diff --git a/README.md b/README.md index 2b533a06aa42a7c4ff055c939e399685d0766450..2efc2b68f9f338f3f3e8fc362ec58ae282e4fb24 100644 --- a/README.md +++ b/README.md @@ -71,16 +71,9 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca ## 安装教程 - - - -\1. xxxx - -\2. xxxx - -\3. xxxx - - +1. yum install clang libbpf-devel bpftool grpc-devel cmake +2. mkdir -p observer_agent/build && cd observer_agent/build +3. cmake .. && make ## 使用说明 @@ -161,4 +154,4 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca \5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) -\6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) \ No newline at end of file +\6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) diff --git a/observer_agent/CMakeLists.txt b/observer_agent/CMakeLists.txt index 16100843e39889be8f85e00bc766901c6156488a..60be81bbba1178574b10bd7ceff2300d82e9c160 100644 --- a/observer_agent/CMakeLists.txt +++ b/observer_agent/CMakeLists.txt @@ -1,5 +1,6 @@ cmake_minimum_required(VERSION 3.1) +add_subdirectory(ebpf) set(CMAKE_CXX_STANDARD 11) project(observer_agent VERSION 1.0 LANGUAGES CXX) set(GRPC_PATH ${CMAKE_CURRENT_SOURCE_DIR}/grpc_comm) diff --git a/observer_agent/ebpf/CMakeLists.txt b/observer_agent/ebpf/CMakeLists.txt new file mode 100644 index 0000000000000000000000000000000000000000..dab70e56514122b5fadabefcbcc044b98ae34e2c --- /dev/null +++ b/observer_agent/ebpf/CMakeLists.txt 
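Review bot: `add_subdirectory(ebpf)` is inserted before the top-level `project()` call in observer_agent/CMakeLists.txt, so the ebpf directory is configured before the parent project has declared its languages, and the parent's `cmake_minimum_required(VERSION 3.1)` is lower than the `3.16` the new subdirectory asks for, giving the two scopes different policy sets. The conventional order is `cmake_minimum_required` → `project` → `add_subdirectory`; moving the line below `project(observer_agent VERSION 1.0 LANGUAGES CXX)` and raising the top-level minimum to `3.16` keeps both directories under one policy baseline.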
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+
+cmake_minimum_required(VERSION 3.16)
+project(ebpf)
+add_custom_target(ebpf ALL
+ COMMAND mkdir -p ${CMAKE_CURRENT_BINARY_DIR}/.output
+ COMMAND bpftool btf dump file /sys/kernel/btf/vmlinux format c > ${CMAKE_CURRENT_BINARY_DIR}/.output/vmlinux.h
+ COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o
+ COMMAND bpftool gen skeleton ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.bpf.o > ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.skel.h
+ COMMAND cc -g -Wall -I${CMAKE_CURRENT_BINARY_DIR}/.output -I${CMAKE_CURRENT_SOURCE_DIR} -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.c -o ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.o
+ COMMAND cc -g -Wall ${CMAKE_CURRENT_BINARY_DIR}/.output/fentry.o /usr/lib64/libbpf.a -lelf -lz -o fentry
+)
+
+
diff --git a/observer_agent/ebpf/fentry.bpf.c b/observer_agent/ebpf/fentry.bpf.c
new file mode 100644
index 0000000000000000000000000000000000000000..d99988171025d64dcaaf409a3a9716d849229cc3
--- /dev/null
+++ b/observer_agent/ebpf/fentry.bpf.c
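Review bot: The `add_custom_target(ebpf ALL ...)` chain declares no `OUTPUT`/`DEPENDS`, so all six commands re-run on every build, a change to `fentry.bpf.c` is not what drives regeneration of the skeleton, and a failure part-way leaves stale `.output` artifacts that the next step happily consumes; splitting the steps into `add_custom_command` with proper outputs and dependencies, and building `fentry` with `add_executable`, gives correct incremental rebuilds and stops at the first failure. `-D__TARGET_ARCH_x86` and `/usr/lib64/libbpf.a` are hard-coded, so the build breaks on aarch64 or wherever libbpf lives elsewhere; `find_library(LIBBPF NAMES bpf REQUIRED)` and an arch define derived from `CMAKE_SYSTEM_PROCESSOR` remove both. `vmlinux.h` is dumped from the build host's `/sys/kernel/btf/vmlinux`, which is the normal CO-RE flow but deserves a comment such as `# vmlinux.h comes from the build host's kernel BTF; CO-RE relocations resolve against the running kernel at load time`, since a host without kernel BTF fails at the `bpftool btf dump` step with no hint of why.
```cmake
find_library(LIBBPF NAMES bpf REQUIRED)
set(BPF_OUT ${CMAKE_CURRENT_BINARY_DIR}/.output)
# … unchanged: arch define; still -D__TARGET_ARCH_x86 here, derive from CMAKE_SYSTEM_PROCESSOR …
add_custom_command(OUTPUT ${BPF_OUT}/vmlinux.h
    COMMAND mkdir -p ${BPF_OUT}
    COMMAND bpftool btf dump file /sys/kernel/btf/vmlinux format c > ${BPF_OUT}/vmlinux.h)
add_custom_command(OUTPUT ${BPF_OUT}/fentry.bpf.o
    COMMAND clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -c ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c -o ${BPF_OUT}/fentry.bpf.o
    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/fentry.bpf.c ${BPF_OUT}/vmlinux.h)
add_custom_command(OUTPUT ${BPF_OUT}/fentry.skel.h
    COMMAND bpftool gen skeleton ${BPF_OUT}/fentry.bpf.o > ${BPF_OUT}/fentry.skel.h
    DEPENDS ${BPF_OUT}/fentry.bpf.o)
add_executable(fentry fentry.c ${BPF_OUT}/fentry.skel.h)
target_include_directories(fentry PRIVATE ${BPF_OUT} ${CMAKE_CURRENT_SOURCE_DIR})
target_link_libraries(fentry PRIVATE ${LIBBPF} elf z)
```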
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2021 Sartura */
+#include "vmlinux.h"
+#include
+#include
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+SEC("lsm/task_free")
+int BPF_PROG(do_bprm_check, struct task_struct *task)
+{
+ char buf[16];
+ __u32 pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_get_current_comm(buf, sizeof(buf));
+ bpf_printk("bprm_check: pid = %d, comm = %d", pid, buf);
+
+ return 0;
+}
+
+SEC("fentry/do_unlinkat")
+int BPF_PROG(do_unlinkat, int dfd, struct filename *name)
+{
+ pid_t pid;
+
+ pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_printk("fentry: pid = %d, filename = %s\n", pid, name->name);
+ return 0;
+}
+
+SEC("fexit/do_unlinkat")
+int BPF_PROG(do_unlinkat_exit, int dfd, struct filename *name, long ret)
+{
+ pid_t pid;
+
+ pid = bpf_get_current_pid_tgid() >> 32;
+ bpf_printk("fexit: pid = %d, filename = %s, ret = %ld\n", pid, name->name, ret);
+ return 0;
+}
+
+
diff --git a/observer_agent/ebpf/fentry.c b/observer_agent/ebpf/fentry.c
new file mode 100644
index 0000000000000000000000000000000000000000..9daa67f4feae49ac19e2b55c3b9a6818b7765691
--- /dev/null
+++ b/observer_agent/ebpf/fentry.c
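Review bot: In `do_bprm_check`, `bpf_printk("bprm_check: pid = %d, comm = %d", pid, buf)` prints the 16-byte `comm` buffer with `%d`, so the specifier does not match the argument and the trace line shows garbage instead of the task name; the two `do_unlinkat` programs already use `%s` for strings, so `bpf_printk("task_free: pid = %d, comm = %s", pid, buf);` is the consistent form. The program is attached at `lsm/task_free` yet is named and labelled `bprm_check`, which mislabels every trace line, and on a task_free hook `bpf_get_current_comm` presumably reports the task performing the teardown rather than the `task` being freed — worth confirming and either reading the freed task's comm through `BPF_CORE_READ(task, comm)` or renaming the program to match the hook. All three programs emit via `bpf_printk`, i.e. the shared trace_pipe, which carries the filename of every unlink on the host to whoever reads it; a header comment stating that this is a development-only output path, to be replaced by a ringbuf/perf buffer before the data feeds observer_agent, would keep that from being forgotten.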
@@ -0,0 +1,64 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2021 Sartura
+ * Based on minimal.c by Facebook */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "fentry.skel.h"
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+ return vfprintf(stderr, format, args);
+}
+
+static volatile sig_atomic_t stop;
+
+void sig_int(int signo)
+{
+ stop = 1;
+}
+
+int main(int argc, char **argv)
+{
+ struct fentry_bpf *skel;
+ int err;
+
+ /* Set up libbpf errors and debug info callback */
+ libbpf_set_print(libbpf_print_fn);
+
+ /* Open load and verify BPF application */
+ skel = fentry_bpf__open_and_load();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF skeleton\n");
+ return 1;
+ }
+
+ /* Attach tracepoint handler */
+ err = fentry_bpf__attach(skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF skeleton\n");
+ goto cleanup;
+ }
+
+ if (signal(SIGINT, sig_int) == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ printf("Successfully started! Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` "
+ "to see output of the BPF programs.\n");
+
+ while (!stop) {
+ fprintf(stderr, ".");
+ sleep(1);
+ }
+
+cleanup:
+ fentry_bpf__destroy(skel);
+ return -err;
+}
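Review bot: When `signal(SIGINT, sig_int)` fails, `main` jumps to `cleanup` with `err` still 0 and `return -err` yields exit status 0 for a failed start; make `err = -errno;` the first statement of that `if` body (before `fprintf` can disturb errno) and print `strerror(-err)` so the failure is both reported and reflected in the exit code. The attach failure message drops the libbpf error code, which is the only clue when the `lsm/task_free` program cannot attach (typically a kernel without BPF LSM support enabled): `fprintf(stderr, "Failed to attach BPF skeleton: %d\n", err);`. `sig_int` has external linkage for no reason and should be `static void sig_int(int signo)`, `argc`/`argv` are unused, and `libbpf_print_fn` forwards every level including debug to stderr, which is noisy for a long-running agent — a comment or a level filter on `level` would make that intentional.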