v0.14.0

⚡️ Release notes: https://github.com/aquasecurity/tracee/discussions/3041 ⚡️

Docker Image (x86_64 only)

• docker pull docker.io/aquasec/tracee:0.14.0

Docker Images (per architecture)

• docker pull docker.io/aquasec/tracee:x86_64-0.14.0
• docker pull docker.io/aquasec/tracee:aarch64-0.14.0

What's Changed

• fix: strip v from docker images tags by @josedonizetti in #2985
• temporary: adjust github image tags for latest releases by @rafaeldtinoco in #2986
• temporary: typo fix for arm64 release tag by @rafaeldtinoco in #2987
• temporary: remove temporary workflow that fixed docker tags by @rafaeldtinoco in #2988
• performance: introduce automated performance dashboard with pyroscope by @rafaeldtinoco in #2968
• logger: refactor logger configuration by @NDStrahilevitz in #2971
• feat: support unmarshalling trace types by @roikol in #2937
• chore: bump postee to 2.9.0 by @josedonizetti in #2981
• capabilities: drop capabilities by default by @rafaeldtinoco in #2924
• fix: add file to error message when parsing yaml by @josedonizetti in #2995
• consume remaining events after ctx is done by @geyslan in #2969
• docs: remove tracee-action metion by @josedonizetti in #2997
• Important Network Fixes for Tracee by @rafaeldtinoco in #2982
• Enable a Debug Shell for Test Runners by @rafaeldtinoco in #2999
• workflow: raise timeout limit for debug shell jobs by @rafaeldtinoco in #3005
• feat: unmarshall trace types correctly by @roikol in #2996
• feat: use new types in signatures by @rafaeldtinoco in #3009
• fix: support null values in unmarshalling by @roikol in #3011
• types: update tracee to use latest types by @rafaeldtinoco in #3012
• fix multiple symbols prints bug by @AsafEitani in #3002
• Capabilities fixes by @rafaeldtinoco in #3006
• fix: kernel version comparison by @roikol in #3022
• fix: detect container id from cgroup in GitHub Action by @ShiraCohen33 in #3021
• events: fix missing capability hidden_kernel_module by @OriGlassman in #3014
• ebpf: non non-core. building files. by @rafaeldtinoco in #3015
• tracee: add engine field to tracee object by @NDStrahilevitz in #3024
• events: fix hidden_kernel_module derivation by @rafaeldtinoco in #3025
• Revive by @rafaeldtinoco in #3020
• Fix docs by @josedonizetti in #3010
• ebpf: adjust includes left behind by @rafaeldtinoco in #3028
• k8s: bump to 0.14.0 by @josedonizetti in #3030
• tracee one binary cli migration to cobra/viper by @geyslan in #3000
• libbpf + libbpfgo bump by @rafaeldtinoco in #3032
• workflow: fix mkdocs-dev workflow to ubuntu-latest by @rafaeldtinoco in #3034

New Contributors

• @ShiraCohen33 made their first contribution in #3021

Full Changelog: v0.13.1...v0.14.0

v0.13.1

⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2989 ⚡️

Docker Images (x86_64 only)

• docker pull docker.io/aquasec/tracee:0.13.1
• docker pull docker.io/aquasec/tracee:0.13.1-full

Docker Images (per architecture)

• docker pull docker.io/aquasec/tracee:x86_64-0.13.1
• docker pull docker.io/aquasec/tracee:x86_64-0.13.1-full
• docker pull docker.io/aquasec/tracee:aarch64-0.13.1
• docker pull docker.io/aquasec/tracee:aarch64-0.13.1-full

The regular image is built with an embedded portable CO-RE eBPF object and BTFHub (for kernels not supporting BTF info). The full image is built with an embedded portable CO-RE eBPF object and it is capable of building a per kernel non CO-RE eBPF object.

