tracee

Linux Runtime Security and Forensics using eBPF

APACHE-2.0 License

Stars
3.3K
Committers
84


tracee - v0.3.1

Published by itaysk almost 4 years ago

Changelog

d4b7008478a813486d42b4bbba0723862397a2f8 Fix bpf compilation on redhat and centos with kernel 4.18
57e2178d19c6e4e7afc58d3bf7aa13b77e51f312 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
a92b1eff3e086950f351862d9d332e94e7ea074f Use more informative error when making bpf object fails
800a0799d192dc8f6d955ed843ec1e424ff8eb57 Split kernel headers to source and build
79d625e2c2a2ceb76f60e5ff2ed5b92e5d8ca854 Add security_inode_unlink event
5564d6e235bf91bd458650cb174e8dd0724f6fd7 Print bpf cmd argument and make a default event
919c261bb65c6a0e8b015dbb3e79ad5853ee50b9 Add host only mode
741f1071db1fbd3de38f2bd64f92ff422ed13ca3 Use alpine image instead of ubuntu
f302eaf0703ac93849a4972946296cc314d78b41 Fix docker build on manjaro(arch) linux

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.1

tracee - v0.3.0

Published by itaysk almost 4 years ago

Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/331

Changelog

fff75d00078276e9fbeccc958e7afbd3c8637ed9 fix version for build in docker
5a7a7fcab5dc01f15188816086433ec85620ccd0 fix make libbpf headers
f1a239be10c5f759533278ce21ceb5082db3b7ac fix make clean
e210c72f743d4b65f4690952943665c8026b4d2c fix version detection for docker build
8d0ac305a004a1bda981ae15362b18218672c31a fix version detection for release
dab487d56f78bfda6c4a3bfab7d11085b54f2bcf fix version detection for release
b481f0d80f9086e09b279c738b23c34f31a99c50 update readme for release
b837b6bb2f3cae7a52babdbea631f9bca3bf5069 fix kernel headers defaults in other distros
aa5ec50335fc83f04ad85d5d3ebc3882ae7616a8 make bpf obj file version dependent
e123fcab6a69d5bbe2da125b4281b734c2c3ff23 refactor release script, include slim images in notes
87d70f913d6bfdbb02ef03c4c24a37c24132fe34 update readme
318933ebee39fa3014e653d5c8723c59f4f40c3b update readme
eb47b745ffad10c3b7b68abb5836c4998479fe46 test for bpf build in ci
5b90fd50ddf3ef8fe7af384fd1625ed4110394a6 fetch libbpf source from make if needed
52c397bd0ae6b8835f87492f33ad1f2e150a10ca fix building in docker without tools
86392ee70437dde9a1ba443bc2579a0e9c366359 fix release process and add slim image
ee46b6fcd5ac1561fea005f1de354476c140070b fix typo
85c3379737ec3dd6024ca1894fe42619f1d206b6 docker builder in cwd
151b137da5df5a56a8d68428ec330980c959e65f make docker targets real targets
ae2fd1a664bd3551b5462162d5b7119e9d446d45 improve naming of tools and fix make bpf-docker
4a9734ec2875367663b6f78bafb44872e603929e optimize docker building
5faa7c1beeefdc5a2ebb8bc4f7d4497370972447 improve building in docker
e4f502cedda2a87f98451d94c3b36e7633149f6f require llvm 9
b4ddc9937de84590e5e5b99c9e39315e200e147b Add a --filter flag which takes arguments of the form =,,...
99c36bef218669a2918a8f599f5e5b1c252d9d0a update_logo
42e11de939ee1f9ca196301a9d944f1027e71787 fix clang version detection
efa68eee877345d13f6d48442f4bcd62b348aad6 tracee use libbpfgo relatively
8d536dbe0f70528eed44062cb0574ba1d4cffea1 fix naming convention
9f5a3055573f20720784fbd83e7d7366ab60e8b0 add libbpfgo readme
5aaf2309338e7bbe13b658d41bc368e1a32fc6ca make libbpfgo a module
d5be3a6942c48f7bddf8913a10036be1265a50e8 feat: add test to ci/cd workflow
2a9d54ed435bece014e90f31c242270d531e27d7 Fix capture exec with empty string
a78a915e4b1027b1d25f2e0676c76b13b4fe2ff5 fix test target and add test-docker
1943eaa6a688e9f549567df27d875785d8cf13ee fix bundle path
4bd1c7b68812ca807b53db322d941ec54e2ec89e check minimum clang version (#310)
d8a55e7775b92b7ec50080d28424e6cf462b718f Fix and enable tests again
9edac6b77c4bf7a42ca3aeefe3d47bcce5d7ab21 Add sched_process_exit event
