v0.4.0

What's Changed

• fix: ancestors and parent_exe for zombie process by @qjerome in #141
• enhance: process tracking by @qjerome in #142
• fix: broken events url in README.md by @gkamathe in #140
• fix: double quotes on spaces in Buffer::to_argv by @qjerome in #143
• rework(user): configuration by @qjerome in #144
• feat: unbuffered output by @qjerome in #145
• feat: file create event by @qjerome in #146
• feat: rule string template by @qjerome in #147
• feat: benchmark in replay command by @qjerome in #148

Full Changelog: v0.3.1...v0.4.0

v0.3.1

What's Changed

• fix(user): avoid using serde(flatten) in events by @qjerome in #139

Full Changelog: v0.3.0...v0.3.1

v0.3.0

New Features:

• Log Rotation: Automatic log rotation keeps your logs clean and manageable. [#77]
• Revamped Command Line Interface (CLI): The CLI has been overhauled for a smoother user experience. [#85]
• New kill security event: A new kill event provides additional tracking for security incidents. [#89]
• Option to Run in Hardened Mode: Introduces a hardened mode with LSM (Linux Security Modules) integration for enhanced protection. [#89]
• Handle actions of detection rules: Detection rules can now handle specific actions, offering greater flexibility. [#91]
• Yara integration: Integrates with YARA-X, enabling advanced malware detection capabilities. [#91]
• New Security Event When a File is Written then Closed: A new event for write-and-close actions is added for finer-grained monitoring. [#101]
• Community-ID Support: Integrates the Community-ID standard, making it easier to correlate network data. [#103]
• Event Filtering by Name: You can now filter by event name directly within detection rules. [#112]
• Installation Command: A new CLI command simplifies installation. [#119]
• View Logs with CLI: The CLI now includes a logs command to make log access faster and more convenient. [#126]
• Option of Installation in Hardened Mode: Install Kunai in hardened mode to maximize security by default. [#129]
• New Ptrace Security Event: A new security event for ptrace actions, giving deeper insight into system interactions. [#137]

Improvements and Fixes

• fix: simplify build by @qjerome in #75
• fix #72: bug trying to match container type in rule by @qjerome in #76
• fix: aarch64 compatibility by @qjerome in #78
• fix: run error never shown by @qjerome in #79
• fix: imports by @qjerome in #81
• fix: tokio task panic propagation by @qjerome in #86
• fix: broken clippy command for eBPF by @qjerome in #87
• fix: high memory consumption issue by @qjerome in #95
• fix #70: making IoC severity configurable by @qjerome in #97
• fix: namespace cache by @qjerome in #98
• chore: prepare new release by @qjerome in #99
• fix: aarch64 build by @qjerome in #100
• enhance: faster EventProducer implementation by @qjerome in #102
• rm: remove unused dependencies by @qjerome in #104
• fix: aarch64 warnings in schedule/clone probes by @qjerome in #106
• fix(user): fix #105 by @qjerome in #107
• add(workflow): create kernel-tracker.yml by @qjerome in #108
• chg(workflow): trigger kernel-tracker.yml on PR by @qjerome in #109
• refactor(user): moved bpf loading in library by @qjerome in #110
• fix(workflow): optimize kernel-tracker.yml by @qjerome in #111
• fix: event processing by @qjerome in #114
• rework(cli): grouped options under config subcommand by @qjerome in #115
• fix: issue with CI build due to latest Aya release by @qjerome in #118
• fix: display error field in FileMeta and in FileScanData by @qjerome in #120
• fix: update yara-x by @qjerome in #121
• fix(main): check if another kunai instance is running by @qjerome in #122
• chg: config format by @qjerome in #123
• optimize(user): do not setns when it is not needed by @qjerome in #124
• fix(ebpf): null byte in probe_name macro by @qjerome in #125
• fix(main): kill_event not implement in replay command by @qjerome in #127
• fix(main): restart harden by @qjerome in #128
• refactor(user): ns operation as FnOnce by @qjerome in #130
• fix(main): kill bug by @qjerome in #131
• fix(ebpf): ignore kunai events by @qjerome in #132
• fix(main): arbitrary ext ioc/rule file loading by @qjerome in #133
• chore: aya upgrade by @qjerome in #134
• fix(main): show only positive scans by @qjerome in #135
• fix(user): normalize file -> path by @qjerome in #136
• refactor: write_and_close -> write_close by @qjerome in #138

