Portable field access against the real target kernel.
Vesuvius.
Making system activity visible.
A security-monitoring tool that watches how programs start, stop, and communicate on a Linux machine. The goal is to give defenders useful evidence for detecting suspicious behavior.
Watch the system while it is running.
Vesuvius is my Master's thesis project at Politecnico di Torino, developed with a teammate and in collaboration with Rakuten. It records important process and network events while a Linux system is running, then turns them into structured data for security analysis.
I am responsible for process monitoring: the events raised when a process is created, starts a new program, or exits. My teammate covers network connections. Combining the two views helps explain which program communicated with which endpoint.
Turn a system event into useful security data.
Small eBPF programs collect events inside the kernel. Shared maps remember process and container information, and a ring buffer sends each event to a Go application. The application converts the data to JSON so detection rules can use it.
Process lifecycle
sched_process_fork establishes parent-child lineage.
sched_process_exec captures the transition to a new executable image.
sched_process_exit closes the lifecycle and supports state cleanup.
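The user-space half of this lifecycle, as an added example that is not the project's own code: a Go state table that applies fork, exec and exit records, keeps each process's lineage, drops the entry on exit, and emits the JSON a detection rule would consume. The Event layout and the string kind names are assumptions standing in for whatever the ring buffer actually carries.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Event is a constructed stand-in for one ring-buffer record (hypothetical layout).
type Event struct {
	Kind      string // tracepoint that produced it: "fork", "exec" or "exit"
	PID, PPID uint32
	Exe       string // filled in on exec only
}

// Proc is the per-process record kept in user space and emitted as JSON.
type Proc struct {
	Event   string   `json:"event"`
	PID     uint32   `json:"pid"`
	PPID    uint32   `json:"ppid"`
	Exe     string   `json:"exe"`
	Lineage []uint32 `json:"lineage"` // ancestor PIDs, nearest first
}

// Tracker holds live processes; an entry is removed when its exit arrives.
type Tracker struct{ procs map[uint32]*Proc }

func NewTracker() *Tracker   { return &Tracker{procs: map[uint32]*Proc{}} }
func (t *Tracker) Live() int { return len(t.procs) } // processes still tracked

// Handle applies one event and returns the JSON record detection rules consume.
func (t *Tracker) Handle(e Event) ([]byte, error) {
	p, known := t.procs[e.PID]
	if !known && e.Kind != "fork" {
		return nil, fmt.Errorf("%s for unknown pid %d: fork missed or event lost", e.Kind, e.PID)
	}
	switch e.Kind {
	case "fork":
		p = &Proc{PID: e.PID, PPID: e.PPID, Lineage: []uint32{}}
		if parent, ok := t.procs[e.PPID]; ok {
			p.Exe = parent.Exe // a child runs the parent's image until it execs
			p.Lineage = append([]uint32{parent.PID}, parent.Lineage...)
		}
		t.procs[e.PID] = p
	case "exec":
		p.Exe = e.Exe
	case "exit":
		delete(t.procs, e.PID) // state cleanup; the final record is still emitted
	default:
		return nil, fmt.Errorf("unknown event kind %q", e.Kind)
	}
	p.Event = e.Kind
	return json.Marshal(p)
}
```

An exec or exit for a PID the tracker never saw is reported as an error rather than silently creating state, which is the signal to watch for when events are lost under load.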
Test the real system, not just its version number.
The target reports Linux 4.18, which normally suggests that several modern eBPF features are unavailable. Rocky Linux, however, adds newer features to its older base kernel through vendor backports.
I wrote small tests for each capability we needed. BTF, portable CO-RE access, BPF LSM, ring buffers, and larger eBPF stacks all worked. Those results let us use a simpler modern architecture instead of building unnecessary compatibility code.
Ring-buffer event delivery instead of perf-event arrays.
BPF LSM security hooks available through vendor backports.
Aqua Security's runtime monitor informed hook and data-model decisions.
Keep kernel code small and responsibilities clear.
The kernel side only collects and transports essential data. More complex parsing and security decisions stay in the Go application, where the code is easier to test and change.
Process and network monitoring share the same event formats and state models. Feature branches and pull requests make changes to those shared contracts visible while the two parts are developed in parallel.
Vesuvius is active thesis work. This case study focuses on verified architecture and my process-monitoring contribution; it does not claim production deployment or performance results that have not yet been measured.