Open-Source Endpoint Security Software for Windows and Linux


Endpoint Detection Agent Simplifies Mixed Environment Monitoring

Cybersecurity professionals managing mixed Windows and Linux environments often struggle with maintaining multiple pipelines, rule sets, and software agents. A new open-source endpoint detection platform aims to streamline this process.

  • Rustinel, developed in Rust, offers a unified solution for detecting threats across both operating systems.
  • The agent leverages ETW for Windows and eBPF for Linux, providing comprehensive coverage of key system activities such as process creation, image loading, network events, file modifications, and registry interactions.
  • This allows for early warning and swift response times.

Operating System Support

  • Rustinel operates in user mode on both platforms, eliminating the need for complex kernel-level drivers.
  • On Windows, the agent can be installed as a service, ensuring seamless integration with existing infrastructure.
  • For Linux deployments, Rustinel requires kernel version 5.8 or later with BTF support and can run under either root or a designated supervisor.

Active Response Capabilities

  • Optional active response capabilities include dry-run functionality and allowlists for trusted paths.

Detection Engines

Rustinel employs three detection engines in parallel: Sigma, YARA, and IOC matching.

These mechanisms handle behavioral matching, malware detection, and indicator-of-compromise identification, respectively.

By leveraging existing defense content maintained by users, the combined approach enhances the overall effectiveness of the agent.

Limitations

  • Rustinel does not detect memory-only payloads, heavily obfuscated living-off-the-land activity, or novel behavior outside existing Sigma rules.
  • Encrypted command-and-control communications over trusted infrastructure can evade IOC matching unless the surrounding behavior triggers a rule.
  • Memory scanning with YARA is actively being developed to improve coverage against packed and runtime-unpacked payloads.
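To make the parallel-engine design and the IOC-evasion limitation above concrete, here is an added Rust sketch that is not Rustinel's own code (the article does not describe its rule formats or internal APIs): an IOC matcher and one Sigma-style behavioral rule both see every event, and a beacon to trusted infrastructure produces no IOC hit while the macro-to-PowerShell behavior around it still fires. The event fields, rule, hostnames and IOC list are all constructed for this illustration.

```rust
use std::collections::HashSet;

// One telemetry record; field names are this example's own, not Rustinel's.
pub struct Event {
    pub kind: &'static str,        // "process_create" or "network_connect"
    pub image: &'static str,       // acting process
    pub parent_image: &'static str,
    pub dest_host: &'static str,   // empty for non-network events
}

// IOC engine: exact match of the destination host against a blocklist.
pub fn ioc_match(ev: &Event, iocs: &HashSet<&str>) -> Option<String> {
    let hit = ev.kind == "network_connect" && iocs.contains(ev.dest_host);
    hit.then(|| format!("IOC: connection to {}", ev.dest_host))
}

// Sigma-style behavioral rule: an Office application spawning a script host.
pub fn sigma_office_spawns_script(ev: &Event) -> Option<String> {
    let office = ["winword.exe", "excel.exe"];
    let hosts = ["powershell.exe", "wscript.exe"];
    let hit = ev.kind == "process_create"
        && office.contains(&ev.parent_image)
        && hosts.contains(&ev.image);
    hit.then(|| format!("Sigma: {} spawned {}", ev.parent_image, ev.image))
}

// Both engines see every event independently; the alert list is the union.
pub fn detect(events: &[Event], iocs: &HashSet<&str>) -> Vec<String> {
    let mut alerts = Vec::new();
    for ev in events {
        alerts.extend(ioc_match(ev, iocs));
        alerts.extend(sigma_office_spawns_script(ev));
    }
    alerts
}

// Constructed sample: a macro-launched PowerShell beacons to a trusted host (on no IOC list), then to a listed one.
pub fn sample_events() -> Vec<Event> {
    vec![
        Event { kind: "process_create", image: "powershell.exe", parent_image: "winword.exe", dest_host: "" },
        Event { kind: "network_connect", image: "powershell.exe", parent_image: "winword.exe", dest_host: "storage.trusted-cloud.example" },
        Event { kind: "network_connect", image: "powershell.exe", parent_image: "winword.exe", dest_host: "known-bad.example" },
    ]
}

fn main() {
    let iocs: HashSet<&str> = ["known-bad.example"].iter().copied().collect();
    for a in detect(&sample_events(), &iocs) { println!("{}", a); }
}
```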

Rustinel is available for free on GitHub under the Apache 2.0 license, making it an attractive option for organizations seeking cost-effective and flexible endpoint detection solutions.