What's Changed

• events: fix return value of process_execute_failed event by @OriGlassman in #2964
• Policies mntns issue and Segfault fix by @rafaeldtinoco in #2974
• docs: add bpf capture documentation by @yanivagman in #2976
• docs: fix logging documentation by @josedonizetti in #2977
• Fix mnt docs by @josedonizetti in #2978
• build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.24+incompatible by @dependabot in #2979
• k8s: bump tag to 0.13.1 by @josedonizetti in #2983
• sig: engine: copy event before engine processing by @geyslan in #2984

Full Changelog: v0.13.0...v0.13.1

v0.13.0

⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2963⚡️

Docker Images (x86_64 only)

• docker pull docker.io/aquasec/tracee:0.13.0
• docker pull docker.io/aquasec/tracee:0.13.0-full

Docker Images (per architecture)

• docker pull docker.io/aquasec/tracee:x86_64-0.13.0
• docker pull docker.io/aquasec/tracee:x86_64-0.13.0-full
• docker pull docker.io/aquasec/tracee:aarch64-0.13.0
• docker pull docker.io/aquasec/tracee:aarch64-0.13.0-full

The regular image is built with an embedded portable CO-RE eBPF object and BTFHub (for kernels not supporting BTF info). The full image is built with an embedded portable CO-RE eBPF object and it is capable of building a per kernel non CO-RE eBPF object.

What's Changed

• workflow: turn github node jobs paralell by @rafaeldtinoco in #2805
• docs: small fixes by @yanivagman in #2811
• standardize error/log first letter by @geyslan in #2812
• cleanup: order import blocks by @geyslan in #2815
• docs: fix readme links by @yanivagman in #2816
• [ARM64 TESTS] workflow: add arm64 runners and tests by @rafaeldtinoco in #2817
• builder: add goimports to tracee-make docker imgs by @geyslan in #2828
• workflow: add alma linux as rhel clone to the PR workflow by @rafaeldtinoco in #2831
• Workflow paths by @rafaeldtinoco in #2833
• docs: fix readme docs links by @josedonizetti in #2837
• events: fix signature event name by @josedonizetti in #2839
• chore: go mod tidy by @josedonizetti in #2843
• workflow: pr: reenable TRC-103 by @geyslan in #2840
• workflow: pr: enable tests in arm64 and rhel_arm64 by @geyslan in #2844
• workflow: test other tools builds as well by @rafaeldtinoco in #2848
• maintenance: build: enable arm64 container images, fix building by @rafaeldtinoco in #2849
• workflow: update AMI IDs for 30GB images by @rafaeldtinoco in #2850
• workflow: change release AMI IDs to latest by @rafaeldtinoco in #2851
• chore: fix deprecated nodejs warning for github action by @rafaeldtinoco in #2856
• go: update runc from 1.1.2 to 1.1.4 due to security by @rafaeldtinoco in #2857
• workflow: login to docker.io before docker pulls by @rafaeldtinoco in #2859
• go: fix security issue CVE-2022-1996 by @rafaeldtinoco in #2861
• workflow: fix release-snapshot with dev-full tag by @rafaeldtinoco in #2862
• feat: add PTRACE_POKEDATA to ptrace_code_injection by @roikol in #2846
• workflow: fix: github login action not working by @rafaeldtinoco in #2865
• chore: enable btfhub after arm64 changes by @rafaeldtinoco in #2867
• workflow: change release AMI IDs to latest (#2851) by @rafaeldtinoco in #2869
• feat: add inotify_find_inode event by @roikol in #2794
• errfmt: introduce new package for error formatting by @geyslan in #2842
• workflow: update AMI IDs by @rafaeldtinoco in #2872
• workflow: add PRs labeler by @rafaeldtinoco in #2875
