Kunai is a powerful tool designed to bring actionable insights for tasks such as security monitoring and threat hunting on Linux systems. Think of it as the Linux counterpart to Sysmon on Windows, tailored for comprehensive and precise event monitoring.
- Chronologically Ordered Events: Events are processed and delivered in the exact order they occur.
- On-Host Correlation: Built-in capabilities for event enrichment and correlation to provide deeper context.
- Container-Aware: Fully compatible with Linux namespaces and container technologies, enabling complete tracing of container activities.
Kunai leverages eBPF (Extended Berkeley Packet Filter) technology, with kernel-level probes that capture critical events. These probes send data to a userland program, responsible for tasks like reordering, enriching, and correlating the collected events.
On the implementation side, Kunai is predominantly written in Rust, using the robust Aya library. This design ensures a self-contained standalone binary, embedding both the eBPF probes and the userland processing logic for ease of deployment.
- Is it compatible with my OS/Kernel ? : Check out the compatibility page
- What kind of events can I get ? : Please take a read to events documentation
- Which version should I use ?: If it is just to test the tool, use the latest build as it is always the best in terms of features and bug fix. However keep in mind that events in non stable releases are subject to change.
Before proceeding, please note that a distribution-agnostic, pre-compiled version of Kunai is available on the release page. If you simply want to try Kunai, you likely don’t need to build the project yourself.
You can use a Docker image that includes everything needed to build the project easily: Kunai build docker image.
This one-size-fits-all solution should work on any Linux distribution.
Before being able to build everything, you need to install a couple of tools.
- to build many Rust projects (this one included), you need
rustup - to build kunai you need:
clang,libbpf-devandbpf-linker
Example of commands to install requirements on Ubuntu/Debian:
sudo apt update
sudo apt install -y clang libbpf-dev
# assuming you have rustup and cargo installed
cargo install bpf-linkerOnce you have the requirements installed, you are good to go. You can now build the project with xtask, a cargo command (specific to this project) to make your life easier.
Building debug version
cargo xtask build
# find your executable in: ./target/x86_64-unknown-linux-musl/debug/kunaiBuilding release version (harder, better, faster, stronger)
cargo xtask build --release
# find your executable in: ./target/x86_64-unknown-linux-musl/release/kunai- Install the proper target using rustup
rustup install target aarch64-unknown-linux-gnu - You need to install appropriate compiler and linker to cross-compile
# example on ubuntu
sudo apt install gcc-aarch64-linux-gnu- Cross-compile the project
# compile the project for with release profile
CC=aarch64-linux-gnu-gcc cargo xbuild --release --target aarch64-unknown-linux-gnu --linker aarch64-linux-gnu-gcc- You should find your cross-compiled binary at
./target/aarch64-unknown-linux-gnu/release/kunai
NB: specifying --linker option is just a shortcut for setting appropriate RUSTFLAGS env variable when building userland
application.
If one believes Kunai has an issue with memory, here is a way to profile it.
# compile kunai with debug information for all packages
RUSTFLAGS="-g" cargo xbuild
# use heaptrack
sudo heaptrack kunaiSysmon For Linux: https://github.com/Sysinternals/SysmonForLinux
- Thanks to all the people behind Aya, this stuff is just awesome
- Special thanks to @alessandrod and @vadorovsky
- Thanks to all the usual guys always supporting my crazy ideas
The NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity. It underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, incident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims to establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, offering hands-on experience in cyber ranges.
NGSOTI is co-funded under Digital Europe Programme (DEP) via the ECCC (European cybersecurity competence network and competence centre).