tracee

Linux Runtime Security and Forensics using eBPF

APACHE-2.0 License


tracee - v0.11.1

Published by github-actions[bot] over 1 year ago

v0.11.1 highlights and discussion

Docker images

  • docker pull docker.io/aquasec/tracee:0.11.1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.11.1 (compiles non CO-RE eBPF object on startup)

tracee - v0.11.0

Published by github-actions[bot] over 1 year ago

v0.11.0 highlights and discussion

Docker images

  • docker pull docker.io/aquasec/tracee:0.11.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.11.0 (compiles non CO-RE eBPF object on startup)

tracee - v0.10.0

Published by github-actions[bot] almost 2 years ago

Release highlights and summary

👉 https://github.com/aquasecurity/tracee/discussions/2503

Full Changelog

tracee - v0.9.3

Published by github-actions[bot] almost 2 years ago

v0.9.3

This version continues the trend within the v0.9.X series of Tracee versions: quickly fixing bugs and updating documentation in small, frequent releases. We're happy that this trend makes Tracee a more reliable system to depend on, with a stable latest version.

See the full release notes and closed milestone issues for highlights.

Docker images

  • docker pull docker.io/aquasec/tracee:0.9.3 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.9.3 (compiles non CO-RE eBPF object on startup)

Full Changelog

b7849938 - workflows: add stream8 back (#2327) (Rafael David Tinoco)
20daa29f - Documentation: Fix broken links, move deep dive section (#2322) (grantseltzer)
430c073b - ebpf: fix mem_prot_alert invalid args (#2324) (Yaniv Agman)
a37dcf66 - workflows: change pr to new runners (#2325) (Rafael David Tinoco)
ea11896e - Run integration test triggers in own PID (#2323) (grantseltzer)
380070e0 - flags: add a test for prepareEventsToTrace (Nadav Strahilevitz)
766f5889 - events: add a "containers" set (Nadav Strahilevitz)
31d09d4f - filter: fix wildcard not working for events (Nadav Strahilevitz)
ca2a14e1 - bucketscache: add RWMutex (#2316) (Nadav Strahilevitz)
534b6a49 - types/trace: add u8 type support to UnmarshalJson (#2312) (Alon Zivony)
4ff5914d - tracee: remove invalid events from tailcalls (#2310) (Nadav Strahilevitz)
f51b41af - filters: flags: change mntns and pidns filter expressions (#2302) (Geyslan Gregório)
df6d661f - logger: move logger start to init functions (#2252) (Geyslan Gregório)

tracee - v0.9.2

Published by github-actions[bot] almost 2 years ago

v0.9.2

This release contains fixes for regressions that were introduced in the last two releases. In particular, we've disabled TRC-108 and TRC-1022, disabled the default capabilities drop, and moved libbpf back to v1.0.1.

As this comes very soon after the prior two releases, take a look at v0.9.0's release notes to see recent highlights of tracee's improvements and added features!

Docker images

  • docker pull docker.io/aquasec/tracee:0.9.2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.9.2 (compiles non CO-RE eBPF object on startup)

Full changelog

f7a0b786 - rules: disable TRC-1022 (#2304) (Jose Donizetti)
84fd91ec - capabilities: do not drop caps by default (Rafael David Tinoco)
29b89f8e - golang: go mod tidy (Rafael David Tinoco)
70ea8369 - libbpfgo: bump to v0.4.4-libbpf-1.0.1 (Rafael David Tinoco)
6a079a95 - libbpf: back to v1.0.1 (Rafael David Tinoco)
537fe6c6 - hooked_proc_fops: remove redundant struct check and handle null pointer (#2303) (AsafEitani)
b8ac9db0 - k8s: disable signature TRC-108 (#2297) (Jose Donizetti)
bbcc6a53 - k8s: update version to 0.9.2 (#2299) (Jose Donizetti)
ae722d7a - event fix: bpf_attach map key (#2295) (roikol)

tracee - v0.9.1

Published by github-actions[bot] almost 2 years ago

v0.9.1

This is a small release that only contains bug fixes; it is recommended over v0.9.0. As this comes two days after the prior release, take a look at v0.9.0's release notes to see highlights of its improvements and added features!

Docker images

  • docker pull docker.io/aquasec/tracee:0.9.1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.9.1 (compiles non CO-RE eBPF object on startup)

Full Changelog

58399f09 - k8s: update image tag to latest (#2293) (Jose Donizetti)
0842226f - capabilities: do not drop privileges in tracee-ebpf by default (Rafael David Tinoco)
00c7bd26 - symbols_loaded: raise privileges when needed (Rafael David Tinoco)
98266408 - path_resolver: raise privileges when needed (Rafael David Tinoco)
7ef3541f - probes: add NET_ADMIN capability as required for tcProbes (Rafael David Tinoco)
73fb7eb5 - capabilities: make new capabilities a singleton (Rafael David Tinoco)
02804d8b - capabilities: raise caps for init_namespaces event (Yaniv Agman)
73273d2a - caps: raise privileges for cgroupv1 mount (#2290) (Rafael David Tinoco)
cbaeac2a - pkg/ebpf: fix symbols_loaded initialization crash (#2284) (Alon Zivony)
1bb72641 - capabilities: fix: raise caps ring for privileged operations (#2280) (Rafael David Tinoco)

Full Changelog: https://github.com/aquasecurity/tracee/compare/v0.9.0...v0.9.1

tracee - v0.9.0

Published by github-actions[bot] about 2 years ago

v0.9.0

It's never been better to run Tracee in Kubernetes! This release represents a significant jump in the value of running Tracee in users' Kubernetes environments. This is most notably because of the huge contribution of Aqua's research team, adding 20+ new signatures to tracee-rules. Users can enable these to instantly gain detection of common cloud native attacks without having to write a single policy.

We've also revamped our documentation to make installing, running, and understanding Tracee even more accessible to its users.

Thank you to all our external contributors who participated in this release by either contributing code, documentation, or opening issues!

New Signatures

In #2271/2259, 20+ new signatures were introduced. Signatures allow users of Tracee to apply policies for the kinds of potentially malicious behavior they want to be alerted about.