• workflow: updates to the workflow by @rafaeldtinoco in #2877
• workflow: snapshot labels for jenkins are too long by @rafaeldtinoco in #2878
• types: add SignatureContext type for init by @NDStrahilevitz in #2880
• Logger in signatures by @NDStrahilevitz in #2864
• types: matchedScopes -> matchedPolicies by @geyslan in #2881
• rename scopes related to policies by @geyslan in #2845
• make go routines shutdown gracefully by @geyslan in #2784
• ebpf: remove params_type_map and use events_map instead by @yanivagman in #2825
• workflow: re-enable v4.19 and add arm64 version by @rafaeldtinoco in #2879
• workflow: add amzn2 5.10 kernel AMIs to tests by @rafaeldtinoco in #2885
• ebpf: remove bin_args_map by @yanivagman in #2813
• tests: disable cache for integration tests by @geyslan in #2884
• workflow: add gke 5.4, 5.10 and 5.15 kernel AMIs to tests by @rafaeldtinoco in #2886
• check relevant error returns by @geyslan in #2818
• fix: base event filters by @yanivagman in #2897
• fix: fix old_path arg of security_inode_rename by @roikol in #2895
• add bpf byte code capture by @AsafEitani in #2874
• feat: add helpers list to bpf_attach by @roikol in #2855
• ebpf: align execve enter and exit timestamps by @yanivagman in #2853
• workflow: pr: enable tests in all archs by @geyslan in #2863
• workflow: pr: enable TRC-104 test in RHEL ARM64 by @geyslan in #2910
• fix: use correct type for bpf helpers by @roikol in #2912
• feat: use libbpfgo helpers to parse bpf helpers by @roikol in #2905
• libbpf bump by @geyslan in #2911
• Revert "libbpf: bump to v1.1.0 (#2911)" by @rafaeldtinoco in #2917
• refactor: move log-file to be under --log by @josedonizetti in #2909
• skip arg filtering for PrintMemDump by @geyslan in #2914
• Policies by @josedonizetti in #2892
• types: add container and kubernetes context fields by @NDStrahilevitz in #2921
• Enrich image digest by @NDStrahilevitz in #2760
• add syscall support for print_mem_dump by @AsafEitani in #2903
• types: event policy name by @geyslan in #2922
• containers: parse ContainerID by inner cgroup by @NDStrahilevitz in #2925
• policy: enrich matched event with policy name by @geyslan in #2923
• Policy number CLI removal by @geyslan in #2919
• Feature/improve symbols loaded performance by @AlonZivony in #2891
• tests: re-enable integration for policies by @geyslan in #2927
• events: add process_execute_failed event by @OriGlassman in #2858
• events: prevent symbols map cache corruption by @AlonZivony in #2930
• chore: add tracee logos by @itaysk in #2931
• build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 by @dependabot in #2932
• policies: fix container scope by @josedonizetti in #2938
• Add hidden linux kernel module event by @OriGlassman in #2714
• docs: add policies reference documentation by @josedonizetti in #2936
• docs: update docs to reflect new binary by @geyslan in #2939
• improve policies overview by @yanivagman in #2947
• Fix policy docs newline by @yanivagman in #2948
• k8s: bump version by @rafaeldtinoco in #2949
• chore: release minor fixes by @rafaeldtinoco in #2951
• release: makefile change to sign all images by @rafaeldtinoco in #2952
• release: crane is buggy, remove until fixed by @rafaeldtinoco in #2953
• makefile: remove cosign leftover and fix release makefile by @rafaeldtinoco in #2955
• workflows: make release like the snapshot logic by @rafaeldtinoco in #2958
• release: fix relea...

