kunai

Threat-hunting tool for Linux

GPL-3.0 License

Stars
361

kunai - v0.3.0-alpha.2

Published by qjerome 25 days ago

What's Changed

Full Changelog: https://github.com/kunai-project/kunai/compare/v0.3.0-alpha.1...v0.3.0-alpha.2

kunai - v0.3.0-alpha.1

Published by qjerome about 1 month ago

New Features

  • new CLI
  • new kill event generated when a process attempts to kill another
  • harden mode: prevents kunai from being tampered with by other processes
  • action handling: detection rules can be configured with actions to take after detection
    • kill: kill the process triggering the detection rules
    • scan-files: scan any file path contained in event with Yara rules
  • new file_scan event: generated when a scan-files action is run
  • IoCs now contain severity information, allowing more or less importance to be attributed to some IoC sources/types

Notable fix

  • High memory consumption in the long run or when kunai runs under stress conditions

What's Changed

Full Changelog: https://github.com/kunai-project/kunai/compare/v0.2.4...v0.3.0-alpha.1

kunai - v0.2.6 Latest Release

Published by qjerome 3 months ago

Features

  • enhanced rule conditions, now supporting: none of them, none of $VAR_PREFIX, any of them, any of $VAR_PREFIX, all of them, all of $VAR_PREFIX, N of them and N of $VAR_PREFIX
  • enhanced event selection, now supporting a - (minus) in front of event IDs to filter them out

Fix

  • aarch64 compatibility is fixed and working
  • fixed hidden verifier error

Changelog

ef65e98 - chg: [ebpf] moved remaining CORE field accesses to use core_read_kernel macro + renamed error to be more generic
ed60416 - fix #71: aarch64 compatibility
dd119e3 - chg: [ebpf] removed unused import
65ea2bc - Merge pull request #78 from kunai-project/fix-aarch64-compat
424314f - fix: [kunai] run error never shown
565caa5 - Merge pull request #79 from kunai-project/fix-run-error
f5a075b - fix: [kunai] remove unused import + deny(unused_import)
e578608 - fix: [kunai-common] deny(unused_import)
797633c - fix: [ebpf] deny(unused_import)
3a79a29 - chg: [common] removed useless commands in shim.c
f428a67 - chg: [all] deny(warnings)
e4cf307 - chg: update gene to 0.2.0
1b1f321 - fix:[ci] take vmlinuz from alpine
bfcbadb - fix:[ci] wrong if in test_kernel.sh
d3574f8 - Merge pull request #81 from kunai-project/fix-imports
68612c8 - chore: Release
a68fefc - chg: [ebpf] rm Cargo.lock + add .gitignore
6d80ae5 - chore: Release kunai-ebpf version 0.2.5

kunai - v0.2.5

Published by qjerome 3 months ago

Features

  • Log rotation with maximum size and compression

Improvements

  • Upgrade of gene (log matching engine)
  • Build process simplified -> no need to compile LLVM anymore
  • Upgrade Rust nightly toolchain for eBPF
  • eBPF probes improvements 

Changelog

894d331 - chg: [kunai] removed useless comment
9ebaea9 - chg: [kunai] info message location for probe loading
0201214 - fix: [kunai-common] fix verifier errors when compiling eBPF with latest nightly
5c1e2a3 - chg: [kunai-common] remove unused imports in eBPF
26ced3d - fix: BPF verifier issues with latest nightly
dd3678c - chg: [kunai-ebpf] bump toolchain
f013333 - fix: [xtask] remove build-tools related code
f99ecd0 - chg: [workflow] cleanup not to use build tools
74dd203 - add: [workflow] test for LTS kernel 6.6
db23181 - fix: [workflow] install bpf-linker after cache retrieval
ef0c776 - chg:[readme] updated with simplified build process
a731d85 - Merge pull request #75 from kunai-project/wip-simplify-build
80a289d - fix #72: bug trying to match container type in rule
38ba081 - Merge pull request #76 from kunai-project/bug-fix-72
0a20bd4 - chg: update gene-rs
c10d632 - fix #73: [kunai] implement log rotation
5b3caaf - Merge pull request #77 from kunai-project/impl-log-rotation
767c541 - chore: Release
fdcf374 - chg: [kunai-ebpf] cargo.lock
2192f1a - chore: Release kunai-ebpf version 0.2.4