For example, the new proc_mem_access signature alerts on a common attack pattern where one process attempts to read the memory of another process. Credentials and secrets can be obtained this way.

Check out the Available Rules page on the documentation site for an explanation of all provided signatures you can use with Tracee.

New Events

To power some of these new signatures and open up possibilities for future ones, we've added two new events, i.e. raw hooks that Tracee uses to gather insight. In particular, they are kallsyms_lookup_name and bpf_attach (#2255 and #2079).

Documentation

We've restructured documentation to be more accessible for users, as opposed to just developers. There's also a new quickstart guide for running Tracee in Kubernetes, the target use-case for it. Check out the documentation site here.

More Highlights

There are many fixes and code quality improvements to Tracee. This includes, but isn't limited to, new tests, standardization of logging, fixing the way you can install Tracee with Helm, and upgrading to the latest version of libbpf.

Breaking Changes

  • security_inode_unlink event's 'device' argument was renamed to 'dev' (#2175)

Docker images

  • docker pull docker.io/aquasec/tracee:0.9.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.9.0 (compiles non CO-RE eBPF object on startup)

Full Changelog

7954dc6b - docs: add overview to docs, contributing sections (#2275) (Jose Donizetti)
dcbcb9dc - docs: stop creating docs for patch versions (#2274) (Jose Donizetti)
10b97e8c - signatures: add TRC-108 to the export list so it is installed (Rafael David Tinoco)
5271aef5 - signatures: do not install rego signatures by default (Rafael David Tinoco)
ecd378b9 - kerneltest: test new golang sigs instead of rego ones (Rafael David Tinoco)
bb5bb075 - signature: use socket_dup event instead of dup(s) syscalls in stdio_over_socket.go (RoiKol)
6a0f8a37 - signatures: use helpers to get addr argument details (RoiKol)
2694bdfa - signatures: serialize TRC IDs (RoiKol)
5add0983 - signature: use sched_process_exec instead of execve in kubernetes_api_connection.go sig (RoiKol)
3fc7d0e1 - signature: add syscall_table_hooking.go sig (RoiKol)
a5e955ac - signature: add proc_fops_hooking.go sig (RoiKol)
08e363ec - signature: add kubernetes_certificate_theft_attempt.go sig (RoiKol)
40fc0cda - signature: add kernel_module_loading.go sig (RoiKol)
00465699 - signature: add k8s_service_account_token.go sig (RoiKol)
36e5808b - signature: add illegitimate_shell.go sig (RoiKol)
305c7b4f - signature: add fileless_execution.go sig (RoiKol)
b5c88c35 - signature: add dynamic_code_loading.go sig (RoiKol)
904ace48 - signature: add disk_mount.go sig (RoiKol)
4e7fd147 - signature: add process_vm_write_code_injection.go sig (RoiKol)
cc469cbd - signature: add ptrace_code_injection.go sig (RoiKol)
cd268238 - signature: add anti_debugging_ptraceme.go sig (RoiKol)
071bdfc9 - signature: add hidden_file_created.go sig (RoiKol)
d84122cd - signature: add proc_mem_access.go sig (RoiKol)
b1013aa3 - signature: add proc_kcore_read.go sig (RoiKol)
2125a85d - signature: add core_pattern_modification.go sig (RoiKol)
a63f0b23 - signature: add rcd_modification.go sig (RoiKol)
f120665c - signature: add cgroup_release_agent_modification.go sig (RoiKol)
cc897ab4 - signature: add system_request_key_config_modification.go sig (RoiKol)
64356d74 - signature: add sched_debug_recon.go sig (RoiKol)
5150eb53 - signature: add sudoers_modification.go sig (RoiKol)
80f1aaa2 - signature: add default_loader_modification.go sig (RoiKol)
ab1f7b1b - signature: add cgroup_notify_on_release_modification.go sig (RoiKol)
7a48cea2 - signature: add ld_preload.go sig (RoiKol)
68855248 - signature: add scheduled_task_modification.go sig (RoiKol)
c173d22c - signature: add docker_abuse.go sig (RoiKol)
5b029ffc - signature: add proc_mem_code_injection.go sig (RoiKol)
7b8b9647 - signature: add dropped_executable.go sig (RoiKol)
f78982b6 - signature: add aslr_inspection.go sig (RoiKol)
4e9750a2 - Update tracee tags in deployments (#2256) (grantseltzer)
1376dfac - docs: restructuring documentation (#2265) (Jose Donizetti)
abf218b0 - docs: update RELEASING.md to publish helm (#2270) (Jose Donizetti)
cb1d0f3e - k8s: make postee optional (#2268) (Jose Donizetti)
53e1bbcb - k8s: add kind to helm publishing for testing (#2263) (Jose Donizetti)
6242a210 - rules: migrate log calls to new logger (#2224) (Shubham Palriwala)
784df91b - events: add kallsyms_lookup_name event (RoiKol)
fe7cbbb6 - events: add bpf_attach event (#2079) (roikol)
3e240718 - Upgrade libbpfgo to v0.4.3-libbpf-1.0.1 and (#2220) (grantseltzer)
2f49db42 - integration: fix integration tests (#2250) (Rafael David Tinoco)
ae125149 - refactor: improve help handling (#2241) (Jose Donizetti)
bd48dd23 - Fix helm publishing (#2247) (Jose Donizetti)
88791a7e - k8s: fix helm publishing (#2245) (Jose Donizetti)
9a1f8c9c - refactor: remove debug flag from pkg/server (#2239) (Jose Donizetti)
f44a4355 - uprobe: fix uprobe trigger triggered from multiple tracee instances (#2230) (AsafEitani)
9965fd9d - tests: add filters tests and benchmarks (Nadav Strahilevitz)
9e8ba736 - filters: refactor to allow multiple parses (Nadav Strahilevitz)
05bf6f5d - filters: add error files (Nadav Strahilevitz)
4f8684ae - filters: add Min and Max methods (Nadav Strahilevitz)
1529dbe5 - filters: move enabling logic to methods (Nadav Strahilevitz)
cb56c15d - filters: encapsulate min, max, args and ret logic (Nadav Strahilevitz)
6697e685 - filters: split into bpf filters (Nadav Strahilevitz)
98666e1e - filters: add filter constructors (Nadav Strahilevitz)
5dbc5390 - filters: reuse StringFilter in ArgFilter (Nadav Strahilevitz)
c75230e3 - flags: remove tests (Nadav Strahilevitz)
bb611da0 - events: add GetID helper (Nadav Strahilevitz)
81eb1b32 - filters: add prefix and suffix sets (Nadav Strahilevitz)
f363f1ca - pkg/ebpf: fix bug in support for arg types (#2228) (Alon Zivony)
dd41bad1 - pkg/ebpf+events: created new event for sigaction (Alon Zivony)
4a918e27 - pkg/ebpf: fix get_node_addr macro (Alon Zivony)
024d5b4c - events: include 32bit syscalls in syscall event range (#2218) (Nadav Strahilevitz)
5c2aabe5 - container enrichment: skip enriched events (#2214) (Nadav Strahilevitz)
a929e9d2 - metrics: add events filtered stat (#2212) (Nadav Strahilevitz)
c29685c2 - kerneltest: fix test name variable (#2213) (Rafael David Tinoco)
ec9bcd1a - logger: change API function names (#2208) (Geyslan Gregório)
968152e0 - log: introduce logger package (#2110) (Geyslan Gregório)
1efc149c - docs: fix symbols_loaded typos (Nadav Strahilevitz)
3989bc37 - events: move symbols_loaded to userspace event ids (Nadav Strahilevitz)
23666f88 - pkg/ebpf: quick fix for args_map memory leak (Alon Zivony)
374e729a - tracee.bpf.c: fix submit of shared_object_loaded (Nadav Strahilevitz)
bfdd4818 - README: Fix typo (Margarita Manterola)
306275d2 - types/trace: support arbitrary pointers in json (#2182) (Alon Zivony)
bc58ca84 - Test: Add Unit tests for params under event parsing (#2199) (Shubham Palriwala)
264056cb - refactor: clean up tracee-rules/main.go (#2194) (Jose Donizetti)
b567f6bc - fix: change k8s version to 0.8.3 (#2195) (Jose Donizetti)
c0ffcc6f - Test_getTailCalls: fix intermittent failure (#2192) (Nadav Strahilevitz)
cedb4c37 - README: fix indention of "docker run" blocks (#2193) (Nils Hanke)
fefeb08d - pprof: move to server package (#2180) (Jose Donizetti)
c0d24c74 - docs: small fixes (Yaniv Agman)
4f2d828f - bpf-nocore: remove compilation warnings and unused variables (#2179) (Rafael David Tinoco)
ccfb903f - deprecation: adjust deprecation warnings (Rafael David Tinoco)
a8a36687 - parse_args: fix {get,set}sockopt new parse option (Rafael David Tinoco)
9cd4e86c - capabilities: fix usage of kernel version interface (grantseltzer)
4848140a - libbpf: bump to v1.0.0 (Rafael David Tinoco)
ca6e82fd - libbpfgo: bump to v0.4.0-libbpf-1.0.0-8-g14c6bc9 (Rafael David Tinoco)
8468f89f - events: rename security_inode_unlink device arg (#2175) (AsafEitani)