v0.12.0

⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2803 ⚡️

Docker images

• docker pull docker.io/aquasec/tracee:0.12.0 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.12.0 (compiles non CO-RE eBPF object on startup)

commit log

• refactor: simplify output flags by @josedonizetti in #2700
• chore: generate k8s statics by @josedonizetti in #2703
• tracee: fix filters by @josedonizetti in #2720
• flags: remove cache-events from output help by @josedonizetti in #2729
• swap uint and containers equality order by @geyslan in #2726
• types: upgrade go-yaml by @josedonizetti in #2719
• dep: update githuhub.com/aquasecrity/tracee/types by @josedonizetti in #2730
• ebpf: add prog_override_return arg to bpf_attach by @roikol in #2560
• build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 by @dependabot in #2732
• filterscopes: create a filterscopes pkg by @rafaeldtinoco in #2738
• log when not a container cgroup instead of err by @geyslan in #2737
• pkg/ebpf: add derived events for ld SO symbols collision (rebase) by @rafaeldtinoco in #2740
• sign container images with cosign by @developer-guy in #2607
• chore: bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #2741
• trace: add hidden kernel module struct by @OriGlassman in #2742
• adjust recently merged symbols_collision event and better document it by @rafaeldtinoco in #2743
• refactor: rules renamed to signatures by @josedonizetti in #2715
• logger: set libbpfgo logger callback by @geyslan in #2663
• events: print seconds of timespec by @roikol in #2712
• ebpf: save_args_to_submit_buf minor format change by @rafaeldtinoco in #2755
• types: add event metadata by @josedonizetti in #2752
• events: add vfs_utimes event by @roikol in #2690
• Provide Fluent Forward output option by @patrick-stephens in #2155
• chore (tests): add e2e instrumentation tests by @roikol in #2764
• Refactor output forward flag by @josedonizetti in #2766
• feat: add do_truncate event by @roikol in #2749
• Add signature event metadata by @josedonizetti in #2753
• tracee: fix args on signatures events by @josedonizetti in #2713
• tests: fix integration pkg race conditions by @geyslan in #2768
• test: fix flaky TestFindingToEvent by @josedonizetti in #2774
• workflow: move runners to jenkins by @rafaeldtinoco in #2776
• errors: improve error output by @rafaeldtinoco in #2773
• flags: cli: docs: rename trace flag to filter by @geyslan in #2767
• libbpfgo: set libbpfgo callbacks by @geyslan in #2761
• signatures: load sigs as default events by @josedonizetti in #2779
• tracee: make it the default binary by @josedonizetti in #2777
• Add multiple printers by @josedonizetti in #2746
• Add file modification event by @roikol in #2780
• Add webhook printer by @josedonizetti in #2782
• k8s: remove flag everythingIsAnEvent from helm by @josedonizetti in #2785
• Improve building docs by @rafaeldtinoco in #2787
• printer: block instead of drop events for broadcast by @josedonizetti in #2789
• k8s: fix templates to use unified binary by @josedonizetti in #2786
• k8s: bump version by @josedonizetti in #2791
• k8s: remove falcosidekiq yaml by @josedonizetti in #2795
• documentation: add syscall events markdown files from ChatGPT by @rafaeldtinoco in #2792
• gptdocs: add option to generate docs for a list of events by @rafaeldtinoco in #2800
• sets: default set can't have network events v419 by @rafaeldtinoco in #2771
• adding promtail tutorial by @AnaisUrlichs in #2781
• docs: restructure #2788 by @AnaisUrlichs in #2797
• docs: update output docs by @itaysk in #2802

New Contributors

• @developer-guy made their first contribution in #2607
• @patrick-stephens made their first contribution in #2155

Full Changelog: v0.11.1...v0.12.0

v0.11.1

v0.11.1 highlights and discussion

Docker images

• docker pull docker.io/aquasec/tracee:0.11.1 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.11.1 (compiles non CO-RE eBPF object on startup)

v0.11.0

v0.11.0 highlights and discussion

Docker images

• docker pull docker.io/aquasec/tracee:0.11.0 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.11.0 (compiles non CO-RE eBPF object on startup)

