psc
psc (ps container) is a process scanner that uses eBPF iterators and Google CEL to query system state with precision and full container context.
psc requires root privileges to load eBPF programs.
The Problem
Traditional Linux tools like ps, lsof, and ss are powerful but inflexible. They output fixed formats that require extensive piping through grep, awk, and sed to extract useful information:

    # Find all nginx processes owned by root
    ps aux | grep nginx | grep root | grep -v grep
    # With psc:
    psc 'process.name == "nginx" && process.user == "root"'

    # Find processes with established connections on port 443
    ss -tnp | grep ESTAB | grep :443 | awk '{print $6}' | cut -d '"' -f2
    # With psc:
    psc 'socket.state == established && socket.dstPort == uint(443)'

    # Find containerized processes (one PID per line, so xargs can substitute it)
    ps -eo pid= | xargs -I{} sh -c 'cat /proc/{}/cgroup 2>/dev/null | grep -q docker && echo {}'
    # With psc:
    psc 'container.runtime == docker'

These tools also read from /proc, a virtual filesystem whose contents can be misrepresented by userland rootkits. A compromised library loaded via LD_PRELOAD can intercept the libc wrappers around system calls and hide processes, network connections, or files from these traditional utilities.
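
A defender-side check for the LD_PRELOAD vector described above, added here as an example and not part of psc: it lists libraries named in the system-wide preload file and in each process's LD_PRELOAD variable. The function names `emit_libs` and `audit_preload`, the two path arguments and the tab-separated output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not psc code. audit_preload and its arguments are assumptions:
#   $1 = proc root (default /proc), $2 = preload file (default /etc/ld.so.preload)
# Output: one line per finding, "source<TAB>pid<TAB>library".

# Split a library list on spaces, tabs and colons; print each non-empty item
# prefixed with the source and pid passed as $1 and $2.
emit_libs() {
    tr ' \t:' '\n\n\n' | while read -r lib || [ -n "$lib" ]; do
        if [ -n "$lib" ]; then printf '%s\t%s\t%s\n' "$1" "$2" "$lib"; fi
    done
}

audit_preload() {
    proc_root=${1:-/proc}
    preload_file=${2:-/etc/ld.so.preload}

    # Vector 1: the system-wide file, applied to every dynamically linked program.
    if [ -r "$preload_file" ]; then
        sed 's/#.*//' "$preload_file" | emit_libs global -
    fi

    # Vector 2: LD_PRELOAD in a process's NUL-separated environment.
    for env in "$proc_root"/[0-9]*/environ; do
        [ -r "$env" ] || continue          # unreadable, exited, or glob did not match
        pid=${env%/environ}
        pid=${pid##*/}
        tr '\0' '\n' 2>/dev/null < "$env" | sed -n 's/^LD_PRELOAD=//p' | emit_libs env "$pid"
    done
    return 0
}

audit_preload "$@"
```

Run it as root so every process's environ file is readable. The script itself relies on dynamically linked tools reading /proc, so an already-active hook can filter its output and an empty result is not proof of a clean host.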
How psc Works