The Exein team is happy to announce a new version of Pulsar, 0.6.0. Pulsar is a powerful, blazing fast runtime security observability framework designed for the IoT. Pulsar uses the latest eBPF technology to trace and collect system activity information directly from the kernel.
To download and install Pulsar, run the following in your terminal:
```sh
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/Exein-io/pulsar/main/pulsar-install.sh | sh
```
The rules-engine module is one of the central pieces of Pulsar, as it is responsible for checking whether eBPF events represent a threat to the system. In this release we have completely rewritten validatron, the reflection engine that powers it. Validatron compiles textual rules into closures, which can then efficiently check every Pulsar event for anomalous behavior.
This rewrite adds support for comparing fields to each other (the old version required a constant on the right-hand side of an operator) and support for collections through the `CONTAINS` operator. On top of that, the new code is both more flexible and easier to read, which will make it easier to add new features in the next releases.
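As an added illustration of the idea (not validatron's or Pulsar's own code: the rule grammar and the field names `image`, `parent_image` and `argv` are hypothetical), here is a minimal rule compiler in Rust that turns a textual rule into a closure once, then evaluates it against mock events. It covers the two additions described above: a field on the right-hand side of a comparison, and `CONTAINS` on a collection field.

```rust
// Hypothetical mini rule engine: compile a rule string into a closure once,
// then run that closure over events. Field names are constructed for this example.
use std::collections::HashMap;

// A mock event: scalar fields plus collection fields, both keyed by name.
#[derive(Default)]
pub struct Event {
    pub scalars: HashMap<String, String>,
    pub lists: HashMap<String, Vec<String>>,
}

// The right-hand side may be a quoted constant or the name of another field.
enum Rhs { Const(String), Field(String) }

pub type Check = Box<dyn Fn(&Event) -> bool>;

// Grammar: `<field> (==|!=|CONTAINS) (<field>|"<literal>")`. Parsing happens here,
// once; matching an event is just a closure call with no string parsing on the hot path.
pub fn compile(rule: &str) -> Result<Check, String> {
    let parts: Vec<&str> = rule.split_whitespace().collect();
    let (lhs, op, raw) = match parts.as_slice() {
        &[lhs, op, raw] => (lhs.to_string(), op, raw),
        _ => return Err(format!("expected `<field> <op> <operand>`, got: {rule}")),
    };
    let rhs = match raw.strip_prefix('"').and_then(|s| s.strip_suffix('"')) {
        Some(lit) => Rhs::Const(lit.to_string()),
        None => Rhs::Field(raw.to_string()),
    };
    // Resolve the operand at match time; a field operand reads the event, a constant does not.
    let resolve = move |ev: &Event| -> Option<String> {
        match &rhs {
            Rhs::Const(c) => Some(c.clone()),
            Rhs::Field(f) => ev.scalars.get(f).cloned(),
        }
    };
    match op {
        "==" | "!=" => {
            let negate = op == "!=";
            Ok(Box::new(move |ev: &Event| match (ev.scalars.get(&lhs), resolve(ev)) {
                (Some(l), Some(r)) => (*l == r) != negate, // a missing field never matches
                _ => false,
            }))
        }
        "CONTAINS" => Ok(Box::new(move |ev: &Event| match (ev.lists.get(&lhs), resolve(ev)) {
            (Some(list), Some(needle)) => list.contains(&needle),
            _ => false,
        })),
        other => Err(format!("unknown operator: {other}")),
    }
}

// Constructed sample event: a shell spawning `cat /etc/shadow`.
pub fn sample_event() -> Event {
    let mut ev = Event::default();
    ev.scalars.insert("image".into(), "/usr/bin/cat".into());
    ev.scalars.insert("parent_image".into(), "/bin/sh".into());
    ev.lists.insert("argv".into(), vec!["cat".into(), "/etc/shadow".into()]);
    ev
}
```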
New cgroup-based filtering
Pulsar can now generate events only for processes belonging to a particular cgroup. Since all container engines use cgroups under the hood, this feature makes it possible to target specific containers.
- [new] Rewritten rule-engine with support for collections
- [new] Add xtask for cross-compiling and running over an SSH target
- [new] Update Clang to version 16
- [new process-monitor] Emit cgroup events
- [new] Allow filtering processes by cgroup
- [fix] Improved auto-detection for kernels with LSM support
- [fix] Fixed v0.5.0 regression on kernels older than 5.13
- [fix] Fixed a bug on Windows Subsystem for Linux
- [fix process-monitor] Make sure to extract absolute file paths on exec
- [fix network-monitor] Fixed an error recognizing UDP connections on kernel 5.5
- [fix] Return error when trying to start a module which is already running