{"id":15057017,"url":"https://github.com/kunai-project/kunai","last_synced_at":"2025-05-15T07:05:47.531Z","repository":{"id":177427377,"uuid":"656723700","full_name":"kunai-project/kunai","owner":"kunai-project","description":"Threat-hunting tool for Linux","archived":false,"fork":false,"pushed_at":"2025-05-05T12:35:44.000Z","size":1276,"stargazers_count":832,"open_issues_count":13,"forks_count":64,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-05-08T01:42:40.202Z","etag":null,"topics":["ebpf","linux","security-monitoring","threat-detection","threat-hunting"],"latest_commit_sha":null,"homepage":"https://why.kunai.rocks","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kunai-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"0xrawsec","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2023-06-21T14:02:18.000Z","updated_at":"2025-05-07T05:45:52.000Z","dependencies_parsed_at":"2023-11-10T12:33:01.045Z","dependency_job_id":"24f5d9ee-43b8-4f81-b674-e397d0d26dd4","html_url":"https://github.com/kunai-project/kunai","commit_stats":null,"previous_names":["0xrawsec/kunai","kunai-project/kunai"],"tags_count":116,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kunai-project%2Fkunai","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kunai-projec
t%2Fkunai/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kunai-project%2Fkunai/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kunai-project%2Fkunai/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kunai-project","download_url":"https://codeload.github.com/kunai-project/kunai/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254292042,"owners_count":22046426,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","linux","security-monitoring","threat-detection","threat-hunting"],"created_at":"2024-09-24T22:00:33.632Z","updated_at":"2025-05-15T07:05:42.522Z","avatar_url":"https://github.com/kunai-project.png","language":"Rust","funding_links":["https://github.com/sponsors/0xrawsec"],"categories":["Other Lists","Rust","Major Projects that Use Aya"],"sub_categories":["🧪 LAB","Aya-related talks"],"readme":"\u003cdiv align=\"center\"\u003e\u003cimg src=\"assets/logo.svg\" width=\"500\"/\u003e\u003c/div\u003e\n\n[![CI](https://img.shields.io/github/actions/workflow/status/0xrawsec/kunai/ci.yml?style=for-the-badge)](https://github.com/0xrawsec/kunai/actions/workflows/ci.yml)\n[![Downloads](https://img.shields.io/github/downloads/0xrawsec/kunai/total.svg?style=for-the-badge)]()\n[![Discord](https://img.shields.io/badge/Discord-chat-5865F2?style=for-the-badge\u0026logo=discord)](https://discord.com/invite/AUMaBvHvNU)\n\n[![GitHub release (with 
filter)](https://img.shields.io/github/v/release/0xrawsec/kunai?style=for-the-badge\u0026label=stable\u0026color=green)](https://github.com/0xrawsec/kunai/releases/latest)\n[![Documentation](https://img.shields.io/badge/docs-stable-blue.svg?style=for-the-badge\u0026logo=docsdotrs)](https://why.kunai.rocks)\n\n\u003c!--\n[![GitHub Latest Release](https://img.shields.io/github/v/release/kunai-project/kunai?include_prereleases\u0026style=for-the-badge\u0026label=unstable\n)](https://github.com/kunai-project/kunai/releases)\n[![Documentation](https://img.shields.io/badge/docs-unstable-orange.svg?style=for-the-badge\u0026logo=docsdotrs)](https://why.kunai.rocks/docs/next/quickstart)\n--\u003e\n\n# Leitmotiv\n\nKunai is a powerful tool designed to bring actionable insights for tasks such as **security monitoring** and **threat hunting** on **Linux** systems. Think of it as the Linux counterpart to Sysmon on Windows, tailored for comprehensive and precise event monitoring.\n\n## Why Kunai Stands Out\n\n- **Chronologically Ordered Events:** Events are processed and delivered in the exact order they occur.\n- **On-Host Correlation:** Built-in capabilities for event enrichment and correlation to provide deeper context.\n- **Container-Aware:** Fully compatible with Linux namespaces and container technologies, enabling complete tracing of container activities.\n\n## How It Works\n\nKunai leverages eBPF (Extended Berkeley Packet Filter) technology, with kernel-level probes that capture critical events. These probes send data to a userland program, responsible for tasks like reordering, enriching, and correlating the collected events.\n\nOn the implementation side, Kunai is predominantly written in Rust, using the robust [Aya library](https://github.com/aya-rs/aya). 
