{"id":13632277,"url":"https://github.com/exein-io/pulsar","last_synced_at":"2025-05-15T00:13:02.609Z","repository":{"id":37584406,"uuid":"504882729","full_name":"exein-io/pulsar","owner":"exein-io","description":"A modular and blazing fast runtime security tool for the IoT, powered by eBPF.","archived":false,"fork":false,"pushed_at":"2025-05-13T20:21:44.000Z","size":6945,"stargazers_count":948,"open_issues_count":17,"forks_count":57,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-05-13T21:30:02.094Z","etag":null,"topics":["ebpf","kernel","linux","rust","security"],"latest_commit_sha":null,"homepage":"https://pulsar.sh","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/exein-io.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-06-18T15:38:05.000Z","updated_at":"2025-05-13T20:13:44.000Z","dependencies_parsed_at":"2023-12-11T13:29:09.741Z","dependency_job_id":"be876b54-47b5-4338-9db5-4e416ba362c4","html_url":"https://github.com/exein-io/pulsar","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exein-io%2Fpulsar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exein-io%2Fpulsar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exein-io%2Fpulsar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/exein-io%2Fpulsar/manifests","owner_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/exein-io","download_url":"https://codeload.github.com/exein-io/pulsar/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254249206,"owners_count":22039029,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kernel","linux","rust","security"],"created_at":"2024-08-01T22:02:58.590Z","updated_at":"2025-05-15T00:12:57.597Z","avatar_url":"https://github.com/exein-io.png","language":"Rust","funding_links":[],"categories":["Rust","security"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg width=\"300\" src=\"assets/pulsar-logo-black.png#gh-light-mode-only\" alt=\"Pulsar dark logo\"\u003e\n  \u003cimg width=\"300\" src=\"assets/pulsar-logo-white.png#gh-dark-mode-only\" alt=\"Pulsar light logo\"\u003e\n\n  \u003cp\u003e\n    \u003ca href=\"https://github.com/exein-io/pulsar/actions/workflows/release.yaml\"\u003e\n      \u003cimg src=\"https://github.com/exein-io/pulsar/actions/workflows/release.yaml/badge.svg?branch=main\" alt=\"Release\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://discord.gg/ZrySDqhBtZ\"\u003e\u003cimg src=\"https://img.shields.io/discord/986983233256321075?color=%2331c753\u0026logo=discord\"\u003e\n    \u003ca href=\"https://opensource.org/licenses/Apache-2.0\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/License-Apache_2.0-blue.svg\" alt=\"License\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/License-GPL--2.0-blue.svg\" alt=\"License\"\u003e\n    \u003c/a\u003e\n  
\u003c/p\u003e\n\u003c/div\u003e\n\nPulsar is a security tool for monitoring the activity of Linux devices at runtime, powered by [eBPF](https://ebpf.io/).\n\nThe Pulsar core modules use eBPF probes to collect events from the kernel in a safe and efficient way. Pulsar events can be categorized into the following four main areas:\n\n- **Processes**: process information, including file execution and file opening.\n- **File I/O**: I/O operations on disk and memory.\n- **Network**: data from the network stack.\n\nPulsar is built with a modular design that makes it easy to adapt the core architecture to new use cases, create new modules or write custom rules.\n\n## Quickstart\n\n\u003e **Warning**  \n\u003e A kernel 5.5 or higher with BPF and BTF enabled is required. Visit the official Pulsar website for the full [requirements](https://pulsar.sh/docs/faq/kernel-requirements/) and [installation options](https://pulsar.sh/docs/getting-started/installation) available.\n\nTo download and install Pulsar, run the following in your terminal:\n\n```sh\ncurl --proto '=https' --tlsv1.2 -LsSf https://github.com/exein-io/pulsar/releases/latest/download/pulsar-install.sh | sh\n```\n\nLaunch the pulsar daemon in a terminal **with administrator privileges**:\n\n```sh\npulsard\n```\n\nThat's pretty much it. At this point Pulsar is actively monitoring the activity of all the target processes, and checking it against the set of security policies defined in the rules file. 