f35a8f393ea132322cb7077322e1060695f08d4b Add libbpf uapi headers - fix ubuntu16 compilation
aefd3cd5a0ebe8817d1ec4d1a29701488aa7bf6d Fix asm_inline for kernel > 5.4
fe77c7f30b3b14bf1fb69a5a7acf4abd3594a7c2 Print uts name in container mode
46f1e2adac79446641b5583320b2fe64a08b9262 force clang compiler
d0757229eee66ee6b7c3ea84bf7b47e1287068ca rewrite release process
2cccd1d9ce6b7f5934923e6fd2df0249893801af Update readme with build comments
71c97f07d7a340ca7f23dec160900fe8e30da65d Don't make llvm-strip a dependency
13c4d1abd56cb3a7d813bd747e656749e091e548 fix makefile dependency
9e06a2025d31be99ff651cd738f6d0823741f3a9 Fix lint and build errors
935540e5fc907e91487c448686c7767790a26106 Rename bpfwrap to libbpfgo
6cfa83d6e866b378db08141987d0707397a18591 fix docker builds for libbpf
cc7f1eae7d9cacd4d4c3f05f4efc5267fe843290 Organize probe attach code
ffe7b63f49e2c801aac8fca5b6b0b2252908bc53 Disable bpf program autoload if not required
3e7199e9ccc33febaa9174d06c31ce4415a1287c Reorganize initBPF function
6a379a2bb0ee3733da1a8cae2149dabaad8b4ad2 add build-policy flag
8fb3fa541cfc452ef8db57e1c272476fd7ae4286 use different dirs for output and install by default
b06c4811d05790df03efbee5bb1778eec08143a2 use tmp as default install path
fbf395a9041e50780d7e6654cc4d70d5cb18c488 drop capabilities during compilation
3b80e0f189507f864bc51b5849561d91fbe1df0b bundle bpf source for compilation at runtime
6ea6fbf40b44dab5a3b624057aa5e3bf1a8a9ddc compile bpf obj on startup
765d4fac5687f71173ab01b67b8ddc641de2acb8 fix bpf src injection
8c4a1bbdd472893fc4c75dbc74a0044015b59acf refactor bpf obj searching
a074b378854b5554959d7c55472992a0e42f57ee Update libbpf submodule
5109ae1f609f51a3a2e59f8056346fde8b32ef56 improve and organize build (#280)
1208adbc532a232a04db6c85988fecba894f6078 add new module creation from buffer to bpfwrap
b17be813d024b932ee4b5dde75121d6e035fb613 Remove BCC from readme
a2e43591282054955602849b6fc5ca8cf77b6eee Move from gobpf to bpfwrap (libbpf)
172655fa3412a7cec2c0af9d1d82f997844335e9 Add bpfwrap - a thin libbpf wrapper
73d4b7325c8ac42a0efc28f438332f2dcf487d2b Add libbpf submodule
2cac3ee1ea16f8aba241ad87e2785ab5c4a5b1e1 Fix tests
49dee1eafb648899e5afb2157fb08c3682caccba Fix lint errors
f1f43f80ff84ad9fe647e17955733f837b19440b fix ci trigger
d64607a179873862f1193ac8a7be1d21cf525cb5 Fix bad string size type
7a755e3f12acca3f075d2dbea1af34d86e6519ea update go version to 1.15
d0fe845c21b7d6613216ae1f4ea37d88b54bb155 updated to golang 1.15
4964f5c75c7a2e42362067082822c5b4698fac01 Output formatting via gotemplate (#256)
a3e991f10b771ac98889792c9ed58e853a2debbe feat: Add CI/CD Workflow (#259)
5d49921f900fff50ad0e4bb32204d7fd3b2ddbf7 fix memfd files not shown in vfs_write
bc84eae22d5909c0e95fd4c2d80e76ddde5bebd8 fix sockaddr_in parsing
0bb0dbe09d5281a2e0c32fdb4029e2f95f08e01a fix error printing line break
582a3806a41e7a3376573c4d9dbac6cf7c24b972 Created a new --trace flag to replace and enhance the --pid and --container flags
4f50e28e97a2dcfd7c714877f9f9871bb4d9fe2d Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
120204f26529bb484c0247a18debcc6ab7ecbc87 Created a new --trace flag to replace and enhance the --pid and --container flags
aec1ef6ea44bb70008347d6cc1a928990cae399f Fix send bin chunk size
d58cd29cba127702f05ddd5e39d7f00eb67e6a0c Fix broken kernel 4.14 support
e753945963f6f811574280d05656a8b76e55df9d Made the typo change as requested
91fcd92d56f93c27f40d7c81edc15c9a6a4edfa3 Typo corrected in README.md to sound more meaningful
42cd0b70d39ae8bc0b41cb452fe6702f8d07b005 change readiness file format
751f38ddedea869c3cd4c6d8944484060ad9ccac Various Grammatical and Spelling Changes (#246)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.0

