Skip to content



security_socket_accept - An event capturing details when a socket accepts an incoming connection.


This event is triggered whenever a socket accepts a connection request. The eBPF program hooks into the kernel's security_socket_accept function, extracting details about the socket involved and the accepted connection's local address.

Monitoring the acceptance of incoming connections can provide insights into the activity of servers and applications, shedding light on potential threats or irregular behaviors.


  1. sockfd (int): The file descriptor referring to the socket accepting the connection.
  2. local_addr (struct sockaddr*): A pointer to the structure holding the local address details of the accepted connection.




Kprobe (using kprobe/security_socket_accept).


To observe and gather data whenever a socket accepts an incoming connection. The captured data gets saved into a buffer, which is subsequently submitted to user-space for further analysis or logging.

Example Use Case

A server application could utilize this event to maintain a log of all incoming connections, ensuring awareness of all entities connecting to the server. This can be crucial for security, especially in scenarios where unauthorized access might occur. Diagnostics tools might also employ this event to troubleshoot network connectivity issues.

  • security_socket_create
  • security_socket_listen
  • security_socket_connect
  • security_socket_bind
  • security_socket_setsockopt

Note: This document was generated by OpenAI with a human review process.