This release introduces several new features, performance improvements, bug fixes, and infrastructure updates focused on enhancing system monitoring, stability, and resource management.
🎉 New Features
- File System Event Limiting: Implemented a new feature to limit file-system-related events, improving resource management and preventing event floods. The limit is enforced per CPU and distinguishes a task-level limit from a global limit, for fine-grained control.
- User/Group Name Resolution: Added the ability to resolve and include user and group names in events, enhancing the context and value of audit logging and security event analysis.
- Start Event: A new `start` event is introduced to provide detailed information about the agent startup process as well as system-related information.
- Error Event: Introduced a new `error` event designed to bubble up important error conditions into Kunai logs, such as filesystem event throttling decisions. These events provide visibility into critical issues affecting system operation.
- Event Loss Event: Implemented a new `event_loss` event to report cases where events are lost between the kernel and userland because the userland component cannot keep up with high kernel event rates. This event provides important information about system load and potential data loss.
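The per-CPU limiter described above, with separate task-level and global budgets, and the throttling decisions it surfaces for a log event, as an added illustration. This is not Kunai's eBPF code: Kunai enforces the limit in kernel maps, while this is a userland model of the same policy. The names (`FsEventLimiter`, `ThrottleReport`, the two `*_max_eps` parameters) and the one-second window are assumptions of the example, not Kunai's configuration keys or event schema.

```rust
use std::collections::HashMap;

/// Outcome of admitting one file-system event on a given CPU.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Allow,
    TaskLimited,   // this task exhausted its own budget on this CPU for the window
    GlobalLimited, // the CPU-wide budget for the window is exhausted
}

/// A throttling decision handed to userland: the kind of condition an error/log
/// event would carry. Hypothetical shape, not Kunai's event format.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ThrottleReport {
    pub cpu: usize,
    pub window: u64, // one-second window (unix seconds) in which drops happened
    pub dropped: u32,
}

/// Counters one CPU keeps for its current one-second window.
#[derive(Default)]
struct CpuWindow {
    window: u64,
    global: u32,                 // events admitted on this CPU in the window
    per_task: HashMap<u64, u32>, // events admitted per task id in the window
    dropped: u32,                // events refused in the window
}

pub struct FsEventLimiter {
    task_max_eps: u32,   // assumed: per-task events per second, per CPU
    global_max_eps: u32, // assumed: all-tasks events per second, per CPU
    cpus: Vec<CpuWindow>,
    reports: Vec<ThrottleReport>,
}

impl FsEventLimiter {
    pub fn new(ncpus: usize, task_max_eps: u32, global_max_eps: u32) -> Self {
        Self {
            task_max_eps,
            global_max_eps,
            cpus: (0..ncpus).map(|_| CpuWindow::default()).collect(),
            reports: Vec::new(),
        }
    }

    /// Decide whether an event raised by `task` on `cpu` at `now_secs` is kept.
    /// The global budget is checked first so that one noisy task cannot starve
    /// the CPU, then the task budget; refused events only bump a counter.
    pub fn check(&mut self, cpu: usize, task: u64, now_secs: u64) -> Decision {
        let state = &mut self.cpus[cpu];
        if state.window != now_secs {
            // window rollover: emit one report per CPU and window that saw drops
            if state.dropped > 0 {
                self.reports.push(ThrottleReport { cpu, window: state.window, dropped: state.dropped });
            }
            *state = CpuWindow { window: now_secs, ..Default::default() };
        }
        if state.global >= self.global_max_eps {
            state.dropped += 1;
            return Decision::GlobalLimited;
        }
        let task_count = state.per_task.entry(task).or_insert(0);
        if *task_count >= self.task_max_eps {
            state.dropped += 1;
            return Decision::TaskLimited;
        }
        *task_count += 1;
        state.global += 1;
        Decision::Allow
    }

    /// Events refused on `cpu` in its current window.
    pub fn dropped(&self, cpu: usize) -> u32 {
        self.cpus[cpu].dropped
    }

    /// Drain the throttling reports accumulated at window rollovers.
    pub fn take_reports(&mut self) -> Vec<ThrottleReport> {
        std::mem::take(&mut self.reports)
    }
}

fn main() {
    // constructed burst: task 100 floods CPU 0, task 200 follows on CPU 0 and CPU 1
    let mut limiter = FsEventLimiter::new(2, 3, 5);
    for _ in 0..5 {
        println!("cpu0 task100 t=1 -> {:?}", limiter.check(0, 100, 1));
    }
    for _ in 0..3 {
        println!("cpu0 task200 t=1 -> {:?}", limiter.check(0, 200, 1));
    }
    println!("cpu1 task200 t=1 -> {:?}", limiter.check(1, 200, 1));
    println!("cpu0 task100 t=2 -> {:?}", limiter.check(0, 100, 2));
    println!("reports: {:?}", limiter.take_reports());
}
```

Because counters are per CPU, the same task gets a fresh budget on every CPU it runs on, so the effective global rate is the per-CPU limit multiplied by the CPU count; size the limits with that in mind.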
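The user/group name resolution feature above and the parsing bugs fixed below both come down to reading the passwd and group databases robustly. The following is an added example, not Kunai's resolver: it parses text in `/etc/passwd` and `/etc/group` format, tolerates comments, short records and non-numeric ids (counting them instead of logging each one), keeps the first entry for a duplicated id as `getpwuid(3)` would, and falls back to the numeric id as text so an event never loses the raw value. The type and method names (`IdResolver`, `user_label`) and the input below are constructed for the example.

```rust
use std::collections::HashMap;

/// Resolves uid/gid to names from passwd- and group-formatted text.
pub struct IdResolver {
    users: HashMap<u32, String>,
    groups: HashMap<u32, String>,
    malformed: usize, // records skipped across both databases
}

/// Parse one colon-separated database. Both /etc/passwd and /etc/group share
/// the shape `name:password:id:...`, so one parser serves both.
/// Returns the id->name map and the number of records skipped.
fn parse_db(text: &str) -> (HashMap<u32, String>, usize) {
    let mut map = HashMap::new();
    let mut skipped = 0;
    for line in text.lines() {
        let line = line.trim_end();
        // blank lines and comments (common in hand-edited files) carry no record
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let fields: Vec<&str> = line.split(':').collect();
        // a record needs at least name, password marker and numeric id
        if fields.len() < 3 || fields[0].is_empty() {
            skipped += 1;
            continue;
        }
        let Ok(id) = fields[2].trim().parse::<u32>() else {
            skipped += 1;
            continue;
        };
        // first entry wins for duplicate ids, matching getpwuid(3)/getgrgid(3)
        map.entry(id).or_insert_with(|| fields[0].to_string());
    }
    (map, skipped)
}

impl IdResolver {
    pub fn from_text(passwd: &str, group: &str) -> Self {
        let (users, bad_users) = parse_db(passwd);
        let (groups, bad_groups) = parse_db(group);
        Self { users, groups, malformed: bad_users + bad_groups }
    }

    pub fn user_name(&self, uid: u32) -> Option<&str> {
        self.users.get(&uid).map(String::as_str)
    }

    pub fn group_name(&self, gid: u32) -> Option<&str> {
        self.groups.get(&gid).map(String::as_str)
    }

    /// Value to place in an event: the name when known, else the id as text.
    pub fn user_label(&self, uid: u32) -> String {
        self.user_name(uid).map(str::to_string).unwrap_or_else(|| uid.to_string())
    }

    pub fn group_label(&self, gid: u32) -> String {
        self.group_name(gid).map(str::to_string).unwrap_or_else(|| gid.to_string())
    }

    /// How many records were rejected; worth one summary log line, not one per record.
    pub fn malformed(&self) -> usize {
        self.malformed
    }
}

// Constructed sample databases exercising the edge cases above.
pub const SAMPLE_PASSWD: &str = "\
root:x:0:0:root:/root:/bin/bash
# a comment line some tools write
toor:x:0:0:duplicate uid:/root:/bin/sh
alice:x:1000:1000:Alice, Room 1:/home/alice:/bin/zsh
broken line without colons
ghost:x:notanumber:100::/nonexistent:/usr/sbin/nologin
";

pub const SAMPLE_GROUP: &str = "\
root:x:0:
wheel:x:10:alice
";

fn main() {
    let r = IdResolver::from_text(SAMPLE_PASSWD, SAMPLE_GROUP);
    for uid in [0u32, 1000, 4242] {
        println!("uid {uid} -> {}", r.user_label(uid));
    }
    println!("gid 10 -> {}", r.group_label(10));
    println!("{} malformed record(s) skipped", r.malformed());
}
```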
✨ Enhancements
- Error and Log Event Refactor: Refactored the error event into a more general `log` event, which distinguishes informational, warning, and error messages. This gives more accurate terminology and more flexibility when generating events.
- Path Structure Rework: Improved the `Path` structure to simplify path resolution and compute path hashes, and introduced a `Path::MapKey` struct for generating unique map keys, leading to improved efficiency and better structure handling.
🐞 Bug Fixes
- Execve Probe Fix: Addressed a rare error in the `execve` probe by aligning map sizes and offloading some work to the `try_security_bprm_check` function, improving the stability of the probes.
- User/Group Resolution Bug: Fixed bugs in parsing user/group information and reduced log verbosity to ease debugging.
- Public IP Check Fix: Corrected the `is_public_ip` function to handle specific edge cases.
- Hostname Handling: Fixed an issue that prevented the hostname from being resolved correctly on RHEL9 systems.
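The page does not say which edge cases the `is_public_ip` fix covered, so the following added example (not Kunai's function) shows the ranges such a check usually has to exclude and the cases that most often slip through: carrier-grade NAT space (100.64.0.0/10), the documentation and benchmarking blocks, the 224.0.0.0/4 and 240.0.0.0/4 ranges, and IPv4 addresses embedded in IPv6 (`::ffff:a.b.c.d` and the NAT64 prefix `64:ff9b::/96`), which must be judged by their IPv4 part rather than treated as ordinary global IPv6. The function names and the sample addresses are constructed for the example; only the standard library is used.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// True for IPv4 ranges that are never routable on the public Internet.
fn ipv4_is_non_public(ip: Ipv4Addr) -> bool {
    let [a, b, c, _] = ip.octets();
    matches!(
        (a, b, c),
        (0, _, _)            // 0.0.0.0/8 "this network"
        | (10, _, _)         // 10.0.0.0/8 RFC 1918
        | (100, 64..=127, _) // 100.64.0.0/10 carrier-grade NAT, RFC 6598
        | (127, _, _)        // 127.0.0.0/8 loopback
        | (169, 254, _)      // 169.254.0.0/16 link-local
        | (172, 16..=31, _)  // 172.16.0.0/12 RFC 1918
        | (192, 0, 0)        // 192.0.0.0/24 IETF protocol assignments
        | (192, 0, 2)        // 192.0.2.0/24 TEST-NET-1
        | (192, 88, 99)      // 192.88.99.0/24 former 6to4 relay anycast
        | (192, 168, _)      // 192.168.0.0/16 RFC 1918
        | (198, 18..=19, _)  // 198.18.0.0/15 benchmarking, RFC 2544
        | (198, 51, 100)     // 198.51.100.0/24 TEST-NET-2
        | (203, 0, 113)      // 203.0.113.0/24 TEST-NET-3
        | (224..=255, _, _)  // 224.0.0.0/4 multicast, 240.0.0.0/4 reserved, broadcast
    )
}

/// True for IPv6 addresses that are not globally routable. IPv4 addresses
/// embedded in IPv6 are classified by their IPv4 part.
fn ipv6_is_non_public(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d (IPv4-mapped): what dual-stack sockets report for IPv4 peers
    if let Some(v4) = ip.to_ipv4_mapped() {
        return ipv4_is_non_public(v4);
    }
    let s = ip.segments();
    // 64:ff9b::/96 NAT64 well-known prefix: the last 32 bits are the IPv4 address
    if s[0] == 0x64 && s[1] == 0xff9b && s[2..6] == [0, 0, 0, 0] {
        let v4 = Ipv4Addr::new((s[6] >> 8) as u8, s[6] as u8, (s[7] >> 8) as u8, s[7] as u8);
        return ipv4_is_non_public(v4);
    }
    ip.is_unspecified()
        || ip.is_loopback()
        || (s[0] & 0xfe00) == 0xfc00        // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80        // fe80::/10 link-local
        || (s[0] & 0xff00) == 0xff00        // ff00::/8 multicast
        || (s[0] == 0x2001 && s[1] == 0x0db8) // 2001:db8::/32 documentation
}

pub fn is_public_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => !ipv4_is_non_public(v4),
        IpAddr::V6(v6) => !ipv6_is_non_public(v6),
    }
}

/// Convenience for text input: None when the string is not an IP address at all,
/// so a caller cannot mistake a parse failure for "not public".
pub fn is_public_ip_str(text: &str) -> Option<bool> {
    text.trim().parse::<IpAddr>().ok().map(is_public_ip)
}

fn main() {
    // constructed samples covering the edge cases discussed above
    let samples = [
        "8.8.8.8", "10.1.2.3", "100.64.0.1", "100.128.0.1", "198.19.0.1",
        "::ffff:192.168.1.1", "::ffff:1.1.1.1", "64:ff9b::c0a8:1", "2001:db8::1", "fe80::1",
    ];
    for sample in samples {
        println!("{sample:>20} public = {:?}", is_public_ip_str(sample));
    }
}
```

Returning `Option<bool>` from the string form is deliberate: an unparsable value in an event is a data-quality problem to be surfaced, not an address to be silently classified either way.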
What's Changed
- feat: user/group name in events by @qjerome in #150
- fix(user): handle missing hostname in RHEL9 by @qjerome in #152
- feat: limit i/o related events by @qjerome in #153
- fix: dependabot alert by @qjerome in #154
- fix(main): is_public_ip was wrong for specific ips by @qjerome in #155
- chore: updates and upgrades by @qjerome in #156
- fix: user/group name resolution by @qjerome in #157
- refactor: turn error event into log event by @qjerome in #158
- feat: error event by @qjerome in #160
- fix: verbose error log by @qjerome in #161
- feat: agent event by @qjerome in #162
- fix: missing batch in event_loss events by @qjerome in #163
- feat: new start event by @qjerome in #164
- change: redefine new event ids by @qjerome in #165
- rename: max_eps_io -> max_eps_fs by @qjerome in #166
- fix: attempt execve rare error by @qjerome in #167
- chore: ebpf toolchain upgrade by @qjerome in #168
- refactor(ebpf): replace fn calls by clamp by @qjerome in #169
- chore: upgrade userland code toolchain by @qjerome in #170
- fix: event filter by @qjerome in #171
Full Changelog: v0.4.0...v0.5.0