tracee - v0.8.3

Published by github-actions[bot] about 2 years ago

v0.8.3

This is a very small release mostly triggered by a security update to OPA.

Breaking changes

There should be no breaking changes.

Highlights

Fixes/Security Updates

  • Bump OPA dependency from v0.42.0 to v0.44.0 (#2172)
  • Fixed security_file_open event dependencies (#2166)

Improvements

  • New /healthz endpoint for both tracee-ebpf and tracee-rules (#2116)
  • security_inode_unlink event has been enriched with more arguments (#2136)
  • You can now specify env DEBUG=1 while building to include DWARF symbols (#2164)

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.3 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.3 (compiles non CO-RE eBPF object on startup)

Full Changelog

792b5106 - security: bump OPA from 0.42.0 to 0.44.0 (#2172) (Rafael David Tinoco)
5b91c25d - events_derived: merge into existing files (Nadav Strahilevitz)
f1ebce64 - events/derive: simplify files (Nadav Strahilevitz)
a573fe22 - tracee: debug mode: only enable net probes if needed (Rafael David Tinoco)
0321b787 - docs/installing: add 'tracee-system' namespace to the manual installation (#2167) (Vitor Duque)
e53c5c0c - net_events: remove current net debugging mechanism (Rafael David Tinoco)
42d9a2c5 - tracee.bpf.c: move license and kernel version to the top (Rafael David Tinoco)
048daa89 - pkg/ebpf: enrich security_inode_unlink (#2136) (Alon Zivony)
7a828314 - events: add execve and execveat to security_file_open syscalls (#2166) (Nadav Strahilevitz)
63cead8a - feat: add healthz endpoint (#2116) (Jose Donizetti)
c83ac80f - Makefile: add DEBUG flag to enable symbols (#2164) (Geyslan Gregório)
999e44fc - k8s: fix tracee version to latest release v0.8.2 (#2162) (Jose Donizetti)

tracee - v0.8.2

Published by github-actions[bot] about 2 years ago

v0.8.2

This release continues the trend of more frequent smaller releases. It contains mostly bug fixes and performance optimizations.

Highlights

Breaking Changes

There should be no breaking changes

Fixes

  • Optimizations to syscall enter/exit hooks (#2080)
  • Optimizations with likely/unlikely macros (#2131)
  • Lowered the threshold to drop CAP_SYS_ADMIN for better consistency on various distributions (#2078)
  • Resolved arm64 compilation problems (#2103)
  • Use /proc/self/exe instead of Go os.Executable to resolve runtime errors (#2103)
  • Add requirement of CAP_SYS_PTRACE to the capture_exec event (#1932)
  • Remove symbols loaded errors that should be warnings (#2129)
  • Added LIBBPFGO_OSRELEASE_FILE to falco sidekick k8s deployment (#2142)
  • Resolved an issue with applying the context from triggering events (#2090)
  • Style fixes (#2112)
  • Updated postee in helm charts (#2111)
  • Resolved an issue where a nil pointer dereference occurred when net interface wasn't specified (#2066)

New Features

  • New ability to bypass dropping of capabilities via the --caps allow-failed-drop and --caps cancel-drop options (#2008)
  • Daily tests workflow and badge (#2064)

Thanks for your valuable contributions @cdelzotti!

