New Features:

• Log Rotation: Automatic log rotation keeps your logs clean and manageable. [#77]
• Revamped Command Line Interface (CLI): The CLI has been overhauled for a smoother user experience. [#85]
• New kill security event: A new kill event provides additional tracking for security incidents. [#89]
• Option to Run in Hardened Mode: Introduces a hardened mode with LSM (Linux Security Modules) integration for enhanced protection. [#89]
• Handle actions of detection rules: Detection rules can now handle specific actions, offering greater flexibility. [#91]
• Yara integration: Integrates with YARA-X, enabling advanced malware detection capabilities. [#91]
• New Security Event When a File is Written then Closed: A new event for write-and-close actions is added for finer-grained monitoring. [#101]
• Community-ID Support: Integrates the Community-ID standard, making it easier to correlate network data. [#103]
• Event Filtering by Name: You can now filter by event name directly within detection rules. [#112]
• Installation Command: A new CLI command simplifies installation. [#119]
• View Logs with CLI: The CLI now includes a logs command to make log access faster and more convenient. [#126]
• Option of Installation in Hardened Mode: Install Kunai in hardened mode to maximize security by default. [#129]
• New Ptrace Security Event: A new security event for ptrace actions, giving deeper insight into system interactions. [#137]

Improvements and Fixes

• fix: simplify build by @qjerome in #75
• fix #72: bug trying to match container type in rule by @qjerome in #76
• fix: aarch64 compatibility by @qjerome in #78
• fix: run error never shown by @qjerome in #79
• fix: imports by @qjerome in #81
• fix: tokio task panic propagation by @qjerome in #86
• fix: broken clippy command for eBPF by @qjerome in #87
• fix: high memory consumption issue by @qjerome in #95
• fix #70: making IoC severity configurable by @qjerome in #97
• fix: namespace cache by @qjerome in #98
• chore: prepare new release by @qjerome in #99
• fix: aarch64 build by @qjerome in #100
• enhance: faster EventProducer implementation by @qjerome in #102
• rm: remove unused dependencies by @qjerome in #104
• fix: aarch64 warnings in schedule/clone probes by @qjerome in #106
• fix(user): fix #105 by @qjerome in #107
• add(workflow): create kernel-tracker.yml by @qjerome in #108
• chg(workflow): trigger kernel-tracker.yml on PR by @qjerome in #109
• refactor(user): moved bpf loading in library by @qjerome in #110
• fix(workflow): optimize kernel-tracker.yml by @qjerome in #111
• fix: event processing by @qjerome in #114
• rework(cli): grouped options under config subcommand by @qjerome in #115
• fix: issue with CI build due to latest Aya release by @qjerome in #118
• fix: display error field in FileMeta and in FileScanData by @qjerome in #120
• fix: update yara-x by @qjerome in #121
• fix(main): check if another kunai instance is running by @qjerome in #122
• chg: config format by @qjerome in #123
• optimize(user): do not setns when it is not needed by @qjerome in #124
• fix(ebpf): null byte in probe_name macro by @qjerome in #125
• fix(main): kill_event not implement in replay command by @qjerome in #127
• fix(main): restart harden by @qjerome in #128
• refactor(user): ns operation as FnOnce by @qjerome in #130
• fix(main): kill bug by @qjerome in #131
• fix(ebpf): ignore kunai events by @qjerome in #132
• fix(main): arbitrary ext ioc/rule file loading by @qjerome in #133
• chore: aya upgrade by @qjerome in #134
• fix(main): show only positive scans by @qjerome in #135
• fix(user): normalize file -> path by @qjerome in #136
• refactor: write_and_close -> write_close by @qjerome in #138

Full Changelog: v0.2.6...v0.3.0

Funding

The NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity. It underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, incident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims to establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, offering hands-on experience in cyber ranges.