dev

This is a nightly release based on main branch. Do not use for production

v0.9.0

What's Changed

Fixed

• path_rename lsm hook for kernel >= 5.19
• BREAKING: threat logger module rename
• docker container ID parsing with cgroupfs driver
• BREAKING: Event display format removing additional line
• rules DSL quoted strings
• filtering test

Added

• detect image layer directory for podman
• ci: integration test using architest
• ci: bundle the installer in the release
• syslog priority
• add uid and gid to event header and process map
• allow threats to be logged as JSON
• new metadata fields for the rules (category, severity, description)
• include riscv64gc in pulsar-install.sh

Changed

• BREAKING: xtask: switch to xtask surun command to improve running as root in development
• BREAKING: use elf_check instead of elf_check_enabled in file-system-monitor
• BREAKING: new modules API, modules need to simply implement a trait
• ci: run workflows on all pull requests, not only the ones to main branch
• improved BPF features detection
• ci: use cross-rs even for native builds
• BREAKING: xtask: unify test and cross subcommands
• prefer rustls over OpenSSL for static builds

Removed

• wrong telnet rule

---

Check out the changelog for details on all the changes and fixes.

v0.8.1

What's Changed

Fixed

• bpf_strncmp compatibility for older kernel versions

---

Check out the changelog for details on all the changes and fixes.

v0.8.0

What's Changed

Added

• MITRE compatible ruleset
• rule dsl: type methods
• rule dsl: unary conditions
• rule dsl: option field support

---

Check out the changelog for details on all the changes and fixes.

v0.7.1

What's Changed

Added

• boltdb support for podman container configuration

Changed

• read cgroup name in BPF

Fixed

• one character string value in rule engine DSL
• handle containers which were running before Pulsar

---

Check out the changelog for details on all the changes and fixes.

v0.7.0

What's Changed

Added

• support for monitoring containers within the core functionality
• new description field in the Threat structure, providing a human-readable description of the threat
• new namespaces field for events related to fork and exec operations
• SMTP integration within the module for logging threats to sent threats also via email
• ability to modules to display warnings as part of their functionality
• syslog capabilities to the logger module
• new enabled_by_default flag for every module, allowing the definition of default behavior
• CI: create release/dev containers on tags/main-updates

Changed

• bpf: refactored preemption in the BPF probes
• CI: rewritten workflows because of deprecated actions
• move dependecnies in workspace
• bpf: clean probes license

Fixed

• issue introduced by changes in the kernel affecting the layout of the struct iov_iter in network-monitor probe
• doctest in the validation module
• check the payload before applying the ruleset in the rule-engine module to correctly handle cases of rules only on the header
• bpf: disable stack protector on probes

---

Check out the changelog for details on all the changes and fixes.

v0.6.0

What's Changed

Added

• cross compilation task
• bpf loop detection
• extract absolute file paths on exec
• cgroup support
• collection support in rules
• dynamic fields compare in rules

Changed

• improved LSM autodetect
• allow more that one BPF program per module
• moved get_path_str to shared header
• more modular event filtering
• validatron rewrite

Fixed

• uname parse for wsl2
• module manager start command
• memory alignments issue in bpf output event struct
• warning on stopping never started modules

---

Check out the changelog for details on all the changes and fixes.

v0.5.0

What's Changed

Added

• better examples
• markdown link checker
• desktop-notifier module
• event monitor API endpoint
• monitor command on pulsar cli
• scripts to ease development
• support for kernel 6.x
• LOOP macro to handle loops with bpf_loop on supported kernels

Changed

• improve test suite
• better daemon/logger module output format
• new threat event structure to support derived, custom, empty payloads
• send eBPF events in a more memory efficient way
• move pulsar to workspace root package

Fixed

• sporadic segmentation fault when running test-suite
• track parent process changes
• module/crate version coherency
• startup warnings in ebpf programs

Removed

• non core payloads from payload variants

---

Check out the changelog for details on all the changes and fixes.

v0.4.0

Added

• Basic rules
• argv in events

Changed

• Installed download basic rules

Fixed

• Cross containers
• FIleFlag checks and compare

---

Check out the changelog for details on all the changes and fixes.

v0.3.0

Added

• Pulsar installer script
• Github release workflow
• Increase rlimit on daemon start
• More network events and fields
• More filesystem events and fields

Changed

• Better quickstart on README
• Strip debug symbols from BPF probes
• Proper error context in bpf-common
• Improved fields in Payload structure

Fixed

• Delete correct unix socket
• Error handling in ProcessTracker

Security

• update axum to address a cve

---

Check out the changelog for details on all the changes and fixes.