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.2 (compiles non CO-RE eBPF object on startup)

Full Changelog

1bca1524 - docs/tracing: fix typo (#2149) (P1nant0m)
afa63476 - deprecation: adjust deprecation warnings (Rafael David Tinoco)
9001dbc8 - capabilities: fix usage of kernel version interface (grantseltzer)
fdacd945 - parse_args: fix {get,set}sockopt new parse option (grantseltzer)
eb1fe11d - libbpfgo: update to latest (1.0.0+) (Rafael David Tinoco)
911d01b7 - libbpf: upgrade to v1.0.0 (grantseltzer)
1c8fef2b - docs/building: fix typo (grantseltzer)
d7ff24eb - makefile: remove clang-tidy as checker (Rafael David Tinoco)
49e75bca - makefile: get rid of dist/tracee.bpf bundle (Rafael David Tinoco)
d1c360ec - ebpf: add get_task_syscall_id helper (#2134) (Nadav Strahilevitz)
9e390794 - bug: add LIBBPFGO_OSRELEASE_FILE to falcosidekick (#2142) (Jose Donizetti)
8f1b398e - pkg/events/derive: silence symbols loaded errors (#2129) (Alon Zivony)
66ee9a71 - tracee.bpf.c: optimize with unlikely (#2131) (Nadav Strahilevitz)
fef38714 - tracee.bpf.c: optimize sys_enter and sys_exit (#2080) (Nadav Strahilevitz)
a038cc7d - refactor: remove not used return argument (Jose Donizetti)
913c2a72 - uprobes: adjust calling convention for uprobe handlers (Rafael David Tinoco)
2c041f61 - uprobes: open /proc/self/exe instead of os.Executable() (Rafael David Tinoco)
ba229396 - arm64: move comment for better indentation (Rafael David Tinoco)
0aa26f46 - tracee: do not tailcall undefined syscalls (Rafael David Tinoco)
2bc75195 - arm_kprobe: change hook point to satisfy arm64 missing symbol (Rafael David Tinoco)
cbd102b2 - tracee.bpf.c: fix arm64 compilation problems (Rafael David Tinoco)
509dc06d - events: change addr arguments to type pointer (#2128) (roikol)
b6dcf115 - pkg/ebpf: open files in output dir using FD (Alon Zivony)
da381170 - pkg/events: add missing capabilities to capture exec (Alon Zivony)
997cc379 - cmd/tracee-ebpf: divide capabilities dropping to stages (Alon Zivony)
c2bfd111 - containers/runtime: move autodiscover to package (#2081) (Nadav Strahilevitz)
c20afb46 - refactor: style fixes (#2112) (Jose Donizetti)
c631debe - feat(deps): Bump up Postee Helm chart version. (#2111) (simar7)
2af18f32 - README: remove badge for removed workflow (Rafael David Tinoco)
ea5fcc8e - workflows: remove redundant test being done to each PR (#2106) (Rafael David Tinoco)
5ebdfe72 - k8s: fix tracee version to latest release v0.8.1 (#2099) (Jose Donizetti)
bedba052 - k8s: fix kustomization.yaml (#2101) (Jose Donizetti)
edcaf819 - trigger: fix context apply (#2090) (Nadav Strahilevitz)
d4ad6124 - tracee-tester: spin-off tracee-tester related files (#2091) (Rafael David Tinoco)
a2fd2c49 - trigger: move event triggering logic out of derive (#2069) (Nadav Strahilevitz)
5f765aa8 - enrich: add queue cleaner goroutine (#2084) (Nadav Strahilevitz)
f396d916 - events: add security_inode_rename event (#2045) (Rafael David Tinoco)
70975338 - ebpf: parse events fd arguments to filenames (Geyslan Gregório)
df76fa10 - ebpf: standardize and reorder syscall names (Geyslan Gregório)
eef81b1f - tracee-ebpf: remove bufs_off map (#1866) (Yaniv Agman)
f6799198 - Lowering the threshold to drop CAP_SYS_ADMIN (#2078) (cdelzotti)
5a5762ed - cmd/tracee-ebpf: add capabilities dropping bypasses (#2008) (Alon Zivony)
3f8f4092 - Add daily tests workflow and respective badge (#2064) (G Gregório)
3f78d226 - parse_args: fix cases where arg type didn't change (#2072) (Nadav Strahilevitz)
0cc61667 - fix: capture net filter nil pointer error (#2067) (cdelzotti)
32748d6d - docs/integrating: fix docker run command (#2065) (Calvin Xiao)

tracee - v0.8.1

Published by github-actions[bot] about 2 years ago

v0.8.1

This release is smaller than v0.8.0 which is an intended trend towards more frequent smaller releases.
It contains many fixes and some impactful new features.

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.1 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

  • There should be no breaking changes

Fixes

  • Fixed a lot of errors being surfaced via loading symbols (#2037)
  • Tracee container won't duplicate probing of linux proc capabilities (#2056 thanks @cdelzotti!)
  • Added perf_event_paranoid dependent capability support (#2033 thanks @cdelzotti!)
  • Recommissioned disabled integration tests (#2017)
  • Converted manually run eBPF programs to use uprobes instead of ioctls (#2031)
  • many more... see full changelog

New Features

  • New package for initializing a tracee-ebpf object (#2006)
  • New symbols_loaded event to monitor shared object exported symbols (#2014)
  • Added ELF interpreter ctime to sched_process_exec event (#1977)

