All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
bpf_strncmpcompatibility for older kernel versions
- MITRE compatible ruleset
- rule dsl: type methods
- rule dsl: unary conditions
- rule dsl: option field support
- boltdb support for
podmancontainer configuration
- read cgroup name in BPF
- one character string value in rule engine DSL
- handle containers which were running before Pulsar
- support for monitoring containers within the core functionality
- new
descriptionfield in the Threat structure, providing a human-readable description of the threat - new
namespacesfield for events related to fork and exec operations - SMTP integration within the module for logging threats to sent threats also via email
- ability to modules to display warnings as part of their functionality
- syslog capabilities to the logger module
- new
enabled_by_defaultflag for every module, allowing the definition of default behavior - CI: create release/dev containers on tags/main-updates
- bpf: refactored preemption in the BPF probes
- CI: rewritten workflows because of deprecated actions
- move dependecnies in workspace
- bpf: clean probes license
- issue introduced by changes in the kernel affecting the layout of the
struct iov_iterinnetwork-monitorprobe - doctest in the
validationmodule - check the payload before applying the ruleset in the
rule-enginemodule to correctly handle cases of rules only on the header - bpf: disable stack protector on probes
- cross compilation task
- bpf loop detection
- extract absolute file paths on exec
- cgroup support
- collection support in rules
- dynamic fields compare in rules
- improved LSM autodetect
- allow more that one BPF program per module
- moved
get_path_strto shared header - more modular event filtering
- validatron rewrite
- uname parse for wsl2
- module manager start command
- memory alignments issue in bpf output event struct
- warning on stopping never started modules
- better examples
- markdown link checker
desktop-notifiermodule- event monitor API endpoint
monitorcommand onpulsarcli- scripts to ease development
- support for kernel 6.x
LOOPmacro to handle loops withbpf_loopon supported kernels
- improve test suite
- better daemon/logger module output format
- new threat event structure to support derived, custom, empty payloads
- send eBPF events in a more memory efficient way
- move pulsar to workspace root package
- sporadic segmentation fault when running test-suite
- track parent process changes
- module/crate version coherency
- startup warnings in ebpf programs
- non core payloads from payload variants
- Basic rules
- argv in events
- Installed download basic rules
- Cross containers
- FIleFlag checks and compare
- Pulsar installer script
- Github release workflow
- Increase rlimit on daemon start
- More network events and fields
- More filesystem events and fields
- Better quickstart on README
- Strip debug symbols from BPF probes
- Proper error context in
bpf-common - Improved fields in
Payloadstructure
- Delete correct unix socket
- Error handling in
ProcessTracker
- update
axumto address a cve
- Initial support for Android
- Add Github workflows
- Add xtask commands (test, pulsard, pulsar, probe)
- Replace Kprobes with LSM and tracepoints where possible
- Refactor test suite as external executable