kunai - v0.2.4

Published by qjerome 4 months ago

0da4c4c - fix #65: issue with send_data probe
e642d12 - chg: make send_data trigger configurable + probe improvement
f13aab1 - chg:[kunai-ebpf] comment in send_data.rs
d47e7ea - chg: [kunai-ebpf] consistent IpPort APIs
fb41cfc - chg: [kunai] remove debug message of dns packet
e2fc29a - chg: [kunai] update gene crates
801f869 - fix: [kunai] ancestor resolution
7f283b8 - chg: [kunai] handle stdin in kunai replay
2d268a0 - chg: update README.md
69ea3ce - chg: [kunai] refactored var names in main.rs
7556dfe - chg: [kunai-ebpf] early return if event is disabled in high throughput probes
d486a59 - chg: [kunai] use tokio tasks for all workers
503ef09 - chg: [kunai] reworked sysconf call + fn to get PAGE_SIZE and PAGE_SHIFT
4c1c841 - chg: [kunai-common][ebpf] handle bio_vec in iov_iter
3c5656a - chg: [kunai-common] uniformize Buffer methods
403e0a5 - chg: [xtask] process workspace before eBPF in release command

kunai - v0.2.3

Published by qjerome 5 months ago

0e826d8 - fix #64: clone event has wrong information

kunai - v0.2.2

Published by qjerome 5 months ago

fa2fdc7 - fix #63: inode struct change in 6.7

kunai - v0.2.1

Published by qjerome 5 months ago

f743f01 - chg: updated authors
5d23f98 - add: Config::stdout_output
f6b9203 - chg: events custom serde fields
c5c7b99 - feat: added replay command
754b1f3 - Merge pull request #59 from kunai-project/feat-replay
0a1fe18 - chg: userland toolchain upgrade -> 1.77
1e3bbe8 - chg: [xtask] use cargo clippy in xtask check
c766611 - fix: [kunai-common] clippy warnings
3e7126f - fix: [kunai] clippy warnings
bfd630e - fix: [kunai-ebpf] clippy warnings
f9f38ea - chg: added funding section in README.md
8a710d2 - chg: [kunai] refactored internal function names to be in line with others
e3140cb - add: new msghdr shim
9fcdad6 - chg: [kunai] refactored event producer/consumer
0fbdc17 - chg: [kunai-common] removed useless code and comments
cc1665e - fix: [xtask] slowness in build/check
f8dec76 - fix #61: issue with kretprobe not surviving to suspend/resume cycle
b0f477a - Merge pull request #62 from kunai-project/enhancements

kunai - v0.2.0

Published by qjerome 6 months ago

Changelog:

