tracee v0.6.3 releases: Container and system event tracing using eBPF
Tracee – Container and system tracing using eBPF
Tracee is a lightweight and easy-to-use container and system tracing tool. It allows you to observe system calls and other system events in real time. A unique feature of Tracee is that it only traces newly created processes and containers (those started after Tracee itself started), in order to help the user focus on relevant events instead of every single thing that happens on the system (which can be overwhelming). Adding new events to Tracee (especially system calls) is straightforward, and will usually require no more than adding a few lines of code.
Other than tracing, it is also capable of capturing files written to disk or memory (“fileless”), and extracting binaries that are dynamically loaded to an application’s memory (e.g. when an application uses a packer). With these features, it is possible to quickly gain insights about the running processes that previously required the use of dynamic analysis tools and special knowledge.
When Tracee reads information from user programs it is subject to a race condition: the user program may change the arguments after Tracee has already read them. For example, a program invokes execve("/bin/ls", NULL, 0); Tracee picks that up and will report it, but the program then changes the first argument from /bin/ls to /bin/bash, and that is what the kernel will actually execute. To mitigate this, Tracee also provides "LSM" (Linux Security Module) based events, for example the bprm_check event, which Tracee can report and which can be cross-referenced with the reported regular syscall event.
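The cross-referencing described above, as an added example that is not code from the Tracee project: a small Go correlator over a constructed event stream matches each execve syscall event with the next LSM bprm_check event from the same PID and flags pairs whose pathnames disagree. The Event struct, the field names, and the event name "security_bprm_check" are assumptions made for this example and are not taken from Tracee's own output format.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is a simplified event record constructed for this example; it is
// not Tracee's actual event structure.
type Event struct {
	Timestamp int64  // monotonic time, nanoseconds
	PID       int    // process that produced the event
	Name      string // assumed names: "execve" or "security_bprm_check"
	Pathname  string // pathname argument as seen at that point
}

// Mismatch records an execve syscall event whose pathname differs from the
// pathname the kernel checked in the subsequent LSM bprm_check hook.
type Mismatch struct {
	PID         int
	SyscallPath string // what the syscall tracepoint reported
	LSMPath     string // what the LSM hook (and therefore the kernel) saw
}

// CrossReference orders events by time and, per PID, pairs every execve
// syscall event with the next security_bprm_check event. A pair whose
// pathnames differ indicates the argument changed between the syscall
// entry and the kernel's own check, which is exactly the race the
// LSM-based event is meant to expose.
func CrossReference(events []Event) []Mismatch {
	sorted := make([]Event, len(events))
	copy(sorted, events)
	sort.SliceStable(sorted, func(i, j int) bool {
		return sorted[i].Timestamp < sorted[j].Timestamp
	})

	pending := map[int]Event{} // last unmatched execve per PID
	var out []Mismatch
	for _, ev := range sorted {
		switch ev.Name {
		case "execve":
			pending[ev.PID] = ev
		case "security_bprm_check":
			sc, ok := pending[ev.PID]
			if !ok {
				continue // LSM event with no preceding syscall event for this PID
			}
			delete(pending, ev.PID)
			if sc.Pathname != ev.Pathname {
				out = append(out, Mismatch{
					PID:         ev.PID,
					SyscallPath: sc.Pathname,
					LSMPath:     ev.Pathname,
				})
			}
		}
	}
	return out
}

// SampleEvents is a constructed trace: PID 4242 reproduces the /bin/ls vs
// /bin/bash discrepancy from the text, PID 4243 is a consistent exec.
func SampleEvents() []Event {
	return []Event{
		{Timestamp: 100, PID: 4242, Name: "execve", Pathname: "/bin/ls"},
		{Timestamp: 105, PID: 4242, Name: "security_bprm_check", Pathname: "/bin/bash"},
		{Timestamp: 110, PID: 4243, Name: "execve", Pathname: "/usr/bin/id"},
		{Timestamp: 112, PID: 4243, Name: "security_bprm_check", Pathname: "/usr/bin/id"},
	}
}

func main() {
	for _, m := range CrossReference(SampleEvents()) {
		fmt.Printf("pid %d: execve reported %q but the kernel executed %q\n",
			m.PID, m.SyscallPath, m.LSMPath)
	}
}
```

The LSM-side pathname is the one to trust when the two disagree, since the bprm_check hook runs after the kernel has copied the arguments in and can no longer be influenced by the calling process.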
7a46f53 feat: Add list-events flag for listing events (#1071)
4262182 chore: adding to mkdocs missing links (#1070)
203a91f tracee-ebpf: simplify code
e942ffa tracee-ebpf: save correct argnum automatically
8ce15c8 tracee-ebpf: use event_data for buffer offset
79c28b2 fix missing declaration
48654aa fix sockaddr struct overflow and change error message
a9f774b Parse the version from module tags (#1062)
Copyright 2019 Aqua Security Software Ltd.