Full Changelog: v0.2.6...v0.3.0

Funding

The NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity. It underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, incident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims to establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, offering hands-on experience in cyber ranges.

v0.3.0-beta.1

New Features

• feat: new write_and_close event by @qjerome in #101
• feat: integrate community-id by @qjerome in #103
• feat: filter by event name in rules by @qjerome in #112
• feat: install CLI command by @qjerome in #119
• feat(user): add a logs command in CLI by @qjerome in #126

Other Changes

• enhance: faster EventProducer implementation by @qjerome in #102
• rm: remove unused dependencies by @qjerome in #104
• fix: aarch64 warnings in schedule/clone probes by @qjerome in #106
• fix(user): fix #105 by @qjerome in #107
• add(workflow): create kernel-tracker.yml by @qjerome in #108
• chg(workflow): trigger kernel-tracker.yml on PR by @qjerome in #109
• refactor(user): moved bpf loading in library by @qjerome in #110
• fix(workflow): optimize kernel-tracker.yml by @qjerome in #111
• fix: event processing by @qjerome in #114
• rework(cli): grouped options under config subcommand by @qjerome in #115
• fix: issue with CI build due to latest Aya release by @qjerome in #118
• fix: display error field in FileMeta and in FileScanData by @qjerome in #120
• fix: update yara-x by @qjerome in #121
• fix(main): check if another kunai instance is running by @qjerome in #122
• chg: config format by @qjerome in #123
• optimize(user): do not setns when it is not needed by @qjerome in #124
• fix(ebpf): null byte in probe_name macro by @qjerome in #125
• fix(main): kill_event not implement in replay command by @qjerome in #127

Full Changelog: v0.3.0-alpha.1...v0.3.0-beta.1

v0.3.0-alpha.2

What's Changed

• feat: new write_and_close event by @qjerome in #101
• enhance: faster EventProducer implementation by @qjerome in #102
• feat: integrate community-id by @qjerome in #103

Full Changelog: v0.3.0-alpha.1...v0.3.0-alpha.2

v0.3.0-alpha.1

New Features

• new CLI
• new kill event generated when a process attempt at killing another
• harden mode: prevent kunai from being tampered with by other processes
• action handling: detection rules can be configured with actions to take after detection
  • kill: kill the process triggering the detection rules
  • scan-files: scan any file path contained in event with Yara rules
• new file_scan event: generated when a scan-files action is run
• IoC now contain severity information: allow to attribute more or less importance to some IoC sources/types

Notable fix

• High memory consumption on the long run or when kunai runs under stress conditions

What's Changed

• feat: new CLI by @qjerome in #85
• fix: tokio task panic propagation by @qjerome in #86
• fix: broken clippy command for eBPF by @qjerome in #87
• feat: new kill event + hardened mode through LSM by @qjerome in #89
• feat: implement handling action in detection rules + yara-x integration by @qjerome in #91
• fix: high memory consumption issue by @qjerome in #95
• fix #70: making IoC severity configurable by @qjerome in #97
• fix: namespace cache by @qjerome in #98
• chore: prepare new release by @qjerome in #99
• fix: aarch64 build by @qjerome in #100

Full Changelog: v0.2.4...v0.3.0-alpha.1

v0.2.6

Features

• enhanced rules conditions, now support: none of them, none of $VAR_PREFIX, any of them, any of $VAR_PREFIX, all of them, all of $VAR_PREFIX, N of them and N of $VAR_PREFIX
• enhanced event selection, now support - (minus) in front of event-ids to filter them out.