e8c60be - improved xtask and provide a way to configure custom bpf-linker
880f21a - Added xtasks commands to build build-tools (LLVM and bpf-linker)
f7b826e - Created types.h not to depend on kernel headers to build project
24009a8 - Shim building is made with bindgen crate instead of command line
9d51b87 - added info.event.source field, to be used by external tools to identify kunai logs
0cb6c14 - fix #4: "file not found" error string when the file does not exist
7e93900 - stabilizing read_kernel_at for 5.4
6b13658 - fix #3
8f23823 - fix ci failing because of --free-space option
b8d2705 - implemented task clone probe and event
d7d5004 - implemented a way to test kernel compatibility
f274cfb - prioritize tracepoint + utility functions
d3a5eb8 - prctl probe implemented
9aedaba - fix event processing bug leaving always one event in queue
7eb7c2d - fix #12
b24be6f - gene integration
d0ef7c7 - fix #23
c9c6d51 - fix #25
7fba77d - fix #26
92209bc - implemented IoC scanning fix #22
e808367 - fix #27
a4295d4 - fix #30 fix #21
d24fc25 - fix namespaces tests
a26220e - new Container enum
7ee8795 - minor refactor in namespaces.rs
1980f61 - fix #20 : parent image is set to "kernel" when parent is a kthread. Also fix ancestors.
35aac7c - refactored correlation related struct and fn to be less confusing
83a9dfb - fix #17 : data model harmonization
9f83a87 - fix file_unlink probe reporting bpf errors in very specific conditions
a93fc76 - fix #35 bug in schedule probe
da93fa5 - fix #36 error in prctl probe
a3ce05b - fix #34 error in clone probe
d459e20 - detect containers on procfs
b217037 - new probe for finit_module
b0fd394 - fix #38 simplify clone probe
adc104f - fix #16 improved errors happening in BPF and refactored kunai-common
7bbdae9 - improved dns_query related probes in the aim of removing all possible errors
b2ed03e - new podman container
52fbfbf - fix issue #48 in eBPF cgroup parsing we now give a chance to userland to resolve cgroup
09ce207 - fix #50 removed completely FdMap
f0e0f97 - fix #53 ancestor in all events
75bb362 - fixed bug in KernelVersion::from_sys
9b85d44 - improved perf of write events with caching
4edac4a - fix #54 remove mount event
d4efffe - migration to latest stable Aya \o/

kunai - v0.2.0-rc.3

Published by qjerome 7 months ago

f3787a2 - update gene-rs
30cf089 - cleanup in CLI help
e3a113b - standardized packages Cargo.toml
6f79071 - updated kunai-ebpf toml
03c14a3 - integrate xtask with cargo release
8f4cbb3 - new cargo alias for xtask (run, build, release)
0b14112 - kunai version bump
bd7b271 - packages version bumps

kunai - v0.2.0-rc.2

Published by qjerome 8 months ago

d5eee4e - unpub co_re::gen
0ca8834 - new FileNotFound ProbeError
ca42f24 - removed FdMap dep from mmap probe
ffb20af - use FileNotFound error in DNS probes
09ce207 - fix #50 removed completely FdMap
f0e0f97 - fix #53 ancestor in all events
75bb362 - fixed bug in KernelVersion::from_sys
1199f73 - do not unwrap in bpf alloc
9b85d44 - improved perf of write events with caching
0d7b278 - added syscall information to init_module event
4edac4a - fix #54 remove mount event
a4d354f - resolve nodename in eBPF instead of navigating inside namespaces in userland

kunai - v0.2.0-rc.1

Published by qjerome 8 months ago

a93fc76 - fix #35 bug in schedule probe
da93fa5 - fix #36 error in prctl probe
a3ce05b - fix #34 error in clone probe
b0fd394 - fix #38 simplify clone probe
adc104f - fix #16 improved errors happening in BPF and refactored kunai-common
52fbfbf - fix issue #48 in eBPF cgroup parsing we now give a chance to userland to resolve cgroup

kunai - v0.2.0-alpha.4

Published by qjerome 9 months ago

92209bc - implemented IoC scanning fix #22
e808367 - fix #27
539b127 - updated aya helpers (fix #14) (#29)
a4295d4 - fix #30 fix #21
1980f61 - fix #20 : parent image is set to "kernel" when parent is a kthread. Also fix ancestors.
83a9dfb - fix #17 : data model harmonization

kunai - v0.2.0-alpha.3

Published by qjerome 9 months ago

Fixes issues with latest LTS kernel 6.6:

  • fix #23
  • fix #25
  • fix #26

kunai - v0.2.0-alpha.2

Published by qjerome 10 months ago

Change log:

  • supports detection / filtering rules

kunai - v0.2.0-alpha.1

Published by qjerome 11 months ago

Change log:

  • file unlink event implemented
  • fix CI build failing due to latest bpf-linker commit
  • Path PartialEq own implementation

kunai - "v0.2.0-alpha"

Published by qjerome 12 months ago

kunai - v0.1.0

Published by qjerome over 1 year ago

Throwing Kunai
