Explore Kunai Events
📄️ Event Layout and Info Section
Every Kunai event carries a set of common fields shared by all events. These fields provide information that can be used for advanced purposes such as event identification, grouping or correlation.
📄️ Start
This event is generated when Kunai starts and contains both system-related information and Kunai-specific details. It helps in understanding the system's state and verifying the Kunai configuration and environment at startup.
📄️ Execve
This event is generated when a new process is created using one of the execve system calls. The execve system calls execute a program within the context of an existing process, replacing the current process image with a new one. This event is crucial for monitoring process execution and understanding the lineage and behavior of processes on a Linux system.
📄️ Execve Script
This event is generated when a script or binary is executed using the execve family of system calls. The execve_script event is a specialized form of the execve event, focusing on the execution of script files and binaries. This event is essential for monitoring script and binary executions, which are often used in automation, system administration, and various other tasks.
📄️ Exit
Exit events are generated when a single task (process or thread) exits.
📄️ Exit Group
Event generated when a thread-group (process and all its threads) exits.
📄️ Clone
A task is being cloned/forked. This means that a new task will be created
📄️ Prctl
A prctl event is generated when a process makes a call to the prctl syscall. As you can
📄️ Kill
This event is generated when a kill signal is sent to a foreign process.
📄️ Ptrace
Event generated when a ptrace syscall is issued. .data.mode reflects the ptrace mode as defined in the Linux kernel headers.
📄️ Init Module
This kind of event is generated when a kernel module is loaded into the kernel.
📄️ Bpf Prog Load
This event is generated every time a BPF program is loaded into the kernel.
📄️ Bpf Socket Filter Attached
A socket filter attachment has been made (for instance via the getsockopt syscall).
📄️ Mprotect Exec
This kind of event is generated when the protection of a memory region is changed to executable.
📄️ Mmap Exec
This event is generated whenever the mmap syscall is used to map an executable file into memory with execute protection.
📄️ Connect
This event is generated every time a connect attempt is made to a remote IP.
📄️ Dns Query
This event is generated when a DNS response is received on the host and gives insight into the query, the response and the DNS resolver.
📄️ Send Data
This event is generated when data is sent to a remote IP address.
📄️ Read
This event is generated whenever a file is read.
📄️ Read Config
This event is generated whenever a file located in /etc is being read.
📄️ Write
This event is generated whenever a file is written.
📄️ Write Config
This event is generated whenever a file located in /etc is being written.
📄️ File Rename
This event is generated whenever a file is being renamed.
📄️ File Unlink
Event generated when a file gets unlinked.
📄️ Write and Close
An event generated when a file that has been written is being closed. This is a great hook event to trigger a file scan, as the file is not supposed to be written again.
📄️ File Create
This event is generated when a new file is being created at .data.path.
📄️ IO Uring SQE
This event is generated when Kunai detects a submission queue entry (SQE) in the io_uring subsystem. The io_uring subsystem is a Linux kernel feature that provides an asynchronous I/O interface, allowing applications to perform I/O operations without blocking the calling thread. This event captures details about the operation being submitted.
📄️ File Scan
Such events are generated when a scan-files action is requested. This event is a bit particular compared to the others because it is triggered from another event. You can find the **cross-reference** to the **triggering event** in the .data.sourceevent field.
📄️ Error
This event is generated when Kunai encounters an error. It provides detailed information about the error, including its code, message, and context. The error event helps in diagnosing and resolving issues effectively by surfacing critical details.
📄️ Event Loss
This event is generated when Kunai detects that some events were lost between the kernel and Kunai userland. It reflects a scenario where the event monitor cannot keep up with the kernel's pace. Such occurrences are inevitable when Kunai is configured to log very frequent events, such as file system activities (read, write, filecreated, fileunlink, etc.). While these events are valuable for detailed analysis, their high frequency may lead to unavoidable losses.