup
|
Package biz — host OS-specific fixed_version lookup |
|
server/manager/biz/audit
Package audit 实现 AuditLog 多维 enrichment (P4-5).
|
Package audit 实现 AuditLog 多维 enrichment (P4-5). |
|
server/manager/biz/billing
Package billing — 配额 80% 预警 worker (B4).
|
Package billing — 配额 80% 预警 worker (B4). |
|
server/manager/biz/federation
Package federation — 多集群联邦管理骨架 (C3).
|
Package federation — 多集群联邦管理骨架 (C3). |
|
server/manager/biz/graphql
Package graphql 给 mxcwpp API 暴露 GraphQL 入口 (P4-7).
|
Package graphql 给 mxcwpp API 暴露 GraphQL 入口 (P4-7). |
|
server/manager/biz/honeypot
Package honeypot 实现 Server 端 honeypot 策略管理与白名单过滤。
|
Package honeypot 实现 Server 端 honeypot 策略管理与白名单过滤。 |
|
server/manager/biz/hunting
Package hunting — Threat Hunting DSL (SPL-like) (C4).
|
Package hunting — Threat Hunting DSL (SPL-like) (C4). |
|
server/manager/biz/imagescan
Package imagescan 实现镜像/文件 Secret 检测 + Dockerfile lint 等深度扫描。
|
Package imagescan 实现镜像/文件 Secret 检测 + Dockerfile lint 等深度扫描。 |
|
server/manager/biz/mlmodel
Package mlmodel 实现 ML 模型分发管理 (复用 component 包体上传/CDN 通道)。
|
Package mlmodel 实现 ML 模型分发管理 (复用 component 包体上传/CDN 通道)。 |
|
server/manager/biz/mssp
Package mssp 实现 MSSP (Managed Security Service Provider) 父子租户视图 (P2-11).
|
Package mssp 实现 MSSP (Managed Security Service Provider) 父子租户视图 (P2-11). |
|
server/manager/biz/npatch
Package npatch 是 mxcwpp 的虚拟补丁规则模型 (对标青藤云幕 NPatch)。
|
Package npatch 是 mxcwpp 的虚拟补丁规则模型 (对标青藤云幕 NPatch)。 |
|
server/manager/biz/outbound
Package outbound 实现告警/事件外发到 SIEM/SOC 系统 (P2-3)。
|
Package outbound 实现告警/事件外发到 SIEM/SOC 系统 (P2-3)。 |
|
server/manager/biz/pocvalidation
Package pocvalidation 实现 PoC (Proof of Concept) 自动验证 (P2-13)。
|
Package pocvalidation 实现 PoC (Proof of Concept) 自动验证 (P2-13)。 |
|
server/manager/biz/sbom
Package sbom 实现 SBOM CycloneDX 1.5 生成 (P2-4)。
|
Package sbom 实现 SBOM CycloneDX 1.5 生成 (P2-4)。 |
|
server/manager/biz/soar
SOAR ApprovalChecker 实际实现 (P3-14).
|
SOAR ApprovalChecker 实际实现 (P3-14). |
|
server/manager/biz/vex
Package vex — VEX (Vulnerability Exploitability eXchange) 生成器 (B7).
|
Package vex — VEX (Vulnerability Exploitability eXchange) 生成器 (B7). |
|
server/manager/client
Package client — Manager 跨进程调用 Engine/VulnSync/LLMProxy 的抽象接口 (A8 接口骨架).
|
Package client — Manager 跨进程调用 Engine/VulnSync/LLMProxy 的抽象接口 (A8 接口骨架). |
|
server/manager/handler
Package handler 给 manager HTTP 注册 GraphQL endpoint (P4-7).
|
Package handler 给 manager HTTP 注册 GraphQL endpoint (P4-7). |
|
server/manager/init
Package init 提供 Manager 服务的初始化逻辑
|
Package init 提供 Manager 服务的初始化逻辑 |
|
server/manager/middleware
Package middleware 提供 HTTP 中间件
|
Package middleware 提供 HTTP 中间件 |
|
server/manager/router
Package router 提供 HTTP 路由配置
|
Package router 提供 HTTP 路由配置 |
|
server/manager/scheduler
Package scheduler 提供任务调度器
|
Package scheduler 提供任务调度器 |
|
server/manager/sd
Package sd 实现 Manager 内嵌的服务发现模块 负责 AgentCenter 实例的注册、心跳维护、主动健康探测和路由选择
|
Package sd 实现 Manager 内嵌的服务发现模块 负责 AgentCenter 实例的注册、心跳维护、主动健康探测和路由选择 |
|
server/manager/setup
Package setup 提供 Manager 服务的初始化逻辑
|
Package setup 提供 Manager 服务的初始化逻辑 |
|
server/metrics
Package metrics 提供 Prometheus 指标导出
|
Package metrics 提供 Prometheus 指标导出 |
|
server/migration
Package migration 提供数据库迁移功能
|
Package migration 提供数据库迁移功能 |
|
server/migration/mvp1
Package mvp1 提供 MVP1 → MVP2 数据迁移能力
|
Package mvp1 提供 MVP1 → MVP2 数据迁移能力 |
|
server/model
Package model — AD / LDAP 域控审计事件 + 告警 (EDR-4).
