Skip to content

Commit dfdd5a8

Browse files
author
vsilent
committed
2 parents 1a6ed9b + 1e0d022 commit dfdd5a8

20 files changed

Lines changed: 2445 additions & 39 deletions

CHANGELOG.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [0.2.2] - 2026-04-07
11+
1012
### Fixed
1113

1214
- **CLI startup robustness**`.env` loading is now non-fatal.
@@ -19,6 +21,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1921

2022
### Added
2123

24+
- **Expanded detector framework** with additional log-driven detection coverage.
25+
- Reverse shell, sensitive file access, cloud metadata / SSRF, exfiltration chain, and secret leakage detectors.
26+
- file integrity monitoring with SQLite-backed baselines via `STACKDOG_FIM_PATHS`.
27+
- configuration assessment via `STACKDOG_SCA_PATHS`.
28+
- package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`.
29+
- Docker posture audits for privileged mode, host namespaces, dangerous capabilities, Docker socket mounts, and writable sensitive mounts.
30+
31+
- **Improved syslog ingestion**
32+
- RFC3164 and RFC5424 parsing in file-based log ingestion for cleaner timestamps and normalized message bodies.
33+
2234
#### Log Sniffing & Analysis (`stackdog sniff`)
2335
- **CLI Subcommands** — Multi-mode binary with `stackdog serve` and `stackdog sniff`
2436
- `--once` flag for single-pass mode
@@ -76,6 +88,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
7688
- Refactored `main.rs` to dispatch `serve`/`sniff` subcommands via clap
7789
- Added `events`, `rules`, `alerting`, `models` modules to binary crate
7890
- Updated `.env.sample` with `STACKDOG_LOG_SOURCES`, `STACKDOG_AI_*` config vars
91+
- Version metadata updated to `0.2.2` across Cargo, the web package manifest, and current release documentation.
7992

8093
### Testing
8194

Cargo.toml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "stackdog"
3-
version = "0.2.1"
3+
version = "0.2.2"
44
authors = ["Vasili Pascal <info@try.direct>"]
55
edition = "2021"
66
description = "Security platform for Docker containers and Linux servers"
@@ -49,6 +49,7 @@ bollard = "0.16"
4949

5050
# HTTP client (for LLM API)
5151
reqwest = { version = "0.12", default-features = false, features = ["json", "blocking", "rustls-tls"] }
52+
sha2 = "0.10"
5253

5354
# Compression
5455
zstd = "0.13"

DEVELOPMENT.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# Stackdog Security - Development Plan
22

3-
**Last Updated:** 2026-03-13
4-
**Current Version:** 0.2.0
3+
**Last Updated:** 2026-04-07
4+
**Current Version:** 0.2.2
55
**Status:** Phase 2 In Progress
66

77
## Project Vision

README.md

Lines changed: 19 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Stackdog Security
22

3-
![Version](https://img.shields.io/badge/version-0.2.1-blue.svg)
3+
![Version](https://img.shields.io/badge/version-0.2.2-blue.svg)
44
![License](https://img.shields.io/badge/license-MIT-green.svg)
55
![Rust](https://img.shields.io/badge/rust-1.75+-orange.svg)
66
![Platform](https://img.shields.io/badge/platform-linux%20%7C%20macos%20%7C%20windows-lightgrey.svg)
@@ -19,6 +19,7 @@
1919

2020
- **📊 Real-time Monitoring** — eBPF-based syscall monitoring with minimal overhead (<5% CPU)
2121
- **🔍 Log Sniffing** — Discover, read, and AI-summarize logs from containers and system files
22+
- **🧭 Detector Framework** — Rust-native detector registry for web attack heuristics and outbound exfiltration indicators
2223
- **🤖 AI/ML Detection** — Candle-powered anomaly detection + OpenAI/Ollama log analysis
2324
- **🚨 Alert System** — Multi-channel notifications (Slack, email, webhook)
2425
- **🔒 Automated Response** — nftables/iptables firewall, container quarantine
@@ -47,12 +48,12 @@
4748
### Install with curl (Linux)
4849

4950
```bash
50-
curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash
51+
curl -fsSL https://raw.githubusercontent.com/trydirect/stackdog/main/install.sh | sudo bash
5152
```
5253

5354
Pin a specific version:
5455
```bash
55-
curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.1
56+
curl -fsSL https://raw.githubusercontent.com/trydirect/stackdog/main/install.sh | sudo bash -s -- --version v0.2.2
5657
```
5758

5859
If your repository has no published stable release yet, use `--version` explicitly.
@@ -61,7 +62,7 @@ If your repository has no published stable release yet, use `--version` explicit
6162

6263
```bash
6364
# Clone repository
64-
git clone https://github.com/vsilent/stackdog
65+
git clone https://github.com/trydirect/stackdog
6566
cd stackdog
6667

6768
# Start the HTTP server (default)
@@ -164,21 +165,29 @@ docker compose -f docker-compose.app.yml down
164165

165166
```bash
166167
# Discover and analyze logs (one-shot)
167-
cargo run -- sniff --once
168+
stackdog -- sniff --once
168169

169170
# Continuous monitoring with AI analysis
170-
cargo run -- sniff --ai-provider openai
171+
stackdog -- sniff --ai-provider openai
171172

