tracee v0.8 releases: Container and system event tracing using eBPF
Tracee – Container, and system tracing using eBPF
Tracee is a lightweight and easy-to-use container and system tracing tool. It allows you to observe system calls and other system events in real time. A unique feature of Tracee is that it only traces processes and containers created after Tracee itself has started, which helps the user focus on relevant events instead of every single thing that happens on the system (which can be overwhelming). Adding new events to Tracee (especially system calls) is straightforward and usually requires no more than a few lines of code.
Beyond tracing, Tracee can also capture files written to disk or to memory (“fileless”), and extract binaries that are dynamically loaded into an application’s memory (e.g. when an application uses a packer). With these features, it is possible to quickly gain insights about running processes that previously required dynamic analysis tools and specialist knowledge.
When Tracee reads information from user programs, it is subject to a race condition: the user program may change the arguments after Tracee has read them but before the kernel acts on them. For example, a program invokes execve(“/bin/ls”, NULL, 0); Tracee picks that up and reports it, but the program then changes the first argument from /bin/ls to /bin/bash, and that is what the kernel actually executes. To mitigate this, Tracee also provides LSM (Linux Security Module) based events, for example the bprm_check event, which Tracee can report and which can be cross-referenced against the regular syscall event.
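The cross-referencing described above, as an added example written for this page rather than code from the Tracee project: a small Go function that pairs each execve syscall event with the following bprm_check LSM event on the same thread and flags the pairs whose pathnames differ. The Event struct, the event name constants (the LSM name follows the page’s security_* naming convention) and the sample event stream are all constructed assumptions of this example, not Tracee’s real event format or output.

```go
package main

import (
	"fmt"
	"sort"
)

// Event names as they would appear in a Tracee-style stream. "execve" is the
// syscall named on the page; the LSM event name is an assumption of this
// example that follows the security_* convention used by Tracee's other
// LSM-hook events.
const (
	EvExecve    = "execve"
	EvBprmCheck = "security_bprm_check"
)

// Event is a constructed, simplified view of one traced event, holding only
// the fields this example needs. It is not Tracee's real event type.
type Event struct {
	Seq      int    // position in the event stream
	PID      int    // process ID
	TID      int    // thread ID (execve and its LSM hook fire on the same thread)
	Name     string // EvExecve or EvBprmCheck
	Pathname string // execve's first argument, or the path the LSM hook saw
}

// Mismatch records an execve whose user-space argument differed from the
// path the kernel was about to run when the bprm_check hook fired.
type Mismatch struct {
	PID         int
	SyscallPath string
	LSMPath     string
}

// CrossReference pairs each execve syscall event with the next bprm_check
// event on the same thread and reports pairs whose pathnames differ. The
// syscall event reflects the argument at the time Tracee read it; the LSM
// event reflects what the kernel actually executes, so a difference means
// the argument changed in between.
func CrossReference(events []Event) []Mismatch {
	ordered := append([]Event(nil), events...)
	sort.Slice(ordered, func(i, j int) bool { return ordered[i].Seq < ordered[j].Seq })

	pending := map[int]Event{} // TID -> most recent execve awaiting its LSM event
	var found []Mismatch
	for _, ev := range ordered {
		switch ev.Name {
		case EvExecve:
			pending[ev.TID] = ev
		case EvBprmCheck:
			sys, ok := pending[ev.TID]
			if !ok {
				continue // no preceding execve on this thread (e.g. started before tracing)
			}
			delete(pending, ev.TID)
			if sys.Pathname != ev.Pathname {
				found = append(found, Mismatch{PID: ev.PID, SyscallPath: sys.Pathname, LSMPath: ev.Pathname})
			}
		}
	}
	return found
}

// SampleEvents returns a constructed event stream (not real Tracee output).
// PID 100's two events agree, PID 200's pathname differs between the syscall
// and the LSM hook, and PID 300 has only an LSM event. Seq 5 is listed before
// Seq 4 to show that ordering is by Seq, not by slice position.
func SampleEvents() []Event {
	return []Event{
		{Seq: 1, PID: 100, TID: 100, Name: EvExecve, Pathname: "/bin/ls"},
		{Seq: 2, PID: 100, TID: 100, Name: EvBprmCheck, Pathname: "/bin/ls"},
		{Seq: 3, PID: 200, TID: 200, Name: EvExecve, Pathname: "/bin/ls"},
		{Seq: 5, PID: 300, TID: 300, Name: EvBprmCheck, Pathname: "/usr/bin/id"},
		{Seq: 4, PID: 200, TID: 200, Name: EvBprmCheck, Pathname: "/bin/bash"},
	}
}

func main() {
	for _, m := range CrossReference(SampleEvents()) {
		fmt.Printf("pid %d: execve reported %s but the kernel executed %s\n", m.PID, m.SyscallPath, m.LSMPath)
	}
}
```

Keying on the thread ID rather than the process ID matters because the LSM hook runs in the context of the thread that made the syscall; a multithreaded process could have several execve attempts in flight. On the sample stream the function reports exactly one mismatch, for PID 200.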
- Container event enrichment with data from multiple runtimes #1809 #1886
- New Helm chart for installing tracee with postee #1812
- Tracee-rules signatures can now be written in CEL #1766
- sched_process_exec event now has the binary file’s inode mode information #1889
- security_file_open event now has syscall pathname #1841
- sched_process_exec event now has an
- Events now contain thread start time #1849
- Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
- Started documenting events under
- Created a new derived package for a new type of ‘derived’ events #1822
- Install instructions for NixOS #1827 – Thanks @06kellyjac!
- New Grafana dashboard for Tracee metrics #1605 #1610
- Unrequired Linux capabilities are dropped on startup #1508
- New signature for syscall hooking detection
- Capture of ICMP network traffic #1362
New eBPF Events
- hooked_proc_fops for /proc file operation detection #1718
- set_task_comm indicating process name change #1811
- security_socket_setsockopt (LSM hook) #1859
- DNS events over TCP #1807
- security_mmap_file (LSM hook) #1631
- Tracee will no longer crash when tracing symbols present in kernel modules #1882
- Removed false positive for TRC-11 signature #1878
- Filtering for hooked_seq_ops event now works as expected #1860
- Kallsyms are updated when kernel modules are loaded
Copyright 2019 Aqua Security Software Ltd.