Threat-hunting tool for Linux
The goal behind this project is to bring relevant events to achieve various monitoring tasks ranging from security monitoring to Threat Hunting on Linux based systems. If you are familiar with Sysmon on Windows, you can think of Kunai as being a Sysmon equivalent for Linux.
All the kernel components of this project run as eBPF programs (also called probes). Kunai embeds a number of probes that collect the information relevant to security monitoring. Once the work is done on the eBPF side, the information is passed on to a userland program which is responsible for various things, such as re-ordering, enriching and correlating events.
On the implementation side, Kunai is written mostly in Rust, leveraging the awesome Aya library, so everything you need to run is a single standalone binary embedding both the eBPF probes and the userland program.
Before going further, I have to remind you that a distribution-agnostic (built with musl) pre-compiled version of kunai is available on the release page. So if you just want to give kunai a try, you probably don't need to build the project yourself.
The project is a little bit tricky to build as it uses cutting-edge Aya and bpf-linker features. In order to provide a single binary you can run on any kernel, kunai uses BPF CO-RE, which requires bpf-linker to support debugging information in order to generate proper BTF information. To compile bpf-linker you will also need to compile a custom version of LLVM, which includes some specific patches. Please do not run away now, because we have made this process very easy.
Before being able to build everything, you need to install a couple of tools.
rustup, cmake, ninja, git, clang, lld, libbpf-dev
Example of commands to install requirements on Ubuntu/Debian:
sudo apt update
sudo apt install -y cmake ninja-build clang lld git libbpf-dev
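Before starting the long LLVM build it is worth confirming that every requirement above is actually present. The following script is an added example (not part of the kunai project): it checks the tools listed above on PATH and looks for the libbpf header that libbpf-dev installs. The header search directories and the assumption that libbpf-dev provides `bpf/libbpf.h` under `/usr/include` are my own, not something stated in the README.

```shell
#!/bin/sh
# Added example: prerequisite check for building kunai from source.
# Not part of the kunai project; the tool list is the one given in the README.
# libbpf-dev is a package rather than a command, so it is checked through its header.

# Tools the README says must be installed before `cargo xtask build-tools`.
KUNAI_BUILD_TOOLS="rustup cmake ninja git clang lld"

# Print, one per line, the names from the argument list that are not on PATH.
missing_tools() {
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
        fi
    done
}

# Return 0 when a C header is found under the usual include roots
# (assumed locations: /usr/include, Debian multiarch directories, /usr/local/include).
have_header() {
    header="$1"
    for dir in /usr/include /usr/include/*-linux-gnu /usr/local/include; do
        if [ -f "$dir/$header" ]; then
            return 0
        fi
    done
    return 1
}

# Run all checks; return 0 only when nothing is missing.
check_build_prereqs() {
    status=0
    missing="$(missing_tools $KUNAI_BUILD_TOOLS)"
    if [ -n "$missing" ]; then
        echo "missing build tools (see the apt line above):"
        printf '  %s\n' $missing
        status=1
    fi
    # Assumption: libbpf-dev installs bpf/libbpf.h; adjust if your distro differs.
    if ! have_header bpf/libbpf.h; then
        echo "libbpf headers not found (install libbpf-dev)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "all kunai build prerequisites present"
    return "$status"
}

# Usage: source this file and call check_build_prereqs, or run it directly.
# The `|| true` keeps a missing tool from aborting a caller that sourced us.
check_build_prereqs || true
```

Run it once before `cargo xtask build-tools`; a non-zero return from `check_build_prereqs` means at least one item from the requirement list is absent, which is cheaper to learn now than after a failed LLVM build.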
Now the only thing you need is to run a command and brew a coffee because the first LLVM compilation takes time.
cargo xtask build-tools
After a little while, you get the custom bpf-linker installed in the build-tools directory within kunai's root directory.
Please note that this step absolutely does not remove any prior bpf-linker installation made with cargo install bpf-linker.
NB: do not delete the build-tools directory, unless you want to compile bpf-linker/LLVM again from scratch.
Once you have the build-tools ready, you don't need to build them again. You can now build the project with xtask, a cargo command (specific to this project) to make your life easier.
Building debug version
cargo xtask build
# find your executable in: ./target/x86_64-unknown-linux-musl/debug/kunai
Building release version (harder, better, faster, stronger)
cargo xtask build --release
# find your executable in: ./target/x86_64-unknown-linux-musl/release/kunai
Let's say you want to cross-compile Kunai for aarch64 using MUSL, so that you have a single static binary at the end.
# install the target
rustup target add aarch64-unknown-linux-musl
# build the project; here we use lld as linker and it works for the aarch64-unknown-linux-musl target
cargo xtask build --release --target aarch64-unknown-linux-musl --linker /usr/bin/lld
# find your executable in: ./target/aarch64-unknown-linux-musl/release/kunai
If using lld does not work, you need to find the appropriate linker to use when cross-compiling to the wanted target. Please dig a bit on the internet for that as I don't know them all, and it also depends on your distribution.
NB: the --linker option is just a shortcut for setting the appropriate RUSTFLAGS env variable when building the userland application.
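When a cross-compile goes wrong (a host linker silently picked up, a stale artifact left from an x86_64 build) the result is often a binary at the expected path that is not for the target at all. The following is an added example, not part of the kunai project: it reads the ELF header of the produced file and checks that its machine type is really aarch64 before you ship it. The default artifact path is the one the README gives; the `write_sample_aarch64_header` function writes a constructed 20-byte header so the check can be exercised on a machine with no kunai build present.

```shell
#!/bin/sh
# Added example: verify that a cross-compiled kunai binary really targets aarch64.
# Not part of the kunai project. Only the ELF header is inspected, so this works
# on a foreign-architecture file without executing it.

# Print the architecture of an ELF file, derived from e_ident[EI_CLASS] (byte 4)
# and the little-endian e_machine field (bytes 18-19). Prints "not-elf" and
# returns 1 when the ELF magic is absent.
elf_arch() {
    file="$1"
    # First 20 header bytes as hex, squeezed onto one line, then split into $1..$20.
    hdr="$(od -An -tx1 -N20 "$file" | tr -s ' \n' ' ')"
    set -- $hdr
    [ "$1$2$3$4" = "7f454c46" ] || { echo "not-elf"; return 1; }
    class="$5"
    machine="${20}${19}"   # high byte then low byte of the little-endian field
    case "$class:$machine" in
        02:00b7) echo "aarch64" ;;   # ELFCLASS64, EM_AARCH64 (0xb7)
        02:003e) echo "x86_64" ;;    # ELFCLASS64, EM_X86_64  (0x3e)
        *) echo "unknown(class=$class,machine=0x$machine)" ;;
    esac
}

# Check that the kunai binary exists at the README's aarch64 MUSL artifact path
# (or a path given as $1) and that it is an aarch64 ELF. Returns 0 on success.
verify_cross_build() {
    bin="${1:-./target/aarch64-unknown-linux-musl/release/kunai}"
    [ -f "$bin" ] || { echo "no binary at $bin"; return 1; }
    arch="$(elf_arch "$bin")"
    [ "$arch" = "aarch64" ] || { echo "expected aarch64, got $arch"; return 1; }
    echo "$bin is an aarch64 ELF"
}

# Constructed sample input, not a real binary: a minimal 20-byte header with the
# ELF magic, class 2 (64-bit) and e_machine 0x00b7 (octal \267 \000) at offset 18.
write_sample_aarch64_header() {
    printf '\177ELF\002\000\000\000\000\000\000\000\000\000\000\000\000\000\267\000' > "$1"
}

# Usage after the cross-compile above:  verify_cross_build
# Usage against the constructed sample: write_sample_aarch64_header /tmp/h && elf_arch /tmp/h
```

`od -tx1` and `printf` with octal escapes are POSIX, so the script runs under dash as well as bash. The check deliberately does not rely on the `file` utility, whose output wording varies between versions; the two header fields it reads are fixed by the ELF specification.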
Sysmon For Linux: https://github.com/Sysinternals/SysmonForLinux
The NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity. It underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, incident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims to establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, offering hands-on experience in cyber ranges.
NGSOTI is co-funded under the Digital Europe Programme (DEP) via the ECCC (European Cybersecurity Competence Network and Competence Centre).