Full Changelog

8d6da1b5 - pkg/events/derive: prevent spam errors with symbols_loaded (#2037) (Alon Zivony)
546aa652 - retain context of triggering event to the triggered event (#2049) (AsafEitani)
57bda50b - fix: fix hooked_seq_ops argument type and register in gob (#2058) (AsafEitani)
5bdaedc6 - delete minor unreachable code caused by t.FailNow (#2057) (Abirdcfly)
42f50741 - builder: Remove cap probing for trace subcommand (#2056) (cdelzotti)
30f20786 - refactor: add TODO comments for a future refactoring PR (AsafEitani)
a1dcca74 - fix: satisfy verifier on kernel 5.4 (AsafEitani)
1f67247e - events: combine hooked_seq_ops event output to one event (AsafEitani)
4105fe7d - bpf: refactor save_u64_arr_to_buf (AsafEitani)
803b6b4f - probes: create new uprobe hooks for needed uprobe triggers (AsafEitani)
1ad5f609 - docs: fix symbols_loaded event doc (#2054) (Alon Zivony)
67941b67 - derive: fix libs whitelist of symbols_loaded (#2048) (Alon Zivony)
9b31c56b - Add perf_event_paranoid capability support (#2033) (cdelzotti)
362a6f2b - tracee-bench: prometheus.sh to be executed from any origin (Rafael David Tinoco)
8782c179 - tracee-bench: adjust makefile targets (Rafael David Tinoco)
f4a8ec51 - tracee-bench: tool to track performance information (#1985) (Nadav Strahilevitz)
f35e039f - pkg/ebpf: fix container started flag value (#2044) (Alon Zivony)
f4baab6b - pkg/ebpf: add container_started event flag (#2032) (Alon Zivony)
e785ea98 - types: add context flags with container flag to event (#2041) (Alon Zivony)
db8fc2bf - fix broken link for prerequest in ReadMe file (#2040) (Mor Weinberger)
c7c717c0 - recommission integration tests (#2017) (Nadav Strahilevitz)
fcdb1d61 - pkg/ebpf: change authentication symbol for kallsyms (#2035) (Alon Zivony)
fdc4e7fc - ebpf: add event to monitor SOs exported symbols (#2014) (Alon Zivony)
09f73af2 - fix: typo fix in comment (p1nant0m)
cb56c6ac - kerneltest: improve error handling and stderr output (Rafael David Tinoco)
db8d7f53 - Revert "pkg/ebpf: add container_started event flag (#1984)" (Rafael David Tinoco)
97b03631 - Revert "types: add context flags with container flag to event (#2007)" (Rafael David Tinoco)
d2d00619 - fix: verifier error on arm due to register reuse (#2024) (AsafEitani)
13710895 - tests: disable fail-fast on pr workflow (#2021) (Nadav Strahilevitz)
d6de9ef1 - pkg/ebpf: add container_started event flag (#1984) (Alon Zivony)
45d2bad0 - tests: use kerneltest.sh instead of distro-tester logic (Rafael David Tinoco)
d1a9b998 - tests: remove distro-tester after replaced by kerneltest.sh (Rafael David Tinoco)
2339d3e8 - types: add context flags with container flag to event (#2007) (Alon Zivony)
82d5f2bd - pkg/utils/shared_objects: load dynamic symbols (Alon Zivony)
b02939c5 - pkg/containers: resolve host absolute container path (Alon Zivony)
d5320eda - tracee-ebpf: export initialization logic (#2006) (Nadav Strahilevitz)
d7552d64 - tests: remove core and non-core tests temporarily (Rafael David Tinoco)
2cdb276b - containers: containers_map set by package initialization (#1998) (Rafael David Tinoco)
cd0db366 - ubuntu: impish is EOL, move things to jammy (LTS) (#2004) (Rafael David Tinoco)
1cd5e6da - events_enrich: do not try to close nil channel (#2000) (Rafael David Tinoco)
9639325a - tracee: split new between new and init (#1997) (Nadav Strahilevitz)
da72927c - pipeline: fix container lifecycle events (Yaniv Agman)
1286f6fc - ebpf: don't submit exit events unless required (Yaniv Agman)
0b29052c - filters: package cleanup and streamlining (#1995) (Nadav Strahilevitz)
aaf3bd9b - flags: file renames and add tests (#1993) (Nadav Strahilevitz)
5153bbc1 - pkg/ebpf: add interpreter ctime (#1977) (Alon Zivony)
dc946f7e - filters: separate into new package (#1992) (Nadav Strahilevitz)
8ee9e0af - ebpf: simplify filters logic (Yaniv Agman)
277d3050 - containers: add Close function for cleanup (#1982) (Nadav Strahilevitz)
226d50ca - fix: update kallsyms only when hooked events are selected (#1983) (AsafEitani)
35b39b5a - feat(deps): Upgrade Postee Helm chart version (#1924) (simar7)
41077b3b - k8s: fix tracee version to latest release v0.8.0 (#1975) (Rafael David Tinoco)
8f8b5157 - ebpf: fix old pid_ns resolution (#1972) (#1973) (Song Chen)

tracee - v0.8.0

Published by github-actions[bot] over 2 years ago

v0.8.0

Docker Images

  • docker pull docker.io/aquasec/tracee:0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

  • The Helm chart still points to the v0.7.0 release; please fix it manually (#1975)

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unneeded Linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

tracee - v0.8.0-rc-2

Published by github-actions[bot] over 2 years ago

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0-rc-2 (compiles non CO-RE eBPF object on startup)

tracee - v0.8.0-rc-1

Published by github-actions[bot] over 2 years ago

v0.8.0

Docker Images

  • docker pull docker.io/aquasec/tracee:v0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unneeded Linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

tracee - v0.7.0

Published by github-actions[bot] over 2 years ago

v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)

What's Changed

Features

  • BTFHub Support (#1226)
  • Added support for tracing many new 32-bit and 64-bit system calls (#1245, #1196)
  • sched_process_fork event now includes pid of both processes (#1280)
  • New Hidden Inode event (#1187)
  • New capabilities package (#1256)
  • Many new documentation files and improvements
  • New process context map (#1300)
  • Support for libbpf/libbpfgo 0.7
  • Container lifecycle events (#1397)
  • Container ID filtering (#1426)
  • Sorting of events by timestamp (#1103)
  • New decoder package (#1405)
  • Introducing packages for linux distros (#1403, #1479)
  • Prometheus support (#1404)
  • New net_packet event (#1469)
  • New security_path_symlink event (#1490)
  • Expanded kconfig to BPF code (#1512)
  • New existing_containers event (#1519)
  • eBPF events caching option (#1527)

