Tracee: Linux Runtime Security and Forensics using eBPF

Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes the collected events to detect suspicious behavioral patterns.

Tracee is delivered as a Docker image that, once run, starts monitoring the OS and detects suspicious behavior based on a pre-defined set of behavioral patterns.

Tracee is composed of the following sub-projects:

Getting started

Prerequisites

  • Linux kernel version >= 4.18
  • Relevant kernel headers available under conventional location (see Linux Headers section for info)
  • libc, and the libraries: libelf and zlib
  • clang >= 9

Exceptions:

  • Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are required only for the one-time compilation, and not at runtime. See Setup Options for more info.
  • When using Tracee's Docker image, all of the aforementioned requirements are built into the image. The only requirement left is the kernel headers or the pre-built eBPF. See Setup Options for more info.

Quickstart with Docker

docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for info.

This will run Tracee with no arguments, which defaults to detecting all available rules and reporting them as raw messages on standard output of the container. These can be further customized as detailed below.

Rules

To view the list of available rules, run the container with the --list flag.

We are currently working on creating a library of behavioral signature detections. Currently, the following are available:

Name                                Description                                                      Tags
Standard Input/Output Over Socket   Redirection of a process's standard input/output to a socket     "linux", "container"
Anti-Debugging                      Process uses an anti-debugging technique to block a debugger     "linux", "container"
Code Injection                      Possible code injection into another process                     "linux", "container"
Dynamic Code Loading                Writing to an executable allocated memory region                 "linux", "container"
Fileless Execution                  Executing a process from memory, without a file on disk          "linux", "container"
Kernel Module Loading               Detection of an attempt to load a kernel module                  "linux", "container"
LD_PRELOAD                          Usage of LD_PRELOAD to allow hooks on a process                  "linux", "container"

Integrations

Tracee leverages falco-sidekick for sending its detection events to other systems which are easier to consume. You can use any of falco-sidekick's supported "outputs", which include: Slack, Mattermost, Teams, Datadog, Prometheus, StatsD, Email, Elasticsearch, Loki, PagerDuty, OpsGenie, and many more. The full list is available here.

To configure Tracee to integrate with another system, compose a falco-sidekick configuration file, and provide it to Tracee using the TRACEE_WEBHOOK_CONFIG environment variable. By default, Tracee will try to find this file at /tmp/tracee/integrations-config.yaml, so if you have followed the quickstart and started the container with /tmp/tracee mounted in, you can simply drop that file there.

A complete reference of falco-sidekick's configuration format is available here.
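The configuration step above, as an added example that is not part of the Tracee project or of falco-sidekick: a short shell script that writes a falco-sidekick file to the location Tracee reads by default, honours TRACEE_WEBHOOK_CONFIG when it is set, and prints the quickstart command with that file mounted in. The generic HTTP "webhook" output with its "address" key and the top-level "customfields" map are falco-sidekick configuration keys; the endpoint URL, the field values and the TRACEE_EXAMPLE_RUN / TRACEE_WEBHOOK_URL variables are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Tracee project: create the falco-sidekick
# configuration Tracee reads by default (<workdir>/integrations-config.yaml,
# overridable with TRACEE_WEBHOOK_CONFIG) and print the matching docker run
# line. The webhook URL and the "source"/"host" custom fields are constructed
# sample values; "webhook.address" and "customfields" are falco-sidekick keys.
set -eu

SIDEKICK_FILE=integrations-config.yaml

# Path Tracee will read: TRACEE_WEBHOOK_CONFIG wins, otherwise $1/integrations-config.yaml.
sidekick_config_path() {
  if [ -n "${TRACEE_WEBHOOK_CONFIG:-}" ]; then
    printf '%s\n' "$TRACEE_WEBHOOK_CONFIG"
  else
    printf '%s/%s\n' "${1:-/tmp/tracee}" "$SIDEKICK_FILE"
  fi
}

# Write a config that posts every detection to one HTTP endpoint and stamps it
# with fixed fields a SIEM can route on. $1 = file path, $2 = webhook URL.
# An existing file is left alone: silently replacing it would let anyone with
# write access to the work directory redirect the alert stream.
write_sidekick_config() {
  cfg=$1
  url=$2
  case $url in
    https://*|http://*) ;;
    *) echo "webhook URL must start with http:// or https://" >&2; return 1 ;;
  esac
  [ ! -e "$cfg" ] || { echo "refusing to overwrite $cfg" >&2; return 1; }
  mkdir -p "$(dirname "$cfg")"
  # umask in a subshell so the file is created 0600 without changing the caller's umask
  ( umask 077; cat > "$cfg" <<EOF
customfields:
  source: tracee
  host: $(uname -n)
webhook:
  address: "$url"
EOF
  )
}

# Quickstart command with the config mounted read-only and Tracee told where it is.
tracee_run_with_sidekick() {
  cfg=$1
  printf 'docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -v %s:%s:ro -e TRACEE_WEBHOOK_CONFIG=%s aquasec/tracee:latest\n' \
    "$cfg" "$cfg" "$cfg"
}

# Only act when explicitly asked, so the functions above can be sourced safely.
if [ "${TRACEE_EXAMPLE_RUN:-0}" = 1 ]; then
  cfg=$(sidekick_config_path /tmp/tracee)
  write_sidekick_config "$cfg" "${TRACEE_WEBHOOK_URL:?set TRACEE_WEBHOOK_URL to the receiving endpoint}"
  tracee_run_with_sidekick "$cfg"
fi
```

The file decides where every alert goes, so the script refuses to overwrite one that already exists and creates the new one readable only by its owner; keep the work directory writable only by the account that runs Tracee.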

Setup options

Tracee is leveraging Linux's eBPF technology, which is kernel and version sensitive, and therefore needs to be specifically compiled for your hosts.

The easiest way to get started is to just let Tracee build the eBPF program for you automatically when it starts, as demonstrated by the Quickstart.
Alternatively, you can pre-compile the eBPF program and provide it to Tracee. There are some benefits to this approach: you will not need clang and kernel headers at runtime, and you avoid the risk of invoking an external program at runtime.

You can build the eBPF program in the following ways:

  1. Clone the repo and make bpf.
  2. make bpf DOCKER=1 to build in a Docker container which includes all development tooling.

Running this will produce a file called tracee.bpf.$kernelversion.$traceeversion.o under the dist directory.
Once you have the eBPF program artifact, you can provide it to Tracee in any of the following locations:

  1. Path specified in TRACEE_BPF_FILE environment variable
  2. /tmp/tracee

In this case, the full Docker image can be replaced by the lighter-weight aquasec/tracee:slim image. This image cannot build the eBPF program on its own, and is meant to be used when you have already compiled the eBPF program beforehand.

Running in container

Tracee uses a filesystem directory, by default /tmp/tracee, as a workspace and as the default search location for file-based user input. When running in a container, it's useful to mount this directory in, so that the artifacts are accessible after the container exits. For example, you can add -v /tmp/tracee:/tmp/tracee to the docker run command.

If running in a container, regardless of whether it's the full or slim image, it's advisable to reuse the eBPF program across runs by mounting it from the host into the container. This way, if the container builds the eBPF program it will be persisted on the host, and if the eBPF program already exists on the host, the container will automatically discover it. If you've already mounted the /tmp/tracee directory from the host (as suggested by the quickstart), you're good to go, since Tracee by default will use this location for the eBPF program. You can also mount the eBPF program file individually if it's stored elsewhere (e.g. in a shared volume), for example: -v /path/to/tracee.bpf.1_2_3.4_5_6.o:/some/path/tracee.bpf.1_2_3.4_5_6.o -e TRACEE_BPF_FILE=/some/path.

If you are building the eBPF program in a container, you'll need to make the kernel headers available in the container. The quickstart example has broader mounts that work in a variety of cases, for demonstration purposes. If you want, you can narrow those mounts down to the specific directory that contains the headers on your setup, for example: -v /path/to/headers:/myheaders -e KERN_HEADERS=/myheaders. As mentioned before, a better practice for production is to pre-compile the eBPF program, in which case the kernel headers are not needed at runtime.

Permissions

If Tracee is not actually tracing, it doesn't need privileges. For example, just building the eBPF program, or listing the available options, can be done with a regular user.
For actually tracing, Tracee needs to run with sufficient capabilities:

  • CAP_SYS_RESOURCE (to manage eBPF maps limits)
  • CAP_BPF and CAP_TRACING, available on recent kernels (>= 5.8), or CAP_SYS_ADMIN on older kernels (to load and attach the eBPF programs).

Alternatively, running as root or with the --privileged flag of Docker, is an easy way to start.

Linux Headers

In order to compile the eBPF program, Tracee needs some of the Linux kernel headers. Depending on your Linux distribution, there may be different ways to obtain them.

  • On Ubuntu/Debian/Arch/Manjaro install the linux-headers package.
  • On CentOS/Fedora install the kernel-headers and kernel-devel packages.

Normally the files will be installed in /lib/modules/${kernel_version}/build which is where Tracee expects them. If you have the headers elsewhere, you can set the KERN_HEADERS environment variable with the correct location.

Note that it's important that the kernel headers match the exact version of the kernel you are running. To check the current kernel version, run the command uname -r. To install a specific kernel headers version, append the version to the package name: linux-headers-$(uname -r).

Note that more often than not the kernel header files contain symbolic links to files in other directories. Therefore, when passing the kernel headers to the Tracee docker container, make sure all the necessary directories are mounted. This is why the quickstart example mounts /usr/src in addition to /lib/modules.
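The checks from the Setup options, Running in container, Permissions and Linux Headers sections, collected into one script. This is an added example, not code from the Tracee project: it derives the object name from the tracee.bpf.$kernelversion.$traceeversion.o convention, replaces --privileged with the capabilities the README lists, and mounts header directories (following their symlinks) only when the full image has to compile the program. The README names CAP_TRACING; the capability the kernel actually ships for that role since 5.8, and the one docker --cap-add accepts, is CAP_PERFMON. The TRACEE_EXAMPLE_RUN and TRACEE_VERSION variables, the helper names and the version strings in comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Tracee project. Assembles a least-privilege
# "docker run" line from the rules the README states: kernel >= 4.18, a
# pre-built object named tracee.bpf.<kernel>.<tracee-version>.o, capabilities
# instead of --privileged, and header directories (plus whatever they symlink
# to) mounted only when the full image has to compile the program itself.
# TRACEE_EXAMPLE_RUN and TRACEE_VERSION are assumptions of this script.
set -eu

# Compare a kernel release such as 5.4.0-80-generic against "major.minor".
kernel_at_least() {
  rel=$1
  min=$2
  rel_major=${rel%%.*}
  rest=${rel#*.}
  rel_minor=${rest%%.*}
  rel_minor=${rel_minor%%-*}
  min_major=${min%%.*}
  min_minor=${min#*.}
  [ "$rel_major" -gt "$min_major" ] ||
    { [ "$rel_major" -eq "$min_major" ] && [ "$rel_minor" -ge "$min_minor" ]; }
}

# Object name "make bpf" produces: dots in both version strings become '_'
# (e.g. tracee.bpf.5_11_0-24-generic.v0_6_1.o under dist/).
bpf_object_name() {
  printf 'tracee.bpf.%s.%s.o\n' \
    "$(printf '%s' "$1" | tr . _)" "$(printf '%s' "$2" | tr . _)"
}

# Capabilities the README lists for tracing, as docker flags. The README calls
# the second one CAP_TRACING; the name the kernel ships since 5.8, and the one
# docker --cap-add accepts, is CAP_PERFMON.
tracee_cap_flags() {
  if kernel_at_least "$1" 5.8; then
    printf '%s\n' '--cap-add SYS_RESOURCE --cap-add BPF --cap-add PERFMON'
  else
    printf '%s\n' '--cap-add SYS_RESOURCE --cap-add SYS_ADMIN'
  fi
}

# Directories to bind-mount for a headers build dir: the path as given plus
# its resolved target when it is a symlink (Debian/Ubuntu link
# /lib/modules/<rel>/build into /usr/src, which is why the quickstart mounts both).
header_mount_dirs() {
  [ -d "$1" ] || { echo "kernel headers not found at $1" >&2; return 1; }
  logical=$(cd "$1" && pwd)
  physical=$(cd -P "$1" && pwd)
  printf '%s\n' "$logical"
  [ "$physical" = "$logical" ] || printf '%s\n' "$physical"
}

# Build the docker run line. $1 = kernel release, $2 = Tracee version,
# $3 = work directory (README default: /tmp/tracee). Uses the slim image when a
# matching pre-built object is in the work directory, otherwise the full image
# with the headers mounted read-only. Paths are assumed to contain no spaces.
tracee_docker_cmd() {
  rel=$1
  ver=$2
  work=$3
  obj="$work/$(bpf_object_name "$rel" "$ver")"
  caps=$(tracee_cap_flags "$rel")
  if [ -f "$obj" ]; then
    printf 'docker run --name tracee --rm %s -v %s:%s -e TRACEE_BPF_FILE=%s aquasec/tracee:slim\n' \
      "$caps" "$work" "$work" "$obj"
    return 0
  fi
  headers=${KERN_HEADERS:-/lib/modules/$rel/build}
  dirs=$(header_mount_dirs "$headers") || return 1
  mounts=""
  for hdir in $dirs; do mounts="$mounts -v $hdir:$hdir:ro"; done
  printf 'docker run --name tracee --rm %s%s -e KERN_HEADERS=%s -v %s:%s aquasec/tracee:latest\n' \
    "$caps" "$mounts" "$headers" "$work" "$work"
}

# Print (not execute) the command for this host; review it before piping to sh.
if [ "${TRACEE_EXAMPLE_RUN:-0}" = 1 ]; then
  rel=$(uname -r)
  kernel_at_least "$rel" 4.18 || { echo "kernel $rel is older than 4.18" >&2; exit 1; }
  tracee_docker_cmd "$rel" "${TRACEE_VERSION:-v0.6.1}" /tmp/tracee
fi
```

Run with TRACEE_EXAMPLE_RUN=1 to print the command for the local host. Dropping --privileged means Docker's default seccomp and AppArmor profiles still apply to the container; if program loading fails under them, adjust those profiles for the Tracee container rather than falling back to --privileged.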

Issues
  • Additional tracing modes

    We currently support three modes of operation. It may be useful to add three more. As we don't want to have a flag for each of these modes, we better change the UX to use "--trace-target" as suggested below by @itaysk

    trace target | trace mode | status (issue)
    --- | --- | ---
    process | all | TODO
    process | new | implemented, migrate UX
    process | specific | implemented, migrate UX
    container | all | TODO
    container | new | implemented, migrate UX
    container | specific | TODO

    https://github.com/aquasecurity/tracee/issues/255

    opened by yanivagman 35
  • failed to attach to raw tracepoint 'sys_enter': invalid argument in kernel 5.4

    When developing external BTF feature I faced:

    image

    when trying to run tracee in a 5.4.0-80-generic kernel and the BTF file provided by btfhub. This issue is for me to investigate this further in a near future time. The same does not happen in a 5.8 kernel running on the host of the same docker container:

    image

    bug tracee-ebpf 
    opened by rafaeldtinoco 28
  • fea: added the pinned map for ns

    This PR aims at adapting tracee to work with pinned maps with mount namespace ids. The implementation is done as a separate trace mode in order to not mess with other functions of tracee.

    Usage example: tracee --trace pinned_map --mntns_pin=/path/to/pinned/map

    There is a point I would like to raise about this request beyond tracee mode extension itself. I have tested the application mainly with gadget-tracer from kinvolk because including tracee as an additional gadget is a primary purpose of my work. I have issues with legacy probes since several gadgets might work in parallel and use the same probes, which leads to conflicts and errors. My problem was solved by using perf-based probes which libbpf.go already provides. I understand that legacy probes are used for compatibility reasons. We can try to create a fall-back to older probes if an error is raised, or use older probes by default and fall back to perf-probes in case of an error, if it is still necessary to keep using legacy probes in newer versions of tracee. Of course, any other suggestions about how to improve this request are very much welcome. Thank you. @kinvolk @alban @mauriciovasquezbernal

    opened by ogozman 28
  • ID for rules

    Currently rules are identified by their name. If a user wants to select which rules to load, they need to give their full name on the command like, which is not ideal. We should add an ID field to signatures' metadata and use that in the --rules option.

    tracee-rules 
    opened by itaysk 26
  • tracee.go: initialize pid_to_cont_id_map during startup

    Fixes: #862

    Initialize pid_to_cont_id_map during tracee startup so that already running containers can have their container_id resolved when being traced.

    Instead of traversing the cgroups filesystem, like the tracee eBPF code does, I have preferred to rely on wrapped 'docker cli' commands to discover container ids and tasks running in each active container. This made the code cleaner and easier to maintain.

    Note: There is a small window of opportunity for a container to be started while this logic is running. I could have made 'Containers' logic to run in a go coroutine but that would also create another race window: userland adding a pid to the map that has already been removed by the - now active - trace event handler.

    opened by rafaeldtinoco 18
  • Initial BPFMaps population freezes tracee-ebpf

    While developing a fix for https://github.com/aquasecurity/tracee/issues/862, and loading the embedded CO-RE eBPF object, I realized that sometimes the logic worked and sometimes it did not.

    From time to time the entire tracee-ebpf code was in a state where it could not receive (or display) any event:

    BTF enabled, attempting to unpack CORE bpf object
    unpacked CO:RE bpf object file into memory
    TIME             UTS_NAME         CONTAINER_ID     UID    COMM             PID/host        TID/host        RET              EVENT                ARGS
    <nothing>
    

    and nothing happened.

    The logic being added to PopulateMap is:

    	// Initialize pid_to_cont_id_map if tracing containers
    	c := Containers{}
    	err := c.Populate()
    	if err != nil {
    		return err
    	}
    	// a missing map is an error too, not something to discard with a blank identifier
    	bpfPidToContIdMap, err := t.bpfModule.GetMap("pid_to_cont_id_map")
    	if err != nil {
    		return err
    	}
    	for _, contId := range c.GetContainers() {
    		for _, pidstr := range c.GetPids(contId) {
    			if t.config.Debug {
    				fmt.Println("Running container =", contId, "pid =", pidstr)
    			}
    			var pid uint32
    			// check the parse result instead of letting Update() overwrite err
    			if _, err = fmt.Sscanf(pidstr, "%d", &pid); err != nil {
    				return err
    			}
    			err = bpfPidToContIdMap.Update(pid, []byte(contId))
    			if err != nil {
    				return err
    			}
    		}
    	}
    

    Initially I thought it was related to my logic, but debug always showed me that the slices of container_id and pids were ok:

    $ sudo ./dist/tracee-ebpf --debug --trace container --trace event=execve
    BTF enabled, attempting to unpack CORE bpf object
    unpacked CO:RE bpf object file into memory
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1721925
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1726069
    ...
    

    and there were no errors adding the pids to the map:

     err = bpfPidToContIdMap.Update(pid, []byte(contId))
    

    I'm also able to reproduce this behavior using the versioned eBPF object file:

    $ sudo TRACEE_BPF_FILE="$(pwd)/dist/tracee.bpf.5_11_0-24-generic.v0_6_0-11-g49503a2.o" ./dist/tracee-ebpf --debug --trace container --trace event=execve
    BPF object file specified by TRACEE_BPF_FILE found: /home/rafaeldtinoco/work/sources/ebpf/aquasec-tracee/tracee-ebpf/dist/tracee.bpf.5_11_0-24-generic.v0_6_0-11-g49503a2.o
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1721925
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1726069
    Running container = 9521c39d6d3d54f5c5f4760c2e3dbde4fdcfd4fba99c2d46c49a4edd63864ae3 pid = 1236570
    Running container = 9521c39d6d3d54f5c5f4760c2e3dbde4fdcfd4fba99c2d46c49a4edd63864ae3 pid = 1236611
    ...
    TIME             UTS_NAME         CONTAINER_ID     UID    COMM             PID/host        TID/host        RET              EVENT                ARGS
    <nothing>
    

    I'm running Ubuntu Hirsute: 5.11.0-24-generic #25-Ubuntu with BTF enabled.

    bug tracee-ebpf 
    opened by rafaeldtinoco 18
  • containerid doesn't work for existing containers

    image

    Initial traces were from a previously started container, showing no containerid.

    bug tracee-ebpf 
    opened by itaysk 18
  • feat: Add ringbuffer support to libbpfgo

    This adds support for ringbuffers to libbpfgo. A good reference for ringbuffers can be found here. There is not much difference in userspace between ringbuffers and perfbuffers besides the fact that ringbuffers API does not support a callback for lost events. That will have to be handled in kernel space for consumers of libbpfgo, like Tracee.

    I have a separate PR awaiting this which I can open as a draft seeing how it would be consumed in Tracee.

    opened by grantseltzer 17
  • Tracee fails on startup after signal other than sigint, doesn't have cleanup behavior

    I ran tracee --security-alerts, hit ctrl-c, then ran it again and get the following error:

    failed to add kprobe 'p:kprobes/psecurity_inode_unlink security_inode_unlink': -17
    failed to create kprobe event: -17
    

    I've tried running make clean && make but the problem still occurs. This is with latest in main branch (a87426a702aa1b69d38dbe1f96b8179f38471ea5)

    tracee-ebpf 
    opened by grantseltzer 16
  • Can't run tracee - getting error about long argument list

    Hello,

    I'm trying to run tracee-ebpf with no specific arguments on the following kernel : 5.3.0-1023-aws #25~18.04.1-Ubuntu SMP Fri Jun 5 15:18:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

    This is the error I get:

    image

    Thank you

    bug 
    opened by michaelkatch 16
  • tracee-ebpf: remove events pipeline

    This PR removes the events pipeline that was created before tracee-rules existed. The idea behind the pipeline was to create plugins between the different stages, and to improve performance, but neither is achieved by it today. As the amount of work done by each stage of the pipeline is very small, the channel communication time becomes more dominant, and the performance is degraded. With the pipeline, it takes ~75us (on my env) for an event to cross all of its stages (decode, process, emit). Without it, it now takes ~5us to perform the same logic. Although it is more than x10 faster, this will not show a great improvement as the current bottleneck is the perf buffer polling as described in https://github.com/aquasecurity/libbpfgo/issues/80

    opened by yanivagman 0
  • tracee-ebpf: simplify saving to buf

    opened by yanivagman 0
  • Performance improvement with EventSelector

    Maybe we should change the event's type in EventSelector to be an integer?

    I thought about it and it seems to me that using a constant integer for the events instead of a string will reduce the time of creation of each event selector created for the events map. If we think about it, it will change the copy operation from O(n) to O(1). Changing the event's origin to be an integer const could also be considered. I don't know if the improvement is drastic enough to do the change, but it should improve the performance of tracee-rules a bit at least. It would force us to move the const.go file in tracee-ebpf to an external package, but it should happen anyways in my opinion.

    What do you think?

    opened by AlonZivony 2
  • Unmarshal "envp" using json output

    Hey, I have an issue when using tracee-ebpf with the flag "-o option :exec-env" when output format is JSON. The exec-env outputs a slice of string ([]string) when execve syscall is made. Gob output handles it well but, JSON output won't.

    bug 
    opened by michaelkatch 6
  • tini problem

    When running the docker image with pid=host I get the following warning:

    [WARN  tini (48804)] Tini is not running as PID 1 and isn't registered as a child subreaper.
    Zombie processes will not be re-parented to Tini, so zombie reaping won't work.
    To fix the problem, use the -s option or set the environment variable TINI_SUBREAPER to register Tini as a child subreaper, or run Tini as PID 1.
    
    opened by yanivagman 1
  • won't build in RHEL environments due to /usr/lib64

    Whenever trying to build tracee-ebpf in a Fedora environment - outside docker - I realized that RHEL-based distros won't compile because of their compat-libs approach of having /usr/lib and /usr/lib64 as prefixes for their OS environment. This leads to the following error:

    # github.com/aquasecurity/tracee/tracee-ebpf
    /usr/lib/golang/pkg/tool/linux_amd64/link: running clang failed: exit status 1
    /bin/ld: cannot find -lelf
    /bin/ld: cannot find -lz
    /bin/ld: cannot find -lpthread
    /bin/ld: cannot find -lc
    clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
    

    and should be fixed in the Makefile.

    This was identified during tests for https://github.com/aquasecurity/tracee/pull/1001 and it is also part of the supported environments effort: https://github.com/aquasecurity/tracee/issues/971.

    opened by rafaeldtinoco 2
  • improve json unmarshaling

    partial fix to: #986

    bug tracee-rules 
    opened by itaysk 0
  • json unmarshaling issues

    reported by @idanr1986

    • [x] empty string array
    panic: interface conversion: interface {} is nil, not []interface {}
    
    • [ ] commit creds
    commit_creds - panic: interface conversion: interface {} is map[string]interface {}, not external.SlimCred
    
    • [ ] bytes
    magic_write - panic: interface conversion: interface {} is string, not []uint8
    
    bug tracee-rules 
    opened by itaysk 2
  • Don't handle signals in tracee package, but in main

    Today we handle the SIGINT and SIGTERM signals in the tracee package (of tracee-ebpf). A user that wants to use tracee-ebpf as a library may want to set its own handlers, and also be able to gracefully close the perf buffers and save the captured artifacts as done in the Run() function (and not in the Close() function). A better approach to signal tracee to close can be done by using go context, which will then enable the caller (either main or a user that is using tracee-ebpf as a library) to call the context's cancelation function, and close tracee-ebpf gracefully.

    tracee-ebpf 
    opened by yanivagman 0
  • Moved consts files to a new module

    tracee-ebpf 
    opened by AlonZivony 1
Releases (v0.6.1)
  • v0.6.1 (Sep 3, 2021)

    Changelog

    bcf7153b207b91fe618061a6b8c087b8ccf912ba helpers/btfinfo: renamed to osinfo and improved, syncing (#981)
    dfdb5d66613f0a2f0b5da412bb4dce64481e9ff6 tracee-ebpf: move prepare_args() to argprinters file
    e2f9f1b1f983b464c245149aac3ceeb6623a5917 tracee-ebpf: add sched_process_exec to default set
    b55da80a486ee765294d4e377948ab9623e3211d Use filepath.WalkDir() to scan for signatures (#901)
    90b75302cfa05b860812e7c217ea8e029cdd3710 fix json unmarshaling nil
    f9b43946d8b7ea28f6a269cfc9a35df9116e8835 tracee-rules: add GetSelectedEvents
    aad4c95b344209b79d3501e97c229cf00db239a7 tracee-ebpf: fix process tree disabled
    9d588c980acc0cc88f6fe80250523f6ccc78a44e Implement process tree filter (#927)
    e438abe3789dd40c8e805849d69407d3d5591d23 Feature/fetch system info (#945)
    7910a97bb390e1409f46e2b7802c91d91c22abe1 feat: Bump OPA to v0.32.0 (#978)
    d4cdac0c9aff8244e37fb42d8135db459ebe2522 tracee: move MissingKernelConfigOptions to libbpfgo helper
    1aac4412f3fa00ab7e05dfa3747b8ea47ec6617f tracee-ebpf: update to latestl libbpfgo due to kconfig changes
    dd77f56eb9361e1da5fdd67d95efd0e38d72343e tracee-ebpf: fix sched_process_fork arg names
    dcb26c2f38455d6eec382977941e1d291471d0c9 add mknod lsm hooks (#970)
    c02ae01cfa35fd11a61355ea85c5bdd843726b5b tracee-ebpf: simplify events pipeline
    f184b9ed1229458fb0dc22a3eac24db2624b66f1 handle param type int[2] (#969)
    a4bac2996000368acb2cad2deca02c99b3dc3d1f tracee-ebpf: mitigate deadcode optimization issue for 5.4 and less
    b4181ca59be2f4d1e44694f279f86c2268fc0024 tracee-ebpf: linting: spellcheck, empty chars & statements
    3f412c510b25a426abbe8aa76fa306123120685d tracee-ebpf: fix sched_process_exec argument types
    0177dae1ebf63bd69e18b9b5ac72c5646d30ac1a tracee-ebpf: add capture profile documentation
    7f98f9b365f9942b94235645712ad3ee2df701c6 fix incorrect cli flags in docs example
    5c85d2aa1309bfe3c1f36018621baf38122cf1ff tracee-ebpf: don't send stats in done channel
    c81d97531b13bb067a011e98199de311afc2a591 fix unmarshaling of string arrays
    c261897e93d522e3c603248cc3272561a477b09a tracee-ebpf: fix build error after libbpfgo linting fixes
    5cfba33745e93f1c010e6a1d4db0555e14a4a7bb tracee-ebpf: move printer to main package
    1514fb5ae9a05eeebc203a457234041bdb7cfbca tracee-ebpf: fix network capture with latest libbpf
    4584f75a3c2bfe534857dcc44a7391f063f18145 tracee-ebpf: add static build support for portability
    b0eba9e2ce3957892a9a4c9189900a4d95052090 tracee-ebpf: use replace for the external package (#949)
    a3c2d51ceec81b8a21a1150653f8e0621c477418 tracee-rules: update dependency Masterminds/sprig (#938)
    b644fe80b4377d7b43ad44ebbfee16f40add31e4 tracee-rules: refactor non used code (#939)
    61dfcd804bf35cfc7f01a7085014de3b65718b5a tracee-ebpf: add stats to external
    fef7e8a987606e506fd9034aacd77f9b112f5121 tracee-ebpf: support network capture from multiple interfaces
    c1ce71732a1083eb97674c0b3bfba53031cc8d27 tracee-ebpf: remove gob printer errEnc
    5627299fd5ba3fd6ce5b783d8ada26015e4cff3f tracee-ebpf: fix error printing to be always text
    05daef9de1b1d8d2b3e858b5e0b01d55b8c5ff07 tracee-ebpf: fix gob test (#941)
    ce2b75e5d37664535997d3f436efa0d0ed29c022 tracee-ebpf: restructure and split files
    5a0eb2d55bb7453e844db12ac3cd3397f0fc9256 tracee-ebpf: improve Containers object
    5032dc4f8578ec9097cea312d64b38c80d2e866c tracee.go: initialize pid_to_cont_id_map during startup
    e176bdc8389a97297b794aef29be1beb066b890a tracee: support external BTF files
    7380f08bb773950b977bce54532c9c8c1a8065f9 tracee-ebpf: update to libbpfgo with initial btfinfo
    b7007617228284c0043d6d7fee9e56e0cb0ecca2 tracee-ebpf: Change libbpfgo map methods to new prototype
    ed0f4a2ae88e992b3e91fc314f8986b40b8d40dc tracee-ebpf: update libbpf to sync with libbpfgo
    25ffccd0ef031f8c4772b56ef6aa8b6e2e8913e1 tracee-ebpf: update to libbpfgo v0.2.0-libbpf_0.4.0
    5ae161047906e801cd3ced2f1638b8ffa63e83a1 tracee-ebpf: add syscall_nr to security_file_open
    a3e048b82af91b3f28941d888f53e72b392bb2f5 tracee-ebpf: fix get syscall id from regs
    3baa9520840203b4bfab0b87462a781920ab7485 tracee-ebpf: fix regression - program too large in kernel 4.19
    8a434047e9d7399367371cdd2dd16ecccb9e4b8b tracee-rules: fix rego signature loading
    cbc56c9351ca20c6c5a23bec48ffa2f3830fe5c2 add flags support for make test (#879)
    329154eadcbe2216a0825ea485ab9ba487627736 tracee-ebpf: add --output ignore (#882)
    4ad02defb824cadd9c02f59c3898fea0cf0548d8 tracee-ebpf: print help for invalid arguments
    2bae871f788776f31c28a40439930cc23333de9b tracee-ebpf: remove '--capture all'
    8462b71a21fcdfbf39a3bd03c6c7e538bffec4de tracee-ebpf: don't filter security_file_open for open/openat
    9cd6bb51a016731382b74a2ebc6102a684b2aec1 tracee-ebpf: don't send zero-sized chunks
    e277be2d9fdb45361c47d462c39028d8e2c48060 tracee-ebpf: simplify save_xxx_to_buf logic
    ceece80d347ef5e23777a4f8888cfd3fca9b4447 tracee-rules: improve error logging
    0770dc466114cfc7d17ba17ee257dd4cab07dbe5 add close on fileread finish
    ad2596a0c1d3c76d9332803c56523a1b896d21f5 remove unneeded var
    1bc09c3dab841f304369ced95b1cce1c2e29e19e change invoked_from_kernel detection method
    fb605fe8803a44c97058597a173dcd7ed7169fc3 Fix CO:RE support for RHEL and RHEL derivatives
    cb836e14c7690c4cd4e2c78572a08fcc1cd4cb22 fix rule name partially cropped in error message (#867)
    82a1289c12da2255682743f6d762bf6adde69a9b tracee-ebpf: add support to custom rego helpers
    147f6dec8e0526a1c2c425f57a3790ba98060fbe tracee-ebpf: fix capabilities minimum requirements
    9f917a1fa938a6ee7e1c9071ed9bc77b81145283 tracee-ebpf: turn MAX_PATH_COMPONENTS down to 48 (#889)
    282bcbd4717f15c34c81468fbb7453880c38059f tracee-ebpf: fix help flag to print to stdout
    26a9eb22a9133fe07f4912363aa5827b7d49b893 tracee: add tini tracee docker image (#883)
    aee7e8f04e08b2b869e8526dbff70e1562d016b5 tracee-ebpf: add output validate test (#881)
    76a932ff09fe5fb61b71cc6d95c947236da42eab tracee-rules: enable pprof endpoints (#860)
    3bca7eaabc5812715a4b6262c0db84e811fad7f9 tracee-ebpf: improve argprinters test coverage (#877)
    f641d42052af02b81629ff84833a557713a92a16 tracee-rules: fix minimum requirements link
    5ce9ff4c93737d25a02152ab9f4a485d861d77ad tracee-ebpf: refactor to avoid two strings.Split (#859)
    4c99a2aef97774fc8291d0aeb85c710221a36ae8 Change quickstart one liner to just make note of mounting config

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.1
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.65 MB)
  • v0.6.0 (Aug 3, 2021)

    Release highlights and discussion

    Tracee v0.6.0 released!

    Changelog

    703a7a9d614724d864fff19e7bc72fd966af4fae add security_kernel_read_file lsm hook (#869)
    c40c82cb86697ebe259ff0a830bbc3e1bf2a1164 Update docs to be more targeted at users, rather than developers (#870)
    238cc6e76176766a83c4ba0a114c36cc91afa207 Update docs to take into account CO:RE default (#868)
    fa7feae4008c0d639630af0b4347ebe487bf5806 use tcp_connect kprobe to get tcp handshake packets (#861)
    6df0969653c4567f7e6dabca5a77b639c042fb83 Feature/event origin signature filter (#856)
    c27e914eb4d358eac6908a47d9db1f569a0e700b add lsm hooks to event sets (#863)
    4c78ac3562a33799823b843aaa5f58156cfd4737 tracee-ebpf: security_sb_mount: send exact argnum
    5c84d6098b61abbd605855154478aab9e80f3e0e tracee-ebpf: add SIGTERM support (#858)
    2d2845fded1561440e430412be4c363c8d296b77 tracee-rules: evaluate parsed input with OPA (#829)
    de4f865ca25c06ca719af935e9cdbff0f4aad181 tracee-ebpf: extend magic_write bytes (#853)
    8684eeab26c4f26a3e11cda8ffb437d4d9304b58 tracee-ebpf: fix 4th syscall param value
    7aa2964f938e18ebfe712a3863fb67b8dcdf18c3 tracee-ebpf: add inode and dev to magic_write event
    6a584488dfb329861a0289ec27948d29535440f6 tracee-ebpf: update external module
    bbe411a2a16775309952f31f4a8b598da96633d0 tracee-ebpf: update timestamp in external func ToUnstructured()
    f17c1d161b640966f77e7d9ee164ee535e141987 tracee-ebpf: Adjust MAX_PATH_COMPONENTS limit for kernels >= 5.2
    4d0b1c886f9455999965f23062eee5bed36ec878 tracee-ebpf: add epoch timestamp
    443955e3c087f8e7652420c9d947cf5fe3c51756 feat: Add ToUnstructured method to Event (#830)
    bb6be1198cfa578da18a2a78908cd8883589774b tracee-ebpf: fix core compilation warnings (#838)
    2991701f2caf1fb5288ec1ee3465a8f19fe30a52 Add embed directive to embed the compiled CORE bpf object into go binary (#818)
    f5240ae1730a7d286cb7293115fe5fd205f5294b tracee-ebpf: fix print of preamble and epilogue
    6da6c9f96ac71c95592bf46284d37430c704696b tracee-ebpf: add capture network to docs
    8c463c7986a809c28fb9299d60409ff53077cf52 tracee-ebpf: add network debug events and context
    6516b2524761ff45214b14a600fb93fba4143528 tracee-ebpf: capture network activity
    3a25e7486b17668cc09c6ba99484bc800671fb2f tracee-ebpf: add args and env to sched_process_exec event
    4276fba30c1ce6e39c6da89f1be3ee36c8ddce09 skip printing out if library mode
    247ffc9d9c03e784db05664ae943ef7ef048fa63 fix panic due to slice outbound
    a291eae79a0ec1c0e7a01d44cbaecc073f90f274 Replace external package with go module (#824)
    59acd669cdc889dba8a2268d200088ba90ee5ab6 add external package as a module
    b3b73465ede22996712c0e5577d33cef23cbb28c tracee-ebpf: fix incomplete path (#812)
    2df1177abcd431a181f2486b9ddf34d329ceaff1 fix go rules requirement
    4575262793813aecec5a9e6de39617c0616c4cc5 fix help message
    faa56142fcd83cc8b8303c4f00dec35347490cd6 Update tracee logo (#809)
    ad3b86b8d0fce97faaef2307b1e89fd9a93c18f9 tracee-ebpf: record context timestamp at sys_enter
    8d69f428d5310af5c6bf8df0d23894be902ce209 test: Describe benchmarks for tracee-rules
    31f21b85421b7d266cf2b8114a792dffc40b6d54 adding Close API to signature interface adding Load/UnloadSignature functions to tracee-rules Engine
    1fbc090f5b7672120421472278e95e048fe04ba3 tracee-ebpf: improve output flag help
    b8937fdb379f3a9fcbbe9395ced07b6f11bc87a1 tracee-ebpf: fix container id issues
    c827ae0e4990e52aef1e57c869cd23d7942a71ad fix(benchmark): Unprotected global variable processMemFileRegexp in golang.codeInjection.Init()
    ef95ded3dd6fce4ee008269385e01ab2d99de108 fix(benchmark): Use uniquely identifiable sigs in BenchmarkEngineWithNSignatures
    5fc8a52686a87622d8a6cb0ec896814a7193eac8 fix: Unsynchronized send and close operations on signature channels
    f773f883457e97d7008bd20caea046f917cd874a fix bugs that caused panic when tracee API used from third party app
    662a668a8e065cafe54f29b92781e162f9c2ebf9 test: Add wasm target to tracee-rules benchmarks (#790)
    ae07c82dc6a9e98253ffb65c0eb4f848e3abfc1e Adding exportable channel into Config struct. In this way a third party entity can read from the channel without any dependencies with the tracee printers.
    ef8d4ee17fbbb278fb7918f76740754b508a613a fix clean target
    05c11bfb099b512a3ea99892c98be2a8dc989ff5 test: Benchmark rules engine based on number of signatures (#792)
    741e7bb6e6bdfff0743394e47b52d1c6c3a92940 fix broken link (#791)
    acf1752a53a7d33fe9a7c3009be1254369e17e9e test: Benchmark tracee-rules (#785)
    06851ee77638cdb9f062c315df3cf60b12c3e1af tracee-ebpf: fix compilation on ubuntu
    4bf8ca6bd33bc59e64e849eec89d33d3fe8bc08d Add initial CO:RE support (#759)
    cca5fa9190332e44e71536254850a1705fb97ccc fix error that caused bpf code not to be loaded
    422e86ebce71ee23a29849a74ffbca2f9687d8ce tracee-ebpf: fix instruction count on kernels < 5.2 (#779)
    6166346e7479bc3b4b417a67a92a2493a30b949e add sched_process_exec and fix

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.0
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (16.33 MB)
  • v0.5.4(Jun 17, 2021)

    Changelog

    e68ecaa4c07bd2ed085aab7fdeee181feeb4c492 tracee-ebpf: move fork logic to sched_process_fork
    9eb91fb54f6aed59f5ef41838b4048d7949095e7 tracee-ebpf: bump libbpfgo version

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.4
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.4
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.65 MB)
  • v0.5.3(Jun 15, 2021)

    Release highlights and discussion

    Tracee v0.5.3 released!

    Changelog

    8c944cf07f15045f395f7754f92b7809316c681c tracee-ebpf: add container id to context
    6129122999ddf144a4e0902dd32930cc1e6d3aca feat: Tracee Profiler Mode (#725)
    1e0aba550543f8eb238b77c401a6eb1a279f5662 clarify license (#760)
    5cc1e8cc27d03b60c7178995a3e448337815630a fix gob type declaration (#753)
    09ef6287e5892c852569e212a6c26ef8de9ed758 Optimize save_path_to_str_buf in tracee.bpf.c (#758)
    9312e26ed9ac477fadb121fdffdd0a414faf530c tracee-ebpf: fix bpf compilation error
    c15806966312a53264b4989bfb1f316d1d50ae27 tracee-ebpf: ignore kernel config check when init fails
    f87e71faaf1d88f1151296fa1ef575d1212ab761 Update Prerequisites Link in READMe (#744)
    58a120a68e88d2efe68e5e5a42b8d02f3e8476d8 tracee-ebpf: add security_bpf{,_map} events (#617) (#739)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.3
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.3
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.57 MB)
  • v0.5.2(Jun 3, 2021)

    Release highlights and discussion

    Tracee v0.5.2 released!

    Changelog

    2fb9a7ea8884255c264ff9458faf6beba85590b1 tracee-ebpf: commit_creds: submit more credentials
    6e1c370bf50fb8eaab490c89ec2e09932aa19618 add detection for writing into /etc/ld.so.preload (#733)
    9387554f6b08f1c625eda034410f6141366e5478 switch to libbpf v0.4 (#738)
    83a869d58d7b61cfd672faedb95276ed8c31713f fix: remove libbpfgo from this repo (#734)
    94530727cde45371a0e4cacffb35ee2b19277b67 libbpfgo: Add map iterator support (#728)
    da4124acec31f255ae42294662b3a04c2a51c7e1 tracee-ebpf: close gracefully on error (#729)
    242d721bad3dc698540464b15a15f6aa1f16f760 libbpfgo: Check for ERR_PTR return values (#709)
    94f33d0b7a9129fb22556d0af0c41929e41b72d9 work with new form of security_socket_connect
    1960f31be55455694fd4a79bd5a772de95321c39 libbpfgo: Add support for AttachPerfEvent
    74b3c48c070b5f775edfa72b83fa7c955f42a4ea dont set essential events to network lsm hooks
    6fb4c8af528c771b1b1609894afe55b76da263f8 set network syscall events as essential events for their corresponding lsm hooks
    b24f18c152aeddbef27da87d92b12e3bc2a08d48 use kernel pid instead of tgid to avoid race condition between threads
    21548485d83465b46806bd4b477a64bcc78474ce set default sockfd to -1
    d75a61fa9d815d45020a0133d3c7207457c569e9 remove event_id from sockfd_map key, use tgid alone instead
    32191ee8a52f405bd8360d940c076b99a2817e5a fix sockfd_map comment
    fcd84785f7076f72d55a9f3b3dc69a9abfd9701b added sockfd arg to network lsm hooks
    dccdd841f2b0ebeb304d03319c3dd017afdecbda Add security_sb_mount lsm hook
    38b402df69f26efd5e33353ce0f9f4086727bcdb tracee kubernetes deployment yamls (#680)
    210d85b2bf67cedd9d91739d23ae84c6b0de857a Add tracee video hub link in README (#714)
    03448380c7e3899b242e6c131fe06d691968777a add manual parameter to docs workflow (#712)
    25eb688b3d04a8539bf4268ddd53dd509ecbfbb7 libbpfgo: Add AttachLSM() method
    2bf844d25929d556c82b81514cdaf9635609b27b Network lsm hooks (#697)
    a6f33c373c43625a7d708dba0ebecc935665b8da Load kernel config into bpf hashmap (#670)
    71b887671b083fd71f792e542ce375076e3b30a1 Run libbpfgo self tests on self hosted github action runner (#693)
    93809da91b9c7e559357c909b32a80b73987c5ed add manual trigger to docs workflow

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.2
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.2
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.55 MB)
  • v0.5.1(Apr 18, 2021)

    Release highlights and discussion

    Tracee v0.5.1 released!

    Changelog

    521b52b10c29dad4702bd4e1a6d1bc824e7faec7 add build in docker to tracee-rules
    24daa0e2fed028b1faf02ee87578a019078e9afd small typo fixed
    8db13ca541eaa460f3a3b8bf3de962b2cf946361 Fix minimum requirements link
    d6069729ff805f17d8c2933930b0a2106f704b80 fix: add check for empty bytes being written by file write channel fileWrChannel (#696)
    2317a86b4db25c7a26340bc9da0ab6d7cbc7f2cd fix: trace-ebpf flag output (#632)
    feb16774f64eba054b3ed3e062cd75eedaca66f1 feat: add testing envrionment matrix that includes self hosted runner (#692)
    c3da07d21abd94cd6ff5d3c133b99dfc6886345e Merge pull request #688 from grantseltzer/upgrade-libbpfgo-fix
    e25ba71a024a2b6ba5c3f61aa58520e5b8eff469 Merge pull request #687 from yanivagman/fix_build
    71d4c839fb68a809b0ccce5879beb8323a57986b Fix build with libbpfgo
    510aae763184ad808c70b8e4869f7a00b474e7e7 integrate and document gotemplate
    7b3c71b78ab66361f83cc45287761a2d1be4b8f7 Merge pull request #682 from krol3/issue-681-dockerignore
    ff03f7bc76bb11e39e3051b4841c61e805e59684 Merge pull request #649 from eyakubovich/fix-chan-map-race
    5052cb856498a41f3ea730157f4a71531551d55c Merge pull request #678 from grantseltzer/upgrade-libbpf-v0.3
    f37f3d37f1f6fde204450bfcb7fc9a57373c2b78 feat: docker ignore for tracee
    29b216c9ed652c867c62d308d810016fee23a784 Merge pull request #672 from yanivagman/fix_type_mismatch
    8d2664234143c38b51027f00b36fa21d77529b47 Merge pull request #679 from yanivagman/fix_docs_link
    4ef3eba0a87479e86877b36226b09bb342cdfae0 fix documentation link in readme
    96bdca85b812938c316ae0748836f9fdeffe7d49 improve docs
    f11eced33dbf831cba15aea84ad547e00dc3cdc3 fix error handling
    103ddbdd4220e4b600895b6f6a1f2d43a2d78e01 tracee-ebpf: Fix type mismatch of event arguments
    d1a0c00b9ad02841255d6924e0ab89444d765880 fix: update libbpfgo go module to fix build for tracee-ebpf
    c67295f85dff0c52ab641151652d3cc9413b5157 fix: upgrade libbpfgo dependency to latest
    3970f7fb8282760e0256bb73df21669a7b69e497 fix: upgrade libbpf dependency to v0.3 release
    095336c20e035841c6cfd7a6446e6c2d7af9eb55 Merge pull request #656 from eyakubovich/add-map-setters
    7ace63bcad376fd4d08dfc966c30643c4638dc54 Add Resize() and GetMaxEntries() to BPFMap
    7862e0e60d87fd4a20a02bbb19bbcda3b247606f Merge pull request #645 from grantseltzer/feature-check-package
    4f5af968cb660b84b921972877847974222dff3d fix json output template
    5c76627542088d7ef52ca0201b6573af624f1d86 add a quick video intro (#660)
    2d62a69b9584ff2e985cd96ed255d25781fa9bde fix: add some tests, fix error string
    69b576ef24ebe02e2cb323cc811dcc6280d41adf Merge pull request #657 from aquasecurity/docs-small-fixes
    23597a0ded9379cef0666d13d6a1d7949dd9a20e Fix eventsChannels race
    1092871941cc436897cddf18e819ed3fcd857ba2 fix: broken links
    8482773c35ca473c5230ab98a7042a5d4b0c374c fix: match document headers with navigation links
    56ede7fd0bab358a50f79ff614afb412a4161103 fix: clarify local rules directory, add libbpf to dependencies
    f68cea77462294d76775320d2c4742fefa70ff1f fix: move architecture diagram and images into docs directory, update usage accordingly
    2e288fdc2ed8b2275021cb2b0f0c765b174c2751 fix: small typos and table formatting
    50a69404dc29093322baf0debbde29721e1ddfff refactor: Remove falcosidekick specific code and reuse templating (#653)
    e868978b73de4d388707499204f4a9589efdea0e feat: Add high level overview to Readme (#650)
    6acdf8c9bf7c96bcc9f07c890ee826c3aed7d2d6 feat: add constants to use for kernel configuration options
    996cbd2d6d0f56ead9607a70ecbc7279be62f917 revamp documentation
    7ce5943f4cb7a9cbf006537388690f22071fdd6f feat: add tests for proc gz config
    cf01331724cbe0b9345035f58a52dee312031ec8 fix: libbpfgo module files
    6474790eeca9d43224d30576f869a0fa024de8fd Merge pull request #638 from eyakubovich/fix-perf-buffer-stop
    5e8cd40463e42cb7b897ddbd7375493c4523b49d feat: add functions to helper package for checking the kernel config options
    ba273ac415bba4e7c6fcfd573f281b0334700964 types.Finding interface update (#646)
    e1263ed704604a1f6464ce4ca32bd921e20895b7 fix mkdocs generation (#644)
    96a39dc0dbeae23f10c9351c12f829bbe28d544f Use Go templates for stdout (#630)
    77cf435059442695b6b604630406ddc8614820e8 Fix PerfBuffer shutdown
    8b8045bffac178b9727c61ebb08ef62d57ab8b7a add mkdocs documentation (#633)
    42edaaf734a434ac55c76461f939030ce5ffe377 Group of small fixes (#643)
    97d27e024e396e94681a912fffbe22d272b25dfd Merge pull request #629 from jan0ski/main
    7bac7f5a25866ef97899ed19ca0e54a82d8656a0 feat: Add support for wildcard event suffixes
    f8df7da6a27f729610992b6bd52e89d510fcf384 Merge pull request #625 from krol3/labels-docker
    d0d267021477b710ea9e0dbc20740aab2a03e796 fix relative link to quickstart-with-docker (#635)
    1a31966e3dd1e627465ce96cd804901a8d0bfd63 Merge pull request #631 from grantseltzer/use-helpers-package-in-tracee-ebpf
    443994b57b65705a8b164c18e208783417fbabe6 Merge pull request #603 from grantseltzer/selftest-actions
    5f4ab2d52edb96b189ab9b6a434ae3fbf952eaff remove falcosidekick from container
    656da9c3592811323a9c334d39bb7bb66200d201 Remove old helper functions from tracee-ebpf and update usage to new helpers package
    25bfb2d8f8931fda3b9cc55828e881a8f50c90ad fix: update imported gomodules so libbpfgo includes the newly added helper package
    f66f7bedda266d8b16bebd59bcb4632fa4d65225 Merge pull request #493 from mtcherni95/tracee-issue-485
    8934c28e6e0031b66ee08ff8af3c1681a76fe1c7 fix: copy argument parsing functions from traee-ebpf into libbpfgo
    9753401fa14d572b037fa254756ec3b9c40c5765 fix: move and document the signature helpers (#601)
    284bb1510cdc584cc4aad8c9a347b5163e21a434 Add basic integration test framework (#606)
    2e0edb21546034ababb76321a4a63d01de3c75a8 Fix "make clean"
    749258023b9c4047f786c0193ab8f57813596e3d Adding labels Docker
    ec34648b7aff2ca49b7307e6af2862cf34f02457 feat: Print loaded rules info at runtime
    518d407b0e1e5947c89c4b746c9d2e2975a3a96f fix tracee-ebpf dockerfile for go 1.16
    b9958735cb06f69195fa5b88e2d9178ee9bac1eb Merge pull request #620 from eyakubovich/fix-ringbuf-stop
    09b2b47c0d4fe2c84c0f247f83da8a757789c3ad Fix RingBuffer shutdown
    1fd89c3f125015b534c83de54b188011fc357715 Merge pull request #616 from icarus-sparry/better_help
    2aa71c701ddaadbfdebc632595121ae8d22f2764 Better help message for missing libbpf
    cb4589f4ca5aea65fbaf1949d32ae44f7905d9ab feat: add libbpfgo selftests to github actions
    436c11d20c90c2241723aad033689a600e11b336 Merge pull request #598 from grantseltzer/improve-selftest
    559ff36124836a5c047d6745121ec4134ec3b086 improve readme with triggering a sig
    f1f3c72028bedf8474ad3486bf261792731bb820 Remove debugfs mount
    c22f59cdab9b07cfaf4d33795b79ed09bbada013 feat: Use //go:embed to bundle artifacts (#596)
    6b6a8d6ac59a9cdca158e07c69f33688f8c10aa6 Adding version string to --list output (#602)
    a6ceb2ee5db7fd7c98e3b916172e647230f4eebe feat: Add signature versioning (#597)
    64864926d3c162778fc8c85398587e61083c0d63 add tests for entrypoint
    9c6d2485013706f05ac691b14e14c95237bc571b Webhook message formatting using go templates (#582)
    8ab02546ed80b1fe7045094215d8a35c5ffa1fa2 fix: self test for ringbuffer should verify the integrity of the data sent from kernel space
    228c6d329e86dd8f62bb5fe48761e78b67dafb39 tracee-ebpf: add magic_write event
    0c581d0a120b0ac5b86e1d9e31299b660ddeb81d tracee-ebpf: move capture write filter to tail
    cc2a749db98da6b6432060aaab3cc66be0326ab6 tracee-ebpf: add bytes argument type
    9a25d021519e1ea15f2b87cd98dc50aa7ac42b36 Merge pull request #591 from grantseltzer/blocking-stop-channel-write
    5ba8472ca590e1ca2a4e56bce7ce0715c125dbf2 feat: Bump up to go1.16 (#589)
    8d3c3d5ff0e77ca75ce8227625ab875c27405ec0 Merge pull request #483 from aquasecurity/gs/ringbuf-libbpfgo
    809794bfd2d29329a69bef8a51219647e3ac5fce tracee-ebpf: remove validator workarounds
    828f39e80515eaf3ae6a59f17c76be124527fcbc tracee-ebpf: fix docker builder (#587)
    6eb7608d8228ecb36d867667c693035be8762ccd fix: rb.stopped should be set in the Stop method
    42839aa8d92de78319d18742419c69b6f6c0e503 feat: add support for ringbuffers in libbpfgo
    d2867320403c0598fc6d61d78c3564ca23e4b62f feat: Add OPA tests to Github Actions (#535)
    5dc13527f7732929edebce4f1ab6fdbcf8fb20a4 feat: Better formatted output for detected events. (#573)
    28fbc66be8c9f3efa53f617a654cafe7421e8c70 feat: Add IDs to Signature Metadata. (#567)
    05b0d915446270fe3a3e94e0270a1314ffbde956 tracee-ebpf: Fix readme for docker quickstart (#568)
    097ce27ef369d3f750533a95ac5a634dad8b2d31 Added information how to run Tracee on Docker Mac
    59312a14427f0fb87177137b1651c1226a578d99 tracee-ebpf: update minimal kernel version to 4.18

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.1
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (13.99 MB)
  • v0.5.0(Feb 18, 2021)

    Release highlights and discussion

    Tracee v0.5.0 released!

    Changelog

    2001ffec81a817ce22457728e7822ce9d5fe3fb4 fix dynamic code loading sig
    e5f25a7ce93f366778d58f78ef749ad603f281de fix release
    24ea252c323f958e8776e70367b51b4e9bc4d783 fix docker image contains glibc artifacts
    1b9c59fde755c6e0179071d53e2adbe469d332ea fix release to fetch submodules
    6c2b2e5b6143e5ebd1c4235b916f87dfde707994 fix dependency resolution in tracee-rules
    0575cb7b157d101d4ed01a95a5ca0978330f3b7c Revert "fix release as monorepo"
    ef7e96ace8592fe6eb2333008391f0bfb9b6ce8e update import paths after restructure
    f1f841daefca9bb4acf0a7ee6d1c9405c104c77a remove code injection sig from go
    b4501be6552cb982824b170e84b5109053cb68ce Fix stdio over socket (#552)
    a7c47e96da0ff4373ad818978da4dd2178d2bf15 fix release as monorepo
    a750666805849c14bc64094494d363a27e32c864 tracee-ebpf: add switch_task_ns event
    c92b5c551495a3eeffc7249acbbfa8b4f0ce72ac fix match for non af_inet sockets
    5b2a740b8d4a0487478b67853f853171b9347952 Add signatures (#528)
    3fcee47b02d9b7ed1cfb5c6565815f541e04afcd update entrypoint to use security-alerts
    6ea5773ba30e84694894b95f1d51691d2b5e2ad7 tracee-ebpf: Add commit_creds event
    4bd2e3cd1cf32411526f2869d91e38e0fc37a6c7 fix make release didn't build slim image
    c34c10f390fc611406e6f8f5f7362c7869b50198 fix: trace-ebpf: Fix typo in clang option (#526)
    f0604fba5474e8a4995bc057e785792e20dc19df Merge pull request #525 from grantseltzer/list-flag-output-fix
    b1bf684f55054dd241fc9c364d26528f76d3d6f9 fix: Move example sigs into own dir and exclude from build. (#523)
    fc534300281f1ca60498cf49b196825432054e07 add tracee container
    4255857da3a8ca9c8202b537cd4612725bedf51d fix makefile
    6d632e3c8582d5cccd799b5ac32c6cb4aa68daa2 add option to make bpf from root
    f474f44066e4f012dba8bf07d9f5c67e7cd56ebe Merge pull request #518 from grantseltzer/input-source-unit-tests
    2e827a37b8bff5cc5e5cc01b08a71b6d5c9ffabc Fix: rename signatures and add spacing to printing of them with --list flag
    a5e8040018c18a4345621d87436dfbb8affc1ef5 start of unit tests for input source setup functions
    f41c794d8ce23b180ac22be0a30dfc4c28a2880e fix webhook panic when server returns error
    b54cfda365ec79c444a18ea16d5e68cf2fa64e52 Merge pull request #500 from grantseltzer/gs/print-help-tracee-rules
    dbc56af61a0c1fccca6b42fc5c09676973484c51 Update readme, fix default logic
    8645c0a1ca0a965d06e7988454f450d717dc09ba Update tracee-rules/input.go
    86c09583560df3f0e2785602bffc19184b81e4c1 fix: Address a few typos
    4d43dc1187154939297c20efc72540229f0aecc0 rename tracee input parsing functions
    eb8f7dbacd55950df69478283376fdb703552967 rename help error
    48bd0d32299b4b07e3102a4c87a0f016bac49bf9 Remove more references to EOT, set default values for tracee input (gob from stdin)
    696053a35f9c9d4570209385facb48d722308a50 Close on EOF, not on EOT
    b2756e5dbcbe713b44fa04a68be52ec1aa025a0a remove the eof/eot option
    311e42378d8bac1df0c39803b3c44e8812a2b504 adress feedback about help being displayed
    effd1f6ca2862518b9b9537e0c53ddef7ae5128b Remove old flags
    9829d2b6719ee61b349d10cfa7a119c5c59d7cdd add minimal unit tests
    8cc046fcc0e11c45ee92cb978f985985a6aa86a6 add invalid input checks
    0e5c733cedfdd6422613643169c2a3c38a88627f Refactor flags in tracee-rules
    3590ef06f32af21d7cdc7b318712ac041a772e5d feat: Add tests for core engine functionality (#477)
    8e4e7b35902bb17ad2df1071cbf14f9a9c27257a Merge pull request #510 from aquasecurity/remove-eot-tracee-ebpf
    0e61c188eb0b2bb99d3e957f5d1e38baa0eb8796 Update contributing guidelines (aka team agreements)
    9deb2cea3c9002d5537a4537b8a488b686d4adcb Remove the notion of an EOT event signalling end of transmision
    da310b07bbc71705b1c12c2e6ccb6cb19a5cbf33 refactor: tracee-rules use types from tracee-ebpf
    775ac46c8cb5e5b708af39ef1a02a2ad4bc0d385 rename tracee execuable to tracee-ebpf
    17d840f899562a047c33b2eae9370061978a37e1 feat: add root level Makefile for release
    5ac1db482a097a14b39ae9e552242f62473c2d62 feat: mostlyclean target
    b04facc55a4ac4995f71eaf7d0bd8f619f64835d fix: improve makefile targets
    a95d52dd2b338446b5a2cf040c1dfb79b2c3d3fe fix: don't send context when building builder
    062c7b15b989da6ec27b3a9097be14f4ca701ef9 fix: docker builder file creation and cleanup
    d931f21bc3315ce2ebfb0dcbc4d297e030812514 fix: make in docker without git
    02900d92b91ca3ea77193c5333252a76a53e6740 fix: make in docker ignoring target
    d28d4cca4ad20852b5fc392ec37ab31a51fc01ed feat: convert anti_debugging sig to rego
    5905ce4fa267a0069b1b70402cf8364a3f9a640e feat: add rego tests
    febd3de75f5522938e08e155e70e8154ffe4c8e1 lint: Address a few idiomatic Go improvements (#427)
    4fdcba8ad7ad51f7bff77faed1add657ecbbf2fa Merge pull request #449 from aquasecurity/traceprint
    dd1dbb15074cd47bbcdf143d73ba3cee303e6af8 Add tracee-rules pr workflow
    a3d574896bc4c547535d6467842d8190e532cd31 Fix tracee-rules build
    c43b1c3394ec639bb0ea71ef69ef75d27fe522a0 Restructure repo as monorepo (#459)
    57797050702a3dba5c816f343122ce1c8bcbc2da fix: allow reading from stdin
    5fc24f000b3ae93abcf7c7576e478ee73995077a docs: add tracee-rules readme
    bb3d227392fa5ab9306dbaab64e01440c995792d fix sigs building
    e6b431e7147301f3de301e3c8a3f15b0d5b92d35 fix regosig numeral handling
    86c815c5ea0385247c705e4fb51757cb35997ded rego optimizations
    07aa51f8335cb5cd9dcebed4995dee14be7a2d30 add support for rego signatures
    9a8c83602df1a6e47b6dff8a7e0c75c6fd859dd2 simplify finding data
    4025eff51bb490ad52f36c8699ca46b81050940d add code injection signature
    de77008dc253e292221d1f63f4aa0560f203d5b6 add anti debugging signature and sigs tests infra
    e12b1ce274796f1c3ad07a8aae93b70404d6c8be improve signature error handling
    56fa8977f55922307c97cdcd1b4463dd965b929f tracee-rules rewrite
    8841bc018318489e03241a9c848933375ccb965d Rule engine initial commit
    1d879fc587151b76720bb6c2a033982675ae7ad5 write errors to stderr, and close file
    4d721af558196cd03dc7ecb41ac316790e6da508 feat: add TracePrint to libbpfgo
    a87426a702aa1b69d38dbe1f96b8179f38471ea5 fix: default output format
    fbdf5a6f72e60bb6ead7b8b2612c4e5358065d44 fix: written files index relative to out dir
    871c1db8bd2d3586130b1247336727f40dd8d390 Add pin, unpin and setpin for maps in libbpfgo (#437)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.0
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (13.95 MB)
  • v0.4.0(Jan 24, 2021)

    Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/441

    Changelog

    da6a281ffc9480a0412925811e34c73cd3d442ca fix release workflow for github actions
    c22b85562f800e8a9b44a85245625b01785cac5b release with github action
    60f353e4dc92f1a5d82c045a3b59b2f3f4b38b71 remove redundant go setup steps
    4f289b5131bb430dcca756c025ca9bb3b354d45e update readme
    16f16888e3b527c6e32f286c3cc01bc5fbb47249 refactor output flag
    afa9b2d73e2965f16a074580816736e6301398eb improve --capture help
    7d2ce345dfca4f1f24f2aa1a0a99a97e5ad0952f Add return value filter
    3098430da6eb26d2ea4bf05dfe99ebd868fa3f53 Make '--capture clear-dir' safer
    ee2d9bb8918bb4cbbc12692f073f58f12a4b3371 Handle capture output dir in capture flag
    534d012f692e8db09a57737b36bc69518cc2496f Decouple and remove filter-file-write flag
    062947d2e4e9cd844f94202abc7c783b8572bd27 Add prefix operator to argument filters
    b47bbc51c38387cd105adb01cff1d7cf2875195f Remove trace flag and add new filters
    199357787bb6068321f7215c9edcbb47b72dbbd7 Remove vfs_write(v) and ioctl from default set
    d38fbefedcd5f3c5561ed22466998aa31f3bce15 Added --stack-addresses flag to log stack addresses to JSON output
    487d1e44fcdaa04a1fa3c9430fdb225317cc2731 added 'DeleteKey' and 'GetValue' to 'libbpfgo'
    409f21e8053141fdac323441ede51ef5e6198e68 Move pidns trace mode to filter flag
    b486a253a3ba6c1aedb48049ed92c8a9be58c92d Use filters instead of modes in bpf code
    6b4fe815d47b7404237d939730dc0bef69c36264 Move follow trace mode to filter flag
    4b3d318ab1e48924601900e8e8c548cb2b6053b2 Add EventID postfix to new syscall events to fit convention
    3ac6a21adaddf5e0f29b0dcdfd1d19721c72759f Add support for filtering an event by its argument
    f44eb206bf8e80efeb1da68641cb61f3f00c522c Supporting new syscalls from kernel version 5.7 - Resolves #372
    7ce92f6979378923f2803ae000c86dc8ce93b3bf Fix bad param renaming
    3c622e0f00acf94e274f0fcba32e70e601c616be Fix comm and uts filters
    e36e8805b6df57ccbfd85197216febaa8fe62a9a fix libbpf import
    96ed00e0dd8db229e742d046195eca9c878b63ca Issue-398 add arguments to events
    d387056175263bbbed05b865e691d011a62c91f5 Add indexing of written files
    b4f0a0aa796b64dbfd9b071bb041d6862ede4a0b Support using filter prefix for common filters
    1edeff85251d3a55c018634ed6702a7ddff10de3 Move event flags into filter flag
    1bd03a90465240563871deea857a92be7b601366 Change trace modes and add container filter
    f1968a7d2b7a1fc78f3ce7a6ecd27cff0f73e99b refactor Event and params
    ff0cb90450cf58c4bbc3d6e446eb145864df02ac fix compat detection for older kernels
    54d324f23175dae81e98b3961b9f3eb607464ddb Add support for arm64 32bit compatibility mode
    af0ea0885dae740b9c894d2e30c7bf543d01bed1 Fix ptrace request argument print
    0536237598401df49b6effc78ec68d04773d3cc2 remove redundant var
    ad3cb5db11b9113700c83b9ea770731c9b012a77 Fix event listing
    21720aff70ffa60a50785c2be1fc68372df1c8b9 Simplify filters logic
    ea5dca15faee3c8d578dfad3a3858ed4abc1e5d4 Move pid filter to filter flag
    c3d5c4d5e1f78ed75a7dd2b46803925572d2646f signal end of transmission for gob output
    84180be0b00511033a08192ce6cdd788ff06c2b5 Support ARM64 architecture
    bfcabb20f8715d876c8b3b6807902e38c2e19016 Set TRACEE_BPF_FILE to point to file instead of dir
    68d6c712cfc55c2a44b3aa6d972c67818fa54451 Fix execve pointer errors
    8ed6772a2760534820d47be98b6fd8def7b8dbaf Fix pidns filter erroneously set to mntns
    f32c50b66e75e5465cb73d21b5b42024cf69f601 Add process follow mode
    22ffc4ed78bcbeeeb08937e3d3daeb59cf7b42e5 rename master to main
    5702252d72743122576d6814f682bf1c3b4da2f0 Merge filters and set bit size
    ef665e3a683623f5d58076092539545124cffb50 Rearrange bpf filtering code
    11b251f5e81a0aa886a68354c0413d222cbce950 Add UTS and COMM filters
    88f5d6bb6725a31bd22cd2b19efde032c4653b31 Add mnt ns and pid ns filters
    64a084afc813374e7c74d819692a8c58482c7d32 Simplify uid filtering code

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.4.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.4.0
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (3.43 MB)
  • v0.3.1(Dec 9, 2020)

    Changelog

    d4b7008478a813486d42b4bbba0723862397a2f8 Fix bpf compilation on redhat and centos with kernel 4.18
    57e2178d19c6e4e7afc58d3bf7aa13b77e51f312 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
    a92b1eff3e086950f351862d9d332e94e7ea074f Use more informative error when making bpf object fails
    800a0799d192dc8f6d955ed843ec1e424ff8eb57 Split kernel headers to source and build
    79d625e2c2a2ceb76f60e5ff2ed5b92e5d8ca854 Add security_inode_unlink event
    5564d6e235bf91bd458650cb174e8dd0724f6fd7 Print bpf cmd argument and make a default event
    919c261bb65c6a0e8b015dbb3e79ad5853ee50b9 Add host only mode
    741f1071db1fbd3de38f2bd64f92ff422ed13ca3 Use alpine image instead of ubuntu
    f302eaf0703ac93849a4972946296cc314d78b41 Fix docker build on manjaro(arch) linux

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.3.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.3.1
    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (3.40 MB)
  • v0.3.0(Nov 29, 2020)

    Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/331

    Changelog

    fff75d00078276e9fbeccc958e7afbd3c8637ed9 fix version for build in docker
    5a7a7fcab5dc01f15188816086433ec85620ccd0 fix make libbpf headers
    f1a239be10c5f759533278ce21ceb5082db3b7ac fix make clean
    e210c72f743d4b65f4690952943665c8026b4d2c fix version detection for docker build
    8d0ac305a004a1bda981ae15362b18218672c31a fix version detection for release
    dab487d56f78bfda6c4a3bfab7d11085b54f2bcf fix version detection for release
    b481f0d80f9086e09b279c738b23c34f31a99c50 update readme for release
    b837b6bb2f3cae7a52babdbea631f9bca3bf5069 fix kernel headers defaults in other distros
    aa5ec50335fc83f04ad85d5d3ebc3882ae7616a8 make bpf obj file version dependent
    e123fcab6a69d5bbe2da125b4281b734c2c3ff23 refactor release script, include slim images in notes
    87d70f913d6bfdbb02ef03c4c24a37c24132fe34 update readme
    318933ebee39fa3014e653d5c8723c59f4f40c3b update readme
    eb47b745ffad10c3b7b68abb5836c4998479fe46 test for bpf build in ci
    5b90fd50ddf3ef8fe7af384fd1625ed4110394a6 fetch libbpf source from make if needed
    52c397bd0ae6b8835f87492f33ad1f2e150a10ca fix building in docker without tools
    86392ee70437dde9a1ba443bc2579a0e9c366359 fix release process and add slim image
    ee46b6fcd5ac1561fea005f1de354476c140070b fix typo
    85c3379737ec3dd6024ca1894fe42619f1d206b6 docker builder in cwd
    151b137da5df5a56a8d68428ec330980c959e65f make docker targets real targets
    ae2fd1a664bd3551b5462162d5b7119e9d446d45 improve naming of tools and fix make bpf-docker
    4a9734ec2875367663b6f78bafb44872e603929e optimize docker building
    5faa7c1beeefdc5a2ebb8bc4f7d4497370972447 improve building in docker
    e4f502cedda2a87f98451d94c3b36e7633149f6f require llvm 9
    b4ddc9937de84590e5e5b99c9e39315e200e147b Add a --filter flag which takes arguments of the form =,,...
    99c36bef218669a2918a8f599f5e5b1c252d9d0a update_logo
    42e11de939ee1f9ca196301a9d944f1027e71787 fix clang version detection
    efa68eee877345d13f6d48442f4bcd62b348aad6 tracee use libbpgo relatively
    8d536dbe0f70528eed44062cb0574ba1d4cffea1 fix naming convention
    9f5a3055573f20720784fbd83e7d7366ab60e8b0 add libbpfgo readme
    5aaf2309338e7bbe13b658d41bc368e1a32fc6ca make libbpfgo a module
    d5be3a6942c48f7bddf8913a10036be1265a50e8 feat: add test to ci/cd workflow
    2a9d54ed435bece014e90f31c242270d531e27d7 Fix capture exec with empty string
    a78a915e4b1027b1d25f2e0676c76b13b4fe2ff5 fix test target and add test-docker
    1943eaa6a688e9f549567df27d875785d8cf13ee fix bundle path
    4bd1c7b68812ca807b53db322d941ec54e2ec89e check minimum clang version (#310)
    d8a55e7775b92b7ec50080d28424e6cf462b718f Fix and enable tests again
    9edac6b77c4bf7a42ca3aeefe3d47bcce5d7ab21 Add sched_process_exit event
    f35a8f393ea132322cb7077322e1060695f08d4b Add libbpf uapi headers - fix ubuntu16 compilation
    aefd3cd5a0ebe8817d1ec4d1a29701488aa7bf6d Fix asm_inline for kernel > 5.4
    fe77c7f30b3b14bf1fb69a5a7acf4abd3594a7c2 Print uts name in container mode
    46f1e2adac79446641b5583320b2fe64a08b9262 force clang compiler
    d0757229eee66ee6b7c3ea84bf7b47e1287068ca rewrite release process
    2cccd1d9ce6b7f5934923e6fd2df0249893801af Update readme with build comments
    71c97f07d7a340ca7f23dec160900fe8e30da65d Don't make llvm-strip a dependency
    13c4d1abd56cb3a7d813bd747e656749e091e548 fix makefile dependency
    9e06a2025d31be99ff651cd738f6d0823741f3a9 Fix lint and build errors
    935540e5fc907e91487c448686c7767790a26106 Rename bpfwrap to libbpfgo
    6cfa83d6e866b378db08141987d0707397a18591 fix docker builds for libbpf
    cc7f1eae7d9cacd4d4c3f05f4efc5267fe843290 Organize probe attach code
    ffe7b63f49e2c801aac8fca5b6b0b2252908bc53 Disable bpf program autoload if not required
    3e7199e9ccc33febaa9174d06c31ce4415a1287c Reorganize initBPF function
    6a379a2bb0ee3733da1a8cae2149dabaad8b4ad2 add build-policy flag
    8fb3fa541cfc452ef8db57e1c272476fd7ae4286 use different dirs for output and install by default
    b06c4811d05790df03efbee5bb1778eec08143a2 use tmp as default install path
    fbf395a9041e50780d7e6654cc4d70d5cb18c488 drop capabilities during compilation
    3b80e0f189507f864bc51b5849561d91fbe1df0b bundle bpf source for compilation at runtime
    6ea6fbf40b44dab5a3b624057aa5e3bf1a8a9ddc compile bpf obj on startup
    765d4fac5687f71173ab01b67b8ddc641de2acb8 fix bpf src injection
    8c4a1bbdd472893fc4c75dbc74a0044015b59acf refactor bpf obj searching
    a074b378854b5554959d7c55472992a0e42f57ee Update libbpf submodule
    5109ae1f609f51a3a2e59f8056346fde8b32ef56 improve and organize build (#280)
    1208adbc532a232a04db6c85988fecba894f6078 add new module creation from buffer to bpfwrap
    b17be813d024b932ee4b5dde75121d6e035fb613 Remove BCC from readme
    a2e43591282054955602849b6fc5ca8cf77b6eee Move from gobpf to bpfwrap (libbpf)
    172655fa3412a7cec2c0af9d1d82f997844335e9 Add bpfwrap - a thin libbpf wrapper
    73d4b7325c8ac42a0efc28f438332f2dcf487d2b Add libbpf submoudle
    2cac3ee1ea16f8aba241ad87e2785ab5c4a5b1e1 Fix tests
    49dee1eafb648899e5afb2157fb08c3682caccba Fix lint errors
    f1f43f80ff84ad9fe647e17955733f837b19440b fix ci trigger
    d64607a179873862f1193ac8a7be1d21cf525cb5 Fix bad string size type
    7a755e3f12acca3f075d2dbea1af34d86e6519ea update go version to 1.15
    d0fe845c21b7d6613216ae1f4ea37d88b54bb155 updated to golang 1.15
    4964f5c75c7a2e42362067082822c5b4698fac01 Output formatting via gotemplate (#256)
    a3e991f10b771ac98889792c9ed58e853a2debbe feat: Add CI/CD Workflow (#259)
    5d49921f900fff50ad0e4bb32204d7fd3b2ddbf7 fix memfd files not shown in vfs_write
    bc84eae22d5909c0e95fd4c2d80e76ddde5bebd8 fix sockaddr_in parsing
    0bb0dbe09d5281a2e0c32fdb4029e2f95f08e01a fix error printing line break
    582a3806a41e7a3376573c4d9dbac6cf7c24b972 Created a new --trace flag to replace and enhance the --pid and --container flags
    4f50e28e97a2dcfd7c714877f9f9871bb4d9fe2d Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
    120204f26529bb484c0247a18debcc6ab7ecbc87 Created a new --trace flag to replace and enhance the --pid and --container flags
    aec1ef6ea44bb70008347d6cc1a928990cae399f Fix send bin chunk size
    d58cd29cba127702f05ddd5e39d7f00eb67e6a0c Fix broken kernel 4.14 support
    e753945963f6f811574280d05656a8b76e55df9d Made the typo change as requested
    91fcd92d56f93c27f40d7c81edc15c9a6a4edfa3 Typo Corrected in README.md to sound more meaningfull
    42cd0b70d39ae8bc0b41cb452fe6702f8d07b005 change readiness file format
    751f38ddedea869c3cd4c6d8944484060ad9ccac Various Grammatical and Spelling Changes (#246)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.3.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.3.0
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(3.40 MB)
  • v0.2.1(Oct 11, 2020)

    Changelog

    8ce4688 Small typo fixes (#245)
    e97ca4a add contribution guidelines (#242)
    bd05ede chore(docs): Added badges in README.md file (#236)
    a756211 Read kernel pointers with bpf_probe_read
    214346a improve code portability and be generic
    f4ad395 Don't monitor events generated by tracee
    84c3a7a fix_32bit_before_4.17

    Docker images

    • docker pull docker.io/aquasec/tracee:0.2.1
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.74 MB)
  • v0.2.0(Sep 16, 2020)

  • v0.1.0(Sep 10, 2020)

    Changelog

    b497d9d fix capture exec when sharing pidns (#208)
    b5fb620 Use generic return for execve syscalls
    31887af Simplify raw_syscalls logic and remove security_alerts workaround
    bc2ee10 clear output dir (#222)
    c40f64a Fix fork of traced processes not traced when clone event not chosen
    d20395c signal readiness using a file in output dir (#218)
    1fbce2e Fix decoding errors when save_args fails
    389e596 Handle raw tracepoints fallback
    aefee76 Enable support for all syscalls
    915a1cc Handle events parameters types and names using parameters map
    1adf1e4 Add events parameters map
    29f5ee9 Add 32bit syscalls support
    0e4adff Reduce syscalls handlers instructions size
    8b17cf9 Use tracepoints instead of kprobes for syscalls
    60b2e09 check null terminated string size
    932a706 Add system calls sets
    ddccf41 Update args macro to be more compact
    425193e Use bigger buffer size
    bdaa084 Update intro video in readme
    c962d21 Add more syscalls
    c2b7e4f Add events by sets
    57fd98b Pretty print event list
    0cebf01 Print raw syscalls only when event was not requested
    da1e24b Update readme to reflect verbose output

    Docker images

    • docker pull docker.io/aquasec/tracee:0.1.0
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.74 MB)
  • v0.0.3(Aug 5, 2020)

    Changelog

    6df40c6 Fix double printing of first arg
    4795a63 Fix print indentation
    077916a Update readme file to include host pid when running from docker
    adab925 fix context parsing
    040463a improve table output
    9c9e4b7 update readme example
    3fdcbbb comma separate args in table
    9983e23 restore tid to table
    dba88af widen pid column
    100834d improve table output
    7d9c8d1 Fix capture exec for containers
    425ecb7 Save host and container pids in host mode
    1f5dd76 add host pids to context
    b93fff5 Add clone flags
    54b1b34 Save writes to /dev/null by pid
    b100a20 improve output of args
    3137927 Don't print raw_syscall if event exists
    2d4ba36 Remove essentialEvents map and simplify code
    7805c5e Change event print location in table output
    46d9ccc Handle events in a pipeline
    4245623 Remove global EventNameToID map
    701547d Code refactoring
    f29810f Optimize string array buffer layout
    6a80860 Optimize string array buffer layout
    a591013 Support tracing by pid
    35105ce Decouple event data extraction from event parsing
    0f5236d Use event id constants for performance
    50a7e17 Add argument names
    378263e Fix error counter always 0
    568afc5 Fix broken raw syscalls feature
    7c257ce Beautify table print
    888c0e7 Fix getsockname error on null string
    dce995d fix capture exec for non-filesystem files

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.3
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.70 MB)
  • v0.0.2(Jul 23, 2020)

    Changelog

    a87a69e remove python version
    398138d fix mem alert when not capturing
    ebb5563 Add exclude event flag
    6c63231 Remove PrintSyscall func
    0dbb1ef Fix chmod invalid file
    f1a66bd Append file write if written file type is char, socket or fifo
    de74185 change socket address output format
    726059c Remove unix socket leading zero in json output
    267dae5 Fix unix socket name when there are leading zeros
    7c4b242 fix json tags spelling
    32051f8 Update readme to include capture flag
    e2b935b Update readme to include file and binary capture
    dbacd6e Change consts to use go naming conventions
    4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
    951fbb2 Support multiple probes for one event
    7818daa Use alert struct and save alert payload using timestamp
    ef4c92e validate capture options
    8e79924 don't capture same exec twice
    58ead5d Add mmap and mprotect security alerts and data extraction
    4074a94 Add chosen events map
    bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
    87a4a78 fix test for ptrace printing
    a523eae fix file capture when dependent event is missing
    b10961f Fix write error when buffer and chunk are equal in size
    9602d12 allow granular selection of capture-files
    6c3fc99 fix ptrace flags print
    8114f9c Remove EventsIDToName map
    6a6f918 auto build essentialEvens map
    165a971 print all raw_syscall names
    3e72e64 Add event configuration map
    309aab7 fix lost event counter
    2cb8a20 print errors to a dedicated file
    b27aca3 fix raw_syscall printing if syscall is not known to tracee
    ffa8183 capture executed files
    395e9da add hook to process events and use it to show raw_syscall name
    17c619d refactor stats collection and printing
    2abdacb fix map update issue with old kernels
    5fb424a Change save_args key to be unique
    e2b0a8a decouple internal and external types
    90988aa Add tail call event handler
    db158f1 Use generic method to send binary data
    da567dd add output gob output format
    c3af6f3 Support file-write filters up to 64 chars
    bad16bc Add Tracee logo
    498265d cleanup file event handling code
    17a08ad decouple should_trace and init_context
    280ad5d Handle buffers more efficiently
    e8eca12 parameterize stdout in tracee package
    c9b0e91 simplify tracee config
    9f17b17 remove args brackets
    758145d don't show raw_syscalls by default
    0bcf7a8 change printed time resolution from seconds to microseconds
    ff413c4 Check for privileges
    2a74671 read file buffer with struct
    e84324c move should_trace to a function
    45516c7 remove get_config wrapper functions
    c8982e4 Change vfs_write flags
    c448b3e Port vfs_write to go
    05cfc5a Add configuration flags for vfs_write
    89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
    7ca4b05 Support vfs_write filters
    184610d Change output path to include mnt ns id
    55917d5 Use tail calls to send vfs writes
    c77a643 Support multiple chunks in file send
    a41baa1 Add vfs_write event and file writes extraction
    5d28b9d remove redundant casting
    61d273f Use full submission buffer size
    d278132 Remove type argument from save_str_to_buf
    39bb47e Save path using helper function
    75cb776 Remove R_PATH type and handle as regular string
    d20cf0d fix make build dependencies
    799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
    2d5d1cc refactor events map
    55b6cc6 update gobpf to include memory leak fix
    68b2ce8 add youtube demo to readme

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.2
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.68 MB)
  • v0.0.1(May 18, 2020)

    Changelog

    5dc755f work around gobpf memory leak
    2187ecb add makefile target to build docker image
    a207a16 add make target to build using docker
    5179077 fix dockerfile
    e42865f update readme with release
    5294f4c save_context
    0fcfd26 add release procedure using goreleaser (#75)
    e21954c fix events flag in python
    2efa61d fix dockerfile
    1a6a69c rename events-to-trace flag to event (#73)
    2684f1c update readme (#72)
    5687bce build distributable binary (#71)
    c06e936 update readme (#70)
    6697bea update dockerfile to go
    613717d handle lost events and support configurable buffer size
    2d6e437 fix list command to show recent additions
    dd0cedc add chown chmod and pkey_mprotect syscalls
    541ae53 fix missing threads in system mode
    35202dc fix makefile
    9eb9f29 fix json arguments formatting to match python version
    d770f33 fix comment
    e366065 superficial tests for readArgFromBuff function
    b9bd744 fix socket type print
    67a3ac1 fix POINTER_T parsing and printing
    c0b87ea fix open flags printing
    6bc4686 support security_file_open lsm hook
    dff978e show stats in table epilogue
    b6ea608 update readme about go
    189a6e7 add bprm_check event (#54)
    4b9bad2 print prctl ptrace options in go
    1ae06bc print sockaddr common families in go (#52)
    6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
    fd8a89b implement show-exec-env in go
    7278173 fix event validation
    56bd72e Rewrite Python code in Go (#47)
    08d5a9a Add prctl option and ptrace request enums
    aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
    05372ab Handle failed read to buffer
    8fddef9 Add optional exec-env flag to show env in execve
    431eaae performance: get buffer once
    58f76e7 fix missing flags
    61f172f avoid fork handler code duplication
    4fa4d54 Show syscall name in internal kprobes
    85afe0b save container mode
    04a921c update readme
    58b19d9 events: add setXid syscalls
    9369869 fix failed tests
    6db7ef7 readme: update optional arguments
    6d1effc Add config map and verify configuration
    649b19f catch keyboard interrupt
    4defbd5 Remove container prefix from files
    3aa5c75 mount debugfs before starting
    6121f73 add dockerfile
    39c28ae Generic event handling in userspace
    8afaa4a performance: improve performance and reduce lost events
    ff9aa14 set submission array size according real cpu number
    631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
    bdd847a Readme: update execve known issue status
    5b6bffc Merge pull request #23 from yanivagman/add_event_list
    7b2ce5b Add event list and update readme
    e0f5549 workaround PT_REGS_PARM macros bug in new kernels
    0762844 Support new kernels
    8d2a31c events: add mount, umount, unlink, unlinkat syscalls
    0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
    4ffb880 readme: add omitted title
    fbdd2e7 Add system tracing mode
    2e296cf fix: stat syscalls are ignored
    79c4159 Correct name in NOTICE file
    f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
    c80ee7a Add container id by using UTS namespace node name
    69f490d Merge pull request #8 from aquasecurity/event-filter
    31f1a58 fix: kprobe for do_exit is essential
    49132fc feat: filter events to trace
    c691511 Start tracee without -v for stdout output
    a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
    ea9b0ec tracee_test: Add test cases for open_flags_to_str
    d7bcba9 tracee_test: Add test cases for open_flags_to_str
    efc2f14 tracee_test: Add tests for execveat_flags_to_str
    d0f474f tracee: Apply more pep-8 fixes
    95aff98 tracee: cleanup imports
    630a71c .git: update gitignore
    a8c2f1d tracee: Move helper methods out of EventMonitor class
    ad6401f tracee: init tests and a new makefile
    03f18e7 Merge pull request #4 from aquasecurity/readme
    5fd4547 update readme file
    e1050f8 Update readme files
    9f22b49 remove execve redundant structs
    2e33567 Change kernel-userspace communication buffer
    9871c7a add creat syscall and fix open incorrect flags bug
    220d5ed expand syscall enum for all syscalls
    af9abf3 add getdents(64) syscalls
    50c939e add symlink(at) syscalls
    2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
    279aabf support python 2 json
    ba4f4ac Add authors info
    1fe3310 Add kernel version & usage to README
    90440ef Create NOTICE
    aa5bb68 Create LICENSE
    3cf9917 Container tracing using eBPF
    b30fc5c Initial commit

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.1
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.50 MB)
Owner
Aqua Security
Full lifecycle security for containers and cloud-native applications