kunai v0.2 releases: Threat hunting tool for Linux
kunai
The goal of this project is to surface the events needed for monitoring tasks ranging from security monitoring to threat hunting on Linux-based systems. If you are familiar with Sysmon on Windows, you can think of Kunai as a Sysmon equivalent for Linux.
What makes Kunai special?
- events arrive sorted in chronological order
- benefits from on-host correlation and event enrichment
- works well with Linux namespaces and container technologies (you can trace all the activity happening inside your containers)
How it works
All the kernel components of this project run as eBPF programs (also called probes). Kunai embeds a number of probes that collect the information relevant to security monitoring. Once the eBPF side has done its job, the information is passed to a userland program responsible for re-ordering, enriching and correlating events.
On the implementation side, Kunai is 99% written in Rust, leveraging the awesome Aya library, so everything you need to run is a single standalone binary embedding both the eBPF probes and the userland program.
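The userland re-ordering step described above, as an added example that is not kunai's own code: a bounded re-ordering buffer that takes events as they come off per-CPU buffers and releases them in timestamp order. The Event fields, the window size and the sample events are constructed for illustration.

```rust
use std::cmp::Reverse;
use std::collections::BinaryHeap;
/// Constructed stand-in for an event read from a per-CPU buffer; derived Ord compares timestamp_ns first.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Event {
    pub timestamp_ns: u64,  // monotonic clock value taken inside the probe
    pub cpu: u32,           // CPU whose buffer delivered the event
    pub kind: &'static str, // probe name, e.g. "execve" or "clone"
}
/// Bounded re-ordering buffer: an event is held until it is `window_ns` older than
/// the newest timestamp seen, then released in timestamp order.
pub struct Reorder {
    window_ns: u64,
    newest_ns: u64,
    heap: BinaryHeap<Reverse<Event>>, // Reverse turns the max-heap into a min-heap
}
impl Reorder {
    pub fn new(window_ns: u64) -> Self { Self { window_ns, newest_ns: 0, heap: BinaryHeap::new() } }
    /// Accept one event from any CPU; return those now safe to emit, oldest first.
    pub fn push(&mut self, ev: Event) -> Vec<Event> {
        self.newest_ns = self.newest_ns.max(ev.timestamp_ns);
        self.heap.push(Reverse(ev));
        let cutoff = self.newest_ns.saturating_sub(self.window_ns);
        let mut out = Vec::new();
        while let Some(Reverse(e)) = self.heap.peek() {
            if e.timestamp_ns > cutoff { break; }
            out.push(self.heap.pop().unwrap().0);
        }
        out
    }
    /// Release everything still buffered, oldest first (used at shutdown).
    pub fn flush(&mut self) -> Vec<Event> {
        std::iter::from_fn(|| self.heap.pop().map(|r| r.0)).collect()
    }
}

/// Constructed sample: two CPUs delivering interleaved, out-of-order events.
pub fn demo() -> Vec<Event> {
    let delivered = vec![
        Event { timestamp_ns: 100, cpu: 0, kind: "execve" },
        Event { timestamp_ns: 90, cpu: 1, kind: "clone" },
        Event { timestamp_ns: 130, cpu: 0, kind: "connect" },
        Event { timestamp_ns: 160, cpu: 1, kind: "file_unlink" },
    ];
    let mut r = Reorder::new(30);
    let mut ordered: Vec<Event> = delivered.into_iter().flat_map(|e| r.push(e)).collect();
    ordered.extend(r.flush());
    ordered // timestamps come out as 90, 100, 130, 160
}
```

An event arriving more than `window_ns` behind the newest timestamp already seen is released immediately but after later events, so the window has to exceed the worst-case delivery skew between the per-CPU buffers.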
Changelog v0.2
e8c60be – improved xtask and provided a way to configure a custom bpf-linker
880f21a – Added xtasks commands to build build-tools (LLVM and bpf-linker)
f7b826e – Created types.h to not depend on kernel headers to build project
24009a8 – Shim building is made with bindgen crate instead of command line
9d51b87 – added info.event.source field, to be used by external tools to identify kunai logs
0cb6c14 – fix #4: “file not found” error string when the file does not exist
7e93900 – stabilizing read_kernel_at for 5.4
6b13658 – fix #3
8f23823 – fix ci failing because of --free-space option
b8d2705 – implemented task clone probe and event
d7d5004 – implemented a way to test kernel compatibility
f274cfb – prioritize tracepoint + utility functions
d3a5eb8 – prctl probe implemented
9aedaba – fix event processing bug always leaving one event in queue
7eb7c2d – fix #12
b24be6f – gene integration
d0ef7c7 – fix #23
c9c6d51 – fix #25
7fba77d – fix #26
92209bc – implemented IoC scanning fix #22
e808367 – fix #27
a4295d4 – fix #30 fix #21
d24fc25 – fix namespaces tests
a26220e – new Container enum
7ee8795 – minor refactor in namespaces.rs
1980f61 – fix #20: parent image is set to “kernel” when parent is a kthread. Also fix ancestors.
35aac7c – refactored correlation related struct and fn to be less confusing
83a9dfb – fix #17: data model harmonization
9f83a87 – fix file_unlink probe reporting bpf errors in very specific conditions
a93fc76 – fix #35 bug in schedule probe
da93fa5 – fix #36 error in prctl probe
a3ce05b – fix #34 error in clone probe
d459e20 – detect containers on procfs
b217037 – new probe for finit_module
b0fd394 – fix #38 simplify clone probe
adc104f – fix #16 improved errors happening in BPF and refactored kunai-common
7bbdae9 – improved dns_query related probes with the aim of removing all possible errors
b2ed03e – new podman container
52fbfbf – fix issue #48 in eBPF cgroup parsing: we now give userland a chance to resolve the cgroup
09ce207 – fix #50 removed completely FdMap
f0e0f97 – fix #53 ancestor in all events
75bb362 – fixed bug in KernelVersion::from_sys
9b85d44 – improved perf of write events with caching
4edac4a – fix #54 remove mount event
d4efffe – migration to latest stable Aya \o/
Install & Use
Copyright © 2023 RawSec