v0.10.0

Release highlights and summary

👉 https://github.com/aquasecurity/tracee/discussions/2503

Full Changelog

• k8s: update tags to 0.9.3 by @josedonizetti in #2329
• doc: move kallsyms_lookup_name event doc to new doc path by @AlonZivony in #2333
• [MAINT] btfhub: adjust ol7 path after btfhub change by @rafaeldtinoco in #2341
• k8s: fix postee dependency by @josedonizetti in #2342
• docs: add tag to kubect apply by @josedonizetti in #2343
• pkg/ebpf: add syscalls arguments to security_file_mprotect by @AlonZivony in #2335
• feature: add stdin path to sched_process_exec by @roikol in #2216
• pkg/ebpf: fix multi use of string buf in seched_process_exec by @AlonZivony in #2345
• refactor: probes: move diff probe types to own files by @rafaeldtinoco in #2349
• refactor: pkg/cgroup and pkg/containers initial structure by @rafaeldtinoco in #2350
• [FEAT] Args syscall filter by @NDStrahilevitz in #2251
• [FIX] events_enrich: fix missing container_remove event by @NDStrahilevitz in #2357
• [FEAT] logger: debug output enrichment by @geyslan in #2254
• builder: increase alpine version to fix golang dependency by @rafaeldtinoco in #2373
• [REFACTOR] Cgroup Interface (cgroupv1 and cgroupv2 initialization) by @rafaeldtinoco in #2233
• pkg/ebpf: add arguments and doc to mem_prot_alert by @AlonZivony in #2339
• Feature/event context filter by @NDStrahilevitz in #2229
• pkg/ebpf: cancel event with missing symbols dependency by @AlonZivony in #2370
• pkg/ebpf: process existing mount ns upon initialization by @AlonZivony in #2283
• Fix capabilities initialization by @rafaeldtinoco in #2380
• pkg/events: add API to derive multiple events from single function by @AlonZivony in #2384
• pkg/procinfo: procfs errors are too frequent by @rafaeldtinoco in #2394
• [MAINT] workflows/pr: add kinetic60 and focal419 by @rafaeldtinoco in #2399
• pkg/ebpf/tracee: fix capabilities for procfs reads by @rafaeldtinoco in #2406
• types: add network protocol events types by @rafaeldtinoco in #2378
• types: add EventName to SignatureMetadata by @josedonizetti in #2408
• pkg/ebpf: change fork thread start time to be since epoch by @AlonZivony in #2387
• tracee-rules: extract getSignatures by @josedonizetti in #2413
• tracee-ebpf: extract logic into pkg/cmd by @josedonizetti in #2416
• [FEATURE] New network code with tests by @rafaeldtinoco in #2200
• tracee: add new binary by @josedonizetti in #2418
• pkg/utils/proc: log errors as debug only by @rafaeldtinoco in #2426
• tracee: make some perf buffers optional by @NDStrahilevitz in #2423
• pkg/counter: change Counter type by @geyslan in #2427
• signatures: add event name to golang sigs by @josedonizetti in #2412
• Embed test script and import environment variable by @grantseltzer in #2366
• [FEAT] Simple DNS events compatible with old ones by @rafaeldtinoco in #2425
• pkg/ebpf: reduce security_file_mprotect instructions by @AlonZivony in #2421
• printer: add container image to table printer by @NDStrahilevitz in #2232
• Streamline error logging by @NDStrahilevitz in #2403
• rules: refactor engine.New to receive sigs via Cfg by @josedonizetti in #2438
• Add AVD link from detection docs by @grantseltzer in #2326
• ebpf: fix process tree filter by @yanivagman in #2431
• rules: reenable dropped_executable by @josedonizetti in #2445
• Bugfix/rodata err 419 by @AlonZivony in #2447
• ebpf: fix error handling by @josedonizetti in #2354
• pkg/utils/sharedobjs: check open failure by @AlonZivony in #2450
• tracee: trim event name for table output by @josedonizetti in #2440
• derive: fix cgroupv1 hid false derives by @NDStrahilevitz in #2453
• rules: refactor signature name by @josedonizetti in #2455
• [FIX] network: do not run e2e-net-test for vanilla v4.19 by @rafaeldtinoco in #2456
• caps: log errors from caps Requested and cb func by @geyslan in #2459
• network: e2e-net-test v419 skip should return 0 by @rafaeldtinoco in #2461
• rules: add event name to rego signatures by @josedonizetti in #2457
• probes: fix lockup when nested raising privileges by @rafaeldtinoco in #2460
• build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 by @dependabot in #2452
• Feature/reduce sched exec instruction by @AlonZivony in #2434
• events_pipeline: run filters for derived events by @rafaeldtinoco in #2463
• Bump libbpfgo to v0.4.5-libbpf-1.0.1 by @rafaeldtinoco in #2472
• Add rules to the pipeline by @josedonizetti in #2439
• tracee: add flag to install new tracee by @josedonizetti in #2473
• sorting: add race condition checks for queues usage by @AlonZivony in #2465
• Quick start update & adding commands to create docs previous to Makefile by @AnaisUrlichs in #2478
• tracee.bpf: arm64: fix var warning for bpf-nocore by @rafaeldtinoco in #2480
• events: remove unused dependency by @yanivagman in #2464
• pkg/events/parse: use generic function to parse args by @AlonZivony in #2482
• Arg filter fixes by @rafaeldtinoco in #2488
• docs: add network events documentation to mkdocs by @rafaeldtinoco in #2494
• [FEAT] builder: add custom-rules arg opt to entrypoint.sh by @geyslan in #2493
• [FEAT] log ebpf errors by @geyslan in #2352
• k8s: bump tag to 0.10.0 by @josedonizetti in #2496
• docs: add everything is an event tutorial by @josedonizetti in #2495
• Binary filter by @yanivagman in #2385
• docs: fix typo by @josedonizetti in #2501
• network: add port arg to protocols TCP and UDP by @rafaeldtinoco in #2502

v0.9.3

v0.9.3

This version continues the trend within the v0.9.X series of Tracee versions, quickly fixing bugs and updating documentation in small and fast coming releases. We're happy that this trend makes Tracee a more reliable system to depend on for having a stable latest version.