Fixes

  • Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
  • Remove false positives for memfd executables (#1207)
  • Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
  • Fixed incorrect PPID in eBPF events (#1244)
  • Fix non-systemd docker runtime support (#1319)
  • Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
  • The non-CO-RE eBPF object is no longer built during tracee-ebpf execution (#1273)
  • Proper handling of errors when BPF object can't be loaded (#1349)
  • Reordering variables on the stack (#1281)
  • Refactoring of events map (#1293)
  • Update to go 1.17 (#1084)
  • Stats for lost events are printed to stderr (#1387)
  • Fixed missing security lockdown sysfs file (#1402)
  • Improved testing (#1282, #1410, #1411, #1416)
  • Fix for inequality filter in tracee-ebpf (#1419)
  • Fixed pcap packet data (#1500)

New Contributors

Full Changelog: https://github.com/aquasecurity/tracee/compare/v0.6.5...v0.7.0

tracee - v0.7.0-rc-2

Published by github-actions[bot] over 2 years ago

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-2 (compiles non CO-RE eBPF object on startup)

tracee - v0.7.0-rc-1

Published by github-actions[bot] over 2 years ago

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-1 (compiles non CO-RE eBPF object on startup)

tracee - v0.6.5

Published by github-actions[bot] almost 3 years ago

Changelog

2bdb16edf5dd5899cff0b48ea9e6855fb24f46a6 fix help on output flags (#1205)
8f7c296445851f421136229568bd0602b9f6e751 add type of stdin in sched_process_exec (#1214)
e1352f864ff50bf644b25979ffaa6c1edbf6a04c get file types from inode struct instead of file_operations (#1213)
83155b242f48e8c24dd61e4679e4b754848d2ae4 tracee-ebpf: fix pid 0 with CO-RE
9ab89faf3b0ebae11c84a467e1713e127b716383 chore: install docker in the Vagrant vm (#1197)
d9cfba20e33163206a065f5f6345e92ff503a10f tracee-ebpf: turn CO-RE v4.18 and beyond compatible
e22f05be6686bcf4b71019a54d3b52a546227f95 tracee-ebpf: comments for co-re type flavors
fd5a64b1f46615bad52ceb34e18108ee0c9558de tracee-ebpf: fix kernfs_node CORE access in RHEL8
d2a942de3f2bbdbe046c0d40e3b23291909b09a3 wait for tracee-ebpf to load
15deef4bc9994cc4825f202162918af87f001323 support writing to existing files
3354b32b65fba97633f2b14b721a1e3830c1b580 move readiness file out of library to main
6f3ceeebf9cf47880f62a172215b049b68c860d8 docs: Re-add section for MacOS (#1194)
7e2186f7c9de66d1ccf3b3e4891c28e24be16be0 add ctime to security_file_open and fix variable type (#1167)
060b5549602f07d5f476242128a2e06a1f16ebbc Checking /proc/sys/kernel/ftrace_enabled (#1152)
7f9c2dc8d2a3c4c7ba9c3249be226e6f8d300ca7 fix reading sockaddr_in struct
7a6c1afeaef6cd1a8c0cf5e35e93b036905ce931 tracee-ebpf: keep deleted containers
bbc98ed5b885a6c97fe3d74d815754fe81abde45 tracee-ebpf: reformat fixes
1b52e964c2175b9c28fb86496cca6e1f2a66efd1 tracee-ebpf: reformat suggestions for better readability
0c87b72722adc780c1d859e83a2d673cd3998f3f tracee-ebpf: remove unneeded asm_inline clang mitigation
7474fcc422b3c09bd6a5295c6b7b3bb98fe25214 Upgrade dependencies (#1176)
ea58aba751e2709cd08ea9674835c5145dfa78f3 tracee-ebpf: rename co-re headers
e9b0ed6cb0634f440bd95bc09e17a0be5e72280c Fix linux headers broken link in readme
74ad130a3e9f63e0500d7ea69693bfd6f07d4be1 tracee-ebpf: single vmlinux header file for CO-RE
3bedc4f2a4774dd272df80cdb5b91c152af8ffad tracee-ebpf: remove unused VM_LINUX_H from Makefile
c1ff3f625a0f7956492c40f1c044cc14cf07a0e1 tracee-ebpf: clean up unused task_struct fields
c5c96c3c8a6894f4c8f23551162c5cbc6698574c tracee-ebpf: get rid of BPF_NO_PRESERVE_ACCESS_INDEX ifdefs
2c2b00812bff3d65185789c0335aa2b361c8a198 tracee-ebpf: fix CO-RE sk_protocol access in 5.6 kernels
5e9ead903c2be510f88c4b2d38049d433b0855b8 vmlinux: introduce vmlinux-flavored.h to contain flavored types
d23987bd3b8ce2ca107b64becd684e73962ee466 tracee-ebpf: CO-RE shouldn't rely on LINUX_VERSION_CODE
a2703cfe057877af96ca8f6478859c61415b8110 vmlinux: unify x86_64 and arm64 vmlinux CO-RE header files
0b4c9a308307d110a1c921ca557933ff9ad4180c vmlinux.h: remove full vmlinux.h files
439943c708e16420f366f5ba85410f08dc43108f vmlinux: create vmlinux-core.h for arm64 builds
2a5ecebcc84610d28f30fa717614eba6c4ee173f vmlinux: introduce vmlinux-core for x86_64
c82f5470e71c4a077fa7273c19b2524aa16eb4ee makefile: fix ordering of -Wno-* flags
dbbd97005a24bc056ffb061bf405fbea763c78e0 fix: use alpine:3.15 as base image to build tracee (#1173)
a38f51805090ac9cfb6feaecc1a735b806471198 docs: use mkdocs macros plugin to specify version of tracee release artifacts (#1164)
e9a25270e29ada8846e941aeae19e20ffbafa310 docs: update mkdocs version dependency (#1168)
729fe32f546900ded1352a66fb40058ea4b12b15 docs: add git_semver variable to mkdocs (#1166)
0893a08c17569170098ade19c8f0fcf1b8aa2ec3 fix: install the tini package in the tracee:slim container image (#1162)
9962191d9554237e5138fd7f051316e3e9389de7 refactor: tests for Go signatures (#1128)
c75bd90775859d5df3103b36733a0076cc0591d7 docs: fix formatting on eBPF Compilation page (#1163)
1cb78ec28d586f8d0791d7cbae169e4744ad15ff docs: add cgroupns=host docker option
ea71755c0c1c174ea440b6cd516b967a32d8a238 tracee-ebpf: filter containers using cgroup id
5198ee0e9cae220529c6c9cf1f9d963ea7d4dfa4 fix wrong type assertion (#1153)
d421bb95d93728561b08d4492bb052ced23a659b tracee-ebpf: use cgroup id for container id resolution (#1130)
90ed35e988bf84b360b96d366b9115018ebb0457 tracee-ebpf: don't parse pointers when parse-arguments is chosen
11915a67f5aad0ff8e628a0affabe6f93c35250e tracee-ebpf: introduce MemProtAlert type in external package
a22531c422c2f95566f909105b556c535eae1ab5 add READ_USER (#1147)
7df0e9b2319cc0a487179bebbc214800ca0af6c2 fix: using exec-hash instead of exec-info (#1144)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.5
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.5