tracee - v0.2.1

Published by itaysk about 4 years ago

Changelog

8ce4688 Small typo fixes (#245)
e97ca4a add contribution guidelines (#242)
bd05ede chore(docs): Added badges in README.md file (#236)
a756211 Read kernel pointers with bpf_probe_read
214346a improve code portability and be generic
f4ad395 Don't monitor events generated by tracee
84c3a7a fix_32bit_before_4.17

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.1
  • docker pull docker.io/aquasec/tracee:latest

tracee - v0.2.0

Published by itaysk about 4 years ago

Changelog

f85878a Add vfs_writev event
a3af9ac Clean essential events from map
aeab9b3 Add pids in raw_syscalls instead of execve handler
b1297cf save_context_generic

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.0
  • docker pull docker.io/aquasec/tracee:latest

tracee - v0.1.0

Published by itaysk about 4 years ago

Changelog

b497d9d fix capture exec when sharing pidns (#208)
b5fb620 Use generic return for execve syscalls
31887af Simplify raw_syscalls logic and remove security_alerts workaround
bc2ee10 clear output dir (#222)
c40f64a Fix fork of traced processes not traced when clone event not chosen
d20395c signal readiness using a file in output dir (#218)
1fbce2e Fix decoding errors when save_args fails
389e596 Handle raw tracepoints fallback
aefee76 Enable support for all syscalls
915a1cc Handle events parameters types and names using parameters map
1adf1e4 Add events parameters map
29f5ee9 Add 32bit syscalls support
0e4adff Reduce syscalls handlers instructions size
8b17cf9 Use tracepoints instead of kprobes for syscalls
60b2e09 check null terminated string size
932a706 Add system calls sets
ddccf41 Update args macro to be more compact
425193e Use bigger buffer size
bdaa084 Update intro video in readme
c962d21 Add more syscalls
c2b7e4f Add events by sets
57fd98b Pretty print event list
0cebf01 Print raw syscalls only when event was not requested
da1e24b Update readme to reflect verbose output

Docker images

  • docker pull docker.io/aquasec/tracee:0.1.0
  • docker pull docker.io/aquasec/tracee:latest