This design ensures a self-contained standalone binary, embedding both the eBPF probes and the userland processing logic for ease of deployment.\n\n# FAQ\n\n* **Is it compatible with my OS/Kernel?**: Check out [the compatibility page](https://why.kunai.rocks/docs/compatibility)\n* **What kind of events can I get?**: Please read the [events documentation](https://why.kunai.rocks/docs/events/)\n* **Which version should I use?**: If it is just to test the tool, use the latest build as it is always the best in terms of features and bug fixes. However, keep in mind that events in **non-stable** releases **are subject to change**.\n\n# How to Build the Project?\n\nBefore proceeding, please note that a distribution-agnostic, pre-compiled version of Kunai is available on the [release page](https://github.com/kunai-project/kunai/releases/latest). If you simply want to try Kunai, you likely don’t need to build the project yourself.\n\n## With a Docker image\n\nYou can use a Docker image that includes everything needed to build the project easily: [Kunai build docker image](https://github.com/kunai-project/kunai-build-docker/).  \nThis one-size-fits-all solution should work on any Linux distribution.\n\n## Doing everything by hand\n\n### Requirements\n\nBefore being able to build everything, you need to install a couple of tools.\n\n* to build many Rust projects (this one included), you need [`rustup`](https://www.rust-lang.org/tools/install)\n* to build kunai you need: `clang`, `libbpf-dev` and [`bpf-linker`](https://github.com/aya-rs/bpf-linker)\n\nExample of commands to install requirements on Ubuntu/Debian:\n\n```bash\nsudo apt update\nsudo apt install -y clang libbpf-dev\n\n# assuming you have rustup and cargo installed\ncargo install bpf-linker\n```\n\n### Building Kunai\n\nOnce you have the **requirements** installed, you are good to go. You can now build the project with **xtask**, a cargo command (specific to this project) to make your life easier.\n\nBuilding the debug version:\n```bash\ncargo xtask build\n# find your executable in: ./target/x86_64-unknown-linux-musl/debug/kunai\n```\n\nBuilding the release version (harder, better, faster, stronger):\n```bash\ncargo xtask build --release\n# find your executable in: ./target/x86_64-unknown-linux-musl/release/kunai\n```\n\n### Cross-compiling\n\n#### aarch64\n\n1. Install the proper target using rustup: `rustup target add aarch64-unknown-linux-gnu`\n2. Install the appropriate compiler and linker to cross-compile\n```bash\n# example on ubuntu\nsudo apt install gcc-aarch64-linux-gnu\n```\n3. Cross-compile the project\n```bash\n# compile the project with the release profile\nCC=aarch64-linux-gnu-gcc  cargo xbuild --release --target aarch64-unknown-linux-gnu --linker aarch64-linux-gnu-gcc\n```\n4. You should find your cross-compiled binary at `./target/aarch64-unknown-linux-gnu/release/kunai`\n\n**NB:** specifying the `--linker` option is just a shortcut for setting the appropriate RUSTFLAGS env variable when building the userland\napplication.\n\n# Memory Profiling\n\nIf one believes Kunai has an issue with memory, here is a way to profile it.\n\n```bash\n# compile kunai with debug information for all packages\nRUSTFLAGS=\"-g\" cargo xbuild\n\n# use heaptrack\nsudo heaptrack kunai\n```\n\n# Related Work\n\nSysmon For Linux: https://github.com/Sysinternals/SysmonForLinux\n\n# Acknowledgements\n\n* Thanks to all the people behind [Aya](https://github.com/aya-rs), this stuff is just awesome\n* Special thanks to [@alessandrod](https://github.com/alessandrod) and [@vadorovsky](https://github.com/vadorovsky)\n* Thanks to all the usual guys always supporting my crazy ideas\n\n# Funding\n\nThe NGSOTI project is dedicated to training the next generation of Security Operation Center (SOC) operators, focusing on the human aspect of cybersecurity.\nIt underscores the significance of providing SOC operators with the necessary skills and open-source tools to address challenges such as detection engineering, \nincident response, and threat intelligence analysis. Involving key partners such as CIRCL, Restena, Tenzir, and the University of Luxembourg, the project aims\nto establish a real operational infrastructure for practical training. This initiative integrates academic curricula with industry insights, \noffering hands-on experience in cyber ranges.\n\nNGSOTI is co-funded under the Digital Europe Programme (DEP) via the ECCC (European cybersecurity competence network and competence centre).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkunai-project%2Fkunai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkunai-project%2Fkunai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkunai-project%2Fkunai/lists"}