|
Package model — AD / LDAP 域控审计事件 + 告警 (EDR-4). |
|
server/notify
Package notify 提供告警/事件通知派发(邮件/Webhook/Lark),跨服务共享。
|
Package notify 提供告警/事件通知派发(邮件/Webhook/Lark),跨服务共享。 |
|
server/prometheus
Package prometheus 提供 Prometheus 查询客户端
|
Package prometheus 提供 Prometheus 查询客户端 |
|
server/remediation
Package remediation 提供漏洞修复任务派发与 Agent 结果/进度处理,跨服务共享。
|
Package remediation 提供漏洞修复任务派发与 Agent 结果/进度处理,跨服务共享。 |
|
server/scanner
Package scanner 是独立镜像扫描服务的核心:从 scan_jobs 队列认领任务, 调用 trivy 扫描镜像,结果写回 image_scans / image_vulnerabilities。
|
Package scanner 是独立镜像扫描服务的核心:从 scan_jobs 队列认领任务, 调用 trivy 扫描镜像,结果写回 image_scans / image_vulnerabilities。 |
|
server/vulnsync
Package vulnsync 是 v2.0 漏洞情报融合服务的实现。
|
Package vulnsync 是 v2.0 漏洞情报融合服务的实现。 |
|
server/vulnsync/advisory
Package advisory 提供商业级 CWPP 漏洞数据多源接入。
|
Package advisory 提供商业级 CWPP 漏洞数据多源接入。 |
|
server/vulnsync/integrity
Package integrity 提供漏洞情报数据源的完整性校验,防供应链投毒(批4)。
|
Package integrity 提供漏洞情报数据源的完整性校验,防供应链投毒(批4)。 |
|
server/vulnsync/leader
Package leader 提供 VulnSync 服务的 Redis-based Leader Election。
|
Package leader 提供 VulnSync 服务的 Redis-based Leader Election。 |
|
server/vulnsync/publisher
Package publisher 把 advisory.AdvisoryMessage 推送到 Kafka mxcwpp.vuln.advisory。
|
Package publisher 把 advisory.AdvisoryMessage 推送到 Kafka mxcwpp.vuln.advisory。 |
|
server/vulnsync/ti
Package ti 实现 STIX/TAXII 2.x 威胁情报订阅 (P2-6)。
|
Package ti 实现 STIX/TAXII 2.x 威胁情报订阅 (P2-6)。 |
|
pkg
|
|
|
util/strutil
Package strutil 给项目集中字符串助手 (A10 审计修复).
|
Package strutil 给项目集中字符串助手 (A10 审计修复). |
|
util/worker
Package worker — 后台周期任务统一 RunLoop (A10 审计修复).
|
Package worker — 后台周期任务统一 RunLoop (A10 审计修复). |
|
plugins
|
|
|
avscanner
command
av-scanner 插件: 反勒索 honeypot + 文件扫描 (Sprint 4 脚手架)
|
av-scanner 插件: 反勒索 honeypot + 文件扫描 (Sprint 4 脚手架) |
|
avscanner/engine
Package engine 实现 av-scanner 插件核心逻辑:
|
Package engine 实现 av-scanner 插件核心逻辑: |
|
baseline
command
Package main 是 Baseline Plugin 的主程序入口 Baseline Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信
|
Package main 是 Baseline Plugin 的主程序入口 Baseline Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 |
|
baseline/engine
Package engine 提供基线检查器实现
|
Package engine 提供基线检查器实现 |
|
collector
command
Package main 是 Collector Plugin 的主程序入口 Collector Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 负责周期性采集主机资产信息(进程、端口、账户等)并上报到 Server
|
Package main 是 Collector Plugin 的主程序入口 Collector Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 负责周期性采集主机资产信息(进程、端口、账户等)并上报到 Server |
|
collector/engine
Package engine 提供采集引擎的核心功能
|
Package engine 提供采集引擎的核心功能 |
|
collector/engine/handlers
Package handlers 提供各类资产采集器的实现
|
Package handlers 提供各类资产采集器的实现 |
|
fim
command
Package main 是 FIM Plugin 的主程序入口 FIM Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信
|
Package main 是 FIM Plugin 的主程序入口 FIM Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 |
|
fim/engine
Package engine 提供 FIM 插件的核心引擎
|
Package engine 提供 FIM 插件的核心引擎 |
|
lib/go
Package plugins 提供插件 SDK,用于插件与 Agent 之间的通信 插件通过 Pipe(文件描述符 3/4)与 Agent 进行双向通信
|
Package plugins 提供插件 SDK,用于插件与 Agent 之间的通信 插件通过 Pipe(文件描述符 3/4)与 Agent 进行双向通信 |
|
rasp-go/mxcwpprasp
Package mxcwpprasp 提供 Go 应用程序的 RASP 观察 SDK (P4-14).
|
Package mxcwpprasp 提供 Go 应用程序的 RASP 观察 SDK (P4-14). |
|
remediation
command
Package main 是 Remediation Plugin 的主程序入口 Remediation Plugin 作为 Agent 的子进程运行,接收修复命令并执行
|
Package main 是 Remediation Plugin 的主程序入口 Remediation Plugin 作为 Agent 的子进程运行,接收修复命令并执行 |
|
scanner
command
Package main 是 Scanner Plugin 的主程序入口 Scanner Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 提供 ClamAV + YARA-X 双引擎恶意文件扫描和文件隔离功能
|
Package main 是 Scanner Plugin 的主程序入口 Scanner Plugin 作为 Agent 的子进程运行,通过 Pipe 与 Agent 通信 提供 ClamAV + YARA-X 双引擎恶意文件扫描和文件隔离功能 |
|
scanner/engine
Package engine 提供扫描引擎的核心功能
|
Package engine 提供扫描引擎的核心功能 |
Click to show internal directories.
Click to hide internal directories.