tracee - v0.0.3

Published by yanivagman about 4 years ago

Changelog

6df40c6 Fix double printing of first arg
4795a63 Fix print indentation
077916a Update readme file to include host pid when running from docker
adab925 fix context parsing
040463a improve table output
9c9e4b7 update readme example
3fdcbbb comma separate args in table
9983e23 restore tid to table
dba88af widen pid column
100834d improve table output
7d9c8d1 Fix capture exec for containers
425ecb7 Save host and container pids in host mode
1f5dd76 add host pids to context
b93fff5 Add clone flags
54b1b34 Save writes to /dev/null by pid
b100a20 improve output of args
3137927 Don't print raw_syscall if event exists
2d4ba36 Remove essentialEvents map and simplify code
7805c5e Change event print location in table output
46d9ccc Handle events in a pipeline
4245623 Remove global EventNameToID map
701547d Code refactoring
f29810f Optimize string array buffer layout
6a80860 Optimize string array buffer layout
a591013 Support tracing by pid
35105ce Decouple event data extraction from event parsing
0f5236d Use event id constants for performance
50a7e17 Add argument names
378263e Fix error counter always 0
568afc5 Fix broken raw syscalls feature
7c257ce Beautify table print
888c0e7 Fix getsockname error on null string
dce995d fix capture exec for non-filesystem files

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.3
  • docker pull docker.io/aquasec/tracee:latest

tracee - v0.0.2

Published by itaysk over 4 years ago

Changelog

a87a69e remove python version
398138d fix mem alert when not capturing
ebb5563 Add exclude event flag
6c63231 Remove PrintSyscall func
0dbb1ef Fix chmod invalid file
f1a66bd Append file write if written file type is char, socket or fifo
de74185 change socket address output format
726059c Remove unix socket leading zero in json output
267dae5 Fix unix socket name when there are leading zeros
7c4b242 fix json tags spelling
32051f8 Update readme to include capture flag
e2b935b Update readme to include file and binary capture
dbacd6e Change consts to use go naming conventions
4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
951fbb2 Support multiple probes for one event
7818daa Use alert struct and save alert payload using timestamp
ef4c92e validate capture options
8e79924 don't capture same exec twice
58ead5d Add mmap and mprotect security alerts and data extraction
4074a94 Add chosen events map
bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
87a4a78 fix test for ptrace printing
a523eae fix file capture when dependent event is missing
b10961f Fix write error when buffer and chunk are equal in size
9602d12 allow granular selection of capture-files
6c3fc99 fix ptrace flags print
8114f9c Remove EventsIDToName map
6a6f918 auto build essentialEvents map
165a971 print all raw_syscall names
3e72e64 Add event configuration map
309aab7 fix lost event counter
2cb8a20 print errors to a dedicated file
b27aca3 fix raw_syscall printing if syscall is not known to tracee
ffa8183 capture executed files
395e9da add hook to process events and use it to show raw_syscall name
17c619d refactor stats collection and printing
2abdacb fix map update issue with old kernels
5fb424a Change save_args key to be unique
e2b0a8a decouple internal and external types
90988aa Add tail call event handler
db158f1 Use generic method to send binary data
da567dd add output gob output format
c3af6f3 Support file-write filters up to 64 chars
bad16bc Add Tracee logo
498265d cleanup file event handling code
17a08ad decouple should_trace and init_context
280ad5d Handle buffers more efficiently
e8eca12 parameterize stdout in tracee package
c9b0e91 simplify tracee config
9f17b17 remove args brackets
758145d don't show raw_syscalls by default
0bcf7a8 change printed time resolution from seconds to microseconds
ff413c4 Check for privileges
2a74671 read file buffer with struct
e84324c move should_trace to a function
45516c7 remove get_config wrapper functions
c8982e4 Change vfs_write flags
c448b3e Port vfs_write to go
05cfc5a Add configuration flags for vfs_write
89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
7ca4b05 Support vfs_write filters
184610d Change output path to include mnt ns id
55917d5 Use tail calls to send vfs writes
c77a643 Support multiple chunks in file send
a41baa1 Add vfs_write event and file writes extraction
5d28b9d remove redundant casting
61d273f Use full submission buffer size
d278132 Remove type argument from save_str_to_buf
39bb47e Save path using helper function
75cb776 Remove R_PATH type and handle as regular string
d20cf0d fix make build dependencies
799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
2d5d1cc refactor events map
55b6cc6 update gobpf to include memory leak fix
68b2ce8 add youtube demo to readme

