Tracee: Linux Runtime Security and Forensics using eBPF

Overview


Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes the collected events to detect suspicious behavioral patterns.

Tracee is delivered as a Docker image that, once run, will start to monitor the OS and detect suspicious behavior based on a pre-defined set of behavioral patterns.

Tracee is composed of the following sub-projects:

Getting started

Prerequisites

  • Linux kernel version >= 4.18
  • Relevant kernel headers available under their conventional location (see Linux Headers section for info)
  • libc, and the libraries: libelf and zlib
  • clang >= 9

Exceptions:

  • Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are required only for the one-time compilation, and not at runtime. See Setup Options for more info.
  • When using Tracee's Docker image, all of the aforementioned requirements are built into the image. The only remaining requirement is the kernel headers or a pre-built eBPF program. See Setup Options for more info.

Quickstart with Docker

docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for info.

This will run Tracee with no arguments, which defaults to loading all available rules and reporting detections as raw messages on the container's standard output. These can be further customized as detailed below.

Rules

To view the list of available rules, run the container with the --list flag.

We are working on building up a library of behavioral signature detections. The following are available today:

Name                               | Description                                                   | Tags
Standard Input/Output Over Socket  | Redirection of a process's standard input/output to a socket  | linux, container
Anti-Debugging                     | Process uses an anti-debugging technique to block a debugger  | linux, container
Code Injection                     | Possible code injection into another process                  | linux, container
Dynamic Code Loading               | Writing to an executable allocated memory region              | linux, container
Fileless Execution                 | Executing a process from memory, without a file on disk       | linux, container
Kernel Module Loading              | Attempt to load a kernel module                               | linux, container
LD_PRELOAD                         | Usage of LD_PRELOAD to hook a process                         | linux, container

Integrations

Tracee leverages falco-sidekick for sending its detection events to other systems that are easier to consume. You can use any of falco-sidekick's supported "outputs", which include Slack, Mattermost, Teams, Datadog, Prometheus, StatsD, Email, Elasticsearch, Loki, PagerDuty, OpsGenie, and many more. The full list is available here.

To configure Tracee to integrate with another system, compose a falco-sidekick configuration file, and provide it to Tracee using the TRACEE_WEBHOOK_CONFIG environment variable. By default, Tracee will try to find this file at /tmp/tracee/integrations-config.yaml, so if you have followed the quickstart and started the container with /tmp/tracee mounted in, you can simply drop that file there.

A complete reference of falco-sidekick's configuration format is available here.

Setup options

Tracee leverages Linux's eBPF technology, which is sensitive to the kernel version, and therefore the eBPF program needs to be compiled specifically for your hosts.

The easiest way to get started is to let Tracee build the eBPF program for you automatically when it starts, as demonstrated by the Quickstart.
Alternatively, you can pre-compile the eBPF program and provide it to Tracee. This has two benefits: clang and the kernel headers are no longer needed at runtime, and Tracee no longer has to invoke an external compiler at runtime.

You can build the eBPF program in the following ways:

  1. Clone the repo and make bpf.
  2. make bpf DOCKER=1 to build in a Docker container which includes all development tooling.

Running this will produce a file called tracee.bpf.$kernelversion.$traceeversion.o under the dist directory.
Once you have the eBPF program artifact, you can provide it to Tracee in any of the following locations:

  1. Path specified in TRACEE_BPF_FILE environment variable
  2. /tmp/tracee

In this case, the full Docker image can be replaced by the lighter-weight aquasec/tracee:slim image. This image cannot build the eBPF program on its own, and is meant to be used when you have already compiled the eBPF program beforehand.

Running in container

Tracee uses a filesystem directory, by default /tmp/tracee, as a workspace and as the default search location for file-based user input. When running in a container, it's useful to mount this directory in, so that the artifacts are accessible after the container exits. For example, you can add -v /tmp/tracee:/tmp/tracee to the docker run command.

If running in a container, regardless of whether it's the full or the slim image, it's advisable to reuse the eBPF program across runs by mounting it from the host into the container. This way, if the container builds the eBPF program it will be persisted on the host, and if the eBPF program already exists on the host, the container will automatically discover it. If you've already mounted the /tmp/tracee directory from the host (as suggested by the quickstart), you're good to go, since Tracee by default will use this location for the eBPF program. You can also mount the eBPF program file individually if it's stored elsewhere (e.g. in a shared volume), for example: -v /path/to/tracee.bpf.1_2_3.4_5_6.o:/some/path/tracee.bpf.1_2_3.4_5_6.o -e TRACEE_BPF_FILE=/some/path.

If you are building the eBPF program in a container, you'll need to make the kernel headers available in the container. The quickstart example uses broad mounts that work in a variety of cases, for demonstration purposes. If you want, you can narrow those mounts down to the specific directory that contains the headers on your setup, for example: -v /path/to/headers:/myheaders -e KERN_HEADERS=/myheaders. As mentioned before, a better practice for production is to pre-compile the eBPF program, in which case the kernel headers are not needed at runtime.

Permissions

If Tracee is not actually tracing, it doesn't need privileges. For example, just building the eBPF program, or listing the available options, can be done as a regular user.
For actually tracing, Tracee needs to run with sufficient capabilities:

  • CAP_SYS_RESOURCE (to raise the locked-memory limit, RLIMIT_MEMLOCK, that eBPF maps are charged against)
  • CAP_BPF and CAP_PERFMON, which are available on recent kernels (>= 5.8), or CAP_SYS_ADMIN on older kernels (to load and attach the eBPF programs). CAP_SYS_ADMIN is close to full root, so prefer the two finer-grained capabilities wherever the kernel offers them.

Alternatively, running as root, or with Docker's --privileged flag, is an easy way to start.
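The following Go program, added here as an example and not part of Tracee, applies the rule above: it derives the capability set Tracee needs from the running kernel release and checks the process's effective capability mask (the CapEff line of /proc/self/status) against it. The capability bit numbers are those of include/uapi/linux/capability.h; the 5.8 boundary between CAP_BPF/CAP_PERFMON and CAP_SYS_ADMIN follows the list above. The masks in the test (full root, Docker's default set) are assumed sample values.

```go
// Added example (not Tracee's code): which capabilities a tracing run needs on a
// given kernel, and whether a CapEff mask from /proc/<pid>/status carries them.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from include/uapi/linux/capability.h.
const (
	capSysAdmin    = 21
	capSysResource = 24
	capPerfmon     = 38 // split out of CAP_SYS_ADMIN in Linux 5.8
	capBPF         = 39 // split out of CAP_SYS_ADMIN in Linux 5.8
)

var capNames = map[int]string{
	capSysAdmin:    "CAP_SYS_ADMIN",
	capSysResource: "CAP_SYS_RESOURCE",
	capPerfmon:     "CAP_PERFMON",
	capBPF:         "CAP_BPF",
}

// kernelAtLeast reports whether a `uname -r` string such as "5.4.0-80-generic"
// is at least major.minor. The patch level and any distro suffix are ignored.
func kernelAtLeast(release string, major, minor int) bool {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return false
	}
	maj, err1 := strconv.Atoi(parts[0])
	mnr, err2 := strconv.Atoi(strings.SplitN(parts[1], "-", 2)[0])
	if err1 != nil || err2 != nil {
		return false
	}
	return maj > major || (maj == major && mnr >= minor)
}

// requiredCaps lists the capabilities Tracee needs to load and attach its eBPF
// programs on the given kernel: the fine-grained pair on >= 5.8, CAP_SYS_ADMIN
// before that, plus CAP_SYS_RESOURCE for the locked-memory limit in both cases.
func requiredCaps(release string) []int {
	if kernelAtLeast(release, 5, 8) {
		return []int{capSysResource, capBPF, capPerfmon}
	}
	return []int{capSysResource, capSysAdmin}
}

// missingCaps decodes a CapEff hex mask and returns the names of the required
// capabilities that are absent from it (an empty slice means all are present).
func missingCaps(capEffHex, release string) ([]string, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(capEffHex), 16, 64)
	if err != nil {
		return nil, fmt.Errorf("bad capability mask %q: %w", capEffHex, err)
	}
	missing := []string{}
	for _, bit := range requiredCaps(release) {
		if mask&(1<<uint(bit)) == 0 {
			missing = append(missing, capNames[bit])
		}
	}
	return missing, nil
}

// effectiveCaps reads the CapEff line of /proc/self/status (Linux only).
func effectiveCaps() (string, error) {
	f, err := os.Open("/proc/self/status")
	if err != nil {
		return "", err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(sc.Text(), "CapEff:")), nil
		}
	}
	return "", fmt.Errorf("CapEff line not found in /proc/self/status")
}

func main() {
	rel, err := os.ReadFile("/proc/sys/kernel/osrelease")
	if err != nil {
		fmt.Println("cannot read kernel release (not Linux?):", err)
		return
	}
	release := strings.TrimSpace(string(rel))
	eff, err := effectiveCaps()
	if err != nil {
		fmt.Println(err)
		return
	}
	missing, err := missingCaps(eff, release)
	if err != nil {
		fmt.Println(err)
		return
	}
	if len(missing) == 0 {
		fmt.Printf("kernel %s, CapEff %s: all capabilities needed for tracing are present\n", release, eff)
		return
	}
	fmt.Printf("kernel %s, CapEff %s: missing %s\n", release, eff, strings.Join(missing, ", "))
}
```

Run it inside the container you intend to use for Tracee (for example with docker run --cap-add instead of --privileged) to see which of the listed capabilities the runtime actually granted before Tracee fails to load its programs.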

Linux Headers

In order to compile the eBPF program, Tracee needs some of the Linux kernel headers. Depending on your Linux distribution, there may be different ways to obtain them.

  • On Ubuntu/Debian/Arch/Manjaro install the linux-headers package.
  • On CentOS/Fedora install the kernel-headers and kernel-devel packages.

Normally the files will be installed in /lib/modules/${kernel_version}/build which is where Tracee expects them. If you have the headers elsewhere, you can set the KERN_HEADERS environment variable with the correct location.

Note that the kernel headers must match the exact version of the kernel you are running. To check the current kernel version, run uname -r. To install the headers for a specific kernel version, append the version to the package name, e.g. linux-headers-$(uname -r).

Note that the kernel header tree usually contains symbolic links to files in other directories (for example under /usr/src). Therefore, when passing the kernel headers to the Tracee Docker container, make sure all the necessary directories are mounted. This is why the quickstart example mounts /usr/src in addition to /lib/modules.

Issues
  • Additional tracing modes

    Additional tracing modes

    We currently support three modes of operation. It may be useful to add three more. As we don't want to have a flag for each of these modes, we had better change the UX to use "--trace-target" as suggested below by @itaysk

    trace target | trace mode | status (issue)
    --- | --- | ---
    process | all | TODO
    process | new | implemented, migrate UX
    process | specific | implemented, migrate UX
    container | all | TODO
    container | new | implemented, migrate UX
    container | specific | TODO

    https://github.com/aquasecurity/tracee/issues/255

    opened by yanivagman 35
  • Feature/sort events by timestamp

    Feature/sort events by timestamp

    Created a method to reorder events and passing them forward sorted by chronological order. For more information about the issue, see #1113 .

    Algorithm

    Events from the kernel are received one-by-one from the data channel. We can rely on the fact that for each CPU, all the events received from it should be ordered by timestamps (except for syscalls which are not ordered because of the way we create the event in 2 steps). So by adding to each event the source CPU, we can put it in its own CPU queue of events and get all the events to be almost ordered.

    To avoid the syscalls sorting problem, we can find the appropriate place to put the event in the queue starting from its end, and with a maximum of 3 iterations we should find the matching place chronologically.

    After we put all the events in queues according to the source CPU, we can extract each time the oldest first-in-queue event from all CPUs and send it forward.

    To be able to promise that all events prior to the oldest first-in-queue event have arrived in the other CPUs' queues, we can use the fact that the CPUs' queues are ordered and be sure that if all queues sent events after a given timestamp, all events prior to that timestamp have arrived. So, we can check for each CPU what is the most recent event it sent (for CPUs that sent new events). From those, we can check which one has the most ancient timestamp. Then, we can be sure that all events with older timestamps than that timestamp were received - and send them.

    However, because of the other sorting problem cases (the syscalls case and the vCPU case) we cannot send them right away, we need a time buffer. This part is a bit complicated - the vCPU case makes us wait at least 100ms to be sure that a vCPU didn't send a new event right after the previous (the other case is that it has no events to send). The syscalls case makes us wait about 3ms to be sure that there are no new events older than the last event received in the CPU. Because the vCPU delayed event can be a syscall event (with an older timestamp than the newest event in the CPU's queue), this makes things even more complicated. The solution to the 2 sorting problem cases is to wait at least 100ms until we send the events up to the decided timestamp. This way we can be sure that there won't be any new events received with an older timestamp than the chosen one.

    To summarize the algorithm - we have a CPU queue for each CPU. We insert new events to the matching CPU's queue, and follow which CPU was updated with new event. Each interval, we check from the most recent events from each CPU which has the oldest timestamp. After a delay of at least 100ms, we send all events from queues up to that timestamp in an ordered way. This way, we can be sure that all sent events are sorted.

    Concepts Used

    Queues

    I implemented a queue structure myself for this PR, because I need an access to the internal queue to be able to insert new events not at the tail of the queue (in the case of syscalls events that are received in unsorted way).

    Pools

    To reduce the amount of allocating and freeing, I introduced a Pool struct in this PR. The struct is used to alloc and free the event nodes which are used in the CPU queues. The pool saves the freed nodes, and when an alloc is required it returns a saved free node if there is one, or allocs a new one. To avoid pooling a large amount of nodes, the max pooled amount is the number of allocated nodes. If the number exceeds it, the Pool will free half of the amount pooled in it.

    opened by AlonZivony 30
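As an added illustration, not the PR's code, here is the per-CPU queue merge described above written out in Go: events are appended to the queue of the CPU they came from, a late syscall event is slotted back from the tail, the watermark is the oldest of the per-CPU "latest timestamp" values, and an event is released only once it is at or below the watermark and at least `delay` old. Timestamps are plain integers here; the PR's 100ms and 3ms figures, its bound of 3 backward steps, and its node pool are deliberately not reproduced.

```go
// Added example (not the PR's code): merge per-CPU event streams that are each
// almost sorted into one chronologically ordered stream, releasing events only
// once no older event can still be in flight.
package main

// Event is the minimum a sorter needs: where it came from and when it happened.
type Event struct {
	CPU       int
	Timestamp uint64 // monotonic, arbitrary units (nanoseconds in Tracee)
	Name      string
}

// cpuQueue holds one CPU's events sorted by Timestamp, plus the timestamp of
// the newest event that CPU has delivered so far.
type cpuQueue struct {
	cpu    int
	events []Event
	latest uint64
}

// Sorter: a queue per source CPU, a watermark taken from the slowest CPU, and
// a release delay for stragglers (late syscall events, idle vCPUs).
type Sorter struct {
	queues map[int]*cpuQueue
	delay  uint64 // an event must be this much older than "now" to be released
}

func NewSorter(delay uint64) *Sorter {
	return &Sorter{queues: map[int]*cpuQueue{}, delay: delay}
}

// Add files ev under its CPU. A CPU's events arrive in order except syscall
// events, which may be stamped slightly older than the event before them, so
// the insertion point is searched backwards from the tail.
func (s *Sorter) Add(ev Event) {
	q := s.queues[ev.CPU]
	if q == nil {
		q = &cpuQueue{cpu: ev.CPU}
		s.queues[ev.CPU] = q
	}
	i := len(q.events)
	for i > 0 && q.events[i-1].Timestamp > ev.Timestamp {
		i--
	}
	q.events = append(q.events, Event{})
	copy(q.events[i+1:], q.events[i:])
	q.events[i] = ev
	if ev.Timestamp > q.latest {
		q.latest = ev.Timestamp
	}
}

// watermark is the oldest "latest" timestamp over all CPUs seen so far: each
// CPU's stream is ordered, so nothing older than this can still be in flight.
func (s *Sorter) watermark() (uint64, bool) {
	var wm uint64
	found := false
	for _, q := range s.queues {
		if !found || q.latest < wm {
			wm, found = q.latest, true
		}
	}
	return wm, found
}

// Flush releases, oldest first, every queued event that is at or below the
// watermark and at least delay older than now; ties break on CPU number.
func (s *Sorter) Flush(now uint64) []Event {
	limit, ok := s.watermark()
	if !ok || now < s.delay {
		return nil
	}
	if cut := now - s.delay; cut < limit {
		limit = cut
	}
	var out []Event
	for {
		var best *cpuQueue
		for _, q := range s.queues {
			if len(q.events) == 0 || q.events[0].Timestamp > limit {
				continue
			}
			h := q.events[0].Timestamp
			if best == nil || h < best.events[0].Timestamp ||
				(h == best.events[0].Timestamp && q.cpu < best.cpu) {
				best = q
			}
		}
		if best == nil {
			return out
		}
		out = append(out, best.events[0])
		best.events = best.events[1:]
	}
}
```

With two CPUs where CPU 0 sends events stamped 10 and 30 and then a syscall event stamped 25, and CPU 1 sends 20 and 40, a Flush well after the delay returns 10, 20, 25, 30 and holds back 40, because the slowest CPU (CPU 0) has only vouched for everything up to 30.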
  • failed to attach to raw tracepoint 'sys_enter': invalid argument in kernel 5.4

    failed to attach to raw tracepoint 'sys_enter': invalid argument in kernel 5.4

    When developing external BTF feature I faced:

    image

    when trying to run tracee in a 5.4.0-80-generic kernel with the BTF file provided by btfhub. This issue is for me to investigate further in the near future. The same does not happen in a 5.8 kernel running on the host of the same docker container:

    image

    bug tracee-ebpf 
    opened by rafaeldtinoco 28
  • fea: added the pinned map for ns

    fea: added the pinned map for ns

    This PR aims at adapting tracee to work with pinned maps with mount namespace ids. The implementation is done as a separate trace mode in order to not mess with other functions of tracee.

    Usage example: tracee --trace pinned_map --mntns_pin=/path/to/pinned/map

    There is a point I would like to raise about this request beyond the tracee mode extension itself. I have tested the application mainly with gadget-tracer from kinvolk, because including tracee as an additional gadget is a primary purpose of my work. I have issues with legacy probes, since several gadgets might work in parallel and use the same probes, which leads to conflicts and errors. My problem was solved by using perf-based probes, which libbpf.go already provides. I understand that legacy probes are used for compatibility reasons. We can try to create a fall-back to older probes if an error is raised, or use older probes by default and fall back to perf-probes in case of an error, if it is still necessary to keep using legacy probes in newer versions of tracee. Of course, any other suggestions about how to improve this request are very much welcome. Thank you. @kinvolk @alban @mauriciovasquezbernal

    opened by ogozman 28
  • ID for rules

    ID for rules

    Currently rules are identified by their name. If a user wants to select which rules to load, they need to give the full name on the command line, which is not ideal. We should add an ID field to signatures' metadata and use that in the --rules option.

    tracee-rules 
    opened by itaysk 26
  • refactor tracee-ebpf (Go)

    refactor tracee-ebpf (Go)

    today, most of tracee-ebpf is two huge packages: main and tracee. split tracee-ebpf's Go code into multiple packages. each package is self-contained and testable. think hard about the names and APIs of those packages.

    Some ideas:

    1. create new package tracing instead of the current tracee which will contain the core tracee-ebpf engine
    2. rename the struct tracee to tracer

    main package:

    1. flags handling - stay in package main for now. but extract from main.go - #1248
    2. ebpf compilations - remove #1239
    3. check capabilities utility function - create package capabilities -
    4. printer.go - create new package eventprinter. Factory function moves to main.go - #1266

    tracee package:

    1. tracee package needs to eventually go away, broken down into other packages
    2. external package needs to eventually go away, the structs will be moved to respective packages
    3. buckets cache - create new package bucketscache - #1249
    4. stats - create new package stats. external.Stats will move to this package - #1250
    5. configurations - create package config that includes filter, captureConfig ,outputConfig and related functions. (also create an interface for config and implement validators) - #1264
    6. argprinters.go - move to eventprinter package (see above). remove dependency on tracee (can be a static function). replace parse misnomer with print (as the file name suggests). - #1265
    7. containers - create new package containers. The code is already independent of tracee -
    8. create package events - #1268
      1. events_decoder.go - create new package events. rename to events_decoding.go
      2. events_processor.go - create new package events. rename to event_processing.go. CopyFileByPath function should move to some utils package or be duplicated.
      3. events.go - create new package events. processEvents should be as minimal as possible; there is some code here that should be in processEvent.
    9. filters.go - create new package tracingfilters (consider the usage of pointers vs values in Filter) - #1269

    TBD - tracee.go and consts.go

    related: #934, #789, #1131, #1098

    tracee-ebpf 
    opened by itaysk 21
  • [BUG] intermittent errors after PR 1202 (drop privileges)

    [BUG] intermittent errors after PR 1202 (drop privileges)

    Prerequisites

    • [ ] This affects latest released version.
    • [x] This affects current development tree (origin/HEAD).
    • [x] There isn't an issue describing the bug.

    Select one OR another:

    • [ ] I'm going to create a PR to solve this (assign to yourself).
    • [x] Someone else should solve this.

    Bug description

    I'm executing tests in multiple environments through the DAILY TESTS and I have observed that we're currently getting intermittent failures after merging commits 6b0cad48 and bf0600a0. I know tests are intermittently failing because after an initial run I got the following tests failing:

    CO-RE (TRC-3, focalhwe-5.13) CO-RE (TRC-4, focalhwe-5.13) CO-RE (TRC-9, focalhwe-5.13) CO-RE (TRC-14, focalhwe-5.13)

    CO-RE (TRC-4, jammy-5.15) CO-RE (TRC-11, jammy-5.15)

    Beside the known failure of GKE kernel for TRC-9.

    After running tests again, most of them passed but:

    CO-RE (TRC-4, focalhwe-5.13)

    ALL the errors were similar to the one below:

    image

    Meaning that it might be that tracee dropped privilege BEFORE the eBPF program load+attachment.

    Steps to reproduce

    Steps to reproduce the issue:

    Run the CO-RE daily tests and observe intermittent issues.

    Additional info

    The full log for the last error can be found at:

    https://github.com/aquasecurity/tracee/runs/6765902831?check_suite_focus=true

    bug 
    opened by rafaeldtinoco 19
  • tracee-ebpf: mount event missing source field

    tracee-ebpf: mount event missing source field

    Hi, I'm using tracee-ebpf to collect mount events. However, the "source" field is sometimes missing.

    Here is an example (you can start a docker container a few times and see this scenario):

    Also, you can notice that the "filesystem type" is also missing sometimes. The example shows that LTTng gives mount type "bind", while tracee gives nothing.

    {
      "processName":"runc:2:INIT]",
      "containerId":"2af0bc626525",
      "eventId":"165",
      "eventName":"mount",
      "argsNum":3,
      "returnValue":0,
      "args":[{
        "name":"target",
        "type":"const char*",
        "value":"/var/lib/docker/overlay2/6fd16b36923947538d76e6b781d08f08d64ac69f513e7b24a889fa4337a948e0/merged/etc/resolv.conf"
      },{
        "name":"mountflags",
        "type":"unsigned long",
        "value":278528
      },{
        "name":"data",
        "type":"const void*",
        "value":0
      }]
    }
    

    As a comparison, LTTng will output this event as:

    {
      "pid_ns":4026532645,
      "vtid":1,
      "event":"mount",
      "comm":"runc:[2:INIT]",
      "args":[{
        "Name":"dev_name",
        "Value":"/sys/fs/cgroup/devices/docker/2af0bc6265257c960d559b38134bf212b3292f226c586dd9295b42faa2945df7"
      },{
        "Name":"dir_name",
        "Value":"/var/lib/docker/overlay2/6fd16b36923947538d76e6b781d08f08d64ac69f513e7b24a889fa4337a948e0/merged/etc/resolv.conf"
      },{
        "Name":"type","Value":"bind"
      },{
        "Name":"flags","Value":"278528"
      }],
      "tid":220199
    }
    
    tracee-ebpf 
    opened by SericaLaw 19
  • Initial BPFMaps population freezes tracee-ebpf

    Initial BPFMaps population freezes tracee-ebpf

    While developing a fix for https://github.com/aquasecurity/tracee/issues/862, and loading the embedded CO-RE eBPF object, I realized that sometimes the logic worked and sometimes it did not.

    From time to time the entire tracee-ebpf code was in a state where it could not receive (or display) any event:

    BTF enabled, attempting to unpack CORE bpf object
    unpacked CO:RE bpf object file into memory
    TIME             UTS_NAME         CONTAINER_ID     UID    COMM             PID/host        TID/host        RET              EVENT                ARGS
    <nothing>
    

    and nothing happened.

    The logic being added to PopulateMap is:

    	// Initialize pid_to_cont_id_map if tracing containers
    	c := Containers{}
    	err := c.Populate()
    	if err != nil {
    		return err
    	}
    	// The map lookup can fail too (e.g. a stale object file), so check it
    	bpfPidToContIdMap, err := t.bpfModule.GetMap("pid_to_cont_id_map")
    	if err != nil {
    		return err
    	}
    	for _, contId := range c.GetContainers() {
    		for _, pidstr := range c.GetPids(contId) {
    			if t.config.Debug {
    				fmt.Println("Running container =", contId, "pid =", pidstr)
    			}
    			// pid strings come from the container runtime; reject anything non-numeric
    			var pid uint32
    			if _, err = fmt.Sscanf(pidstr, "%d", &pid); err != nil {
    				return err
    			}
    			err = bpfPidToContIdMap.Update(pid, []byte(contId))
    			if err != nil {
    				return err
    			}
    		}
    	}
    

    Initially I thought it was related to my logic, but debug always showed me that the slices of container_id and pids were ok:

    $ sudo ./dist/tracee-ebpf --debug --trace container --trace event=execve
    BTF enabled, attempting to unpack CORE bpf object
    unpacked CO:RE bpf object file into memory
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1721925
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1726069
    ...
    

    and there were no errors adding the pids to the map:

     err = bpfPidToContIdMap.Update(pid, []byte(contId))
    

    I'm also able to reproduce this behavior using the versioned eBPF object file:

    $ sudo TRACEE_BPF_FILE="$(pwd)/dist/tracee.bpf.5_11_0-24-generic.v0_6_0-11-g49503a2.o" ./dist/tracee-ebpf --debug --trace container --trace event=execve
    BPF object file specified by TRACEE_BPF_FILE found: /home/rafaeldtinoco/work/sources/ebpf/aquasec-tracee/tracee-ebpf/dist/tracee.bpf.5_11_0-24-generic.v0_6_0-11-g49503a2.o
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1721925
    Running container = 0a829b3bc00d7f1b393d070c0f3e5d1929a186df1b41b4cd2bf95525f495aa55 pid = 1726069
    Running container = 9521c39d6d3d54f5c5f4760c2e3dbde4fdcfd4fba99c2d46c49a4edd63864ae3 pid = 1236570
    Running container = 9521c39d6d3d54f5c5f4760c2e3dbde4fdcfd4fba99c2d46c49a4edd63864ae3 pid = 1236611
    ...
    TIME             UTS_NAME         CONTAINER_ID     UID    COMM             PID/host        TID/host        RET              
    EVENT                ARGS
    <nothing>
    

    I'm running Ubuntu Hirsute: 5.11.0-24-generic #25-Ubuntu with BTF enabled.

    bug tracee-ebpf 
    opened by rafaeldtinoco 18
  • tracee.go: initialize pid_to_cont_id_map during startup

    tracee.go: initialize pid_to_cont_id_map during startup

    Fixes: #862

    Initialize pid_to_cont_id_map during tracee startup so that already running containers can have their container_id resolved when being traced.

    Instead of traversing the cgroups filesystem, like the tracee eBPF code does, I have preferred to rely on wrapped 'docker cli' commands to discover container ids and the tasks running in each active container. This made the code cleaner and easier to maintain.

    Note: There is a small window of opportunity for a container to be started while this logic is running. I could have made 'Containers' logic to run in a go coroutine but that would also create another race window: userland adding a pid to the map that has already been removed by the - now active - trace event handler.

    opened by rafaeldtinoco 18
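An added example, not the PR's code: the PR seeds pid_to_cont_id_map from the docker CLI; the alternative it mentions, walking the cgroup filesystem, comes down to pulling the 64-hex container ID out of the paths in /proc/<pid>/cgroup. The Go program below does that for the cgroup v1 and v2 layouts of Docker, containerd and CRI-O, and reduces the ID to the 12-character form shown in the mount event earlier on this page. The cgroup path layouts and the sample /proc/<pid>/cgroup contents are assumptions made for the example, not Tracee's.

```go
// Added example (not the PR's code): pull the container ID out of a process's
// cgroup paths, the alternative to the docker CLI that the PR mentions.
package main

import (
	"bufio"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Container runtimes embed the 64-hex container ID in the cgroup path. Assumed
// layouts covered here (the pattern is the last 64-hex token of the path):
//   cgroup v1, docker:      12:devices:/docker/<id>
//   cgroup v2, docker:      0::/system.slice/docker-<id>.scope
//   cgroup v2, containerd:  0::/.../cri-containerd-<id>.scope
//   cgroup v2, cri-o:       0::/.../crio-<id>.scope
//   kubelet (cgroupfs):     0::/kubepods/burstable/pod<uid>/<id>
var containerIDRe = regexp.MustCompile(`(?:^|[/-])([0-9a-f]{64})(?:\.scope)?$`)

// containerIDFromCgroupPath returns the 64-hex ID in one cgroup path, or ""
// when the path does not belong to a recognised container cgroup.
func containerIDFromCgroupPath(path string) string {
	m := containerIDRe.FindStringSubmatch(path)
	if m == nil {
		return ""
	}
	return m[1]
}

// parseProcCgroup takes the contents of /proc/<pid>/cgroup, whose lines are
// "hierarchy-ID:controller-list:path", and returns the container ID of the
// first path that carries one ("" for a host process).
func parseProcCgroup(contents string) string {
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		fields := strings.SplitN(sc.Text(), ":", 3)
		if len(fields) != 3 {
			continue
		}
		if id := containerIDFromCgroupPath(fields[2]); id != "" {
			return id
		}
	}
	return ""
}

// shortID is the 12-character prefix Tracee prints as the container ID.
func shortID(id string) string {
	if len(id) < 12 {
		return id
	}
	return id[:12]
}

// Constructed sample: /proc/<pid>/cgroup of a task in the docker container
// from the mount event above, on a cgroup v1 host.
const sampleCgroupV1 = `12:devices:/docker/2af0bc6265257c960d559b38134bf212b3292f226c586dd9295b42faa2945df7
11:cpu,cpuacct:/docker/2af0bc6265257c960d559b38134bf212b3292f226c586dd9295b42faa2945df7
1:name=systemd:/docker/2af0bc6265257c960d559b38134bf212b3292f226c586dd9295b42faa2945df7
`

func main() {
	// With a pid argument, read the real file; otherwise use the sample.
	contents := sampleCgroupV1
	if len(os.Args) > 1 {
		b, err := os.ReadFile("/proc/" + os.Args[1] + "/cgroup")
		if err != nil {
			fmt.Println(err)
			return
		}
		contents = string(b)
	}
	id := parseProcCgroup(contents)
	if id == "" {
		fmt.Println("not in a container cgroup")
		return
	}
	fmt.Printf("container %s (%s)\n", shortID(id), id)
}
```

Seeding a pid-to-container map this way has the same race the PR notes: a container started between the directory walk and the moment the eBPF handler takes over is missed, so the result should be treated as a best-effort snapshot rather than a source of truth.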
  • Enrich container events

    Enrich container events

    Changes

    Adds container data enrichment from runtime APIs to events.

    Currently the data added is:

    1. Container name (if exists)
    2. Container's image
    3. Pod metadata (if in k8s)

    Supported runtimes are:

    1. Containerd
    2. Docker
    3. CRI-O

    Podman will be done in a later PR, since it requires implementing our own API client (the provided library isn't very good IMO) but integration should be simple through the interfaces introduced here.

    Architecture diagram (thanks @mtcherni95):

    image

    opened by NDStrahilevitz 17
  • DNS events: export DNS struct

    DNS events: export DNS struct

    move DNS struct into trace package, so signatures can use it

    Initial Checklist

    • [x] There is an issue describing the need for this PR.
    • [x] Git log contains summary of the change.
    • [x] Git log contains motivation and context of the change.
    • [ ] If part of an EPIC, PR git log contains EPIC number.
    • [ ] If part of an EPIC, PR was added to EPIC description.

    Description (git log)

    I've moved the DnsResponseData, DnsAnswer and DnsQueryData structs into package 'trace' to be used in signatures.

    Fixes: #1867

    Type of change

    • [x] Bug fix (non-breaking change fixing an issue, preferable).
    • [ ] Quick fix (minor non-breaking change requiring no issue, use with care)
    • [ ] Code refactor (code improvement and/or code removal)
    • [ ] New feature (non-breaking change adding functionality).
    • [ ] Breaking change (cause existing functionality not to work as expected).

    How Has This Been Tested?

    Locally. Added a mock signature to verify these structs can indeed be used.

    • [ ] Test File A: dns_sig.go (unable to attach, can provide if you ask me to)

    Reproduce the test by running:

    • command 01: ./dist/tracee-ebpf -t e=dns_request,dns_response -t net=enp0s3 -o format:gob | ./dist/tracee-rules --input-tracee file:stdin --input-tracee format:gob

    Final Checklist:

    Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

    • [x] I have made corresponding changes to the documentation.
    • [x] My code follows the style guidelines (C and Go) of this project.
    • [x] I have performed a self-review of my own code.
    • [x] I have commented all functions/methods created explaining what they do.
    • [x] I have commented my code, particularly in hard-to-understand areas.
    • [x] My changes generate no new warnings.
    • [x] I have added tests that prove my fix, or feature, is effective.
    • [x] New and existing unit tests pass locally with my changes.
    • [x] Any dependent changes have been merged and published before.

    Git Log Checklist:

    My commits logs have:

    • [x] Subject starts with "subsystem|file: description".
    • [x] Do not end the subject line with a period.
    • [x] Limit the subject line to 50 characters.
    • [x] Separate subject from body with a blank line.
    • [x] Use the imperative mood in the subject line.
    • [x] Wrap the body at 72 characters.
    • [x] Use the body to explain what and why instead of how.
    opened by roikol 0
  • [FEAT] Janitor Events Consumer Interface

    [FEAT] Janitor Events Consumer Interface

    Prerequisites

    • [x] This issue is an EPIC issue (add label: EPIC).
    • [ ] This issue is an EPIC TASK (add issue to EPIC description).

    Select one OR another:

    • [ ] I'll create a PR to implement this feature (assign to yourself).
    • [ ] Someone else should implement this (describe it well).

    Feature description

    Many features in tracee use the existing events and consume them as sources of info for later use in enrichment or configuration changes. Existing examples in the code currently are the the Containers and ProcInfo structs. We should formalize this concept for future use in similar features for example:

    1. Network interfaces being attached and detached responding to events
    2. Devices being added
    3. CPU and memory growth and reduction, tuning parameters
    4. Probes responding to events (for example new containers could make tcProbes attach to them)

    In addition, we could add new event sources that track the OS to create these janitor events into the pipeline.

    @rafaeldtinoco

    Additional Information (feature drawings, files, logs, etc)

    feature EPIC 
    opened by NDStrahilevitz 0
  • [BUG] dns structs can't be used in signatures on dns events

    [BUG] dns structs can't be used in signatures on dns events

    Prerequisites

    • [ ] This affects latest released version.
    • [x] This affects current development tree (origin/HEAD).
    • [x] There isn't an issue describing the bug.

    Select one OR another:

    • [x] I'm going to create a PR to solve this (assign to yourself).
    • [ ] Someone else should solve this.

    Bug description

    signatures that work on dns_request and dns_response events, can't use the DnsResponseData, DnsAnswer, DnsQueryData structs.

    Steps to reproduce

    Context

    Relevant information about my setup:

    • Linux version:
    • Linux kernel version:
    • Tracee version (or commit id of your tree):
    • LLVM version:
    • Golang version:

    Additional Information (files, logs, etc)

    bug 
    opened by roikol 0
  • ebpf: remove bufs_off map

    ebpf: remove bufs_off map

    Initial Checklist

    • [ ] There is an issue describing the need for this PR.
    • [x] Git log contains summary of the change.
    • [x] Git log contains motivation and context of the change.
    • [ ] If part of an EPIC, PR git log contains EPIC number.
    • [ ] If part of an EPIC, PR was added to EPIC description.

    Description (git log)

    To save map lookups and space, remove bufs_off map

    Fixes: #issue_number

    Type of change

    • [ ] Bug fix (non-breaking change fixing an issue, preferable).
    • [ ] Quick fix (minor non-breaking change requiring no issue, use with care)
    • [x] Code refactor (code improvement and/or code removal)
    • [ ] New feature (non-breaking change adding functionality).
    • [ ] Breaking change (cause existing functionality not to work as expected).

    How Has This Been Tested?

    Manually

    Tests being included in this PR:

    • [ ] Test File A
    • [ ] Test File B

    Reproduce the test by running:

    • command 01
    • command 02

    Final Checklist:

    Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

    • [ ] I have made corresponding changes to the documentation.
    • [x] My code follows the style guidelines (C and Go) of this project.
    • [x] I have performed a self-review of my own code.
    • [x] I have commented all functions/methods created explaining what they do.
    • [x] I have commented my code, particularly in hard-to-understand areas.
    • [x] My changes generate no new warnings.
    • [ ] I have added tests that prove my fix, or feature, is effective.
    • [x] New and existing unit tests pass locally with my changes.
    • [x] Any dependent changes have been merged and published before.

    Git Log Checklist:

    My commits logs have:

    • [x] Subject starts with "subsystem|file: description".
    • [x] Do not end the subject line with a period.
    • [x] Limit the subject line to 50 characters.
    • [x] Separate subject from body with a blank line.
    • [x] Use the imperative mood in the subject line.
    • [x] Wrap the body at 72 characters.
    • [x] Use the body to explain what and why instead of how.
    opened by yanivagman 0
  • ebpf: remove events_to_submit map

    ebpf: remove events_to_submit map

    Initial Checklist

    • [ ] There is an issue describing the need for this PR.
    • [x] Git log contains summary of the change.
    • [x] Git log contains motivation and context of the change.
    • [ ] If part of an EPIC, PR git log contains EPIC number.
    • [ ] If part of an EPIC, PR was added to EPIC description.

    Description (git log)

    To reduce the number of map lookups in every event, remove the use of events_to_submit map. Instead, create an events bitmap shared between the userspace and bpf code through the configuration map.

    Fixes: #issue_number

    Type of change

    • [ ] Bug fix (non-breaking change fixing an issue, preferable).
    • [ ] Quick fix (minor non-breaking change requiring no issue, use with care)
    • [ ] Code refactor (code improvement and/or code removal)
    • [x] New feature (non-breaking change adding functionality).
    • [ ] Breaking change (cause existing functionality not to work as expected).

    How Has This Been Tested?

    Manually

    Tests being included in this PR:

    • [ ] Test File A
    • [ ] Test File B

    Reproduce the test by running:

    • command 01
    • command 02

    Final Checklist:

    • [ ] I have made corresponding changes to the documentation.
    • [x] My code follows the style guidelines (C and Go) of this project.
    • [x] I have performed a self-review of my own code.
    • [x] I have commented all functions/methods created explaining what they do.
    • [x] I have commented my code, particularly in hard-to-understand areas.
    • [x] My changes generate no new warnings.
    • [ ] I have added tests that prove my fix, or feature, is effective.
    • [x] New and existing unit tests pass locally with my changes.
    • [x] Any dependent changes have been merged and published before.

    Git Log Checklist:

    My commit logs have:

    • [x] Subject starts with "subsystem|file: description".
    • [x] Do not end the subject line with a period.
    • [x] Limit the subject line to 50 characters.
    • [x] Separate subject from body with a blank line.
    • [x] Use the imperative mood in the subject line.
    • [x] Wrap the body at 72 characters.
    • [x] Use the body to explain what and why instead of how.
    opened by yanivagman 0
  • [FEAT] Improve container enrichment integration with k8s

    [FEAT] Improve container enrichment integration with k8s

    Prerequisites

    • [ ] This issue is an EPIC issue (add label: EPIC).
    • [ ] This issue is an EPIC TASK (add issue to EPIC description).

    Select one OR another:

    • [x] I'll create a PR to implement this feature (assign to yourself).
    • [ ] Someone else should implement this (describe it well).

    Feature description

    Container enrichment currently works by either "mounting" the correct sockets through the cli (--cri <runtime_name>:/path/to/sock) or by letting tracee auto-discover runtime sockets through a hard-coded list. However, this hard-coded list is unsatisfactory for some non-standard k8s envs (for example microk8s, k3s, etc.). In addition, non-standard k8s envs sometimes use "custom" paths for their cgroups, which causes tracee to not detect the runtime version.

    I think the best solution for this would be a k8s flavor declaration, which we could use to improve the autodiscover, which could also inform additional search paths for container runtimes in container_derive event.

    Additional Information (feature drawings, files, logs, etc)

    So this could either be done through a cli flag (probably something like --k8s), a config file when we have that, and probably autodiscovered from the host environment in the future.

    feature 
    opened by NDStrahilevitz 0
Releases(v0.7.0)
  • v0.7.0(Mar 28, 2022)

    v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!

    Docker images

    • docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
    • docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)

    What's Changed

    Features

    • BTFHub Support (#1226)
    • Added support for tracing many new 32- and 64-bit system calls (#1245, #1196)
    • sched_process_fork event now includes pid of both processes (#1280)
    • New Hidden Inode event (#1187)
    • New capabilities package (#1256)
    • Many new documentation files and improvements
    • New process context map (#1300)
    • Support for libbpf/libbpfgo 0.7
    • Container lifecycle events (#1397)
    • Container ID filtering (#1426)
    • Sorting of events by timestamp (#1103)
    • New decoder package (#1405)
    • Introducing packages for linux distros (#1403, #1479)
    • Prometheus support (#1404)
    • New net_packet event (#1469)
    • New security_path_symlink event (#1490)
    • Expanded kconfig to BPF code (#1512)
    • New existing_containers event (#1519)
    • eBPF events caching option (#1527)

    Fixes

    • Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
    • Remove false positives for memfd executables (#1207)
    • Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
    • Corrected incorrect PPID in ebpf events (#1244)
    • Fix non-systemd docker runtime support (#1319)
    • Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
    • eBPF non-core will not be built during tracee-ebpf execution (#1273)
    • Proper handling of errors when BPF object can't be loaded (#1349)
    • Reordering variables on the stack (#1281)
    • Refactoring of events map (#1293)
    • Update to go 1.17 (#1084)
    • Stats for lost events are printed to stderr (#1387)
    • Fixed missing security lockdown sysfs file (#1402)
    • Improved testing (#1282, #1410, #1411, #1416)
    • Fix for inequality filter in tracee-ebpf (#1419)
    • Fixed pcap packet data (#1500)

    New Contributors

    • @chriskaliX made their first contribution in https://github.com/aquasecurity/tracee/pull/1296
    • @vincent-pli made their first contribution in https://github.com/aquasecurity/tracee/pull/1327
    • @liamg made their first contribution in https://github.com/aquasecurity/tracee/pull/1360
    • @Akasurde made their first contribution in https://github.com/aquasecurity/tracee/pull/1427
    • @Phat3 made their first contribution in https://github.com/aquasecurity/tracee/pull/1480
    • @OriGlassman made their first contribution in https://github.com/aquasecurity/tracee/pull/1490
    • @kaitoii11 made their first contribution in https://github.com/aquasecurity/tracee/pull/1567
    • @YuviGold made their first contribution in https://github.com/aquasecurity/tracee/pull/1570

    Full Changelog: https://github.com/aquasecurity/tracee/compare/v0.6.5...v0.7.0

    Source code(tar.gz)
    Source code(zip)
    checksum.v0.7.0.txt(94 bytes)
    tracee.v0.7.0.tar.gz(12.99 MB)
  • v0.7.0-rc-2(Mar 28, 2022)

  • v0.7.0-rc-1(Mar 21, 2022)

  • v0.6.5(Dec 6, 2021)

    Changelog


    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.5
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.5
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.29 MB)
  • v0.6.4(Nov 15, 2021)

    Changelog


    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.4
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.4
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.50 MB)
  • v0.6.3(Oct 13, 2021)

    Changelog

    7a46f53fbb2dedb9af5f0f77cd055b1f9dbf1f02 feat: Add list-events flag for listing events (#1071) 42621824c0fe81c2a853f4b9c18618fdd6596018 chore: adding to mkdocs missing links (#1070) 203a91f9e5e9b8aa74261216f0fe73ada9f10981 tracee-ebpf: simplify code e942ffa7feecdc22aee4f07b3ae78ceb38b4b610 tracee-ebpf: save correct argnum automatically 8ce15c8c513207e8002a3d13d63d1a447d5051a5 tracee-ebpf: use event_data for buffer offset 79c28b2e4ced06613961bdac01831b376f804e83 fix missing decleration 48654aa19bfaed67ce946e524e61f48bd4cb059f fix sockaddr struct overflow and change error message a9f774b01c49ee4604a405d2a80002639920575a Parse the version from module tags (#1062)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.3
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.3
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.62 MB)
  • v0.6.2(Oct 9, 2021)

    Changelog


    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.2
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.2
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.62 MB)
  • v0.6.1(Sep 4, 2021)

    Changelog


    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.1
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(15.65 MB)
  • v0.6.0(Aug 3, 2021)

    Release highlights and discussion

    Tracee v0.6.0 released!

    Changelog


    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.6.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.6.0
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(85 bytes)
    tracee.tar.gz(16.33 MB)
  • v0.5.4 (Jun 17, 2021)

    Changelog

    • e68ecaa4c07bd2ed085aab7fdeee181feeb4c492 tracee-ebpf: move fork logic to sched_process_fork
    • 9eb91fb54f6aed59f5ef41838b4048d7949095e7 tracee-ebpf: bump libbpfgo version

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.4
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.4

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.65 MB)
  • v0.5.3 (Jun 15, 2021)

    Release highlights and discussion

    Tracee v0.5.3 released!

    Changelog

    • 8c944cf07f15045f395f7754f92b7809316c681c tracee-ebpf: add container id to context
    • 6129122999ddf144a4e0902dd32930cc1e6d3aca feat: Tracee Profiler Mode (#725)
    • 1e0aba550543f8eb238b77c401a6eb1a279f5662 clarify license (#760)
    • 5cc1e8cc27d03b60c7178995a3e448337815630a fix gob type declaration (#753)
    • 09ef6287e5892c852569e212a6c26ef8de9ed758 Optimize save_path_to_str_buf in tracee.bpf.c (#758)
    • 9312e26ed9ac477fadb121fdffdd0a414faf530c tracee-ebpf: fix bpf compilation error
    • c15806966312a53264b4989bfb1f316d1d50ae27 tracee-ebpf: ignore kernel config check when init fails
    • f87e71faaf1d88f1151296fa1ef575d1212ab761 Update Prerequisites Link in READMe (#744)
    • 58a120a68e88d2efe68e5e5a42b8d02f3e8476d8 tracee-ebpf: add security_bpf{,_map} events (#617) (#739)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.3
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.3

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.57 MB)
  • v0.5.2 (Jun 3, 2021)

    Release highlights and discussion

    Tracee v0.5.2 released!

    Changelog

    • 2fb9a7ea8884255c264ff9458faf6beba85590b1 tracee-ebpf: commit_creds: submit more credentials
    • 6e1c370bf50fb8eaab490c89ec2e09932aa19618 add detection for writing into /etc/ld.so.preload (#733)
    • 9387554f6b08f1c625eda034410f6141366e5478 switch to libbpf v0.4 (#738)
    • 83a869d58d7b61cfd672faedb95276ed8c31713f fix: remove libbpfgo from this repo (#734)
    • 94530727cde45371a0e4cacffb35ee2b19277b67 libbpfgo: Add map iterator support (#728)
    • da4124acec31f255ae42294662b3a04c2a51c7e1 tracee-ebpf: close gracefully on error (#729)
    • 242d721bad3dc698540464b15a15f6aa1f16f760 libbpfgo: Check for ERR_PTR return values (#709)
    • 94f33d0b7a9129fb22556d0af0c41929e41b72d9 work with new form of security_socket_connect
    • 1960f31be55455694fd4a79bd5a772de95321c39 libbpfgo: Add support for AttachPerfEvent
    • 74b3c48c070b5f775edfa72b83fa7c955f42a4ea dont set essential events to network lsm hooks
    • 6fb4c8af528c771b1b1609894afe55b76da263f8 set network syscall events as essential events for their corresponding lsm hooks
    • b24f18c152aeddbef27da87d92b12e3bc2a08d48 use kernel pid instead of tgid to avoid race condition between threads
    • 21548485d83465b46806bd4b477a64bcc78474ce set default sockfd to -1
    • d75a61fa9d815d45020a0133d3c7207457c569e9 remove event_id from sockfd_map key, use tgid alone instead
    • 32191ee8a52f405bd8360d940c076b99a2817e5a fix sockfd_map comment
    • fcd84785f7076f72d55a9f3b3dc69a9abfd9701b added sockfd arg to network lsm hooks
    • dccdd841f2b0ebeb304d03319c3dd017afdecbda Add security_sb_mount lsm hook
    • 38b402df69f26efd5e33353ce0f9f4086727bcdb tracee kubernetes deployment yamls (#680)
    • 210d85b2bf67cedd9d91739d23ae84c6b0de857a Add tracee video hub link in README (#714)
    • 03448380c7e3899b242e6c131fe06d691968777a add manual parameter to docs workflow (#712)
    • 25eb688b3d04a8539bf4268ddd53dd509ecbfbb7 libbpfgo: Add AttachLSM() method
    • 2bf844d25929d556c82b81514cdaf9635609b27b Network lsm hooks (#697)
    • a6f33c373c43625a7d708dba0ebecc935665b8da Load kernel config into bpf hashmap (#670)
    • 71b887671b083fd71f792e542ce375076e3b30a1 Run libbpfgo self tests on self hosted github action runner (#693)
    • 93809da91b9c7e559357c909b32a80b73987c5ed add manual trigger to docs workflow

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.2
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.2

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (14.55 MB)
  • v0.5.1 (Apr 18, 2021)

    Release highlights and discussion

    Tracee v0.5.1 released!

    Changelog

    • 521b52b10c29dad4702bd4e1a6d1bc824e7faec7 add build in docker to tracee-rules
    • 24daa0e2fed028b1faf02ee87578a019078e9afd small typo fixed
    • 8db13ca541eaa460f3a3b8bf3de962b2cf946361 Fix minimum requirements link
    • d6069729ff805f17d8c2933930b0a2106f704b80 fix: add check for empty bytes being written by file write channel fileWrChannel (#696)
    • 2317a86b4db25c7a26340bc9da0ab6d7cbc7f2cd fix: trace-ebpf flag output (#632)
    • feb16774f64eba054b3ed3e062cd75eedaca66f1 feat: add testing envrionment matrix that includes self hosted runner (#692)
    • c3da07d21abd94cd6ff5d3c133b99dfc6886345e Merge pull request #688 from grantseltzer/upgrade-libbpfgo-fix
    • e25ba71a024a2b6ba5c3f61aa58520e5b8eff469 Merge pull request #687 from yanivagman/fix_build
    • 71d4c839fb68a809b0ccce5879beb8323a57986b Fix build with libbpfgo
    • 510aae763184ad808c70b8e4869f7a00b474e7e7 integrate and document gotemplate
    • 7b3c71b78ab66361f83cc45287761a2d1be4b8f7 Merge pull request #682 from krol3/issue-681-dockerignore
    • ff03f7bc76bb11e39e3051b4841c61e805e59684 Merge pull request #649 from eyakubovich/fix-chan-map-race
    • 5052cb856498a41f3ea730157f4a71531551d55c Merge pull request #678 from grantseltzer/upgrade-libbpf-v0.3
    • f37f3d37f1f6fde204450bfcb7fc9a57373c2b78 feat: docker ignore for tracee
    • 29b216c9ed652c867c62d308d810016fee23a784 Merge pull request #672 from yanivagman/fix_type_mismatch
    • 8d2664234143c38b51027f00b36fa21d77529b47 Merge pull request #679 from yanivagman/fix_docs_link
    • 4ef3eba0a87479e86877b36226b09bb342cdfae0 fix documentation link in readme
    • 96bdca85b812938c316ae0748836f9fdeffe7d49 improve docs
    • f11eced33dbf831cba15aea84ad547e00dc3cdc3 fix error handling
    • 103ddbdd4220e4b600895b6f6a1f2d43a2d78e01 tracee-ebpf: Fix type mismatch of event arguments
    • d1a0c00b9ad02841255d6924e0ab89444d765880 fix: update libbpfgo go module to fix build for tracee-ebpf
    • c67295f85dff0c52ab641151652d3cc9413b5157 fix: upgrade libbpfgo dependency to latest
    • 3970f7fb8282760e0256bb73df21669a7b69e497 fix: upgrade libbpf dependency to v0.3 release
    • 095336c20e035841c6cfd7a6446e6c2d7af9eb55 Merge pull request #656 from eyakubovich/add-map-setters
    • 7ace63bcad376fd4d08dfc966c30643c4638dc54 Add Resize() and GetMaxEntries() to BPFMap
    • 7862e0e60d87fd4a20a02bbb19bbcda3b247606f Merge pull request #645 from grantseltzer/feature-check-package
    • 4f5af968cb660b84b921972877847974222dff3d fix json output template
    • 5c76627542088d7ef52ca0201b6573af624f1d86 add a quick video intro (#660)
    • 2d62a69b9584ff2e985cd96ed255d25781fa9bde fix: add some tests, fix error string
    • 69b576ef24ebe02e2cb323cc811dcc6280d41adf Merge pull request #657 from aquasecurity/docs-small-fixes
    • 23597a0ded9379cef0666d13d6a1d7949dd9a20e Fix eventsChannels race
    • 1092871941cc436897cddf18e819ed3fcd857ba2 fix: broken links
    • 8482773c35ca473c5230ab98a7042a5d4b0c374c fix: match document headers with navigation links
    • 56ede7fd0bab358a50f79ff614afb412a4161103 fix: clarify local rules directory, add libbpf to dependencies
    • f68cea77462294d76775320d2c4742fefa70ff1f fix: move architecture diagram and images into docs directory, update usage accordingly
    • 2e288fdc2ed8b2275021cb2b0f0c765b174c2751 fix: small typos and table formatting
    • 50a69404dc29093322baf0debbde29721e1ddfff refactor: Remove falcosidekick specific code and reuse templating (#653)
    • e868978b73de4d388707499204f4a9589efdea0e feat: Add high level overview to Readme (#650)
    • 6acdf8c9bf7c96bcc9f07c890ee826c3aed7d2d6 feat: add constants to use for kernel configuration options
    • 996cbd2d6d0f56ead9607a70ecbc7279be62f917 revamp documentation
    • 7ce5943f4cb7a9cbf006537388690f22071fdd6f feat: add tests for proc gz config
    • cf01331724cbe0b9345035f58a52dee312031ec8 fix: libbpfgo module files
    • 6474790eeca9d43224d30576f869a0fa024de8fd Merge pull request #638 from eyakubovich/fix-perf-buffer-stop
    • 5e8cd40463e42cb7b897ddbd7375493c4523b49d feat: add functions to helper package for checking the kernel config options
    • ba273ac415bba4e7c6fcfd573f281b0334700964 types.Finding interface update (#646)
    • e1263ed704604a1f6464ce4ca32bd921e20895b7 fix mkdocs generation (#644)
    • 96a39dc0dbeae23f10c9351c12f829bbe28d544f Use Go templates for stdout (#630)
    • 77cf435059442695b6b604630406ddc8614820e8 Fix PerfBuffer shutdown
    • 8b8045bffac178b9727c61ebb08ef62d57ab8b7a add mkdocs documentation (#633)
    • 42edaaf734a434ac55c76461f939030ce5ffe377 Group of small fixes (#643)
    • 97d27e024e396e94681a912fffbe22d272b25dfd Merge pull request #629 from jan0ski/main
    • 7bac7f5a25866ef97899ed19ca0e54a82d8656a0 feat: Add support for wildcard event suffixes
    • f8df7da6a27f729610992b6bd52e89d510fcf384 Merge pull request #625 from krol3/labels-docker
    • d0d267021477b710ea9e0dbc20740aab2a03e796 fix relative link to quickstart-with-docker (#635)
    • 1a31966e3dd1e627465ce96cd804901a8d0bfd63 Merge pull request #631 from grantseltzer/use-helpers-package-in-tracee-ebpf
    • 443994b57b65705a8b164c18e208783417fbabe6 Merge pull request #603 from grantseltzer/selftest-actions
    • 5f4ab2d52edb96b189ab9b6a434ae3fbf952eaff remove falcosidekick from container
    • 656da9c3592811323a9c334d39bb7bb66200d201 Remove old helper functions from tracee-ebpf and update usage to new helpers package
    • 25bfb2d8f8931fda3b9cc55828e881a8f50c90ad fix: update imported gomodules so libbpfgo includes the newly added helper package
    • f66f7bedda266d8b16bebd59bcb4632fa4d65225 Merge pull request #493 from mtcherni95/tracee-issue-485
    • 8934c28e6e0031b66ee08ff8af3c1681a76fe1c7 fix: copy argument parsing functions from traee-ebpf into libbpfgo
    • 9753401fa14d572b037fa254756ec3b9c40c5765 fix: move and document the signature helpers (#601)
    • 284bb1510cdc584cc4aad8c9a347b5163e21a434 Add basic integration test framework (#606)
    • 2e0edb21546034ababb76321a4a63d01de3c75a8 Fix "make clean"
    • 749258023b9c4047f786c0193ab8f57813596e3d Adding labels Docker
    • ec34648b7aff2ca49b7307e6af2862cf34f02457 feat: Print loaded rules info at runtime
    • 518d407b0e1e5947c89c4b746c9d2e2975a3a96f fix tracee-ebpf dockerfile for go 1.16
    • b9958735cb06f69195fa5b88e2d9178ee9bac1eb Merge pull request #620 from eyakubovich/fix-ringbuf-stop
    • 09b2b47c0d4fe2c84c0f247f83da8a757789c3ad Fix RingBuffer shutdown
    • 1fd89c3f125015b534c83de54b188011fc357715 Merge pull request #616 from icarus-sparry/better_help
    • 2aa71c701ddaadbfdebc632595121ae8d22f2764 Better help message for missing libbpf
    • cb4589f4ca5aea65fbaf1949d32ae44f7905d9ab feat: add libbpfgo selftests to github actions
    • 436c11d20c90c2241723aad033689a600e11b336 Merge pull request #598 from grantseltzer/improve-selftest
    • 559ff36124836a5c047d6745121ec4134ec3b086 improve readme with triggering a sig
    • f1f3c72028bedf8474ad3486bf261792731bb820 Remove debugfs mount
    • c22f59cdab9b07cfaf4d33795b79ed09bbada013 feat: Use //go:embed to bundle artifacts (#596)
    • 6b6a8d6ac59a9cdca158e07c69f33688f8c10aa6 Adding version string to --list output (#602)
    • a6ceb2ee5db7fd7c98e3b916172e647230f4eebe feat: Add signature versioning (#597)
    • 64864926d3c162778fc8c85398587e61083c0d63 add tests for entrypoint
    • 9c6d2485013706f05ac691b14e14c95237bc571b Webhook message formatting using go templates (#582)
    • 8ab02546ed80b1fe7045094215d8a35c5ffa1fa2 fix: self test for ringbuffer should verify the integrity of the data sent from kernel space
    • 228c6d329e86dd8f62bb5fe48761e78b67dafb39 tracee-ebpf: add magic_write event
    • 0c581d0a120b0ac5b86e1d9e31299b660ddeb81d tracee-ebpf: move capture write filter to tail
    • cc2a749db98da6b6432060aaab3cc66be0326ab6 tracee-ebpf: add bytes argument type
    • 9a25d021519e1ea15f2b87cd98dc50aa7ac42b36 Merge pull request #591 from grantseltzer/blocking-stop-channel-write
    • 5ba8472ca590e1ca2a4e56bce7ce0715c125dbf2 feat: Bump up to go1.16 (#589)
    • 8d3c3d5ff0e77ca75ce8227625ab875c27405ec0 Merge pull request #483 from aquasecurity/gs/ringbuf-libbpfgo
    • 809794bfd2d29329a69bef8a51219647e3ac5fce tracee-ebpf: remove validator workarounds
    • 828f39e80515eaf3ae6a59f17c76be124527fcbc tracee-ebpf: fix docker builder (#587)
    • 6eb7608d8228ecb36d867667c693035be8762ccd fix: rb.stopped should be set in the Stop method
    • 42839aa8d92de78319d18742419c69b6f6c0e503 feat: add support for ringbuffers in libbpfgo
    • d2867320403c0598fc6d61d78c3564ca23e4b62f feat: Add OPA tests to Github Actions (#535)
    • 5dc13527f7732929edebce4f1ab6fdbcf8fb20a4 feat: Better formatted output for detected events. (#573)
    • 28fbc66be8c9f3efa53f617a654cafe7421e8c70 feat: Add IDs to Signature Metadata. (#567)
    • 05b0d915446270fe3a3e94e0270a1314ffbde956 tracee-ebpf: Fix readme for docker quickstart (#568)
    • 097ce27ef369d3f750533a95ac5a634dad8b2d31 Added information how to run Tracee on Docker Mac
    • 59312a14427f0fb87177137b1651c1226a578d99 tracee-ebpf: update minimal kernel version to 4.18

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.1

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (13.99 MB)
  • v0.5.0 (Feb 18, 2021)

    Release highlights and discussion

    Tracee v0.5.0 released!

    Changelog

    • 2001ffec81a817ce22457728e7822ce9d5fe3fb4 fix dynamic code loading sig
    • e5f25a7ce93f366778d58f78ef749ad603f281de fix release
    • 24ea252c323f958e8776e70367b51b4e9bc4d783 fix docker image contains glibc artifacts
    • 1b9c59fde755c6e0179071d53e2adbe469d332ea fix release to fetch submodules
    • 6c2b2e5b6143e5ebd1c4235b916f87dfde707994 fix dependency resolution in tracee-rules
    • 0575cb7b157d101d4ed01a95a5ca0978330f3b7c Revert "fix release as monorepo"
    • ef7e96ace8592fe6eb2333008391f0bfb9b6ce8e update import paths after restructure
    • f1f841daefca9bb4acf0a7ee6d1c9405c104c77a remove code injection sig from go
    • b4501be6552cb982824b170e84b5109053cb68ce Fix stdio over socket (#552)
    • a7c47e96da0ff4373ad818978da4dd2178d2bf15 fix release as monorepo
    • a750666805849c14bc64094494d363a27e32c864 tracee-ebpf: add switch_task_ns event
    • c92b5c551495a3eeffc7249acbbfa8b4f0ce72ac fix match for non af_inet sockets
    • 5b2a740b8d4a0487478b67853f853171b9347952 Add signatures (#528)
    • 3fcee47b02d9b7ed1cfb5c6565815f541e04afcd update entrypoint to use security-alerts
    • 6ea5773ba30e84694894b95f1d51691d2b5e2ad7 tracee-ebpf: Add commit_creds event
    • 4bd2e3cd1cf32411526f2869d91e38e0fc37a6c7 fix make release didn't build slim image
    • c34c10f390fc611406e6f8f5f7362c7869b50198 fix: trace-ebpf: Fix typo in clang option (#526)
    • f0604fba5474e8a4995bc057e785792e20dc19df Merge pull request #525 from grantseltzer/list-flag-output-fix
    • b1bf684f55054dd241fc9c364d26528f76d3d6f9 fix: Move example sigs into own dir and exclude from build. (#523)
    • fc534300281f1ca60498cf49b196825432054e07 add tracee container
    • 4255857da3a8ca9c8202b537cd4612725bedf51d fix makefile
    • 6d632e3c8582d5cccd799b5ac32c6cb4aa68daa2 add option to make bpf from root
    • f474f44066e4f012dba8bf07d9f5c67e7cd56ebe Merge pull request #518 from grantseltzer/input-source-unit-tests
    • 2e827a37b8bff5cc5e5cc01b08a71b6d5c9ffabc Fix: rename signatures and add spacing to printing of them with --list flag
    • a5e8040018c18a4345621d87436dfbb8affc1ef5 start of unit tests for input source setup functions
    • f41c794d8ce23b180ac22be0a30dfc4c28a2880e fix webhook panic when server returns error
    • b54cfda365ec79c444a18ea16d5e68cf2fa64e52 Merge pull request #500 from grantseltzer/gs/print-help-tracee-rules
    • dbc56af61a0c1fccca6b42fc5c09676973484c51 Update readme, fix default logic
    • 8645c0a1ca0a965d06e7988454f450d717dc09ba Update tracee-rules/input.go
    • 86c09583560df3f0e2785602bffc19184b81e4c1 fix: Address a few typos
    • 4d43dc1187154939297c20efc72540229f0aecc0 rename tracee input parsing functions
    • eb8f7dbacd55950df69478283376fdb703552967 rename help error
    • 48bd0d32299b4b07e3102a4c87a0f016bac49bf9 Remove more references to EOT, set default values for tracee input (gob from stdin)
    • 696053a35f9c9d4570209385facb48d722308a50 Close on EOF, not on EOT
    • b2756e5dbcbe713b44fa04a68be52ec1aa025a0a remove the eof/eot option
    • 311e42378d8bac1df0c39803b3c44e8812a2b504 adress feedback about help being displayed
    • effd1f6ca2862518b9b9537e0c53ddef7ae5128b Remove old flags
    • 9829d2b6719ee61b349d10cfa7a119c5c59d7cdd add minimal unit tests
    • 8cc046fcc0e11c45ee92cb978f985985a6aa86a6 add invalid input checks
    • 0e5c733cedfdd6422613643169c2a3c38a88627f Refactor flags in tracee-rules
    • 3590ef06f32af21d7cdc7b318712ac041a772e5d feat: Add tests for core engine functionality (#477)
    • 8e4e7b35902bb17ad2df1071cbf14f9a9c27257a Merge pull request #510 from aquasecurity/remove-eot-tracee-ebpf
    • 0e61c188eb0b2bb99d3e957f5d1e38baa0eb8796 Update contributing guidelines (aka team agreements)
    • 9deb2cea3c9002d5537a4537b8a488b686d4adcb Remove the notion of an EOT event signalling end of transmision
    • da310b07bbc71705b1c12c2e6ccb6cb19a5cbf33 refactor: tracee-rules use types from tracee-ebpf
    • 775ac46c8cb5e5b708af39ef1a02a2ad4bc0d385 rename tracee execuable to tracee-ebpf
    • 17d840f899562a047c33b2eae9370061978a37e1 feat: add root level Makefile for release
    • 5ac1db482a097a14b39ae9e552242f62473c2d62 feat: mostlyclean target
    • b04facc55a4ac4995f71eaf7d0bd8f619f64835d fix: improve makefile targets
    • a95d52dd2b338446b5a2cf040c1dfb79b2c3d3fe fix: don't send context when building builder
    • 062c7b15b989da6ec27b3a9097be14f4ca701ef9 fix: docker builder file creation and cleanup
    • d931f21bc3315ce2ebfb0dcbc4d297e030812514 fix: make in docker without git
    • 02900d92b91ca3ea77193c5333252a76a53e6740 fix: make in docker ignoring target
    • d28d4cca4ad20852b5fc392ec37ab31a51fc01ed feat: convert anti_debugging sig to rego
    • 5905ce4fa267a0069b1b70402cf8364a3f9a640e feat: add rego tests
    • febd3de75f5522938e08e155e70e8154ffe4c8e1 lint: Address a few idiomatic Go improvements (#427)
    • 4fdcba8ad7ad51f7bff77faed1add657ecbbf2fa Merge pull request #449 from aquasecurity/traceprint
    • dd1dbb15074cd47bbcdf143d73ba3cee303e6af8 Add tracee-rules pr workflow
    • a3d574896bc4c547535d6467842d8190e532cd31 Fix tracee-rules build
    • c43b1c3394ec639bb0ea71ef69ef75d27fe522a0 Restructure repo as monorepo (#459)
    • 57797050702a3dba5c816f343122ce1c8bcbc2da fix: allow reading from stdin
    • 5fc24f000b3ae93abcf7c7576e478ee73995077a docs: add tracee-rules readme
    • bb3d227392fa5ab9306dbaab64e01440c995792d fix sigs building
    • e6b431e7147301f3de301e3c8a3f15b0d5b92d35 fix regosig numeral handling
    • 86c815c5ea0385247c705e4fb51757cb35997ded rego optimizations
    • 07aa51f8335cb5cd9dcebed4995dee14be7a2d30 add support for rego signatures
    • 9a8c83602df1a6e47b6dff8a7e0c75c6fd859dd2 simplify finding data
    • 4025eff51bb490ad52f36c8699ca46b81050940d add code injection signature
    • de77008dc253e292221d1f63f4aa0560f203d5b6 add anti debugging signature and sigs tests infra
    • e12b1ce274796f1c3ad07a8aae93b70404d6c8be improve signature error handling
    • 56fa8977f55922307c97cdcd1b4463dd965b929f tracee-rules rewrite
    • 8841bc018318489e03241a9c848933375ccb965d Rule engine initial commit
    • 1d879fc587151b76720bb6c2a033982675ae7ad5 write errors to stderr, and close file
    • 4d721af558196cd03dc7ecb41ac316790e6da508 feat: add TracePrint to libbpfgo
    • a87426a702aa1b69d38dbe1f96b8179f38471ea5 fix: default output format
    • fbdf5a6f72e60bb6ead7b8b2612c4e5358065d44 fix: written files index relative to out dir
    • 871c1db8bd2d3586130b1247336727f40dd8d390 Add pin, unpin and setpin for maps in libbpfgo (#437)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.5.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.5.0

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (13.95 MB)
  • v0.4.0 (Jan 24, 2021)

    Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/441

    Changelog

    • da6a281ffc9480a0412925811e34c73cd3d442ca fix release workflow for github actions
    • c22b85562f800e8a9b44a85245625b01785cac5b release with github action
    • 60f353e4dc92f1a5d82c045a3b59b2f3f4b38b71 remove redundant go setup steps
    • 4f289b5131bb430dcca756c025ca9bb3b354d45e update readme
    • 16f16888e3b527c6e32f286c3cc01bc5fbb47249 refactor output flag
    • afa9b2d73e2965f16a074580816736e6301398eb improve --capture help
    • 7d2ce345dfca4f1f24f2aa1a0a99a97e5ad0952f Add return value filter
    • 3098430da6eb26d2ea4bf05dfe99ebd868fa3f53 Make '--capture clear-dir' safer
    • ee2d9bb8918bb4cbbc12692f073f58f12a4b3371 Handle capture output dir in capture flag
    • 534d012f692e8db09a57737b36bc69518cc2496f Decouple and remove filter-file-write flag
    • 062947d2e4e9cd844f94202abc7c783b8572bd27 Add prefix operator to argument filters
    • b47bbc51c38387cd105adb01cff1d7cf2875195f Remove trace flag and add new filters
    • 199357787bb6068321f7215c9edcbb47b72dbbd7 Remove vfs_write(v) and ioctl from default set
    • d38fbefedcd5f3c5561ed22466998aa31f3bce15 Added --stack-addresses flag to log stack addresses to JSON output
    • 487d1e44fcdaa04a1fa3c9430fdb225317cc2731 added 'DeleteKey' and 'GetValue' to 'libbpfgo'
    • 409f21e8053141fdac323441ede51ef5e6198e68 Move pidns trace mode to filter flag
    • b486a253a3ba6c1aedb48049ed92c8a9be58c92d Use filters instead of modes in bpf code
    • 6b4fe815d47b7404237d939730dc0bef69c36264 Move follow trace mode to filter flag
    • 4b3d318ab1e48924601900e8e8c548cb2b6053b2 Add EventID postfix to new syscall events to fit convention
    • 3ac6a21adaddf5e0f29b0dcdfd1d19721c72759f Add support for filtering an event by its argument
    • f44eb206bf8e80efeb1da68641cb61f3f00c522c Supporting new syscalls from kernel version 5.7 - Resolves #372
    • 7ce92f6979378923f2803ae000c86dc8ce93b3bf Fix bad param renaming
    • 3c622e0f00acf94e274f0fcba32e70e601c616be Fix comm and uts filters
    • e36e8805b6df57ccbfd85197216febaa8fe62a9a fix libbpf import
    • 96ed00e0dd8db229e742d046195eca9c878b63ca Issue-398 add arguments to events
    • d387056175263bbbed05b865e691d011a62c91f5 Add indexing of written files
    • b4f0a0aa796b64dbfd9b071bb041d6862ede4a0b Support using filter prefix for common filters
    • 1edeff85251d3a55c018634ed6702a7ddff10de3 Move event flags into filter flag
    • 1bd03a90465240563871deea857a92be7b601366 Change trace modes and add container filter
    • f1968a7d2b7a1fc78f3ce7a6ecd27cff0f73e99b refactor Event and params
    • ff0cb90450cf58c4bbc3d6e446eb145864df02ac fix compat detection for older kernels
    • 54d324f23175dae81e98b3961b9f3eb607464ddb Add support for arm64 32bit compatibility mode
    • af0ea0885dae740b9c894d2e30c7bf543d01bed1 Fix ptrace request argument print
    • 0536237598401df49b6effc78ec68d04773d3cc2 remove redundant var
    • ad3cb5db11b9113700c83b9ea770731c9b012a77 Fix event listing
    • 21720aff70ffa60a50785c2be1fc68372df1c8b9 Simplify filters logic
    • ea5dca15faee3c8d578dfad3a3858ed4abc1e5d4 Move pid filter to filter flag
    • c3d5c4d5e1f78ed75a7dd2b46803925572d2646f signal end of transmission for gob output
    • 84180be0b00511033a08192ce6cdd788ff06c2b5 Support ARM64 architecture
    • bfcabb20f8715d876c8b3b6807902e38c2e19016 Set TRACEE_BPF_FILE to point to file instead of dir
    • 68d6c712cfc55c2a44b3aa6d972c67818fa54451 Fix execve pointer errors
    • 8ed6772a2760534820d47be98b6fd8def7b8dbaf Fix pidns filter erroneously set to mntns
    • f32c50b66e75e5465cb73d21b5b42024cf69f601 Add process follow mode
    • 22ffc4ed78bcbeeeb08937e3d3daeb59cf7b42e5 rename master to main
    • 5702252d72743122576d6814f682bf1c3b4da2f0 Merge filters and set bit size
    • ef665e3a683623f5d58076092539545124cffb50 Rearrange bpf filtering code
    • 11b251f5e81a0aa886a68354c0413d222cbce950 Add UTS and COMM filters
    • 88f5d6bb6725a31bd22cd2b19efde032c4653b31 Add mnt ns and pid ns filters
    • 64a084afc813374e7c74d819692a8c58482c7d32 Simplify uid filtering code

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.4.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.4.0

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (3.43 MB)
  • v0.3.1 (Dec 9, 2020)

    Changelog

    • d4b7008478a813486d42b4bbba0723862397a2f8 Fix bpf compilation on redhat and centos with kernel 4.18
    • 57e2178d19c6e4e7afc58d3bf7aa13b77e51f312 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
    • a92b1eff3e086950f351862d9d332e94e7ea074f Use more informative error when making bpf object fails
    • 800a0799d192dc8f6d955ed843ec1e424ff8eb57 Split kernel headers to source and build
    • 79d625e2c2a2ceb76f60e5ff2ed5b92e5d8ca854 Add security_inode_unlink event
    • 5564d6e235bf91bd458650cb174e8dd0724f6fd7 Print bpf cmd argument and make a default event
    • 919c261bb65c6a0e8b015dbb3e79ad5853ee50b9 Add host only mode
    • 741f1071db1fbd3de38f2bd64f92ff422ed13ca3 Use alpine image instead of ubuntu
    • f302eaf0703ac93849a4972946296cc314d78b41 Fix docker build on manjaro(arch) linux

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.3.1
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.3.1

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (3.40 MB)
  • v0.3.0 (Nov 29, 2020)

    Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/331

    Changelog

    • fff75d00078276e9fbeccc958e7afbd3c8637ed9 fix version for build in docker
    • 5a7a7fcab5dc01f15188816086433ec85620ccd0 fix make libbpf headers
    • f1a239be10c5f759533278ce21ceb5082db3b7ac fix make clean
    • e210c72f743d4b65f4690952943665c8026b4d2c fix version detection for docker build
    • 8d0ac305a004a1bda981ae15362b18218672c31a fix version detection for release
    • dab487d56f78bfda6c4a3bfab7d11085b54f2bcf fix version detection for release
    • b481f0d80f9086e09b279c738b23c34f31a99c50 update readme for release
    • b837b6bb2f3cae7a52babdbea631f9bca3bf5069 fix kernel headers defaults in other distros
    • aa5ec50335fc83f04ad85d5d3ebc3882ae7616a8 make bpf obj file version dependent
    • e123fcab6a69d5bbe2da125b4281b734c2c3ff23 refactor release script, include slim images in notes
    • 87d70f913d6bfdbb02ef03c4c24a37c24132fe34 update readme
    • 318933ebee39fa3014e653d5c8723c59f4f40c3b update readme
    • eb47b745ffad10c3b7b68abb5836c4998479fe46 test for bpf build in ci
    • 5b90fd50ddf3ef8fe7af384fd1625ed4110394a6 fetch libbpf source from make if needed
    • 52c397bd0ae6b8835f87492f33ad1f2e150a10ca fix building in docker without tools
    • 86392ee70437dde9a1ba443bc2579a0e9c366359 fix release process and add slim image
    • ee46b6fcd5ac1561fea005f1de354476c140070b fix typo
    • 85c3379737ec3dd6024ca1894fe42619f1d206b6 docker builder in cwd
    • 151b137da5df5a56a8d68428ec330980c959e65f make docker targets real targets
    • ae2fd1a664bd3551b5462162d5b7119e9d446d45 improve naming of tools and fix make bpf-docker
    • 4a9734ec2875367663b6f78bafb44872e603929e optimize docker building
    • 5faa7c1beeefdc5a2ebb8bc4f7d4497370972447 improve building in docker
    • e4f502cedda2a87f98451d94c3b36e7633149f6f require llvm 9
    • b4ddc9937de84590e5e5b99c9e39315e200e147b Add a --filter flag which takes arguments of the form =,,...
    • 99c36bef218669a2918a8f599f5e5b1c252d9d0a update_logo
    • 42e11de939ee1f9ca196301a9d944f1027e71787 fix clang version detection
    • efa68eee877345d13f6d48442f4bcd62b348aad6 tracee use libbpgo relatively
    • 8d536dbe0f70528eed44062cb0574ba1d4cffea1 fix naming convention
    • 9f5a3055573f20720784fbd83e7d7366ab60e8b0 add libbpfgo readme
    • 5aaf2309338e7bbe13b658d41bc368e1a32fc6ca make libbpfgo a module
    • d5be3a6942c48f7bddf8913a10036be1265a50e8 feat: add test to ci/cd workflow
    • 2a9d54ed435bece014e90f31c242270d531e27d7 Fix capture exec with empty string
    • a78a915e4b1027b1d25f2e0676c76b13b4fe2ff5 fix test target and add test-docker
    • 1943eaa6a688e9f549567df27d875785d8cf13ee fix bundle path
    • 4bd1c7b68812ca807b53db322d941ec54e2ec89e check minimum clang version (#310)
    • d8a55e7775b92b7ec50080d28424e6cf462b718f Fix and enable tests again
    • 9edac6b77c4bf7a42ca3aeefe3d47bcce5d7ab21 Add sched_process_exit event
    • f35a8f393ea132322cb7077322e1060695f08d4b Add libbpf uapi headers - fix ubuntu16 compilation
    • aefd3cd5a0ebe8817d1ec4d1a29701488aa7bf6d Fix asm_inline for kernel > 5.4
    • fe77c7f30b3b14bf1fb69a5a7acf4abd3594a7c2 Print uts name in container mode
    • 46f1e2adac79446641b5583320b2fe64a08b9262 force clang compiler
    • d0757229eee66ee6b7c3ea84bf7b47e1287068ca rewrite release process
    • 2cccd1d9ce6b7f5934923e6fd2df0249893801af Update readme with build comments
    • 71c97f07d7a340ca7f23dec160900fe8e30da65d Don't make llvm-strip a dependency
    • 13c4d1abd56cb3a7d813bd747e656749e091e548 fix makefile dependency
    • 9e06a2025d31be99ff651cd738f6d0823741f3a9 Fix lint and build errors
    • 935540e5fc907e91487c448686c7767790a26106 Rename bpfwrap to libbpfgo
    • 6cfa83d6e866b378db08141987d0707397a18591 fix docker builds for libbpf
    • cc7f1eae7d9cacd4d4c3f05f4efc5267fe843290 Organize probe attach code
    • ffe7b63f49e2c801aac8fca5b6b0b2252908bc53 Disable bpf program autoload if not required
    • 3e7199e9ccc33febaa9174d06c31ce4415a1287c Reorganize initBPF function
    • 6a379a2bb0ee3733da1a8cae2149dabaad8b4ad2 add build-policy flag
    • 8fb3fa541cfc452ef8db57e1c272476fd7ae4286 use different dirs for output and install by default
    • b06c4811d05790df03efbee5bb1778eec08143a2 use tmp as default install path
    • fbf395a9041e50780d7e6654cc4d70d5cb18c488 drop capabilities during compilation
    • 3b80e0f189507f864bc51b5849561d91fbe1df0b bundle bpf source for compilation at runtime
    • 6ea6fbf40b44dab5a3b624057aa5e3bf1a8a9ddc compile bpf obj on startup
    • 765d4fac5687f71173ab01b67b8ddc641de2acb8 fix bpf src injection
    • 8c4a1bbdd472893fc4c75dbc74a0044015b59acf refactor bpf obj searching
    • a074b378854b5554959d7c55472992a0e42f57ee Update libbpf submodule
    • 5109ae1f609f51a3a2e59f8056346fde8b32ef56 improve and organize build (#280)
    • 1208adbc532a232a04db6c85988fecba894f6078 add new module creation from buffer to bpfwrap
    • b17be813d024b932ee4b5dde75121d6e035fb613 Remove BCC from readme
    • a2e43591282054955602849b6fc5ca8cf77b6eee Move from gobpf to bpfwrap (libbpf)
    • 172655fa3412a7cec2c0af9d1d82f997844335e9 Add bpfwrap - a thin libbpf wrapper
    • 73d4b7325c8ac42a0efc28f438332f2dcf487d2b Add libbpf submoudle
    • 2cac3ee1ea16f8aba241ad87e2785ab5c4a5b1e1 Fix tests
    • 49dee1eafb648899e5afb2157fb08c3682caccba Fix lint errors
    • f1f43f80ff84ad9fe647e17955733f837b19440b fix ci trigger
    • d64607a179873862f1193ac8a7be1d21cf525cb5 Fix bad string size type
    • 7a755e3f12acca3f075d2dbea1af34d86e6519ea update go version to 1.15
    • d0fe845c21b7d6613216ae1f4ea37d88b54bb155 updated to golang 1.15
    • 4964f5c75c7a2e42362067082822c5b4698fac01 Output formatting via gotemplate (#256)
    • a3e991f10b771ac98889792c9ed58e853a2debbe feat: Add CI/CD Workflow (#259)
    • 5d49921f900fff50ad0e4bb32204d7fd3b2ddbf7 fix memfd files not shown in vfs_write
    • bc84eae22d5909c0e95fd4c2d80e76ddde5bebd8 fix sockaddr_in parsing
    • 0bb0dbe09d5281a2e0c32fdb4029e2f95f08e01a fix error printing line break
    • 582a3806a41e7a3376573c4d9dbac6cf7c24b972 Created a new --trace flag to replace and enhance the --pid and --container flags
    • 4f50e28e97a2dcfd7c714877f9f9871bb4d9fe2d Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
    • 120204f26529bb484c0247a18debcc6ab7ecbc87 Created a new --trace flag to replace and enhance the --pid and --container flags
    • aec1ef6ea44bb70008347d6cc1a928990cae399f Fix send bin chunk size
    • d58cd29cba127702f05ddd5e39d7f00eb67e6a0c Fix broken kernel 4.14 support
    • e753945963f6f811574280d05656a8b76e55df9d Made the typo change as requested
    • 91fcd92d56f93c27f40d7c81edc15c9a6a4edfa3 Typo Corrected in README.md to sound more meaningfull
    • 42cd0b70d39ae8bc0b41cb452fe6702f8d07b005 change readiness file format
    • 751f38ddedea869c3cd4c6d8944484060ad9ccac Various Grammatical and Spelling Changes (#246)

    Docker images

    • docker pull docker.io/aquasec/tracee:latest
    • docker pull docker.io/aquasec/tracee:0.3.0
    • docker pull docker.io/aquasec/tracee:slim
    • docker pull docker.io/aquasec/tracee:slim-0.3.0

    Assets

    • Source code (tar.gz)
    • Source code (zip)
    • checksums.txt (85 bytes)
    • tracee.tar.gz (3.40 MB)
  • v0.2.1(Oct 11, 2020)

    Changelog

    8ce4688 Small typo fixes (#245)
    e97ca4a add contribution guidelines (#242)
    bd05ede chore(docs): Added badges in README.md file (#236)
    a756211 Read kernel pointers with bpf_probe_read
    214346a improve code portability and be generic
    f4ad395 Don't monitor events generated by tracee
    84c3a7a fix_32bit_before_4.17

    Docker images

    • docker pull docker.io/aquasec/tracee:0.2.1
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.74 MB)
  • v0.2.0(Sep 16, 2020)

  • v0.1.0(Sep 10, 2020)

    Changelog

    b497d9d fix capture exec when sharing pidns (#208)
    b5fb620 Use generic return for execve syscalls
    31887af Simplify raw_syscalls logic and remove security_alerts workaround
    bc2ee10 clear output dir (#222)
    c40f64a Fix fork of traced processes not traced when clone event not chosen
    d20395c signal readiness using a file in output dir (#218)
    1fbce2e Fix decoding errors when save_args fails
    389e596 Handle raw tracepoints fallback
    aefee76 Enable support for all syscalls
    915a1cc Handle events parameters types and names using parameters map
    1adf1e4 Add events parameters map
    29f5ee9 Add 32bit syscalls support
    0e4adff Reduce syscalls handlers instructions size
    8b17cf9 Use tracepoints instead of kprobes for syscalls
    60b2e09 check null terminated string size
    932a706 Add system calls sets
    ddccf41 Update args macro to be more compact
    425193e Use bigger buffer size
    bdaa084 Update intro video in readme
    c962d21 Add more syscalls
    c2b7e4f Add events by sets
    57fd98b Pretty print event list
    0cebf01 Print raw syscalls only when event was not requested
    da1e24b Update readme to reflect verbose output

    Docker images

    • docker pull docker.io/aquasec/tracee:0.1.0
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.74 MB)
  • v0.0.3(Aug 5, 2020)

    Changelog

    6df40c6 Fix double printing of first arg
    4795a63 Fix print indentation
    077916a Update readme file to include host pid when running from docker
    adab925 fix context parsing
    040463a improve table output
    9c9e4b7 update readme example
    3fdcbbb comma separate args in table
    9983e23 restore tid to table
    dba88af widen pid column
    100834d improve table output
    7d9c8d1 Fix capture exec for containers
    425ecb7 Save host and container pids in host mode
    1f5dd76 add host pids to context
    b93fff5 Add clone flags
    54b1b34 Save writes to /dev/null by pid
    b100a20 improve output of args
    3137927 Don't print raw_syscall if event exists
    2d4ba36 Remove essentialEvents map and simplify code
    7805c5e Change event print location in table output
    46d9ccc Handle events in a pipeline
    4245623 Remove global EventNameToID map
    701547d Code refactoring
    f29810f Optimize string array buffer layout
    6a80860 Optimize string array buffer layout
    a591013 Support tracing by pid
    35105ce Decouple event data extraction from event parsing
    0f5236d Use event id constants for performance
    50a7e17 Add argument names
    378263e Fix error counter always 0
    568afc5 Fix broken raw syscalls feature
    7c257ce Beautify table print
    888c0e7 Fix getsockname error on null string
    dce995d fix capture exec for non-filesystem files

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.3
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.70 MB)
  • v0.0.2(Jul 23, 2020)

    Changelog

    a87a69e remove python version
    398138d fix mem alert when not capturing
    ebb5563 Add exclude event flag
    6c63231 Remove PrintSyscall func
    0dbb1ef Fix chmod invalid file
    f1a66bd Append file write if written file type is char, socket or fifo
    de74185 change socket address output format
    726059c Remove unix socket leading zero in json output
    267dae5 Fix unix socket name when there are leading zeros
    7c4b242 fix json tags spelling
    32051f8 Update readme to include capture flag
    e2b935b Update readme to include file and binary capture
    dbacd6e Change consts to use go naming conventions
    4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
    951fbb2 Support multiple probes for one event
    7818daa Use alert struct and save alert payload using timestamp
    ef4c92e validate capture options
    8e79924 don't capture same exec twice
    58ead5d Add mmap and mprotect security alerts and data extraction
    4074a94 Add chosen events map
    bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
    87a4a78 fix test for ptrace printing
    a523eae fix file capture when dependent event is missing
    b10961f Fix write error when buffer and chunk are equal in size
    9602d12 allow granular selection of capture-files
    6c3fc99 fix ptrace flags print
    8114f9c Remove EventsIDToName map
    6a6f918 auto build essentialEvents map
    165a971 print all raw_syscall names
    3e72e64 Add event configuration map
    309aab7 fix lost event counter
    2cb8a20 print errors to a dedicated file
    b27aca3 fix raw_syscall printing if syscall is not known to tracee
    ffa8183 capture executed files
    395e9da add hook to process events and use it to show raw_syscall name
    17c619d refactor stats collection and printing
    2abdacb fix map update issue with old kernels
    5fb424a Change save_args key to be unique
    e2b0a8a decouple internal and external types
    90988aa Add tail call event handler
    db158f1 Use generic method to send binary data
    da567dd add output gob output format
    c3af6f3 Support file-write filters up to 64 chars
    bad16bc Add Tracee logo
    498265d cleanup file event handling code
    17a08ad decouple should_trace and init_context
    280ad5d Handle buffers more efficiently
    e8eca12 parameterize stdout in tracee package
    c9b0e91 simplify tracee config
    9f17b17 remove args brackets
    758145d don't show raw_syscalls by default
    0bcf7a8 change printed time resolution from seconds to microseconds
    ff413c4 Check for privileges
    2a74671 read file buffer with struct
    e84324c move should_trace to a function
    45516c7 remove get_config wrapper functions
    c8982e4 Change vfs_write flags
    c448b3e Port vfs_write to go
    05cfc5a Add configuration flags for vfs_write
    89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
    7ca4b05 Support vfs_write filters
    184610d Change output path to include mnt ns id
    55917d5 Use tail calls to send vfs writes
    c77a643 Support multiple chunks in file send
    a41baa1 Add vfs_write event and file writes extraction
    5d28b9d remove redundant casting
    61d273f Use full submission buffer size
    d278132 Remove type argument from save_str_to_buf
    39bb47e Save path using helper function
    75cb776 Remove R_PATH type and handle as regular string
    d20cf0d fix make build dependencies
    799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
    2d5d1cc refactor events map
    55b6cc6 update gobpf to include memory leak fix
    68b2ce8 add youtube demo to readme

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.2
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.68 MB)
  • v0.0.1(May 18, 2020)

    Changelog

    5dc755f work around gobpf memory leak
    2187ecb add makefile target to build docker image
    a207a16 add make target to build using docker
    5179077 fix dockerfile
    e42865f update readme with release
    5294f4c save_context
    0fcfd26 add release procedure using goreleaser (#75)
    e21954c fix events flag in python
    2efa61d fix dockerfile
    1a6a69c rename events-to-trace flag to event (#73)
    2684f1c update readme (#72)
    5687bce build distributable binary (#71)
    c06e936 update readme (#70)
    6697bea update dockerfile to go
    613717d handle lost events and support configurable buffer size
    2d6e437 fix list command to show recent additions
    dd0cedc add chown chmod and pkey_mprotect syscalls
    541ae53 fix missing threads in system mode
    35202dc fix makefile
    9eb9f29 fix json arguments formatting to match python version
    d770f33 fix comment
    e366065 superficial tests for readArgFromBuff function
    b9bd744 fix socket type print
    67a3ac1 fix POINTER_T parsing and printing
    c0b87ea fix open flags printing
    6bc4686 support security_file_open lsm hook
    dff978e show stats in table epilogue
    b6ea608 update readme about go
    189a6e7 add bprm_check event (#54)
    4b9bad2 print prctl ptrace options in go
    1ae06bc print sockaddr common families in go (#52)
    6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
    fd8a89b implement show-exec-env in go
    7278173 fix event validation
    56bd72e Rewrite Python code in Go (#47)
    08d5a9a Add prctl option and ptrace request enums
    aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
    05372ab Handle failed read to buffer
    8fddef9 Add optional exec-env flag to show env in execve
    431eaae performance: get buffer once
    58f76e7 fix missing flags
    61f172f avoid fork handler code duplication
    4fa4d54 Show syscall name in internal kprobes
    85afe0b save container mode
    04a921c update readme
    58b19d9 events: add setXid syscalls
    9369869 fix failed tests
    6db7ef7 readme: update optional arguments
    6d1effc Add config map and verify configuration
    649b19f catch keyboard interrupt
    4defbd5 Remove container prefix from files
    3aa5c75 mount debugfs before starting
    6121f73 add dockerfile
    39c28ae Generic event handling in userspace
    8afaa4a performance: improve performance and reduce lost events
    ff9aa14 set submission array size according to real cpu number
    631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
    bdd847a Readme: update execve known issue status
    5b6bffc Merge pull request #23 from yanivagman/add_event_list
    7b2ce5b Add event list and update readme
    e0f5549 workaround PT_REGS_PARM macros bug in new kernels
    0762844 Support new kernels
    8d2a31c events: add mount, umount, unlink, unlinkat syscalls
    0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
    4ffb880 readme: add omitted title
    fbdd2e7 Add system tracing mode
    2e296cf fix: stat syscalls are ignored
    79c4159 Correct name in NOTICE file
    f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
    c80ee7a Add container id by using UTS namespace node name
    69f490d Merge pull request #8 from aquasecurity/event-filter
    31f1a58 fix: kprobe for do_exit is essential
    49132fc feat: filter events to trace
    c691511 Start tracee without -v for stdout output
    a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
    ea9b0ec tracee_test: Add test cases for open_flags_to_str
    d7bcba9 tracee_test: Add test cases for open_flags_to_str
    efc2f14 tracee_test: Add tests for execveat_flags_to_str
    d0f474f tracee: Apply more pep-8 fixes
    95aff98 tracee: cleanup imports
    630a71c .git: update gitignore
    a8c2f1d tracee: Move helper methods out of EventMonitor class
    ad6401f tracee: init tests and a new makefile
    03f18e7 Merge pull request #4 from aquasecurity/readme
    5fd4547 update readme file
    e1050f8 Update readme files
    9f22b49 remove execve redundant structs
    2e33567 Change kernel-userspace communication buffer
    9871c7a add creat syscall and fix open incorrect flags bug
    220d5ed expand syscall enum for all syscalls
    af9abf3 add getdents(64) syscalls
    50c939e add symlink(at) syscalls
    2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
    279aabf support python 2 json
    ba4f4ac Add authors info
    1fe3310 Add kernel version & usage to README
    90440ef Create NOTICE
    aa5bb68 Create LICENSE
    3cf9917 Container tracing using eBPF
    b30fc5c Initial commit

    Docker images

    • docker pull docker.io/aquasec/tracee:0.0.1
    • docker pull docker.io/aquasec/tracee:latest
    Source code(tar.gz)
    Source code(zip)
    checksums.txt(80 bytes)
    tracee.tar.gz(1.50 MB)
Owner
Aqua Security
Full lifecycle security for containers and cloud-native applications