tracee - v0.6.4

Published by github-actions[bot] almost 3 years ago

Changelog

f4788a5423e28aaa8424e97b6c432be2f2551704 tracee-ebpf: fix events sent in parallel to raw_sys_exit event
71f8ff2d9c25696e7dc0c22674b3f71c47c9b312 use plain addr argument (#1141)
df364f30d984d91d49fa5ba468642d02b714e393 add user namespace to slim_cred struct (#1137)
cd63e860f1d421766f46b59f34762353a58c23dd adding ctime to sched-process-exec event. Resolves: #1075
611c2002575214c496481de46f67bf5dab70df94 Update Readme.md (#1078)
dc6f3afa4e5dac3aa605775666175610696b9785 Add option for raw arguments from various event flags (#1123)
95aa7afba0acbedbfaf1cb32b8ab3e1f2ec74856 tracee.bpf: fix READ_KERN incompat ptr type discards
6d90e79100b49987feb0103c363bad17a146b2b9 tracee-ebpf: fix arm64 build
74a14b5350f4953f64297482c288ffa1b32b8f98 test: even params formatter (#1100)
c999952449c845dd5bd94d42a4c34ce7d7f2dc45 docs: fix formatting on prerequisites page (#1126)
a67b8cc0f65c9eb481e55e98ae851e020d45337b init_module capture (#1122)
0fb7fcaa55ee6f0d8d648ac48ea022ef024dd4b5 deploy: update postee manifest with tolerations and resource limits (#1060)
4389a4abfdd472a2c6d992dbc93fbabe73534d6d add socket_dup (#1064)
25990c64475c1ea96c46b0c9f3268d42d2963515 add security_kernel_post_read_file and capture kernel modules (#1080)
7b98707171e9212ea923f9b8a5dfa4230cf42876 add more process names to allowlist (#1118)
7ab6bf6f28781d58d5a6cd02849c6d1e24518db0 add cgroup release_agent modification signature (#1116)
cd216b8f243716ce673715a303d6af874c800666 removing '--security-alerts' flag. Resolves: #1106
409becca73c74dff5be62ae9cb1fff79f6d5d824 Only remove a process from the process tree filter map if it's a tgid (#1079)
340d04fa2191621a5db93b122dc9be6959a50a3c tracee-ebpf: CO-RE: add GET_FIELD_ADDR macro
09476a0aa44540904087c59ec248ea9ed5412e31 tracee-ebpf: read exec arguments without a loop
f943d7f1b6b2554121b2dda0bde7743901f4ffe3 feat: Refactor clang version check and fix a panic (#1097)
cf3b4cc613934a0983e2c4cadf9e577015005ebe feat: Add tests for checkRequiredCapabilities() (#1088)
b029d0727facdafcedfe46fd28f8fce3ff3b2de5 Fix tracee-ebpf compilation on RHEL-likes (#1052)
020949d67882b2e5351e32febecab548b1784114 feat: Update tracee-rules base image to golang:1.17-buster (#1082)
aa6fa83df4a397d177dd3010522667231e5b969e Add more tests for prepareCapture (#1087)
719d6ae0419e83ba42fca856dcac4725a88ec278 tracee-ebpf: fix verifier issue on kernel 4.19
f878b1973b4450d0c517be23d39951046a932964 Revert "tracee-ebpf: fix switch_task_ns verifier issue"
a8bca3e5d6c06bc8126468c0219708e27d992a1f tracee-ebpf: use syscall_data_map to detect syscall
dee2e5e4e9b47e60f223ec2581608515cc259759 tracee-ebpf: fix switch_task_ns verifier issue
766ec87d1db4f175adc649418cfa1fcc08af975a tracee-ebpf: simplify syscall data saving
7e671f2e9964ce133e9e32bf507a2b5a6fe34a57 tracee-ebpf: fix commit_creds verifier issue
0b0ac4f0a6d42a18f3b09a16f68425194b47238e Add etcd to exempted process list
cc7f8f0420ae6ca40d43beead15e7590a1f1cc89 fix type of security_kernel_read_file event

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.4
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.4

tracee - v0.6.3

Published by github-actions[bot] about 3 years ago

Changelog

7a46f53fbb2dedb9af5f0f77cd055b1f9dbf1f02 feat: Add list-events flag for listing events (#1071)
42621824c0fe81c2a853f4b9c18618fdd6596018 chore: adding to mkdocs missing links (#1070)
203a91f9e5e9b8aa74261216f0fe73ada9f10981 tracee-ebpf: simplify code
e942ffa7feecdc22aee4f07b3ae78ceb38b4b610 tracee-ebpf: save correct argnum automatically
8ce15c8c513207e8002a3d13d63d1a447d5051a5 tracee-ebpf: use event_data for buffer offset
79c28b2e4ced06613961bdac01831b376f804e83 fix missing declaration
48654aa19bfaed67ce946e524e61f48bd4cb059f fix sockaddr struct overflow and change error message
a9f774b01c49ee4604a405d2a80002639920575a Parse the version from module tags (#1062)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.3
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.3