172173
# Use Ollama (local LLM)
173174
STACKDOG_AI_API_URL=http://localhost:11434/v1 cargo run -- sniff
174175

175176
# Consume mode: archive to zstd + purge originals
176-
cargo run -- sniff --consume --output ./log-archive
177+
stackdog -- sniff --consume --output ./log-archive
177178

178179
# Add custom log sources
179-
cargo run -- sniff --sources "/var/log/myapp.log,/opt/service/logs"
180+
stackdog -- sniff --sources "/var/log/myapp.log,/opt/service/logs"
180181
```
181182

183+
The built-in sniff pipeline now includes Rust-native detectors for:
184+
185+
- web attack indicators such as SQL injection probes, path traversal probes, login brute force, and webshell-style requests
186+
- exfiltration-style indicators such as suspicious SMTP/attachment activity and large outbound transfer hints in logs
187+
- reverse shell behavior, sensitive file access, cloud metadata / SSRF access, exfiltration chains, and secret leakage in logs
188+
- Wazuh-inspired file integrity monitoring for explicit paths configured with `STACKDOG_FIM_PATHS=/etc/ssh/sshd_config,/app/.env`
189+
- Wazuh-inspired configuration assessment via `STACKDOG_SCA_PATHS`, package inventory heuristics via `STACKDOG_PACKAGE_INVENTORY_PATHS`, Docker posture audits, and improved RFC3164/RFC5424 syslog parsing
190+
182191
### Use as Library
183192

184193
Add to your `Cargo.toml`:
@@ -457,7 +466,7 @@ dnf install sqlite-devel openssl-devel clang llvm
457466
### Build from Source
458467

459468
```bash
460-
git clone https://github.com/vsilent/stackdog
469+
git clone https://github.com/trydirect/stackdog
461470
cd stackdog
462471
cargo build --release
463472
```
@@ -608,7 +617,7 @@ stackdog/
608617

609618
```bash
610619
# 1. Clone and setup
611-
git clone https://github.com/vsilent/stackdog
620+
git clone https://github.com/trydirect/stackdog
612621
cd stackdog
613622
cp .env.sample .env
614623

VERSION.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
0.2.1
1+
0.2.2

docs/INDEX.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
# Stackdog Security - Documentation Index
22

3-
**Version:** 0.2.0
4-
**Last Updated:** 2026-03-13
3+
**Version:** 0.2.2
4+
**Last Updated:** 2026-04-07
55

66
---
77

install.sh

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2,15 +2,15 @@
22
# Stackdog Security — install script
33
#
44
# Usage:
5-
# curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash
6-
# curl -fsSL https://raw.githubusercontent.com/vsilent/stackdog/main/install.sh | sudo bash -s -- --version v0.2.0
5+
# curl -fsSL https://raw.githubusercontent.com/trydirect/stackdog/main/install.sh | sudo bash
6+
# curl -fsSL https://raw.githubusercontent.com/trydirect/stackdog/main/install.sh | sudo bash -s -- --version v0.2.2
77
#
88
# Installs the stackdog binary to /usr/local/bin.
99
# Requires: curl, tar, sha256sum (or shasum), Linux x86_64 or aarch64.
1010

1111
set -eu
1212

13-
REPO="vsilent/stackdog"
13+
REPO="trydirect/stackdog"
1414
INSTALL_DIR="/usr/local/bin"
1515
BINARY_NAME="stackdog"
1616

@@ -73,7 +73,7 @@ resolve_version() {
7373
fi
7474

7575
if [ -z "$TAG" ]; then
76-
error "Could not determine latest release. Create a GitHub release, or specify one with --version (e.g. --version v0.2.0)."
76+
error "Could not determine latest release. Create a GitHub release, or specify one with --version (e.g. --version v0.2.2)."
7777
fi
7878

7979
VERSION="$(echo "$TAG" | sed 's/^v//')"
@@ -136,7 +136,7 @@ main() {
136136
echo "Install stackdog binary to ${INSTALL_DIR}."
137137
echo ""
138138
echo "Options:"
139-
echo " --version VERSION Install a specific version (e.g. v0.2.0)"
139+
echo " --version VERSION Install a specific version (e.g. v0.2.2)"
140140
echo " --help Show this help"
141141
exit 0
142142
;;

src/database/connection.rs

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -188,6 +188,24 @@ pub fn init_database(pool: &DbPool) -> Result<()> {
188188
[],
189189
);
190190

191+
conn.execute(
192+
"CREATE TABLE IF NOT EXISTS file_integrity_baselines (
193+
path TEXT PRIMARY KEY,
194+
file_type TEXT NOT NULL,
195+
sha256 TEXT NOT NULL,
196+
size_bytes INTEGER NOT NULL,
197+
readonly INTEGER NOT NULL,
198+
modified_at INTEGER NOT NULL,
199+
updated_at TEXT NOT NULL
200+
)",
201+
[],
202+
)?;
203+
204+
let _ = conn.execute(
205+
"CREATE INDEX IF NOT EXISTS idx_file_integrity_updated_at ON file_integrity_baselines(updated_at)",
206+
[],
207+
);
208+
191209
conn.execute(
192210
"CREATE TABLE IF NOT EXISTS ip_offenses (
193211
id TEXT PRIMARY KEY,

0 commit comments

Comments
 (0)