Fix

• aarch64 compatibility is fixed and working
• fixed hidden verifier error

Changelog

ef65e98 - chg: [ebpf] moved remaining CORE field accesses to use core_read_kernel macro + renamed error to be more generic
ed60416 - fix #71: aarch64 compatibility
dd119e3 - chg: [ebpf] removed unused import
65ea2bc - Merge pull request #78 from kunai-project/fix-aarch64-compat
424314f - fix: [kunai] run error never shown
565caa5 - Merge pull request #79 from kunai-project/fix-run-error
f5a075b - fix: [kunai] remove unused import + deny(unused_import)
e578608 - fix: [kunai-common] deny(unused_import)
797633c - fix: [ebpf] deny(unused_import)
3a79a29 - chg: [common] removed useless commands in shim.c
f428a67 - chg: [all] deny(warnings)
e4cf307 - chg: update gene to 0.2.0
1b1f321 - fix:[ci] take vmlinuz from alpine
bfcbadb - fix:[ci] wrong if in test_kernel.sh
d3574f8 - Merge pull request #81 from kunai-project/fix-imports
68612c8 - chore: Release
a68fefc - chg: [ebpf] rm Cargo.lock + add .gitignore
6d80ae5 - chore: Release kunai-ebpf version 0.2.5

v0.2.5

Features

• Log rotation with maximum size and compression

Improvements

• Upgrade of gene (log matching engine)
• Build process simplified -> no need to compile LLVM anymore
• Upgrade Rust nightly toolchain for eBPF
• eBPF probes improvements 

Changelog

894d331 - chg: [kunai] removed useless comment
9ebaea9 - chg: [kunai] info message location for probe loading
0201214 - fix: [kunai-common] fix verifier errors when compiling eBPF with latest nightly
5c1e2a3 - chg: [kunai-common] remove unused imports in eBPF
26ced3d - fix: BPF verifier issues with latest nightly
dd3678c - chg: [kunai-ebpf] bump toolchain
f013333 - fix: [xtask] remove build-tools related code
f99ecd0 - chg: [workflow] cleanup not to use build tools
74dd203 - add: [workflow] test for LTS kernel 6.6
db23181 - fix: [workflow] install bpf-linker after cache retrieval
ef0c776 - chg:[readme] updated with simplified build process
a731d85 - Merge pull request #75 from kunai-project/wip-simplify-build
80a289d - fix #72: bug trying to matcher container type in rule
38ba081 - Merge pull request #76 from kunai-project/bug-fix-72
0a20bd4 - chg: update gene-rs
c10d632 - fix #73: [kunai] implement log rotation
5b3caaf - Merge pull request #77 from kunai-project/impl-log-rotation
767c541 - chore: Release
fdcf374 - chg: [kunai-ebpf] cargo.lock
2192f1a - chore: Release kunai-ebpf version 0.2.4

v0.2.4

0da4c4c - fix #65: issue with send_data probe
e642d12 - chg: make send_data trigger configurable + probe improvement
f13aab1 - chg:[kunai-ebpf] comment in send_data.rs
d47e7ea - chg: [kunai-ebpf] consistent IpPort APIs
fb41cfc - chg: [kunai] remove debug message of dns packet
e2fc29a - chg: [kunai] update gene crates
801f869 - fix: [kunai] ancestor resolution
7f283b8 - chg: [kunai] handle stdin in kunai replay
2d268a0 - chg: update README.md
69ea3ce - chg: [kunai] refactored var names in main.rs
7556dfe - chg: [kunai-ebpf] early return if event is disabled in high throughput probes
d486a59 - chg: [kunai] use tokio tasks for all workers
503ef09 - chg: [kunai] reworked sysconf call + fn to get PAGE_SIZE and PAGE_SHIFT
4c1c841 - chg: [kunai-common][ebpf] handle bio_vec in iov_iter
3c5656a - chg: [kunai-common] uniformize Buffer methods
403e0a5 - chg: [xtask] process workspace before eBPF in release command

v0.2.3

0e826d8 - fix #64: clone event has wrong information