tracee

Linux Runtime Security and Forensics using eBPF

APACHE-2.0 License

Stars: 3.3K
Committers: 84

tracee - v0.6.1

Published by github-actions[bot] about 3 years ago

Changelog

bcf7153b207b91fe618061a6b8c087b8ccf912ba helpers/btfinfo: renamed to osinfo and improved, syncing (#981)
dfdb5d66613f0a2f0b5da412bb4dce64481e9ff6 tracee-ebpf: move prepare_args() to argprinters file
e2f9f1b1f983b464c245149aac3ceeb6623a5917 tracee-ebpf: add sched_process_exec to default set
b55da80a486ee765294d4e377948ab9623e3211d Use filepath.WalkDir() to scan for signatures (#901)
90b75302cfa05b860812e7c217ea8e029cdd3710 fix json unmarshaling nil
f9b43946d8b7ea28f6a269cfc9a35df9116e8835 tracee-rules: add GetSelectedEvents
aad4c95b344209b79d3501e97c229cf00db239a7 tracee-ebpf: fix process tree disabled
9d588c980acc0cc88f6fe80250523f6ccc78a44e Implement process tree filter (#927)
e438abe3789dd40c8e805849d69407d3d5591d23 Feature/fetch system info (#945)
7910a97bb390e1409f46e2b7802c91d91c22abe1 feat: Bump OPA to v0.32.0 (#978)
d4cdac0c9aff8244e37fb42d8135db459ebe2522 tracee: move MissingKernelConfigOptions to libbpfgo helper
1aac4412f3fa00ab7e05dfa3747b8ea47ec6617f tracee-ebpf: update to latest libbpfgo due to kconfig changes
dd77f56eb9361e1da5fdd67d95efd0e38d72343e tracee-ebpf: fix sched_process_fork arg names
dcb26c2f38455d6eec382977941e1d291471d0c9 add mknod lsm hooks (#970)
c02ae01cfa35fd11a61355ea85c5bdd843726b5b tracee-ebpf: simplify events pipeline
f184b9ed1229458fb0dc22a3eac24db2624b66f1 handle param type int[2] (#969)
a4bac2996000368acb2cad2deca02c99b3dc3d1f tracee-ebpf: mitigate deadcode optimization issue for 5.4 and less
b4181ca59be2f4d1e44694f279f86c2268fc0024 tracee-ebpf: linting: spellcheck, empty chars & statements
3f412c510b25a426abbe8aa76fa306123120685d tracee-ebpf: fix sched_process_exec argument types
0177dae1ebf63bd69e18b9b5ac72c5646d30ac1a tracee-ebpf: add capture profile documentation
7f98f9b365f9942b94235645712ad3ee2df701c6 fix incorrect cli flags in docs example
5c85d2aa1309bfe3c1f36018621baf38122cf1ff tracee-ebpf: don't send stats in done channel
c81d97531b13bb067a011e98199de311afc2a591 fix unmarshaling of string arrays
c261897e93d522e3c603248cc3272561a477b09a tracee-ebpf: fix build error after libbpfgo linting fixes
5cfba33745e93f1c010e6a1d4db0555e14a4a7bb tracee-ebpf: move printer to main package
1514fb5ae9a05eeebc203a457234041bdb7cfbca tracee-ebpf: fix network capture with latest libbpf
4584f75a3c2bfe534857dcc44a7391f063f18145 tracee-ebpf: add static build support for portability
b0eba9e2ce3957892a9a4c9189900a4d95052090 tracee-ebpf: use replace for the external package (#949)
a3c2d51ceec81b8a21a1150653f8e0621c477418 tracee-rules: update dependency Masterminds/sprig (#938)
b644fe80b4377d7b43ad44ebbfee16f40add31e4 tracee-rules: refactor non used code (#939)
61dfcd804bf35cfc7f01a7085014de3b65718b5a tracee-ebpf: add stats to external
fef7e8a987606e506fd9034aacd77f9b112f5121 tracee-ebpf: support network capture from multiple interfaces
c1ce71732a1083eb97674c0b3bfba53031cc8d27 tracee-ebpf: remove gob printer errEnc
5627299fd5ba3fd6ce5b783d8ada26015e4cff3f tracee-ebpf: fix error printing to be always text
05daef9de1b1d8d2b3e858b5e0b01d55b8c5ff07 tracee-ebpf: fix gob test (#941)
ce2b75e5d37664535997d3f436efa0d0ed29c022 tracee-ebpf: restructure and split files
5a0eb2d55bb7453e844db12ac3cd3397f0fc9256 tracee-ebpf: improve Containers object
5032dc4f8578ec9097cea312d64b38c80d2e866c tracee.go: initialize pid_to_cont_id_map during startup
e176bdc8389a97297b794aef29be1beb066b890a tracee: support external BTF files
7380f08bb773950b977bce54532c9c8c1a8065f9 tracee-ebpf: update to libbpfgo with initial btfinfo
b7007617228284c0043d6d7fee9e56e0cb0ecca2 tracee-ebpf: Change libbpfgo map methods to new prototype
ed0f4a2ae88e992b3e91fc314f8986b40b8d40dc tracee-ebpf: update libbpf to sync with libbpfgo
25ffccd0ef031f8c4772b56ef6aa8b6e2e8913e1 tracee-ebpf: update to libbpfgo v0.2.0-libbpf_0.4.0
5ae161047906e801cd3ced2f1638b8ffa63e83a1 tracee-ebpf: add syscall_nr to security_file_open
a3e048b82af91b3f28941d888f53e72b392bb2f5 tracee-ebpf: fix get syscall id from regs
3baa9520840203b4bfab0b87462a781920ab7485 tracee-ebpf: fix regression - program too large in kernel 4.19
8a434047e9d7399367371cdd2dd16ecccb9e4b8b tracee-rules: fix rego signature loading
cbc56c9351ca20c6c5a23bec48ffa2f3830fe5c2 add flags support for make test (#879)
329154eadcbe2216a0825ea485ab9ba487627736 tracee-ebpf: add --output ignore (#882)
4ad02defb824cadd9c02f59c3898fea0cf0548d8 tracee-ebpf: print help for invalid arguments
2bae871f788776f31c28a40439930cc23333de9b tracee-ebpf: remove '--capture all'
8462b71a21fcdfbf39a3bd03c6c7e538bffec4de tracee-ebpf: don't filter security_file_open for open/openat
9cd6bb51a016731382b74a2ebc6102a684b2aec1 tracee-ebpf: don't send zero-sized chunks
e277be2d9fdb45361c47d462c39028d8e2c48060 tracee-ebpf: simplify save_xxx_to_buf logic
ceece80d347ef5e23777a4f8888cfd3fca9b4447 tracee-rules: improve error logging
0770dc466114cfc7d17ba17ee257dd4cab07dbe5 add close on fileread finish
ad2596a0c1d3c76d9332803c56523a1b896d21f5 remove unneeded var
1bc09c3dab841f304369ced95b1cce1c2e29e19e change invoked_from_kernel detection method
fb605fe8803a44c97058597a173dcd7ed7169fc3 Fix CO:RE support for RHEL and RHEL derivatives
cb836e14c7690c4cd4e2c78572a08fcc1cd4cb22 fix rule name partially cropped in error message (#867)
82a1289c12da2255682743f6d762bf6adde69a9b tracee-ebpf: add support to custom rego helpers
147f6dec8e0526a1c2c425f57a3790ba98060fbe tracee-ebpf: fix capabilities minimum requirements
9f917a1fa938a6ee7e1c9071ed9bc77b81145283 tracee-ebpf: turn MAX_PATH_COMPONENTS down to 48 (#889)
282bcbd4717f15c34c81468fbb7453880c38059f tracee-ebpf: fix help flag to print to stdout
26a9eb22a9133fe07f4912363aa5827b7d49b893 tracee: add tini tracee docker image (#883)
aee7e8f04e08b2b869e8526dbff70e1562d016b5 tracee-ebpf: add output validate test (#881)
76a932ff09fe5fb61b71cc6d95c947236da42eab tracee-rules: enable pprof endpoints (#860)
3bca7eaabc5812715a4b6262c0db84e811fad7f9 tracee-ebpf: improve argprinters test coverage (#877)
f641d42052af02b81629ff84833a557713a92a16 tracee-rules: fix minimum requirements link
5ce9ff4c93737d25a02152ab9f4a485d861d77ad tracee-ebpf: refactor to avoid two strings.Split (#859)
4c99a2aef97774fc8291d0aeb85c710221a36ae8 Change quickstart one liner to just make note of mounting config

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.1

tracee - v0.6.0

Published by github-actions[bot] about 3 years ago

Release highlights and discussion

Tracee v0.6.0 released!

Changelog

703a7a9d614724d864fff19e7bc72fd966af4fae add security_kernel_read_file lsm hook (#869)
c40c82cb86697ebe259ff0a830bbc3e1bf2a1164 Update docs to be more targeted at users, rather than developers (#870)
238cc6e76176766a83c4ba0a114c36cc91afa207 Update docs to take into account CO:RE default (#868)
fa7feae4008c0d639630af0b4347ebe487bf5806 use tcp_connect kprobe to get tcp handshake packets (#861)
6df0969653c4567f7e6dabca5a77b639c042fb83 Feature/event origin signature filter (#856)
c27e914eb4d358eac6908a47d9db1f569a0e700b add lsm hooks to event sets (#863)
4c78ac3562a33799823b843aaa5f58156cfd4737 tracee-ebpf: security_sb_mount: send exact argnum
5c84d6098b61abbd605855154478aab9e80f3e0e tracee-ebpf: add SIGTERM support (#858)
2d2845fded1561440e430412be4c363c8d296b77 tracee-rules: evaluate parsed input with OPA (#829)
de4f865ca25c06ca719af935e9cdbff0f4aad181 tracee-ebpf: extend magic_write bytes (#853)
8684eeab26c4f26a3e11cda8ffb437d4d9304b58 tracee-ebpf: fix 4th syscall param value
7aa2964f938e18ebfe712a3863fb67b8dcdf18c3 tracee-ebpf: add inode and dev to magic_write event
6a584488dfb329861a0289ec27948d29535440f6 tracee-ebpf: update external module
bbe411a2a16775309952f31f4a8b598da96633d0 tracee-ebpf: update timestamp in external func ToUnstructured()
f17c1d161b640966f77e7d9ee164ee535e141987 tracee-ebpf: Adjust MAX_PATH_COMPONENTS limit for kernels >= 5.2
4d0b1c886f9455999965f23062eee5bed36ec878 tracee-ebpf: add epoch timestamp
443955e3c087f8e7652420c9d947cf5fe3c51756 feat: Add ToUnstructured method to Event (#830)
bb6be1198cfa578da18a2a78908cd8883589774b tracee-ebpf: fix core compilation warnings (#838)
2991701f2caf1fb5288ec1ee3465a8f19fe30a52 Add embed directive to embed the compiled CORE bpf object into go binary (#818)
f5240ae1730a7d286cb7293115fe5fd205f5294b tracee-ebpf: fix print of preamble and epilogue
6da6c9f96ac71c95592bf46284d37430c704696b tracee-ebpf: add capture network to docs
8c463c7986a809c28fb9299d60409ff53077cf52 tracee-ebpf: add network debug events and context
6516b2524761ff45214b14a600fb93fba4143528 tracee-ebpf: capture network activity
3a25e7486b17668cc09c6ba99484bc800671fb2f tracee-ebpf: add args and env to sched_process_exec event
4276fba30c1ce6e39c6da89f1be3ee36c8ddce09 skip printing out if library mode
247ffc9d9c03e784db05664ae943ef7ef048fa63 fix panic due to slice outbound
a291eae79a0ec1c0e7a01d44cbaecc073f90f274 Replace external package with go module (#824)
59acd669cdc889dba8a2268d200088ba90ee5ab6 add external package as a module
b3b73465ede22996712c0e5577d33cef23cbb28c tracee-ebpf: fix incomplete path (#812)
2df1177abcd431a181f2486b9ddf34d329ceaff1 fix go rules requirement
4575262793813aecec5a9e6de39617c0616c4cc5 fix help message
faa56142fcd83cc8b8303c4f00dec35347490cd6 Update tracee logo (#809)
ad3b86b8d0fce97faaef2307b1e89fd9a93c18f9 tracee-ebpf: record context timestamp at sys_enter
8d69f428d5310af5c6bf8df0d23894be902ce209 test: Describe benchmarks for tracee-rules
31f21b85421b7d266cf2b8114a792dffc40b6d54 adding Close API to signature interface adding Load/UnloadSignature functions to tracee-rules Engine
1fbc090f5b7672120421472278e95e048fe04ba3 tracee-ebpf: improve output flag help
b8937fdb379f3a9fcbbe9395ced07b6f11bc87a1 tracee-ebpf: fix container id issues
c827ae0e4990e52aef1e57c869cd23d7942a71ad fix(benchmark): Unprotected global variable processMemFileRegexp in golang.codeInjection.Init()
ef95ded3dd6fce4ee008269385e01ab2d99de108 fix(benchmark): Use uniquely identifiable sigs in BenchmarkEngineWithNSignatures
5fc8a52686a87622d8a6cb0ec896814a7193eac8 fix: Unsynchronized send and close operations on signature channels
f773f883457e97d7008bd20caea046f917cd874a fix bugs that caused panic when tracee API used from third party app
662a668a8e065cafe54f29b92781e162f9c2ebf9 test: Add wasm target to tracee-rules benchmarks (#790)
ae07c82dc6a9e98253ffb65c0eb4f848e3abfc1e Adding exportable channel into Config struct. In this way a third party entity can read from the channel without any dependencies with the tracee printers.
ef8d4ee17fbbb278fb7918f76740754b508a613a fix clean target
05c11bfb099b512a3ea99892c98be2a8dc989ff5 test: Benchmark rules engine based on number of signatures (#792)
741e7bb6e6bdfff0743394e47b52d1c6c3a92940 fix broken link (#791)
acf1752a53a7d33fe9a7c3009be1254369e17e9e test: Benchmark tracee-rules (#785)
06851ee77638cdb9f062c315df3cf60b12c3e1af tracee-ebpf: fix compilation on ubuntu
4bf8ca6bd33bc59e64e849eec89d33d3fe8bc08d Add initial CO:RE support (#759)
cca5fa9190332e44e71536254850a1705fb97ccc fix error that caused bpf code not to be loaded
422e86ebce71ee23a29849a74ffbca2f9687d8ce tracee-ebpf: fix instruction count on kernels < 5.2 (#779)
6166346e7479bc3b4b417a67a92a2493a30b949e add sched_process_exec and fix

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.0

tracee - v0.5.4

Published by github-actions[bot] over 3 years ago

Changelog

e68ecaa4c07bd2ed085aab7fdeee181feeb4c492 tracee-ebpf: move fork logic to sched_process_fork
9eb91fb54f6aed59f5ef41838b4048d7949095e7 tracee-ebpf: bump libbpfgo version

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.4
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.4

tracee - v0.5.3

Published by github-actions[bot] over 3 years ago

Release highlights and discussion

Tracee v0.5.3 released!

Changelog

8c944cf07f15045f395f7754f92b7809316c681c tracee-ebpf: add container id to context
6129122999ddf144a4e0902dd32930cc1e6d3aca feat: Tracee Profiler Mode (#725)
1e0aba550543f8eb238b77c401a6eb1a279f5662 clarify license (#760)
5cc1e8cc27d03b60c7178995a3e448337815630a fix gob type declaration (#753)
09ef6287e5892c852569e212a6c26ef8de9ed758 Optimize save_path_to_str_buf in tracee.bpf.c (#758)
9312e26ed9ac477fadb121fdffdd0a414faf530c tracee-ebpf: fix bpf compilation error
c15806966312a53264b4989bfb1f316d1d50ae27 tracee-ebpf: ignore kernel config check when init fails
f87e71faaf1d88f1151296fa1ef575d1212ab761 Update Prerequisites Link in README (#744)
58a120a68e88d2efe68e5e5a42b8d02f3e8476d8 tracee-ebpf: add security_bpf{,_map} events (#617) (#739)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.3
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.3

tracee - v0.5.2

Published by github-actions[bot] over 3 years ago

Release highlights and discussion

Tracee v0.5.2 released!

Changelog

2fb9a7ea8884255c264ff9458faf6beba85590b1 tracee-ebpf: commit_creds: submit more credentials
6e1c370bf50fb8eaab490c89ec2e09932aa19618 add detection for writing into /etc/ld.so.preload (#733)
9387554f6b08f1c625eda034410f6141366e5478 switch to libbpf v0.4 (#738)
83a869d58d7b61cfd672faedb95276ed8c31713f fix: remove libbpfgo from this repo (#734)
94530727cde45371a0e4cacffb35ee2b19277b67 libbpfgo: Add map iterator support (#728)
da4124acec31f255ae42294662b3a04c2a51c7e1 tracee-ebpf: close gracefully on error (#729)
242d721bad3dc698540464b15a15f6aa1f16f760 libbpfgo: Check for ERR_PTR return values (#709)
94f33d0b7a9129fb22556d0af0c41929e41b72d9 work with new form of security_socket_connect
1960f31be55455694fd4a79bd5a772de95321c39 libbpfgo: Add support for AttachPerfEvent
74b3c48c070b5f775edfa72b83fa7c955f42a4ea don't set essential events to network lsm hooks
6fb4c8af528c771b1b1609894afe55b76da263f8 set network syscall events as essential events for their corresponding lsm hooks
b24f18c152aeddbef27da87d92b12e3bc2a08d48 use kernel pid instead of tgid to avoid race condition between threads
21548485d83465b46806bd4b477a64bcc78474ce set default sockfd to -1
d75a61fa9d815d45020a0133d3c7207457c569e9 remove event_id from sockfd_map key, use tgid alone instead
32191ee8a52f405bd8360d940c076b99a2817e5a fix sockfd_map comment
fcd84785f7076f72d55a9f3b3dc69a9abfd9701b added sockfd arg to network lsm hooks
dccdd841f2b0ebeb304d03319c3dd017afdecbda Add security_sb_mount lsm hook
38b402df69f26efd5e33353ce0f9f4086727bcdb tracee kubernetes deployment yamls (#680)
210d85b2bf67cedd9d91739d23ae84c6b0de857a Add tracee video hub link in README (#714)
03448380c7e3899b242e6c131fe06d691968777a add manual parameter to docs workflow (#712)
25eb688b3d04a8539bf4268ddd53dd509ecbfbb7 libbpfgo: Add AttachLSM() method
2bf844d25929d556c82b81514cdaf9635609b27b Network lsm hooks (#697)
a6f33c373c43625a7d708dba0ebecc935665b8da Load kernel config into bpf hashmap (#670)
71b887671b083fd71f792e542ce375076e3b30a1 Run libbpfgo self tests on self hosted github action runner (#693)
93809da91b9c7e559357c909b32a80b73987c5ed add manual trigger to docs workflow

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.2
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.2

tracee - v0.5.1

Published by github-actions[bot] over 3 years ago

Release highlights and discussion

Tracee v0.5.1 released!

Changelog

521b52b10c29dad4702bd4e1a6d1bc824e7faec7 add build in docker to tracee-rules
24daa0e2fed028b1faf02ee87578a019078e9afd small typo fixed
8db13ca541eaa460f3a3b8bf3de962b2cf946361 Fix minimum requirements link
d6069729ff805f17d8c2933930b0a2106f704b80 fix: add check for empty bytes being written by file write channel fileWrChannel (#696)
2317a86b4db25c7a26340bc9da0ab6d7cbc7f2cd fix: tracee-ebpf flag output (#632)
feb16774f64eba054b3ed3e062cd75eedaca66f1 feat: add testing environment matrix that includes self hosted runner (#692)
c3da07d21abd94cd6ff5d3c133b99dfc6886345e Merge pull request #688 from grantseltzer/upgrade-libbpfgo-fix
e25ba71a024a2b6ba5c3f61aa58520e5b8eff469 Merge pull request #687 from yanivagman/fix_build
71d4c839fb68a809b0ccce5879beb8323a57986b Fix build with libbpfgo
510aae763184ad808c70b8e4869f7a00b474e7e7 integrate and document gotemplate
7b3c71b78ab66361f83cc45287761a2d1be4b8f7 Merge pull request #682 from krol3/issue-681-dockerignore
ff03f7bc76bb11e39e3051b4841c61e805e59684 Merge pull request #649 from eyakubovich/fix-chan-map-race
5052cb856498a41f3ea730157f4a71531551d55c Merge pull request #678 from grantseltzer/upgrade-libbpf-v0.3
f37f3d37f1f6fde204450bfcb7fc9a57373c2b78 feat: docker ignore for tracee
29b216c9ed652c867c62d308d810016fee23a784 Merge pull request #672 from yanivagman/fix_type_mismatch
8d2664234143c38b51027f00b36fa21d77529b47 Merge pull request #679 from yanivagman/fix_docs_link
4ef3eba0a87479e86877b36226b09bb342cdfae0 fix documentation link in readme
96bdca85b812938c316ae0748836f9fdeffe7d49 improve docs
f11eced33dbf831cba15aea84ad547e00dc3cdc3 fix error handling
103ddbdd4220e4b600895b6f6a1f2d43a2d78e01 tracee-ebpf: Fix type mismatch of event arguments
d1a0c00b9ad02841255d6924e0ab89444d765880 fix: update libbpfgo go module to fix build for tracee-ebpf
c67295f85dff0c52ab641151652d3cc9413b5157 fix: upgrade libbpfgo dependency to latest
3970f7fb8282760e0256bb73df21669a7b69e497 fix: upgrade libbpf dependency to v0.3 release
095336c20e035841c6cfd7a6446e6c2d7af9eb55 Merge pull request #656 from eyakubovich/add-map-setters
7ace63bcad376fd4d08dfc966c30643c4638dc54 Add Resize() and GetMaxEntries() to BPFMap
7862e0e60d87fd4a20a02bbb19bbcda3b247606f Merge pull request #645 from grantseltzer/feature-check-package
4f5af968cb660b84b921972877847974222dff3d fix json output template
5c76627542088d7ef52ca0201b6573af624f1d86 add a quick video intro (#660)
2d62a69b9584ff2e985cd96ed255d25781fa9bde fix: add some tests, fix error string
69b576ef24ebe02e2cb323cc811dcc6280d41adf Merge pull request #657 from aquasecurity/docs-small-fixes
23597a0ded9379cef0666d13d6a1d7949dd9a20e Fix eventsChannels race
1092871941cc436897cddf18e819ed3fcd857ba2 fix: broken links
8482773c35ca473c5230ab98a7042a5d4b0c374c fix: match document headers with navigation links
56ede7fd0bab358a50f79ff614afb412a4161103 fix: clarify local rules directory, add libbpf to dependencies
f68cea77462294d76775320d2c4742fefa70ff1f fix: move architecture diagram and images into docs directory, update usage accordingly
2e288fdc2ed8b2275021cb2b0f0c765b174c2751 fix: small typos and table formatting
50a69404dc29093322baf0debbde29721e1ddfff refactor: Remove falcosidekick specific code and reuse templating (#653)
e868978b73de4d388707499204f4a9589efdea0e feat: Add high level overview to Readme (#650)
6acdf8c9bf7c96bcc9f07c890ee826c3aed7d2d6 feat: add constants to use for kernel configuration options
996cbd2d6d0f56ead9607a70ecbc7279be62f917 revamp documentation
7ce5943f4cb7a9cbf006537388690f22071fdd6f feat: add tests for proc gz config
cf01331724cbe0b9345035f58a52dee312031ec8 fix: libbpfgo module files
6474790eeca9d43224d30576f869a0fa024de8fd Merge pull request #638 from eyakubovich/fix-perf-buffer-stop
5e8cd40463e42cb7b897ddbd7375493c4523b49d feat: add functions to helper package for checking the kernel config options
ba273ac415bba4e7c6fcfd573f281b0334700964 types.Finding interface update (#646)
e1263ed704604a1f6464ce4ca32bd921e20895b7 fix mkdocs generation (#644)
96a39dc0dbeae23f10c9351c12f829bbe28d544f Use Go templates for stdout (#630)
77cf435059442695b6b604630406ddc8614820e8 Fix PerfBuffer shutdown
8b8045bffac178b9727c61ebb08ef62d57ab8b7a add mkdocs documentation (#633)
42edaaf734a434ac55c76461f939030ce5ffe377 Group of small fixes (#643)
97d27e024e396e94681a912fffbe22d272b25dfd Merge pull request #629 from jan0ski/main
7bac7f5a25866ef97899ed19ca0e54a82d8656a0 feat: Add support for wildcard event suffixes
f8df7da6a27f729610992b6bd52e89d510fcf384 Merge pull request #625 from krol3/labels-docker
d0d267021477b710ea9e0dbc20740aab2a03e796 fix relative link to quickstart-with-docker (#635)
1a31966e3dd1e627465ce96cd804901a8d0bfd63 Merge pull request #631 from grantseltzer/use-helpers-package-in-tracee-ebpf
443994b57b65705a8b164c18e208783417fbabe6 Merge pull request #603 from grantseltzer/selftest-actions
5f4ab2d52edb96b189ab9b6a434ae3fbf952eaff remove falcosidekick from container
656da9c3592811323a9c334d39bb7bb66200d201 Remove old helper functions from tracee-ebpf and update usage to new helpers package
25bfb2d8f8931fda3b9cc55828e881a8f50c90ad fix: update imported gomodules so libbpfgo includes the newly added helper package
f66f7bedda266d8b16bebd59bcb4632fa4d65225 Merge pull request #493 from mtcherni95/tracee-issue-485
8934c28e6e0031b66ee08ff8af3c1681a76fe1c7 fix: copy argument parsing functions from tracee-ebpf into libbpfgo
9753401fa14d572b037fa254756ec3b9c40c5765 fix: move and document the signature helpers (#601)
284bb1510cdc584cc4aad8c9a347b5163e21a434 Add basic integration test framework (#606)
2e0edb21546034ababb76321a4a63d01de3c75a8 Fix "make clean"
749258023b9c4047f786c0193ab8f57813596e3d Adding labels Docker
ec34648b7aff2ca49b7307e6af2862cf34f02457 feat: Print loaded rules info at runtime
518d407b0e1e5947c89c4b746c9d2e2975a3a96f fix tracee-ebpf dockerfile for go 1.16
b9958735cb06f69195fa5b88e2d9178ee9bac1eb Merge pull request #620 from eyakubovich/fix-ringbuf-stop
09b2b47c0d4fe2c84c0f247f83da8a757789c3ad Fix RingBuffer shutdown
1fd89c3f125015b534c83de54b188011fc357715 Merge pull request #616 from icarus-sparry/better_help
2aa71c701ddaadbfdebc632595121ae8d22f2764 Better help message for missing libbpf
cb4589f4ca5aea65fbaf1949d32ae44f7905d9ab feat: add libbpfgo selftests to github actions
436c11d20c90c2241723aad033689a600e11b336 Merge pull request #598 from grantseltzer/improve-selftest
559ff36124836a5c047d6745121ec4134ec3b086 improve readme with triggering a sig
f1f3c72028bedf8474ad3486bf261792731bb820 Remove debugfs mount
c22f59cdab9b07cfaf4d33795b79ed09bbada013 feat: Use //go:embed to bundle artifacts (#596)
6b6a8d6ac59a9cdca158e07c69f33688f8c10aa6 Adding version string to --list output (#602)
a6ceb2ee5db7fd7c98e3b916172e647230f4eebe feat: Add signature versioning (#597)
64864926d3c162778fc8c85398587e61083c0d63 add tests for entrypoint
9c6d2485013706f05ac691b14e14c95237bc571b Webhook message formatting using go templates (#582)
8ab02546ed80b1fe7045094215d8a35c5ffa1fa2 fix: self test for ringbuffer should verify the integrity of the data sent from kernel space
228c6d329e86dd8f62bb5fe48761e78b67dafb39 tracee-ebpf: add magic_write event
0c581d0a120b0ac5b86e1d9e31299b660ddeb81d tracee-ebpf: move capture write filter to tail
cc2a749db98da6b6432060aaab3cc66be0326ab6 tracee-ebpf: add bytes argument type
9a25d021519e1ea15f2b87cd98dc50aa7ac42b36 Merge pull request #591 from grantseltzer/blocking-stop-channel-write
5ba8472ca590e1ca2a4e56bce7ce0715c125dbf2 feat: Bump up to go1.16 (#589)
8d3c3d5ff0e77ca75ce8227625ab875c27405ec0 Merge pull request #483 from aquasecurity/gs/ringbuf-libbpfgo
809794bfd2d29329a69bef8a51219647e3ac5fce tracee-ebpf: remove validator workarounds
828f39e80515eaf3ae6a59f17c76be124527fcbc tracee-ebpf: fix docker builder (#587)
6eb7608d8228ecb36d867667c693035be8762ccd fix: rb.stopped should be set in the Stop method
42839aa8d92de78319d18742419c69b6f6c0e503 feat: add support for ringbuffers in libbpfgo
d2867320403c0598fc6d61d78c3564ca23e4b62f feat: Add OPA tests to Github Actions (#535)
5dc13527f7732929edebce4f1ab6fdbcf8fb20a4 feat: Better formatted output for detected events. (#573)
28fbc66be8c9f3efa53f617a654cafe7421e8c70 feat: Add IDs to Signature Metadata. (#567)
05b0d915446270fe3a3e94e0270a1314ffbde956 tracee-ebpf: Fix readme for docker quickstart (#568)
097ce27ef369d3f750533a95ac5a634dad8b2d31 Added information how to run Tracee on Docker Mac
59312a14427f0fb87177137b1651c1226a578d99 tracee-ebpf: update minimal kernel version to 4.18

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.1

tracee - v0.5.0

Published by github-actions[bot] over 3 years ago

Release highlights and discussion

Tracee v0.5.0 released!

Changelog

2001ffec81a817ce22457728e7822ce9d5fe3fb4 fix dynamic code loading sig
e5f25a7ce93f366778d58f78ef749ad603f281de fix release
24ea252c323f958e8776e70367b51b4e9bc4d783 fix docker image contains glibc artifacts
1b9c59fde755c6e0179071d53e2adbe469d332ea fix release to fetch submodules
6c2b2e5b6143e5ebd1c4235b916f87dfde707994 fix dependency resolution in tracee-rules
0575cb7b157d101d4ed01a95a5ca0978330f3b7c Revert "fix release as monorepo"
ef7e96ace8592fe6eb2333008391f0bfb9b6ce8e update import paths after restructure
f1f841daefca9bb4acf0a7ee6d1c9405c104c77a remove code injection sig from go
b4501be6552cb982824b170e84b5109053cb68ce Fix stdio over socket (#552)
a7c47e96da0ff4373ad818978da4dd2178d2bf15 fix release as monorepo
a750666805849c14bc64094494d363a27e32c864 tracee-ebpf: add switch_task_ns event
c92b5c551495a3eeffc7249acbbfa8b4f0ce72ac fix match for non af_inet sockets
5b2a740b8d4a0487478b67853f853171b9347952 Add signatures (#528)
3fcee47b02d9b7ed1cfb5c6565815f541e04afcd update entrypoint to use security-alerts
6ea5773ba30e84694894b95f1d51691d2b5e2ad7 tracee-ebpf: Add commit_creds event
4bd2e3cd1cf32411526f2869d91e38e0fc37a6c7 fix make release didn't build slim image
c34c10f390fc611406e6f8f5f7362c7869b50198 fix: tracee-ebpf: Fix typo in clang option (#526)
f0604fba5474e8a4995bc057e785792e20dc19df Merge pull request #525 from grantseltzer/list-flag-output-fix
b1bf684f55054dd241fc9c364d26528f76d3d6f9 fix: Move example sigs into own dir and exclude from build. (#523)
fc534300281f1ca60498cf49b196825432054e07 add tracee container
4255857da3a8ca9c8202b537cd4612725bedf51d fix makefile
6d632e3c8582d5cccd799b5ac32c6cb4aa68daa2 add option to make bpf from root
f474f44066e4f012dba8bf07d9f5c67e7cd56ebe Merge pull request #518 from grantseltzer/input-source-unit-tests
2e827a37b8bff5cc5e5cc01b08a71b6d5c9ffabc Fix: rename signatures and add spacing to printing of them with --list flag
a5e8040018c18a4345621d87436dfbb8affc1ef5 start of unit tests for input source setup functions
f41c794d8ce23b180ac22be0a30dfc4c28a2880e fix webhook panic when server returns error
b54cfda365ec79c444a18ea16d5e68cf2fa64e52 Merge pull request #500 from grantseltzer/gs/print-help-tracee-rules
dbc56af61a0c1fccca6b42fc5c09676973484c51 Update readme, fix default logic
8645c0a1ca0a965d06e7988454f450d717dc09ba Update tracee-rules/input.go
86c09583560df3f0e2785602bffc19184b81e4c1 fix: Address a few typos
4d43dc1187154939297c20efc72540229f0aecc0 rename tracee input parsing functions
eb8f7dbacd55950df69478283376fdb703552967 rename help error
48bd0d32299b4b07e3102a4c87a0f016bac49bf9 Remove more references to EOT, set default values for tracee input (gob from stdin)
696053a35f9c9d4570209385facb48d722308a50 Close on EOF, not on EOT
b2756e5dbcbe713b44fa04a68be52ec1aa025a0a remove the eof/eot option
311e42378d8bac1df0c39803b3c44e8812a2b504 address feedback about help being displayed
effd1f6ca2862518b9b9537e0c53ddef7ae5128b Remove old flags
9829d2b6719ee61b349d10cfa7a119c5c59d7cdd add minimal unit tests
8cc046fcc0e11c45ee92cb978f985985a6aa86a6 add invalid input checks
0e5c733cedfdd6422613643169c2a3c38a88627f Refactor flags in tracee-rules
3590ef06f32af21d7cdc7b318712ac041a772e5d feat: Add tests for core engine functionality (#477)
8e4e7b35902bb17ad2df1071cbf14f9a9c27257a Merge pull request #510 from aquasecurity/remove-eot-tracee-ebpf
0e61c188eb0b2bb99d3e957f5d1e38baa0eb8796 Update contributing guidelines (aka team agreements)
9deb2cea3c9002d5537a4537b8a488b686d4adcb Remove the notion of an EOT event signalling end of transmission
da310b07bbc71705b1c12c2e6ccb6cb19a5cbf33 refactor: tracee-rules use types from tracee-ebpf
775ac46c8cb5e5b708af39ef1a02a2ad4bc0d385 rename tracee executable to tracee-ebpf
17d840f899562a047c33b2eae9370061978a37e1 feat: add root level Makefile for release
5ac1db482a097a14b39ae9e552242f62473c2d62 feat: mostlyclean target
b04facc55a4ac4995f71eaf7d0bd8f619f64835d fix: improve makefile targets
a95d52dd2b338446b5a2cf040c1dfb79b2c3d3fe fix: don't send context when building builder
062c7b15b989da6ec27b3a9097be14f4ca701ef9 fix: docker builder file creation and cleanup
d931f21bc3315ce2ebfb0dcbc4d297e030812514 fix: make in docker without git
02900d92b91ca3ea77193c5333252a76a53e6740 fix: make in docker ignoring target
d28d4cca4ad20852b5fc392ec37ab31a51fc01ed feat: convert anti_debugging sig to rego
5905ce4fa267a0069b1b70402cf8364a3f9a640e feat: add rego tests
febd3de75f5522938e08e155e70e8154ffe4c8e1 lint: Address a few idiomatic Go improvements (#427)
4fdcba8ad7ad51f7bff77faed1add657ecbbf2fa Merge pull request #449 from aquasecurity/traceprint
dd1dbb15074cd47bbcdf143d73ba3cee303e6af8 Add tracee-rules pr workflow
a3d574896bc4c547535d6467842d8190e532cd31 Fix tracee-rules build
c43b1c3394ec639bb0ea71ef69ef75d27fe522a0 Restructure repo as monorepo (#459)
57797050702a3dba5c816f343122ce1c8bcbc2da fix: allow reading from stdin
5fc24f000b3ae93abcf7c7576e478ee73995077a docs: add tracee-rules readme
bb3d227392fa5ab9306dbaab64e01440c995792d fix sigs building
e6b431e7147301f3de301e3c8a3f15b0d5b92d35 fix regosig numeral handling
86c815c5ea0385247c705e4fb51757cb35997ded rego optimizations
07aa51f8335cb5cd9dcebed4995dee14be7a2d30 add support for rego signatures
9a8c83602df1a6e47b6dff8a7e0c75c6fd859dd2 simplify finding data
4025eff51bb490ad52f36c8699ca46b81050940d add code injection signature
de77008dc253e292221d1f63f4aa0560f203d5b6 add anti debugging signature and sigs tests infra
e12b1ce274796f1c3ad07a8aae93b70404d6c8be improve signature error handling
56fa8977f55922307c97cdcd1b4463dd965b929f tracee-rules rewrite
8841bc018318489e03241a9c848933375ccb965d Rule engine initial commit
1d879fc587151b76720bb6c2a033982675ae7ad5 write errors to stderr, and close file
4d721af558196cd03dc7ecb41ac316790e6da508 feat: add TracePrint to libbpfgo
a87426a702aa1b69d38dbe1f96b8179f38471ea5 fix: default output format
fbdf5a6f72e60bb6ead7b8b2612c4e5358065d44 fix: written files index relative to out dir
871c1db8bd2d3586130b1247336727f40dd8d390 Add pin, unpin and setpin for maps in libbpfgo (#437)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.0
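
The pull commands listed for each release above mix version tags (0.6.1, slim-0.6.1) with floating tags (latest, slim) that are moved to point at each new release. A floating tag is convenient for a quick start, but it gives no record of which image a node actually ran, which matters for a tool that is itself a privileged eBPF sensor. The following is an added example, not Tracee project code, of a small POSIX shell audit that classifies image references, flags the floating ones in a pull list, and emits a digest-pinned form for a manifest. The sample pull lines are copied from the v0.6.1 list on this page; the sha256 digest is a constructed placeholder, not a real Tracee image digest.

```shell
#!/bin/sh
# Added example (not Tracee project code): audit the "docker pull" lines of a
# release for mutable tags and produce digest-pinned references instead.
# Sample data is constructed here; PLACEHOLDER_DIGEST is not a real Tracee digest.

PLACEHOLDER_DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef

# classify_ref REF
#   digest   -> name@sha256:<64 hex>; content-addressed and immutable
#   version  -> tag ending in a release number (0.6.1, slim-0.6.1, v1.2);
#               stable by convention, but the registry still allows a re-push
#   floating -> no tag, or a tag such as latest / slim that moves with every release
#   invalid  -> an @sha256: reference whose digest is not 64 lowercase hex chars
classify_ref() {
    ref=$1
    case $ref in
        *@sha256:*)
            digest=${ref##*@sha256:}
            if printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
                echo digest
                return 0
            fi
            echo invalid
            return 1
            ;;
    esac
    # Only the last path component can carry a tag; a ':' earlier in the
    # reference is a registry port (localhost:5000/tracee), not a tag.
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo floating; return 0 ;;   # untagged means an implicit :latest
    esac
    if printf '%s' "$tag" | grep -Eq '(^|-)v?[0-9]+\.[0-9]+(\.[0-9]+)?$'; then
        echo version
    else
        echo floating
    fi
}

# audit_pulls: read "docker pull REF" lines on stdin (bullets or indentation
# before "docker" are tolerated), print "CLASS REF" per line, and return 1 if
# any reference is floating.
audit_pulls() {
    rc=0
    while IFS= read -r line; do
        set -- $line
        while [ $# -gt 0 ] && [ "$1" != pull ]; do shift; done
        [ $# -ge 2 ] || continue
        class=$(classify_ref "$2") || class=invalid
        printf '%s %s\n' "$class" "$2"
        [ "$class" = floating ] && rc=1
    done
    return $rc
}

# pin_ref NAME TAG DIGEST: the reference to put in a manifest. Docker resolves
# it by the digest alone; the tag is kept only as a human-readable hint.
pin_ref() {
    printf '%s:%s@sha256:%s\n' "$1" "$2" "$3"
}

# Constructed sample: the v0.6.1 pull list from this page.
SAMPLE_PULLS='docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.6.1
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.6.1'

if ! printf '%s\n' "$SAMPLE_PULLS" | audit_pulls; then
    echo "floating tags found; deploy from a digest-pinned reference such as:"
    pin_ref docker.io/aquasec/tracee 0.6.1 "$PLACEHOLDER_DIGEST"
fi
```

To obtain the real digest of an image you have pulled, run `docker image inspect --format '{{index .RepoDigests 0}}' docker.io/aquasec/tracee:0.6.1` and commit that digest-pinned reference to the deployment manifest (for example the Kubernetes YAMLs mentioned in the v0.5.2 changelog). Note that a version tag is only pinned by convention: the check above treats it as better than `latest`, not as equivalent to a digest.
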
tracee - v0.4.0

Published by github-actions[bot] over 3 years ago

Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/441

Changelog

da6a281ffc9480a0412925811e34c73cd3d442ca fix release workflow for github actions
c22b85562f800e8a9b44a85245625b01785cac5b release with github action
60f353e4dc92f1a5d82c045a3b59b2f3f4b38b71 remove redundant go setup steps
4f289b5131bb430dcca756c025ca9bb3b354d45e update readme
16f16888e3b527c6e32f286c3cc01bc5fbb47249 refactor output flag
afa9b2d73e2965f16a074580816736e6301398eb improve --capture help
7d2ce345dfca4f1f24f2aa1a0a99a97e5ad0952f Add return value filter
3098430da6eb26d2ea4bf05dfe99ebd868fa3f53 Make '--capture clear-dir' safer
ee2d9bb8918bb4cbbc12692f073f58f12a4b3371 Handle capture output dir in capture flag
534d012f692e8db09a57737b36bc69518cc2496f Decouple and remove filter-file-write flag
062947d2e4e9cd844f94202abc7c783b8572bd27 Add prefix operator to argument filters
b47bbc51c38387cd105adb01cff1d7cf2875195f Remove trace flag and add new filters
199357787bb6068321f7215c9edcbb47b72dbbd7 Remove vfs_write(v) and ioctl from default set
d38fbefedcd5f3c5561ed22466998aa31f3bce15 Added --stack-addresses flag to log stack addresses to JSON output
487d1e44fcdaa04a1fa3c9430fdb225317cc2731 added 'DeleteKey' and 'GetValue' to 'libbpfgo'
409f21e8053141fdac323441ede51ef5e6198e68 Move pidns trace mode to filter flag
b486a253a3ba6c1aedb48049ed92c8a9be58c92d Use filters instead of modes in bpf code
6b4fe815d47b7404237d939730dc0bef69c36264 Move follow trace mode to filter flag
4b3d318ab1e48924601900e8e8c548cb2b6053b2 Add EventID postfix to new syscall events to fit convention
3ac6a21adaddf5e0f29b0dcdfd1d19721c72759f Add support for filtering an event by its argument
f44eb206bf8e80efeb1da68641cb61f3f00c522c Supporting new syscalls from kernel version 5.7 - Resolves #372
7ce92f6979378923f2803ae000c86dc8ce93b3bf Fix bad param renaming
3c622e0f00acf94e274f0fcba32e70e601c616be Fix comm and uts filters
e36e8805b6df57ccbfd85197216febaa8fe62a9a fix libbpf import
96ed00e0dd8db229e742d046195eca9c878b63ca Issue-398 add arguments to events
d387056175263bbbed05b865e691d011a62c91f5 Add indexing of written files
b4f0a0aa796b64dbfd9b071bb041d6862ede4a0b Support using filter prefix for common filters
1edeff85251d3a55c018634ed6702a7ddff10de3 Move event flags into filter flag
1bd03a90465240563871deea857a92be7b601366 Change trace modes and add container filter
f1968a7d2b7a1fc78f3ce7a6ecd27cff0f73e99b refactor Event and params
ff0cb90450cf58c4bbc3d6e446eb145864df02ac fix compat detection for older kernels
54d324f23175dae81e98b3961b9f3eb607464ddb Add support for arm64 32bit compatibility mode
af0ea0885dae740b9c894d2e30c7bf543d01bed1 Fix ptrace request argument print
0536237598401df49b6effc78ec68d04773d3cc2 remove redundant var
ad3cb5db11b9113700c83b9ea770731c9b012a77 Fix event listing
21720aff70ffa60a50785c2be1fc68372df1c8b9 Simplify filters logic
ea5dca15faee3c8d578dfad3a3858ed4abc1e5d4 Move pid filter to filter flag
c3d5c4d5e1f78ed75a7dd2b46803925572d2646f signal end of transmission for gob output
84180be0b00511033a08192ce6cdd788ff06c2b5 Support ARM64 architecture
bfcabb20f8715d876c8b3b6807902e38c2e19016 Set TRACEE_BPF_FILE to point to file instead of dir
68d6c712cfc55c2a44b3aa6d972c67818fa54451 Fix execve pointer errors
8ed6772a2760534820d47be98b6fd8def7b8dbaf Fix pidns filter erroneously set to mntns
f32c50b66e75e5465cb73d21b5b42024cf69f601 Add process follow mode
22ffc4ed78bcbeeeb08937e3d3daeb59cf7b42e5 rename master to main
5702252d72743122576d6814f682bf1c3b4da2f0 Merge filters and set bit size
ef665e3a683623f5d58076092539545124cffb50 Rearrange bpf filtering code
11b251f5e81a0aa886a68354c0413d222cbce950 Add UTS and COMM filters
88f5d6bb6725a31bd22cd2b19efde032c4653b31 Add mnt ns and pid ns filters
64a084afc813374e7c74d819692a8c58482c7d32 Simplify uid filtering code

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.4.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.4.0
tracee - v0.3.1

Published by itaysk almost 4 years ago

Changelog

d4b7008478a813486d42b4bbba0723862397a2f8 Fix bpf compilation on redhat and centos with kernel 4.18
57e2178d19c6e4e7afc58d3bf7aa13b77e51f312 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
a92b1eff3e086950f351862d9d332e94e7ea074f Use more informative error when making bpf object fails
800a0799d192dc8f6d955ed843ec1e424ff8eb57 Split kernel headers to source and build
79d625e2c2a2ceb76f60e5ff2ed5b92e5d8ca854 Add security_inode_unlink event
5564d6e235bf91bd458650cb174e8dd0724f6fd7 Print bpf cmd argument and make a default event
919c261bb65c6a0e8b015dbb3e79ad5853ee50b9 Add host only mode
741f1071db1fbd3de38f2bd64f92ff422ed13ca3 Use alpine image instead of ubuntu
f302eaf0703ac93849a4972946296cc314d78b41 Fix docker build on manjaro(arch) linux

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.1
tracee - v0.3.0

Published by itaysk almost 4 years ago

Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/331

Changelog

fff75d00078276e9fbeccc958e7afbd3c8637ed9 fix version for build in docker
5a7a7fcab5dc01f15188816086433ec85620ccd0 fix make libbpf headers
f1a239be10c5f759533278ce21ceb5082db3b7ac fix make clean
e210c72f743d4b65f4690952943665c8026b4d2c fix version detection for docker build
8d0ac305a004a1bda981ae15362b18218672c31a fix version detection for release
dab487d56f78bfda6c4a3bfab7d11085b54f2bcf fix version detection for release
b481f0d80f9086e09b279c738b23c34f31a99c50 update readme for release
b837b6bb2f3cae7a52babdbea631f9bca3bf5069 fix kernel headers defaults in other distros
aa5ec50335fc83f04ad85d5d3ebc3882ae7616a8 make bpf obj file version dependent
e123fcab6a69d5bbe2da125b4281b734c2c3ff23 refactor release script, include slim images in notes
87d70f913d6bfdbb02ef03c4c24a37c24132fe34 update readme
318933ebee39fa3014e653d5c8723c59f4f40c3b update readme
eb47b745ffad10c3b7b68abb5836c4998479fe46 test for bpf build in ci
5b90fd50ddf3ef8fe7af384fd1625ed4110394a6 fetch libbpf source from make if needed
52c397bd0ae6b8835f87492f33ad1f2e150a10ca fix building in docker without tools
86392ee70437dde9a1ba443bc2579a0e9c366359 fix release process and add slim image
ee46b6fcd5ac1561fea005f1de354476c140070b fix typo
85c3379737ec3dd6024ca1894fe42619f1d206b6 docker builder in cwd
151b137da5df5a56a8d68428ec330980c959e65f make docker targets real targets
ae2fd1a664bd3551b5462162d5b7119e9d446d45 improve naming of tools and fix make bpf-docker
4a9734ec2875367663b6f78bafb44872e603929e optimize docker building
5faa7c1beeefdc5a2ebb8bc4f7d4497370972447 improve building in docker
e4f502cedda2a87f98451d94c3b36e7633149f6f require llvm 9
b4ddc9937de84590e5e5b99c9e39315e200e147b Add a --filter flag which takes arguments of the form =,,...
99c36bef218669a2918a8f599f5e5b1c252d9d0a update_logo
42e11de939ee1f9ca196301a9d944f1027e71787 fix clang version detection
efa68eee877345d13f6d48442f4bcd62b348aad6 tracee use libbpfgo relatively
8d536dbe0f70528eed44062cb0574ba1d4cffea1 fix naming convention
9f5a3055573f20720784fbd83e7d7366ab60e8b0 add libbpfgo readme
5aaf2309338e7bbe13b658d41bc368e1a32fc6ca make libbpfgo a module
d5be3a6942c48f7bddf8913a10036be1265a50e8 feat: add test to ci/cd workflow
2a9d54ed435bece014e90f31c242270d531e27d7 Fix capture exec with empty string
a78a915e4b1027b1d25f2e0676c76b13b4fe2ff5 fix test target and add test-docker
1943eaa6a688e9f549567df27d875785d8cf13ee fix bundle path
4bd1c7b68812ca807b53db322d941ec54e2ec89e check minimum clang version (#310)
d8a55e7775b92b7ec50080d28424e6cf462b718f Fix and enable tests again
9edac6b77c4bf7a42ca3aeefe3d47bcce5d7ab21 Add sched_process_exit event
f35a8f393ea132322cb7077322e1060695f08d4b Add libbpf uapi headers - fix ubuntu16 compilation
aefd3cd5a0ebe8817d1ec4d1a29701488aa7bf6d Fix asm_inline for kernel > 5.4
fe77c7f30b3b14bf1fb69a5a7acf4abd3594a7c2 Print uts name in container mode
46f1e2adac79446641b5583320b2fe64a08b9262 force clang compiler
d0757229eee66ee6b7c3ea84bf7b47e1287068ca rewrite release process
2cccd1d9ce6b7f5934923e6fd2df0249893801af Update readme with build comments
71c97f07d7a340ca7f23dec160900fe8e30da65d Don't make llvm-strip a dependency
13c4d1abd56cb3a7d813bd747e656749e091e548 fix makefile dependency
9e06a2025d31be99ff651cd738f6d0823741f3a9 Fix lint and build errors
935540e5fc907e91487c448686c7767790a26106 Rename bpfwrap to libbpfgo
6cfa83d6e866b378db08141987d0707397a18591 fix docker builds for libbpf
cc7f1eae7d9cacd4d4c3f05f4efc5267fe843290 Organize probe attach code
ffe7b63f49e2c801aac8fca5b6b0b2252908bc53 Disable bpf program autoload if not required
3e7199e9ccc33febaa9174d06c31ce4415a1287c Reorganize initBPF function
6a379a2bb0ee3733da1a8cae2149dabaad8b4ad2 add build-policy flag
8fb3fa541cfc452ef8db57e1c272476fd7ae4286 use different dirs for output and install by default
b06c4811d05790df03efbee5bb1778eec08143a2 use tmp as default install path
fbf395a9041e50780d7e6654cc4d70d5cb18c488 drop capabilities during compilation
3b80e0f189507f864bc51b5849561d91fbe1df0b bundle bpf source for compilation at runtime
6ea6fbf40b44dab5a3b624057aa5e3bf1a8a9ddc compile bpf obj on startup
765d4fac5687f71173ab01b67b8ddc641de2acb8 fix bpf src injection
8c4a1bbdd472893fc4c75dbc74a0044015b59acf refactor bpf obj searching
a074b378854b5554959d7c55472992a0e42f57ee Update libbpf submodule
5109ae1f609f51a3a2e59f8056346fde8b32ef56 improve and organize build (#280)
1208adbc532a232a04db6c85988fecba894f6078 add new module creation from buffer to bpfwrap
b17be813d024b932ee4b5dde75121d6e035fb613 Remove BCC from readme
a2e43591282054955602849b6fc5ca8cf77b6eee Move from gobpf to bpfwrap (libbpf)
172655fa3412a7cec2c0af9d1d82f997844335e9 Add bpfwrap - a thin libbpf wrapper
73d4b7325c8ac42a0efc28f438332f2dcf487d2b Add libbpf submodule
2cac3ee1ea16f8aba241ad87e2785ab5c4a5b1e1 Fix tests
49dee1eafb648899e5afb2157fb08c3682caccba Fix lint errors
f1f43f80ff84ad9fe647e17955733f837b19440b fix ci trigger
d64607a179873862f1193ac8a7be1d21cf525cb5 Fix bad string size type
7a755e3f12acca3f075d2dbea1af34d86e6519ea update go version to 1.15
d0fe845c21b7d6613216ae1f4ea37d88b54bb155 updated to golang 1.15
4964f5c75c7a2e42362067082822c5b4698fac01 Output formatting via gotemplate (#256)
a3e991f10b771ac98889792c9ed58e853a2debbe feat: Add CI/CD Workflow (#259)
5d49921f900fff50ad0e4bb32204d7fd3b2ddbf7 fix memfd files not shown in vfs_write
bc84eae22d5909c0e95fd4c2d80e76ddde5bebd8 fix sockaddr_in parsing
0bb0dbe09d5281a2e0c32fdb4029e2f95f08e01a fix error printing line break
582a3806a41e7a3376573c4d9dbac6cf7c24b972 Created a new --trace flag to replace and enhance the --pid and --container flags
4f50e28e97a2dcfd7c714877f9f9871bb4d9fe2d Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
120204f26529bb484c0247a18debcc6ab7ecbc87 Created a new --trace flag to replace and enhance the --pid and --container flags
aec1ef6ea44bb70008347d6cc1a928990cae399f Fix send bin chunk size
d58cd29cba127702f05ddd5e39d7f00eb67e6a0c Fix broken kernel 4.14 support
e753945963f6f811574280d05656a8b76e55df9d Made the typo change as requested
91fcd92d56f93c27f40d7c81edc15c9a6a4edfa3 Typo Corrected in README.md to sound more meaningful
42cd0b70d39ae8bc0b41cb452fe6702f8d07b005 change readiness file format
751f38ddedea869c3cd4c6d8944484060ad9ccac Various Grammatical and Spelling Changes (#246)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.0
tracee - v0.2.1

Published by itaysk about 4 years ago

Changelog

8ce4688 Small typo fixes (#245)
e97ca4a add contribution guidelines (#242)
bd05ede chore(docs): Added badges in README.md file (#236)
a756211 Read kernel pointers with bpf_probe_read
214346a improve code portability and be generic
f4ad395 Don't monitor events generated by tracee
84c3a7a fix_32bit_before_4.17

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.1
  • docker pull docker.io/aquasec/tracee:latest
tracee - v0.2.0

Published by itaysk about 4 years ago

Changelog

f85878a Add vfs_writev event
a3af9ac Clean essential events from map
aeab9b3 Add pids in raw_syscalls instead of execve handler
b1297cf save_context_generic

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.0
  • docker pull docker.io/aquasec/tracee:latest
tracee - v0.1.0

Published by itaysk about 4 years ago

Changelog

b497d9d fix capture exec when sharing pidns (#208)
b5fb620 Use generic return for execve syscalls
31887af Simplify raw_syscalls logic and remove security_alerts workaround
bc2ee10 clear output dir (#222)
c40f64a Fix fork of traced processes not traced when clone event not chosen
d20395c signal readiness using a file in output dir (#218)
1fbce2e Fix decoding errors when save_args fails
389e596 Handle raw tracepoints fallback
aefee76 Enable support for all syscalls
915a1cc Handle events parameters types and names using parameters map
1adf1e4 Add events parameters map
29f5ee9 Add 32bit syscalls support
0e4adff Reduce syscalls handlers instructions size
8b17cf9 Use tracepoints instead of kprobes for syscalls
60b2e09 check null terminated string size
932a706 Add system calls sets
ddccf41 Update args macro to be more compact
425193e Use bigger buffer size
bdaa084 Update intro video in readme
c962d21 Add more syscalls
c2b7e4f Add events by sets
57fd98b Pretty print event list
0cebf01 Print raw syscalls only when event was not requested
da1e24b Update readme to reflect verbose output

Docker images

  • docker pull docker.io/aquasec/tracee:0.1.0
  • docker pull docker.io/aquasec/tracee:latest
tracee - v0.0.3

Published by yanivagman about 4 years ago

Changelog

6df40c6 Fix double printing of first arg
4795a63 Fix print indentation
077916a Update readme file to include host pid when running from docker
adab925 fix context parsing
040463a improve table output
9c9e4b7 update readme example
3fdcbbb comma separate args in table
9983e23 restore tid to table
dba88af widen pid column
100834d improve table output
7d9c8d1 Fix capture exec for containers
425ecb7 Save host and container pids in host mode
1f5dd76 add host pids to context
b93fff5 Add clone flags
54b1b34 Save writes to /dev/null by pid
b100a20 improve output of args
3137927 Don't print raw_syscall if event exists
2d4ba36 Remove essentialEvents map and simplify code
7805c5e Change event print location in table output
46d9ccc Handle events in a pipeline
4245623 Remove global EventNameToID map
701547d Code refactoring
f29810f Optimize string array buffer layout
6a80860 Optimize string array buffer layout
a591013 Support tracing by pid
35105ce Decouple event data extraction from event parsing
0f5236d Use event id constants for performance
50a7e17 Add argument names
378263e Fix error counter always 0
568afc5 Fix broken raw syscalls feature
7c257ce Beautify table print
888c0e7 Fix getsockname error on null string
dce995d fix capture exec for non-filesystem files

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.3
  • docker pull docker.io/aquasec/tracee:latest
tracee - v0.0.2

Published by itaysk over 4 years ago

Changelog

a87a69e remove python version
398138d fix mem alert when not capturing
ebb5563 Add exclude event flag
6c63231 Remove PrintSyscall func
0dbb1ef Fix chmod invalid file
f1a66bd Append file write if written file type is char, socket or fifo
de74185 change socket address output format
726059c Remove unix socket leading zero in json output
267dae5 Fix unix socket name when there are leading zeros
7c4b242 fix json tags spelling
32051f8 Update readme to include capture flag
e2b935b Update readme to include file and binary capture
dbacd6e Change consts to use go naming conventions
4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
951fbb2 Support multiple probes for one event
7818daa Use alert struct and save alert payload using timestamp
ef4c92e validate capture options
8e79924 don't capture same exec twice
58ead5d Add mmap and mprotect security alerts and data extraction
4074a94 Add chosen events map
bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
87a4a78 fix test for ptrace printing
a523eae fix file capture when dependent event is missing
b10961f Fix write error when buffer and chunk are equal in size
9602d12 allow granular selection of capture-files
6c3fc99 fix ptrace flags print
8114f9c Remove EventsIDToName map
6a6f918 auto build essentialEvents map
165a971 print all raw_syscall names
3e72e64 Add event configuration map
309aab7 fix lost event counter
2cb8a20 print errors to a dedicated file
b27aca3 fix raw_syscall printing if syscall is not known to tracee
ffa8183 capture executed files
395e9da add hook to process events and use it to show raw_syscall name
17c619d refactor stats collection and printing
2abdacb fix map update issue with old kernels
5fb424a Change save_args key to be unique
e2b0a8a decouple internal and external types
90988aa Add tail call event handler
db158f1 Use generic method to send binary data
da567dd add output gob output format
c3af6f3 Support file-write filters up to 64 chars
bad16bc Add Tracee logo
498265d cleanup file event handling code
17a08ad decouple should_trace and init_context
280ad5d Handle buffers more efficiently
e8eca12 parameterize stdout in tracee package
c9b0e91 simplify tracee config
9f17b17 remove args brackets
758145d don't show raw_syscalls by default
0bcf7a8 change printed time resolution from seconds to microseconds
ff413c4 Check for privileges
2a74671 read file buffer with struct
e84324c move should_trace to a function
45516c7 remove get_config wrapper functions
c8982e4 Change vfs_write flags
c448b3e Port vfs_write to go
05cfc5a Add configuration flags for vfs_write
89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
7ca4b05 Support vfs_write filters
184610d Change output path to include mnt ns id
55917d5 Use tail calls to send vfs writes
c77a643 Support multiple chunks in file send
a41baa1 Add vfs_write event and file writes extraction
5d28b9d remove redundant casting
61d273f Use full submission buffer size
d278132 Remove type argument from save_str_to_buf
39bb47e Save path using helper function
75cb776 Remove R_PATH type and handle as regular string
d20cf0d fix make build dependencies
799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
2d5d1cc refactor events map
55b6cc6 update gobpf to include memory leak fix
68b2ce8 add youtube demo to readme

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.2
  • docker pull docker.io/aquasec/tracee:latest
tracee - v0.0.1

Published by itaysk over 4 years ago

Changelog

5dc755f work around gobpf memory leak
2187ecb add makefile target to build docker image
a207a16 add make target to build using docker
5179077 fix dockerfile
e42865f update readme with release
5294f4c save_context
0fcfd26 add release procedure using goreleaser (#75)
e21954c fix events flag in python
2efa61d fix dockerfile
1a6a69c rename events-to-trace flag to event (#73)
2684f1c update readme (#72)
5687bce build distributable binary (#71)
c06e936 update readme (#70)
6697bea update dockerfile to go
613717d handle lost events and support configurable buffer size
2d6e437 fix list command to show recent additions
dd0cedc add chown chmod and pkey_mprotect syscalls
541ae53 fix missing threads in system mode
35202dc fix makefile
9eb9f29 fix json arguments formatting to match python version
d770f33 fix comment
e366065 superficial tests for readArgFromBuff function
b9bd744 fix socket type print
67a3ac1 fix POINTER_T parsing and printing
c0b87ea fix open flags printing
6bc4686 support security_file_open lsm hook
dff978e show stats in table epilogue
b6ea608 update readme about go
189a6e7 add bprm_check event (#54)
4b9bad2 print prctl ptrace options in go
1ae06bc print sockaddr common families in go (#52)
6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
fd8a89b implement show-exec-env in go
7278173 fix event validation
56bd72e Rewrite Python code in Go (#47)
08d5a9a Add prctl option and ptrace request enums
aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
05372ab Handle failed read to buffer
8fddef9 Add optional exec-env flag to show env in execve
431eaae performance: get buffer once
58f76e7 fix missing flags
61f172f avoid fork handler code duplication
4fa4d54 Show syscall name in internal kprobes
85afe0b save container mode
04a921c update readme
58b19d9 events: add setXid syscalls
9369869 fix failed tests
6db7ef7 readme: update optional arguments
6d1effc Add config map and verify configuration
649b19f catch keyboard interrupt
4defbd5 Remove container prefix from files
3aa5c75 mount debugfs before starting
6121f73 add dockerfile
39c28ae Generic event handling in userspace
8afaa4a performance: improve performance and reduce lost events
ff9aa14 set submission array size according to real cpu number
631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
bdd847a Readme: update execve known issue status
5b6bffc Merge pull request #23 from yanivagman/add_event_list
7b2ce5b Add event list and update readme
e0f5549 workaround PT_REGS_PARM macros bug in new kernels
0762844 Support new kernels
8d2a31c events: add mount, umount, unlink, unlinkat syscalls
0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
4ffb880 readme: add omitted title
fbdd2e7 Add system tracing mode
2e296cf fix: stat syscalls are ignored
79c4159 Correct name in NOTICE file
f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
c80ee7a Add container id by using UTS namespace node name
69f490d Merge pull request #8 from aquasecurity/event-filter
31f1a58 fix: kprobe for do_exit is essential
49132fc feat: filter events to trace
c691511 Start tracee without -v for stdout output
a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
ea9b0ec tracee_test: Add test cases for open_flags_to_str
d7bcba9 tracee_test: Add test cases for open_flags_to_str
efc2f14 tracee_test: Add tests for execveat_flags_to_str
d0f474f tracee: Apply more pep-8 fixes
95aff98 tracee: cleanup imports
630a71c .git: update gitignore
a8c2f1d tracee: Move helper methods out of EventMonitor class
ad6401f tracee: init tests and a new makefile
03f18e7 Merge pull request #4 from aquasecurity/readme
5fd4547 update readme file
e1050f8 Update readme files
9f22b49 remove execve redundant structs
2e33567 Change kernel-userspace communication buffer
9871c7a add creat syscall and fix open incorrect flags bug
220d5ed expand syscall enum for all syscalls
af9abf3 add getdents(64) syscalls
50c939e add symlink(at) syscalls
2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
279aabf support python 2 json
ba4f4ac Add authors info
1fe3310 Add kernel version & usage to README
90440ef Create NOTICE
aa5bb68 Create LICENSE
3cf9917 Container tracing using eBPF
b30fc5c Initial commit

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.1
  • docker pull docker.io/aquasec/tracee:latest