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.2
  • docker pull docker.io/aquasec/tracee:latest

tracee - v0.0.1

Published by itaysk over 4 years ago

Changelog

5dc755f work around gobpf memory leak
2187ecb add makefile target to build docker image
a207a16 add make target to build using docker
5179077 fix dockerfile
e42865f update readme with release
5294f4c save_context
0fcfd26 add release procedure using goreleaser (#75)
e21954c fix events flag in python
2efa61d fix dockerfile
1a6a69c rename events-to-trace flag to event (#73)
2684f1c update readme (#72)
5687bce build distributable binary (#71)
c06e936 update readme (#70)
6697bea update dockerfile to go
613717d handle lost events and support configurable buffer size
2d6e437 fix list command to show recent additions
dd0cedc add chown chmod and pkey_mprotect syscalls
541ae53 fix missing threads in system mode
35202dc fix makefile
9eb9f29 fix json arguments formatting to match python version
d770f33 fix comment
e366065 superficial tests for readArgFromBuff function
b9bd744 fix socket type print
67a3ac1 fix POINTER_T parsing and printing
c0b87ea fix open flags printing
6bc4686 support security_file_open lsm hook
dff978e show stats in table epilogue
b6ea608 update readme about go
189a6e7 add bprm_check event (#54)
4b9bad2 print prctl ptrace options in go
1ae06bc print sockaddr common families in go (#52)
6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
fd8a89b implement show-exec-env in go
7278173 fix event validation
56bd72e Rewrite Python code in Go (#47)
08d5a9a Add prctl option and ptrace request enums
aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
05372ab Handle failed read to buffer
8fddef9 Add optional exec-env flag to show env in execve
431eaae performance: get buffer once
58f76e7 fix missing flags
61f172f avoid fork handler code duplication
4fa4d54 Show syscall name in internal kprobes
85afe0b save container mode
04a921c update readme
58b19d9 events: add setXid syscalls
9369869 fix failed tests
6db7ef7 readme: update optional arguments
6d1effc Add config map and verify configuration
649b19f catch keyboard interrupt
4defbd5 Remove container prefix from files
3aa5c75 mount debugfs before starting
6121f73 add dockerfile
39c28ae Generic event handling in userspace
8afaa4a performance: improve performance and reduce lost events
ff9aa14 set submission array size according real cpu number
631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
bdd847a Readme: update execve known issue status
5b6bffc Merge pull request #23 from yanivagman/add_event_list
7b2ce5b Add event list and update readme
e0f5549 workaround PT_REGS_PARM macros bug in new kernels
0762844 Support new kernels
8d2a31c events: add mount, umount, unlink, unlinkat syscalls
0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
4ffb880 readme: add omitted title
fbdd2e7 Add system tracing mode
2e296cf fix: stat syscalls are ignored
79c4159 Correct name in NOTICE file
f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
c80ee7a Add container id by using UTS namespace node name
69f490d Merge pull request #8 from aquasecurity/event-filter
31f1a58 fix: kprobe for do_exit is essential
49132fc feat: filter events to trace
c691511 Start tracee without -v for stdout output
a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
ea9b0ec tracee_test: Add test cases for open_flags_to_str
d7bcba9 tracee_test: Add test cases for open_flags_to_str
efc2f14 tracee_test: Add tests for execveat_flags_to_str
d0f474f tracee: Apply more pep-8 fixes
95aff98 tracee: cleanup imports
630a71c .git: update gitignore
a8c2f1d tracee: Move helper methods out of EventMonitor class
ad6401f tracee: init tests and a new makefile
03f18e7 Merge pull request #4 from aquasecurity/readme
5fd4547 update readme file
e1050f8 Update readme files
9f22b49 remove execve redundant structs
2e33567 Change kernel-userspace communication buffer
9871c7a add creat syscall and fix open incorrect flags bug
220d5ed expand syscall enum for all syscalls
af9abf3 add getdents(64) syscalls
50c939e add symlink(at) syscalls
2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
279aabf support python 2 json
ba4f4ac Add authors info
1fe3310 Add kernel version & usage to README
90440ef Create NOTICE
aa5bb68 Create LICENSE
3cf9917 Container tracing using eBPF
b30fc5c Initial commit

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.1
  • docker pull docker.io/aquasec/tracee:latest

Package Rankings
Top 1.5% on Proxy.golang.org