Pulsar release v0.6.0

The Exein team is happy to announce a new version of Pulsar, 0.6.0. Pulsar is a powerful, blazing fast runtime security observability framework designed for the IoT. Pulsar uses the latest eBPF technology to trace and collect system activity information directly from the kernel.

To download and install Pulsar, run the following in your terminal:

```sh
curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/Exein-io/pulsar/main/pulsar-install.sh | sh
```

Rewritten rule-engine

The rules-engine module is one of the central pieces of Pulsar, as it is responsible for checking whether the eBPF events represent a threat to the system. In this release we have completely rewritten validatron, the reflection engine that powers it. Validatron compiles textual rules into closures, which can efficiently check every Pulsar event for anomalous behavior.

This rewrite adds support for comparing fields to each other (the old version required a constant on the right-hand side of an operator) and support for collections through the `CONTAINS` operator. On top of that, the new code is both more flexible and easier to read, which will make it easier to add new features in the next releases.

```yaml
- name: Executable deleted itself
  type: FileDeleted
  condition: payload.filename == header.image
```

Example of comparing fields to each other
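To make the "rules compiled into closures" idea concrete, here is an added example, not validatron's actual code: it assumes a simplified flattened `Event` type (scalar fields and collection fields keyed by path) and compiles a one-line condition into a `Box<dyn Fn(&Event) -> bool>`, supporting both field-to-field comparison and `CONTAINS`.

```rust
use std::collections::HashMap;

/// Flattened event (a hypothetical simplification of Pulsar's event shape):
/// "header.image" -> scalar field, "payload.argv" -> collection field.
#[derive(Default)]
pub struct Event {
    pub scalars: HashMap<&'static str, String>,
    pub lists: HashMap<&'static str, Vec<String>>,
}

/// A compiled rule: a closure evaluated against every event.
pub type Rule = Box<dyn Fn(&Event) -> bool>;

/// Resolve an operand: a quoted constant ("...") or a field path on the event.
fn scalar(ev: &Event, op: &str) -> Option<String> {
    match op.strip_prefix('"').and_then(|s| s.strip_suffix('"')) {
        Some(constant) => Some(constant.to_string()),
        None => ev.scalars.get(op).cloned(),
    }
}

/// Compile `lhs OP rhs` (OP is == or CONTAINS) into a closure. Both sides may be
/// field paths, so fields can be compared to each other; a missing field never fires.
pub fn compile(condition: &str) -> Result<Rule, String> {
    let parts: Vec<String> = condition.split_whitespace().map(str::to_string).collect();
    let [lhs, op, rhs] = <[String; 3]>::try_from(parts)
        .map_err(|_| format!("expected `lhs OP rhs`, got: {}", condition))?;
    match op.as_str() {
        "==" => Ok(Box::new(move |ev: &Event| {
            matches!((scalar(ev, &lhs), scalar(ev, &rhs)), (Some(a), Some(b)) if a == b)
        })),
        // CONTAINS: left side is a collection, right side a scalar (field or constant).
        "CONTAINS" => Ok(Box::new(move |ev: &Event| {
            match (ev.lists.get(lhs.as_str()), scalar(ev, &rhs)) {
                (Some(list), Some(needle)) => list.contains(&needle),
                _ => false,
            }
        })),
        other => Err(format!("unknown operator: {}", other)),
    }
}

/// Constructed sample event (not real Pulsar output): a process unlinking its
/// own executable, the "Executable deleted itself" case from the post.
pub fn sample_event() -> Event {
    let mut ev = Event::default();
    ev.scalars.insert("header.image", "/tmp/app".into());
    ev.scalars.insert("payload.filename", "/tmp/app".into());
    ev.lists.insert("payload.argv", vec!["/tmp/app".into(), "--quiet".into()]);
    ev
}
```

The closure is built once per rule, so the string parsing cost is paid at load time rather than on every event.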

New cgroup-based filtering

Pulsar can now generate events only for processes belonging to a particular cgroup. Since all container engines use cgroups under the hood, this feature makes it possible to target specific containers.

For more information check the source code and the documentation.

Full changelog
