Ecdysis is a next-generation, cross-distro kernel security framework that operates at the root of the OS to detect and neutralize threats before they reach user space. It provides real-time integrity monitoring, active threat interception, and zero-day resilience for enterprise, governmental and research environments.
- Key Goals
- Highlights
- Architecture
- Components & Integrations
- Editions
- Quick Start
- Configuration
- Usage
- Deployment Notes
- Contributing
- License
- Contact
Key Goals
- Provide kernel-level threat detection and prevention across Linux distributions.
- Maintain real-time integrity checks and active interception of attacks that attempt to reach user space.
- Offer a free distribution for governments, educational institutions and research labs while providing an enterprise edition with advanced analytics and AI-assisted threat modeling.
Highlights
- Kernel-level monitoring and enforcement (root of system operations).
- Zero-day resilience through pre-user-space interception.
- Forensics & crash log collection for post-incident analysis.
- Integrations with common security tooling for layered defense (antivirus, YARA, VirusTotal, firewall control, LKRG, SELinux).
Architecture
Ecdysis is designed as a modular kernel-centric framework with userland orchestration components:

```
+-------------------------+
|  Userland Orchestrator  |
|  - Policy Manager       |
|  - Analytics (optional) |
|  - Config / UI / APIs   |
+-----------+-------------+
            |
+-----------v-------------+
|     Kernel Vanguard     |  <-- Core: integrity hooks, interception, active blocking
|  - LKRG-like monitoring |
|  - Active interception  |
+-----------+-------------+
            |
+-----------v-------------+
|    Integrations Layer   |
|  - ClamAV / YARA        |
|  - VirusTotal queries   |
|  - Firewalld / UFW      |
+-------------------------+
```

The architecture idea and component list come from the project brief.
Components & Integrations
The framework anticipates integration with the following (examples from the project brief):
- ClamAV — Signature-based scanning.
- YARA — Rule-based pattern matching.
- VirusTotal / Threat Intel — optional lookups for suspicious artifacts.
- Firewalld / UFW — firewall/reactive network controls.
- LKRG (or equivalent) — kernel integrity monitoring helpers.
- SELinux / FA Policy — mandatory access controls and policies.
- Forensics / Crash Logging — automatic capture of forensic artifacts and crash traces.
Quick Start
NOTE: Ecdysis is a kernel-level project. Running or building kernel code requires care. The commands below are example placeholders — replace with your actual build/test commands and ensure you test in VMs or isolated hardware.
Configuration
Ecdysis is configurable via YAML/JSON policy files. Example skeleton:
```yaml
mode: "monitor"          # monitor | enforce
integrations:
  clamav: true
  yara: true
  virustotal: false
policies:
  kernel:
    allow_modules: []
    deny_signatures: []
forensics:
  capture_on_violation: true
  output_dir: /var/log/ecdysis/forensics
logging:
  level: INFO
  remote_syslog: false
```

Place the file at /etc/ecdysis/ecdysis.yaml, or pass its path with --config to the userland orchestrator.
Usage & Examples
Monitor mode — observe kernel activity and produce alerts without blocking. Best suited to initial deployment and policy tuning.
Enforce mode — actively intercept and prevent policy violations at the kernel level. Use only after thorough testing in monitor mode.
Forensics — on a policy violation, capture traces, memory dumps (where feasible), and related logs for analysis.
(Provide CLI examples and REST API docs in docs/ folder — TODO.)
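The following is an added example, not code from the Ecdysis project, showing how the policy skeleton above and the monitor/enforce distinction fit together: it loads a policy file, validates it (failing closed on an unknown `mode`), and evaluates a kernel-module load event against `allow_modules` / `deny_signatures`. The event fields (`module`, `signature`), the decision vocabulary (`allow`, `alert`, `block`) and the rule that an empty `allow_modules` list means "no allow-listing" are this example's own assumptions. JSON is used rather than YAML so it runs with the standard library only; the README states both formats are accepted.

```python
"""Added example (not Ecdysis project code): load a policy in the README's
skeleton format and evaluate a kernel-module load event against it.
Assumed names: the event fields ('module', 'signature') and the decision
vocabulary ('allow', 'alert', 'block') are this example's own, not Ecdysis's.
"""
import json
from dataclasses import dataclass

VALID_MODES = {"monitor", "enforce"}

# Constructed sample policy (JSON form of the README's YAML skeleton, with
# placeholder entries on the allow and deny lists).
SAMPLE_POLICY = """
{
  "mode": "enforce",
  "integrations": {"clamav": true, "yara": true, "virustotal": false},
  "policies": {
    "kernel": {
      "allow_modules": ["nf_conntrack", "xfs"],
      "deny_signatures": ["sha256:PLACEHOLDER_DENIED_HASH"]
    }
  },
  "forensics": {"capture_on_violation": true,
                "output_dir": "/var/log/ecdysis/forensics"},
  "logging": {"level": "INFO", "remote_syslog": false}
}
"""


def load_policy(text: str) -> dict:
    """Parse and validate a policy document; raise ValueError (fail closed)
    on a malformed file rather than silently defaulting to monitor mode."""
    policy = json.loads(text)
    mode = policy.get("mode")
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {sorted(VALID_MODES)}, got {mode!r}")
    kernel = policy.get("policies", {}).get("kernel", {})
    for key in ("allow_modules", "deny_signatures"):
        if not isinstance(kernel.get(key, []), list):
            raise ValueError(f"policies.kernel.{key} must be a list")
    return policy


@dataclass
class Decision:
    action: str     # "allow", "alert" (monitor mode) or "block" (enforce mode)
    reason: str
    capture: bool   # True when forensic capture should be triggered


def evaluate_module_load(policy: dict, module: str, signature: str) -> Decision:
    """Decide how to treat a module-load event.

    A denied signature or, when an allow list is configured, a module absent
    from it is a violation. In monitor mode a violation only alerts; in
    enforce mode it is blocked. Forensic capture follows capture_on_violation.
    Assumption: an empty allow_modules list (as in the skeleton) disables
    allow-listing instead of denying every module.
    """
    kernel = policy["policies"]["kernel"]
    allow = set(kernel.get("allow_modules", []))
    deny = set(kernel.get("deny_signatures", []))
    capture = bool(policy.get("forensics", {}).get("capture_on_violation", False))

    if signature in deny:
        reason = f"signature {signature} is on the deny list"
    elif allow and module not in allow:
        reason = f"module {module} is not on the allow list"
    else:
        return Decision("allow", "module permitted by policy", False)

    action = "block" if policy["mode"] == "enforce" else "alert"
    return Decision(action, reason, capture)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for mod, sig in [("xfs", "sha256:ok"), ("unknown_mod", "sha256:ok"),
                     ("xfs", "sha256:PLACEHOLDER_DENIED_HASH")]:
        print(mod, sig, evaluate_module_load(policy, mod, sig))
```

The point of the `Decision` record is that monitor and enforce differ only in the action taken on a violation; the detection logic and the forensic-capture trigger are identical in both modes, which is what makes a monitor-mode rollout a faithful rehearsal of enforce mode.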
Deployment Notes & Safety
Testing: Always test kernel modifications in a controlled VM or isolated testbed. Kernel faults can render systems unbootable.
Compatibility: Intended to be cross-distro, but kernel ABI differences can require per-distro packaging and matching kernel headers.
Privacy & Compliance: Forensic capture may include sensitive data. Ensure deployments meet legal and compliance requirements.