MatheuZSecurity

Linux kernel integrity monitor for detecting syscall hooking

71
6
69% credibility
Found Feb 19, 2026 at 53 stars
AI Analysis

Language: C

AI Summary

ksentinel is a Linux kernel module that baselines the kernel's syscall table and other critical function pointers at load time and then polls them for unauthorized changes of the kind rootkits make (syscall table hijacking, ftrace-style inline hooks, syscall entry point tampering).

How It Works

1
🖥️ Get ksentinel onto the host

Clone the repository onto the Linux machine you want to monitor.

2
🔨 Build the module

Build the kernel module. The build prints a randomly generated unlock key once; record it somewhere safe immediately, because it is the only way to unload the module later.

3
🚀 Load the monitor

Load the module with the manager script. On load it snapshots the syscall table, the VFS and network stack operation tables, and (on x86_64) the LSTAR syscall entry point, then starts polling those locations for changes.

4
👀 Confirm it is running

Check the status output to confirm that all monitored entries (500+ syscalls plus sensitive functions such as commit_creds) were baselined and no violations have been recorded.

5
📊 Review violations

List recorded violations or watch them live. Each violation identifies the function whose pointer or code changed and is also logged to dmesg.

6
🔓 Unload safely

When finished, present the unlock key through the manager script to unlock and remove the module. Without the key, anti-unload mode keeps the module resident and hidden from lsmod.

🛡️ Result

The host has been checked for kernel-level hooks for as long as the module was loaded. This is detection only: anything hooked before the baseline was taken is part of the baseline and will not be flagged, which is why the module should be loaded early on a known-clean boot.

AI-Generated Review

What is ksentinel?

ksentinel is a Linux kernel module written in C that detects syscall hooking and integrity changes in critical functions, targeting rootkit techniques such as syscall table hijacking and ftrace hooks. On load it baselines the syscall table (512 entries), the VFS and network stack operation tables, and the x86_64 LSTAR entry point; it then polls every 2 seconds (configurable) and logs each violation in detail to dmesg. A manager script provides CLI-style commands to load the module, show status, watch live alerts, or list recorded violations.
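To make the baseline-then-poll logic concrete, here is an added userspace model of it in C. It is example code written for this review, not ksentinel's own source: a byte array stands in for kernel text, an array of addresses for the syscall table, and one scalar for MSR_LSTAR. The entry count, handler layout, FNV-1a hash and the three simulated attacks are assumptions made for the example; a real module would resolve sys_call_table via kallsyms, read LSTAR with rdmsr, and run the check from a delayed work item every few seconds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not ksentinel's code. Kernel memory is simulated below. */
#define NR_ENTRIES   8        /* assumption: the real table has 512 entries */
#define HANDLER_SIZE 16       /* bytes per fake handler in the text model */
#define PROLOGUE_LEN 8        /* bytes hashed at each handler's entry point */
#define TEXT_BASE    0xffffffff81000000ULL

enum violation_kind { V_TABLE = 1, V_PROLOGUE = 2, V_LSTAR = 3 };

struct violation {
    enum violation_kind kind;
    int      index;           /* syscall table index, or -1 for LSTAR */
    uint64_t expected;
    uint64_t actual;
};

struct baseline {
    uint64_t table[NR_ENTRIES];     /* syscall table pointers at load time */
    uint64_t prologue[NR_ENTRIES];  /* hash of each handler's first bytes */
    uint64_t lstar;                 /* syscall entry point at load time */
};

/* --- simulated kernel state (assumption: stands in for real memory) --- */
static uint8_t  text[NR_ENTRIES * HANDLER_SIZE];
static uint64_t sys_call_table[NR_ENTRIES];
static uint64_t msr_lstar;

static const uint8_t *text_ptr(uint64_t addr) { return text + (addr - TEXT_BASE); }

void sim_init(void)
{
    for (size_t i = 0; i < sizeof text; i++)      /* deterministic fake code */
        text[i] = (uint8_t)(0x55 + i * 7);
    for (int i = 0; i < NR_ENTRIES; i++)
        sys_call_table[i] = TEXT_BASE + (uint64_t)i * HANDLER_SIZE;
    msr_lstar = TEXT_BASE + 0x1000;               /* fake entry_SYSCALL_64 */
}

static uint64_t fnv1a(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Snapshot taken once at load time: a hook present now becomes "normal". */
void take_baseline(struct baseline *b)
{
    for (int i = 0; i < NR_ENTRIES; i++) {
        b->table[i]    = sys_call_table[i];
        b->prologue[i] = fnv1a(text_ptr(sys_call_table[i]), PROLOGUE_LEN);
    }
    b->lstar = msr_lstar;
}

/* One poll. Hashes the prologue at the *baseline* address, so an in-place
 * ftrace-style patch is caught even when the table still points at the
 * original function. Returns the number of violations written to v. */
int check_integrity(const struct baseline *b, struct violation *v, int max)
{
    int n = 0;
    for (int i = 0; i < NR_ENTRIES && n < max; i++) {
        if (sys_call_table[i] != b->table[i])
            v[n++] = (struct violation){ V_TABLE, i, b->table[i], sys_call_table[i] };
        uint64_t h = fnv1a(text_ptr(b->table[i]), PROLOGUE_LEN);
        if (h != b->prologue[i] && n < max)
            v[n++] = (struct violation){ V_PROLOGUE, i, b->prologue[i], h };
    }
    if (msr_lstar != b->lstar && n < max)
        v[n++] = (struct violation){ V_LSTAR, -1, b->lstar, msr_lstar };
    return n;
}

/* --- the rootkit techniques the review names, simulated ---------------- */
void attack_table_hijack(int i, uint64_t evil) { sys_call_table[i] = evil; }

void attack_inline_patch(int i)           /* ftrace-style: E9 rel32 jmp at entry */
{
    uint8_t *p = text + (size_t)i * HANDLER_SIZE;
    p[0] = 0xE9; p[1] = 0x00; p[2] = 0x10; p[3] = 0x00; p[4] = 0x00;
}

void attack_lstar(uint64_t evil) { msr_lstar = evil; }

int main(void)
{
    struct baseline b; struct violation v[8];
    sim_init(); take_baseline(&b);
    printf("clean poll: %d violations\n", check_integrity(&b, v, 8));
    attack_table_hijack(2, 0xffffffffc0000000ULL);   /* module address range */
    attack_inline_patch(5);
    attack_lstar(0xffffffffc0000800ULL);
    int n = check_integrity(&b, v, 8);
    for (int i = 0; i < n; i++)
        printf("kind=%d index=%d expected=%#llx actual=%#llx\n", v[i].kind, v[i].index,
               (unsigned long long)v[i].expected, (unsigned long long)v[i].actual);
    return 0;
}
```

The ordering of the checks is the point worth taking away: comparing pointers alone misses inline hooks, and hashing the prologue at the current (possibly hijacked) pointer would hash the attacker's function instead of the original, so the prologue check must use the baseline address. A polling design also implies a window: a hook installed and removed between two polls leaves no trace in this model.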

Why is it gaining traction?

Unlike userspace scanners, it runs inside the kernel, so hooks are detected in near real time on kernels from 5.4 through 6.12 and newer. Coverage extends to 500+ syscalls (matched by symbol prefix) plus sensitive functions such as commit_creds. An anti-unload mode hides the module from lsmod and refuses to unload until the random compile-time key is presented through the manager script, which also gives polished CLI control for quick setup. Two caveats for practitioners: the baseline is whatever the kernel looked like at load time, so a 2-second poll can miss a hook that is installed and removed within one interval; and hiding from lsmod is not a security boundary against a rootkit that already has kernel code execution, since it can patch the monitor as readily as it patches the syscall table.

Who should use this?

Linux sysadmins hardening servers against rootkits such as Diamorphine, incident responders and forensic analysts checking a live system for hooks after a suspected compromise, and researchers studying rootkit techniques. It targets x86_64 and ARM64 production environments (the LSTAR check applies to x86_64 only); it should be loaded early on a known-clean boot, built from a clone of the repository against the running kernel's headers.

Verdict

At 52 stars at review time and 69% credibility, this initial-version tool shines with thorough docs and CLI ease but stays detection-only: load it first or miss rootkits that were already resident, and expect no prevention. Use it for rootkit investigations or research; it is mature enough for trusted systems provided you keep the unlock key secure.