tracee - v0.6.2

Published by github-actions[bot] about 3 years ago

Changelog

6b927a621b058bbc0801ed7d843faaeac0ed9413 Revert: Disable WASM target (#1057)
c45a719c50ce378c8b06fcf1c444e25362058904 Add documentation for undocumented output options (#1056)
e6ecb4e52b70015665dba5a95a1b13b29d98ecf6 Document new tracee-rules signatures (#1055)
97ac6ec93cb30f682bf19ace5fa7912dcdec68e9 Tracee end-to-end tests (#1033)
32c3e1c3f10ff1656e07d67cbfa5e8d6cf7f0b35 add postee in kubernetes install
9ffecdbdb0db1d9ab8ada4e3e133562252fe245f tracee-ebpf: init event data once
fac85529882b2337af331dc4488eb9bc2eaa0c72 add footer to readme (#1050)
2276d7ad0f2fd708a252e655699c6295c62c846e Individual module git tags (#1034)
4382fd8ca5ea4dad4d95d50e1d9c84de28d81903 Add execution information flags to tracee-ebpf (#1041)
7e32ea7488205df152f5d465cab999dfbef129c7 chore(deploy): Add tolerations to K8s deployment descriptor (#1040)
72972b0cd659071e33a73f328a5f7912754f22a5 Improve error message of being unable to find kernel headers (#1046)
fccbca354ee972b918f9e61283a855f5590246fe add bunch of k8s related signatures (#1031)
c8b18f56e03838a24652efdd18ce49f806f1881f fix(tracee-rules): Ignore order of elements in engine_test.go (#1042)
396ed0e2e557e673a9ab937e9a95fdeb1aad07d3 tracee-ebpf: add exit code to sched_process_exit
968b07ff27fc0c73fa8c53b24ac2886a5bd89846 tracee-ebpf: always delete from maps on exit
bbc6c44dd180517b8a83a17ed9d709a4155ce889 tracee-ebpf: update exec maps in sched_process_exec
90eebe930fadb2f79b9b2885d8fe2397b4416b2e tracee-ebpf: remove save_args_from_regs
939e41807ac99a793b4081527212d446d08d13c6 tracee-ebpf: init context once
97f87c19cbffaf715a23ed84bfea30bb48a7691b tracee-ebpf: add support for unix socket in security_socket_* funcs
a23f325a3ae147fb68741aebf3d817870e0f6884 tracee-ebpf: simplify saving to buf (#1016)
e55abba322822bea596292a04e777b3801b337d1 improve kubernetes docs (#1028)
e9c0165d19df1ef79fe5de47bc0219a4ce00ec41 tracee-rules: Upgrade external package dependency (#1024)
f010325f9b263e72db0cb8d512a4da67994503a6 tracee-rules: Bump up github.com/open-policy-agent/opa from v0.32.0 to v0.32.1 (#1025)
86de9c58c29fcdb8117dea4fb8e4915e1a36eaa8 Set TINI_SUBREAPER env variable in dockerfile (#1021)
07969faccea0d1a47191b602655671222be8af3b tracee-rules: Remove duplicated code for testing Rego signatures (#1020)
91dc323bdaf727d9633b99da1cdaafd831bec796 tracee-ebpf: remove events pipeline (#1018)
71f266e50e03a642163c9e9353410ba14e41d556 chore: Add Vagrantfile to easily get started with tracee (#1017)
08cab832d9dc7c6fbbb16ce565e450ebc04647ff tracee-ebpf: don't send argument type
1629071012e98335e58597b98ff64aaa937c52e9 tracee-rules: Allow compiling and evaluating all Rego signatures at once (#1015)
d6859919fccf526540de644de97f0f7fc641e6a2 tracee-ebpf: show pathname on execve failed event
43581a4b5734f66f97b3fbbc2eb7b21370fe3b28 Created new set of events IDs for user-mode events (#1013)
832d64a9a0cc49532898d12b5f62de2aea10e913 parse security_bpf cmd arg
41020e5b966a5790a7633aa4b192d905cb6bfc4d tracee-rules(test): rewrite tests for RegoSignature (#1007)
c3f9b366b5df912fd1433e8e381c55de12e4b23d tracee-ebpf: use argument index instead of tags
de793fed20977f1e3473257d5dd28639b5ecb4e4 update docs
8856e755a1062bff2a375a2e9548a93d4bc66906 Fix misspelled warning messages
d17a71577f5612c4c138d1c668a30078b2b3930a kconfig: only show non-fatal errors if debug flag is set
9d0792f9252927fd31935d44a1f967834a428cac libbpfgo: bump to 64a32fa because of helpers/kernel_config
11f1614e441dace74b395ad72edb527af3e44d54 tracee/consts: CUSTOM_OPTION_START rename
6052623db80e287df61a1664904b71d9ae5c38d3 docs/tracee-ebpf/override-os-needed-files: os files overrides
d2855287a4583d034c38a5227564d55d8e5476fe tracee: deal with possible kconfig option index error
8fee4eb90259ac2ea505d22ae2f6f2ad5722a6c9 add argument 'type' to security_kernel_read_file event (#998)
490450668866fb69b4d230685c0f8752ec8f58b4 tracee-ebpf: move filters logic to a new file
b721b7daa8f99c82cbcf74feda2d7be5a73b7749 Fixed inconsistency in processes containerID value between startup and runtime
0ada16e4af9909618fb0114bbbadaa170b2080c0 tracee-ebpf: add sched_switch event
11e8451b90ae5c8445dbb4ba657fac867cdd94ab Check os-release file for rhel or centos string (#1001)
cd26d25c43bfa9a75d219d4ce0a541fb95791f66 Fix readlink with relative softlinks
b608d607577005b10a32165f96c631467b6fde32 feat: Add flag for Rego Target runtime (#980)
dcc153e64a034e5121a869d50e92050b85d34e8a change install/prerequisites relative path (#997)
65238c4803a2402d67c3de2ef00cc640003e1f04 tracee-rules: add flag for partial evaluation (#979)
b4759494bd2e556cc4365a7eac9e557a4e378e07 feat: Add flag for prepared events (#984)
ce65764322611427fa49e3a15ec57eb01c329a5f Add replace directive back (#992)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.2
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.2