You can test this by triggering a threat event, for example by running the following command in another terminal:\n\n```sh\nln -s /etc/shadow /tmp/secret\n```\n\nIn the pulsar terminal you should see something similar to:\n\n```console\n[2023-02-07T14:29:09Z  THREAT  /usr/bin/ln (36267)] [rules-engine - { rule_name = \"Create sensitive files symlink\" }] File Link { source: /tmp/secret, destination: /etc/shadow, hard_link: false }\n```\n\nAs you can see, Pulsar identifies the previous command as a threat event.\n\n### How does it work?\n\nBehind the scenes, when an application performs an operation, it gets intercepted at kernel level by the Pulsar BPF probes, turned into a unique event object and sent to userspace. There, the Pulsar rule engine processes the event against the set of rules defined in the rules file and, if there is a match, it emits a new event, marked as a threat. Finally, a logger module prints threat events to the terminal.\n\nIn the example above, the event produced matched the following rule:\n\n```yaml\n- name: Create sensitive files symlink\n  type: FileLink\n  condition: (payload.destination IN [\"/etc/shadow\", \"/etc/sudoers\", \"/etc/pam.conf\", \"/etc/security/pwquality.conf\"] OR payload.destination STARTS_WITH \"/etc/sudoers.d/\" OR payload.destination STARTS_WITH \"/etc/pam.d\") AND payload.hard_link == \"false\"\n```\n\n## Installation\n\n### (Recommended) Using the official installation script\n\nThe recommended approach to getting started with Pulsar is by using the official installation script. Follow the guide in the [Quickstart](#quickstart) section.\n\n### Use Pre-built Binaries\n\nAnother way to install Pulsar is to use a pre-built binary. Binaries are available for the [latest release](https://github.com/exein-io/pulsar/releases/latest). Use `pulsar-exec` for x86-64 (`pulsar-exec-static` for a static build) or `pulsar-exec-static-aarch64` for the AArch64 platform. 
With this approach you also need to download and set up the [helper scripts](./scripts) for a more convenient way to start in daemon/cli mode.\n\n### Build from source\n\nWe do not recommend building Pulsar from source. Building from source is only necessary if you wish to make modifications. If you want to play with the source code, check the [Developers](https://pulsar.sh/docs/category/developers) section of the documentation.\n\n## Resources\n\n- [Read the docs](https://pulsar.sh/docs): understand how to install and set up Pulsar.\n- [Concepts](https://pulsar.sh/docs/category/concepts): dive deep into Pulsar architecture and main concepts.\n- [Tutorials](https://pulsar.sh/docs/category/tutorials): learn how to use Pulsar with practical examples.\n- [Develop new eBPF modules](https://pulsar.sh/docs/developers/tutorials/create-ebpf-probe-module): build new eBPF probes and integrate them into Pulsar through the modules system.\n- [Roadmap](https://github.com/orgs/exein-io/projects/14): check out the plan for next Pulsar releases.\n- [Support](https://discord.gg/MQgaTPef7a): join the Discord server for community support.\n\n## Contributing\n\nIf you're interested in contributing to Pulsar — thank you!\n\nWe have a [contributing guide](CONTRIBUTING.md) which will help you get involved in the project. Also check the [Developers](https://pulsar.sh/docs/category/developers) section of the documentation for more information on Pulsar development.\n\n## Community\n\nJoin the Pulsar [Discord server](https://discord.gg/MQgaTPef7a) to chat with developers, maintainers, and the whole community. 
You can also drop any question about Pulsar on the official [GitHub discussions](https://github.com/exein-io/pulsar/discussions) or use the [GitHub issues](https://github.com/exein-io/pulsar/issues) for feature requests and bug reports.\n\n## License\n\nPulsar is [licensed](./LICENSE) under two licenses — Pulsar userspace code is licensed under [APACHE-2.0](./LICENSES/LICENSE-APACHE-2.0). Pulsar eBPF probes are licensed under [GPL-2.0](./LICENSES/LICENSE-GPL-2.0).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexein-io%2Fpulsar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexein-io%2Fpulsar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexein-io%2Fpulsar/lists"}