See the full release notes and closed milestone issues for highlights.

Docker images

• docker pull docker.io/aquasec/tracee:0.9.3 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.9.3 (compiles non CO-RE eBPF object on startup)

Full Changelog

b784993 - workflows: add stream8 back (#2327) (Rafael David Tinoco)
20daa29 - Documentation: Fix broken links, move deep dive section (#2322) (grantseltzer)
430c073 - ebpf: fix mem_prot_alert invalid args (#2324) (Yaniv Agman)
a37dcf6 - workflows: change pr to new runners (#2325) (Rafael David Tinoco)
ea11896 - Run integration test triggers in own PID (#2323) (grantseltzer)
380070e - flags: add a test for prepareEventsToTrace (Nadav Strahilevitz)
766f588 - events: add a "containers" set (Nadav Strahilevitz)
31d09d4 - filter: fix wildcard not working for events (Nadav Strahilevitz)
ca2a14e - bucketscache: add RWMutex (#2316) (Nadav Strahilevitz)
534b6a4 - types/trace: add u8 type support to UnmarshalJson (#2312) (Alon Zivony)
4ff5914 - tracee: remove invalid events from tailcalls (#2310) (Nadav Strahilevitz)
f51b41a - filters: flags: change mntns and pidns filter expressions (#2302) (Geyslan Gregório)
df6d661 - logger: move logger start to init functions (#2252) (Geyslan Gregório)

v0.9.2

v0.9.2

This is release contains fixes to regressions that were introduced in the last two releases. In particular we've disabled TRC-108, TRC-1022, default capabilities drop, move libbpf back to v1.0.1.

As this comes very soon after the prior two releases, take a look at v0.9.0's release notes to see recent highlights of tracee's improvements and added features!

Docker images

• docker pull docker.io/aquasec/tracee:0.9.2 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.9.2 (compiles non CO-RE eBPF object on startup)

Full changelog

f7a0b78 - rules: disable TRC-1022 (#2304) (Jose Donizetti)
84fd91e - capabilities: do not drop caps by default (Rafael David Tinoco)
29b89f8 - golang: go mod tidy (Rafael David Tinoco)
70ea836 - libbpfgo: bump to v0.4.4-libbpf-1.0.1 (Rafael David Tinoco)
6a079a9 - libbpf: back to v1.0.1 (Rafael David Tinoco)
537fe6c - hooked_proc_fops: remove redundant struct check and handle null pointer (#2303) (AsafEitani)
b8ac9db - k8s: disable signature TRC-108 (#2297) (Jose Donizetti)
bbcc6a5 - k8s: update version to 0.9.2 (#2299) (Jose Donizetti)
ae722d7 - event fix: bpf_attach map key (#2295) (roikol)

v0.9.1

v0.9.1

This is a small release that only contains bug fixes, it is recommended to use over v0.9.0. As this comes two days after the prior release, take a look at v0.9.0's release notes to see highlights of its improvements and added features!

Docker images

• docker pull docker.io/aquasec/tracee:0.9.1 (embedded eBPF CO-RE obj with BTFHUB support)
• docker pull docker.io/aquasec/tracee:full-0.9.1 (compiles non CO-RE eBPF object on startup)

Full Changelog

58399f0 - k8s: update image tag to latest (#2293) (Jose Donizetti)
0842226 - capabilities: do not drop privileges in tracee-ebpf by default (Rafael David Tinoco)
00c7bd2 - symbols_loaded: raise privileges when needed (Rafael David Tinoco)
9826640 - path_resolver: raise privileges when needed (Rafael David Tinoco)
7ef3541 - probes: add NET_ADMIN capability as required for tcProbes (Rafael David Tinoco)
73fb7eb - capabilities: make new capabilities a singleton (Rafael David Tinoco)
02804d8 - capabilities: raise caps for init_namespaces event (Yaniv Agman)
73273d2 - caps: raise privileges for cgroupv1 mount (#2290) (Rafael David Tinoco)
cbaeac2 - pkg/ebpf: fix symbols_loaded initialization crash (#2284) (Alon Zivony)
1bb7264 - capabilities: fix: raise caps ring for privileged operations (#2280) (Rafael David Tinoco)

Full Changelog: v0.9.0...v0.9.1