
Releases: aquasecurity/tracee

v0.9.0

21 Oct 21:26
69c472b

It's never been better to run Tracee in Kubernetes! This release represents a significant jump in the value of running Tracee in a user's Kubernetes environment, most notably because of a huge contribution from Aqua's research team: 20+ new signatures for tracee-rules. Users can enable these to gain detection of common cloud native attacks without writing a single policy.

We've also revamped our documentation to make installing, running, and understanding Tracee even more accessible to its users.

Thank you to all our external contributors who participated in this release by either contributing code, documentation, or opening issues!

New Signatures

In #2271/#2259, 20+ new signatures were introduced. Signatures let Tracee users apply policies for which potentially malicious behaviors they want to be alerted to.

For example, the new proc_mem_access signature alerts on a common attack pattern where one process attempts to read the memory of another process. Credentials and secrets can be obtained this way.

Check out the Available Rules page on the documentation site for an explanation of all provided signatures you can use with Tracee.
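To make the proc_mem_access pattern concrete, here is a small stand-alone detector written for these notes; it is an added example, not Tracee's own signature code and not the tracee-rules signature API. It runs simplified detection logic over newline-delimited JSON events: the field names (eventName, processId, hostProcessId, processName, args[].name/value) are modelled on tracee-ebpf's JSON output, and the sample events are constructed, not captured from a real host. The choice to inspect only the security_file_open LSM-hook event (rather than the openat syscall) and the regex on /proc/<pid>/mem are this example's own design choices.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
)

// Event models the subset of tracee-ebpf's JSON output this example needs.
// The field names follow the "-o format:json" output; the struct itself is an
// assumption made for this example, not a Tracee type.
type Event struct {
	EventName     string `json:"eventName"`
	ProcessID     int    `json:"processId"`     // pid inside the process's own pid namespace
	HostProcessID int    `json:"hostProcessId"` // pid as seen from the host
	ProcessName   string `json:"processName"`
	Args          []Arg  `json:"args"`
}

// Arg is one event argument; values may be strings or numbers, so keep it untyped.
type Arg struct {
	Name  string      `json:"name"`
	Value interface{} `json:"value"`
}

// Finding is what the detector emits on a match.
type Finding struct {
	Reader    string
	ReaderPID int
	TargetPID int
	Path      string
}

// Only /proc/<numeric pid>/mem counts as a memory read; /proc/self/mem never
// matches and /proc/<pid>/maps is reconnaissance rather than a memory read.
var procMemRe = regexp.MustCompile(`^/proc/([0-9]+)/mem$`)

func (e Event) argString(name string) (string, bool) {
	for _, a := range e.Args {
		if a.Name == name {
			s, ok := a.Value.(string)
			return s, ok
		}
	}
	return "", false
}

// DetectProcMemAccess flags a security_file_open event whose pathname is another
// process's /proc/<pid>/mem. A process opening its own memory is ignored: JIT
// runtimes and some debuggers do that legitimately and it only produces noise.
// The comparison uses ProcessID (namespaced pid) because the pids that appear
// under /proc inside a container are the container's, not the host's.
func DetectProcMemAccess(e Event) (Finding, bool) {
	if e.EventName != "security_file_open" {
		return Finding{}, false
	}
	path, ok := e.argString("pathname")
	if !ok {
		return Finding{}, false
	}
	m := procMemRe.FindStringSubmatch(path)
	if m == nil {
		return Finding{}, false
	}
	target, _ := strconv.Atoi(m[1]) // regex guarantees digits only
	if target == e.ProcessID {
		return Finding{}, false
	}
	return Finding{Reader: e.ProcessName, ReaderPID: e.ProcessID, TargetPID: target, Path: path}, true
}

// ScanLines runs the detector over JSON lines, skipping anything that does not
// parse (tracee-ebpf may print non-event text on startup).
func ScanLines(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		var e Event
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			continue
		}
		if f, ok := DetectProcMemAccess(e); ok {
			out = append(out, f)
		}
	}
	return out
}

// SampleEvents are constructed for this example and mimic tracee-ebpf's JSON shape.
var SampleEvents = []string{
	// another process's memory opened by "dumper": should fire
	`{"eventName":"security_file_open","processId":4242,"hostProcessId":4242,"processName":"dumper","args":[{"name":"pathname","value":"/proc/1337/mem"},{"name":"flags","value":"O_RDONLY"}]}`,
	// a process opening its own memory (containerised, so hostProcessId differs): ignored
	`{"eventName":"security_file_open","processId":1337,"hostProcessId":20337,"processName":"node","args":[{"name":"pathname","value":"/proc/1337/mem"}]}`,
	// unrelated file open: ignored
	`{"eventName":"security_file_open","processId":99,"hostProcessId":99,"processName":"cat","args":[{"name":"pathname","value":"/etc/passwd"}]}`,
	// /proc/<pid>/maps: not a memory read, ignored by this detector
	`{"eventName":"security_file_open","processId":4242,"hostProcessId":4242,"processName":"dumper","args":[{"name":"pathname","value":"/proc/1337/maps"}]}`,
	// startup noise that is not JSON
	`tracee-ebpf: starting`,
}

func main() {
	for _, f := range ScanLines(SampleEvents) {
		fmt.Printf("ALERT proc_mem_access: %s (pid %d) opened %s (target pid %d)\n",
			f.Reader, f.ReaderPID, f.Path, f.TargetPID)
	}
}
```

Feeding real output works the same way: pipe tracee-ebpf's JSON events into ScanLines one line at a time. Keying on the LSM hook rather than openat means the check also covers openat2, open_by_handle_at and any other path that reaches security_file_open.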

New Events

To power some of these new signatures and open up more possibilities for future ones, we've added two new events (the raw hooks Tracee uses to gather telemetry): kallsyms_lookup_name and bpf_attach (#2255 and #2079).

Documentation

We've restructured the documentation to be more accessible to users, as opposed to just developers. There's also a new quickstart guide for running Tracee in Kubernetes, its target use-case. Check out the documentation site here.

More Highlights

There are many fixes and code quality improvements to Tracee. This includes, but isn't limited to, new tests, standardized logging, fixes to installing Tracee with Helm, and an upgrade to the latest version of libbpf.

Breaking Changes

  • security_inode_unlink event's 'device' argument was renamed to 'dev' (#2175)

Docker images

  • docker pull docker.io/aquasec/tracee:0.9.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.9.0 (compiles non CO-RE eBPF object on startup)

Full Changelog

7954dc6 - docs: add overview to docs, contributing sections (#2275) (Jose Donizetti)
dcbcb9d - docs: stop creating docs for patch versions (#2274) (Jose Donizetti)
10b97e8 - signatures: add TRC-108 to the export list so it is installed (Rafael David Tinoco)
5271aef - signatures: do not install rego signatures by default (Rafael David Tinoco)
ecd378b - kerneltest: test new golang sigs instead of rego ones (Rafael David Tinoco)
bb5bb07 - signature: use socket_dup event instead of dup(s) syscalls in stdio_over_socket.go (RoiKol)
6a0f8a3 - signatures: use helpers to get addr argument details (RoiKol)
2694bdf - signatures: serialize TRC IDs (RoiKol)
5add098 - signature: use sched_process_exec instead of execve in kubernetes_api_connection.go sig (RoiKol)
3fc7d0e - signature: add syscall_table_hooking.go sig (RoiKol)
a5e955a - signature: add proc_fops_hooking.go sig (RoiKol)
08e363e - signature: add kubernetes_certificate_theft_attempt.go sig (RoiKol)
40fc0cd - signature: add kernel_module_loading.go sig (RoiKol)
0046569 - signature: add k8s_service_account_token.go sig (RoiKol)
36e5808 - signature: add illegitimate_shell.go sig (RoiKol)
305c7b4 - signature: add fileless_execution.go sig (RoiKol)
b5c88c3 - signature: add dynamic_code_loading.go sig (RoiKol)
904ace4 - signature: add disk_mount.go sig (RoiKol)
4e7fd14 - signature: add process_vm_write_code_injection.go sig (RoiKol)
cc469cb - signature: add ptrace_code_injection.go sig (RoiKol)
cd26823 - signature: add anti_debugging_ptraceme.go sig (RoiKol)
071bdfc - signature: add hidden_file_created.go sig (RoiKol)
d84122c - signature: add proc_mem_access.go sig (RoiKol)
b1013aa - signature: add proc_kcore_read.go sig (RoiKol)
2125a85 - signature: add core_pattern_modification.go sig (RoiKol)
a63f0b2 - signature: add rcd_modification.go sig (RoiKol)
f120665 - signature: add cgroup_release_agent_modification.go sig (RoiKol)
cc897ab - signature: add system_request_key_config_modification.go sig (RoiKol)
64356d7 - signature: add sched_debug_recon.go sig (RoiKol)
5150eb5 - signature: add sudoers_modification.go sig (RoiKol)
80f1aaa - signature: add default_loader_modification.go sig (RoiKol)
ab1f7b1 - signature: add cgroup_notify_on_release_modification.go sig (RoiKol)
7a48cea - signature: add ld_preload.go sig (RoiKol)
6885524 - signature: add scheduled_task_modification.go sig (RoiKol)
c173d22 - signature: add docker_abuse.go sig (RoiKol)
5b029ff - signature: add proc_mem_code_injection.go sig (RoiKol)
7b8b964 - signature: add dropped_executable.go sig (RoiKol)
f78982b - signature: add aslr_inspection.go sig (RoiKol)
4e9750a - Update tracee tags in deployments (#2256) (grantseltzer)
1376dfa - docs: restructuring documentation (#2265) (Jose Donizetti)
abf218b - docs: update RELEASING.md to publish helm (#2270) (Jose Donizetti)
cb1d0f3 - k8s: make postee optional (#2268) (Jose Donizetti)
53e1bbc - k8s: add kind to helm publishing for testing (#2263) (Jose Donizetti)
6242a21 - rules: migrate log calls to new logger (#2224) (Shubham Palriwala)
784df91 - events: add kallsyms_lookup_name event (RoiKol)
fe7cbbb - events: add bpf_attach event (#2079) (roikol)
3e24071 - Upgrade libbpfgo to v0.4.3-libbpf-1.0.1 and (#2220) (grantseltzer)
2f49db4 - integration: fix integration tests (#2250) (Rafael David Tinoco)
ae12514 - refactor: improve help handling (#2241) (Jose Donizetti)
bd48dd2 - Fix helm publishing (#2247) (Jose Donizetti)
88791a7 - k8s: fix helm publishing (#2245) (Jose Donizetti)
9a1f8c9 - refactor: remove debug flag from pkg/server (#2239) (Jose Donizetti)
f44a435 - uprobe: fix uprobe trigger triggered from multiple tracee instances (#2230) (AsafEitani)
9965fd9 - tests: add filters tests and benchmarks (Nadav Strahilevitz)
9e8ba73 - filters: refactor to allow multiple parses (Nadav Strahilevitz)
05bf6f5 - filters: add error files (Nadav Strahilevitz)
4f8684a - filters: add Min and Max methods (Nadav Strahilevitz)
1529dbe - filters: move enabling logic to methods (Nadav Strahilevitz)
cb56c15 - filters: encapsulate min, max, args and ret logic (Nadav Strahilevitz)
6697e68 - filters: split into bpf filters (Nadav Strahilevitz)
98666e1 - filters: add filter constructors (Nadav Strahilevitz)
5dbc539 - filters: reuse StringFilter in ArgFilter (Nadav Strahilevitz)
c75230e - flags: remove tests (Nadav Strahilevitz)
bb611da - events: add GetID helper (Nadav Strahilevitz)
81eb1b3 - filters: add prefix and suffix sets (Nadav Strahilevitz)
f363f1c - pkg/ebpf: fix bug in support for arg types (#2228) (Alon Zivony)
dd41bad - pkg/ebpf+events: created new event for sigaction (Alon Zivony)
4a918e2 - pkg/ebpf: fix get_node_addr macro (Alon Zivony)
024d5b4 - events: include 32bit syscalls in syscall event range (#2218) (Nadav Strahilevitz)
5c2aabe - container enrichment: skip enriched events (#2214) (Nadav Strahilevitz)
a929e9d - metrics: add events filtered stat (#2212) (Nadav Strahilevitz)
c29685c - kerneltest: fix test name variable (#2213) (Rafael David Tinoco)
ec9bcd1 - logger: change API function names (#2208) (Geyslan Gregório)
968152e - log: introduce logger package (#2110) (Geyslan Gregório)
1efc149 - docs: fix symbols_loaded typos (Nadav Strahilevitz)
3989bc3 - events: move symbols_loaded to userspace event ids (Nadav Strahilevitz)
23666f8 - pkg/ebpf: quick fix for args_map memory leak (Alon Zivony)
374e729 - tracee.bpf.c: fix submit of shared_object_loaded (Nadav Strahilevitz)
bfdd481 - README: Fix typo (Margarita Manterola)
306275d - types/trace: support arbitrary pointers in json (#2182) (Alon Zivony)
bc58ca8 - Test: Add Unit tests for params under event parsing (#2199) (Shubham Palriwala)
264056c - refactor: clean up tracee-rules/main.go (#2194) (Jose Donizetti)
b567f6b - fix: change k8s version to 0.8.3 (#2195) (Jose Donizetti)
c0ffcc6 - Test_getTailCalls: fix intermittent failure (#2192) (Nadav Strahilevitz)
cedb4c3 - README: fix indention of "docker run" blocks (#2193) (Nils Hanke)
fefeb08 - pprof: move to server package (#2180) (Jose Donizetti)
c0d24c7 - docs: small fixes (Yaniv Agman)
4f2d828 - bpf-nocore: remove compilation warnings and unused variables (#2179) (Rafael David Tinoco)
ccfb903 - deprecation: adjust deprecation warnings (Rafael David Tinoco)
a8a3668 - parse_args: fix {get,set}sockopt new parse option (Rafael David Tinoco)
9cd4e86 - capabilities: fix usage of kernel version interface (grantseltzer)
4848140 - libbpf: bump to v1.0.0 (Rafael David Tinoco)
ca6e82f - libbpfgo: bump to v0.4.0-libbpf-1.0.0-8-g14c6bc9 (Rafael David Tinoco)
8468f89 - events: rename security_inode_unlink device arg (#2175) (AsafEitani)

v0.8.3

19 Sep 19:50
792b510

This is a very small release, mostly triggered by a security update to OPA.

Breaking changes

There should be no breaking changes.

Highlights

Fixes/Security Updates

  • Bump OPA dependency from v0.42.0 to v0.44.0 (#2172)
  • Fixed security_file_open event dependencies (#2166)

Improvements

  • New /healthz endpoint for both tracee-ebpf and tracee-rules (#2116)
  • security_inode_unlink event has been enriched with more arguments (#2136)
  • You can now specify env DEBUG=1 while building to include DWARF symbols (#2164)

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.3 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.3 (compiles non CO-RE eBPF object on startup)

Full Changelog

792b510 - security: bump OPA from 0.42.0 to 0.44.0 (#2172) (Rafael David Tinoco)
5b91c25 - events_derived: merge into existing files (Nadav Strahilevitz)
f1ebce6 - events/derive: simplify files (Nadav Strahilevitz)
a573fe2 - tracee: debug mode: only enable net probes if needed (Rafael David Tinoco)
0321b78 - docs/installing: add 'tracee-system' namespace to the manual installation (#2167) (Vitor Duque)
e53c5c0 - net_events: remove current net debugging mechanism (Rafael David Tinoco)
42d9a2c - tracee.bpf.c: move license and kernel version to the top (Rafael David Tinoco)
048daa8 - pkg/ebpf: enrich security_inode_unlink (#2136) (Alon Zivony)
7a82831 - events: add execve and execveat to security_file_open syscalls (#2166) (Nadav Strahilevitz)
63cead8 - feat: add healthz endpoint (#2116) (Jose Donizetti)
c83ac80 - Makefile: add DEBUG flag to enable symbols (#2164) (Geyslan Gregório)
999e44f - k8s: fix tracee version to latest release v0.8.2 (#2162) (Jose Donizetti)

v0.8.2

12 Sep 19:53
b02c7a1

This release continues the trend of more frequent smaller releases. It contains mostly bug fixes and performance optimizations.

Highlights

Breaking Changes

There should be no breaking changes.

Fixes

  • Optimizations to syscall enter/exit hooks (#2080)
  • Optimizations with likely/unlikely macros (#2131)
  • Lowered the threshold to drop CAP_SYS_ADMIN for better consistency on various distributions (#2078)
  • Resolved arm64 compilation problems (#2103)
  • Use /proc/self/exe instead of Go os.Executable to resolve runtime errors (#2103)
  • Add requirement of CAP_SYS_PTRACE to the capture_exec event (#1932)
  • Remove symbols loaded errors that should be warnings (#2129)
  • Added LIBBPFGO_OSRELEASE_FILE to falco sidekick k8s deployment (#2142)
  • Resolved an issue with applying the context from triggering events (#2090)
  • Style fixes (#2112)
  • Updated postee in helm charts (#2111)
  • Resolved an issue where a nil pointer dereference occurred when net interface wasn't specified (#2066)

New Features

  • New ability to bypass dropping of capabilities via the --caps allow-failed-drop and --caps cancel-drop options (#2008)
  • Daily tests workflow and respective badge (#2064)

Thanks for your valuable contributions @cdelzotti!

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.2 (compiles non CO-RE eBPF object on startup)

Full Changelog

1bca152 - docs/tracing: fix typo (#2149) (P1nant0m)
afa6347 - deprecation: adjust deprecation warnings (Rafael David Tinoco)
9001dbc - capabilities: fix usage of kernel version interface (grantseltzer)
fdacd94 - parse_args: fix {get,set}sockopt new parse option (grantseltzer)
eb1fe11 - libbpfgo: update to latest (1.0.0+) (Rafael David Tinoco)
911d01b - libbpf: upgrade to v1.0.0 (grantseltzer)
1c8fef2 - docs/building: fix typo (grantseltzer)
d7ff24e - makefile: remove clang-tidy as checker (Rafael David Tinoco)
49e75bc - makefile: get rid of dist/tracee.bpf bundle (Rafael David Tinoco)
d1c360e - ebpf: add get_task_syscall_id helper (#2134) (Nadav Strahilevitz)
9e39079 - bug: add LIBBPFGO_OSRELEASE_FILE to falcosidekick (#2142) (Jose Donizetti)
8f1b398 - pkg/events/derive: silence symbols loaded errors (#2129) (Alon Zivony)
66ee9a7 - tracee.bpf.c: optimize with unlikely (#2131) (Nadav Strahilevitz)
fef3871 - tracee.bpf.c: optimize sys_enter and sys_exit (#2080) (Nadav Strahilevitz)
a038cc7 - refactor: remove not used return argument (Jose Donizetti)
913c2a7 - uprobes: adjust calling convention for uprobe handlers (Rafael David Tinoco)
2c041f6 - uprobes: open /proc/self/exe instead of os.Executable() (Rafael David Tinoco)
ba22939 - arm64: move comment for better indentation (Rafael David Tinoco)
0aa26f4 - tracee: do not tailcall undefined syscalls (Rafael David Tinoco)
2bc7519 - arm_kprobe: change hook point to satisfy arm64 missing symbol (Rafael David Tinoco)
cbd102b - tracee.bpf.c: fix arm64 compilation problems (Rafael David Tinoco)
509dc06 - events: change addr arguments to type pointer (#2128) (roikol)
b6dcf11 - pkg/ebpf: open files in output dir using FD (Alon Zivony)
da38117 - pkg/events: add missing capabilities to capture exec (Alon Zivony)
997cc37 - cmd/tracee-ebpf: divide capabilities dropping to stages (Alon Zivony)
c2bfd11 - containers/runtime: move autodiscover to package (#2081) (Nadav Strahilevitz)
c20afb4 - refactor: style fixes (#2112) (Jose Donizetti)
c631deb - feat(deps): Bump up Postee Helm chart version. (#2111) (simar7)
2af18f3 - README: remove badge for removed workflow (Rafael David Tinoco)
ea5fcc8 - workflows: remove redundant test being done to each PR (#2106) (Rafael David Tinoco)
5ebdfe7 - k8s: fix tracee version to latest release v0.8.1 (#2099) (Jose Donizetti)
bedba05 - k8s: fix kustomization.yaml (#2101) (Jose Donizetti)
edcaf81 - trigger: fix context apply (#2090) (Nadav Strahilevitz)
d4ad612 - tracee-tester: spin-off tracee-tester related files (#2091) (Rafael David Tinoco)
a2fd2c4 - trigger: move event triggering logic out of derive (#2069) (Nadav Strahilevitz)
5f765aa - enrich: add queue cleaner goroutine (#2084) (Nadav Strahilevitz)
f396d91 - events: add security_inode_rename event (#2045) (Rafael David Tinoco)
7097533 - ebpf: parse events fd arguments to filenames (Geyslan Gregório)
df76fa1 - ebpf: standardize and reorder syscall names (Geyslan Gregório)
eef81b1 - tracee-ebpf: remove bufs_off map (#1866) (Yaniv Agman)
f679919 - Lowering the threshold to drop CAP_SYS_ADMIN (#2078) (cdelzotti)
5a5762e - cmd/tracee-ebpf: add capabilities dropping bypasses (#2008) (Alon Zivony)
3f8f409 - Add daily tests workflow and respective badge (#2064) (G Gregório)
3f78d22 - parse_args: fix cases where arg type didn't change (#2072) (Nadav Strahilevitz)
0cc6166 - fix: capture net filter nil pointer error (#2067) (cdelzotti)
32748d6 - docs/integrating: fix docker run command (#2065) (Calvin Xiao)

v0.8.1

11 Aug 19:01
8d6da1b

This release is smaller than v0.8.0, continuing an intended trend towards more frequent, smaller releases.
It contains many fixes and some impactful new features.

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.1 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

  • There should be no breaking changes

Fixes

  • Fixed a flood of errors being surfaced while loading symbols (#2037)
  • The Tracee container no longer duplicates probing of Linux proc capabilities (#2056, thanks @cdelzotti!)
  • Added perf_event_paranoid-dependent capability support (#2033, thanks @cdelzotti!)
  • Recommissioned disabled integration tests (#2017)
  • Converted manually run eBPF programs to use uprobes instead of ioctls (#2031)
  • many more... see full changelog

New Features

  • New package for initializing a tracee-ebpf object (#2006)
  • New symbols_loaded event to monitor shared object exported symbols (#2014)
  • Added ELF interpreter ctime to sched_process_exec event (#1977)

Full Changelog

8d6da1b - pkg/events/derive: prevent spam errors with symbols_loaded (#2037) (Alon Zivony)
546aa65 - retain context of triggering event to the triggered event (#2049) (AsafEitani)
57bda50 - fix: fix hooked_seq_ops argument type and register in gob (#2058) (AsafEitani)
5bdaedc - delete minor unreachable code caused by t.FailNow (#2057) (Abirdcfly)
42f5074 - builder: Remove cap probing for trace subcommand (#2056) (cdelzotti)
30f2078 - refactor: add TODO comments for a future refactoring PR (AsafEitani)
a1dcca7 - fix: satisfy verifier on kernel 5.4 (AsafEitani)
1f67247 - events: combine hooked_seq_ops event output to one event (AsafEitani)
4105fe7 - bpf: refactor save_u64_arr_to_buf (AsafEitani)
803b6b4 - probes: create new uprobe hooks for needed uprobe triggers (AsafEitani)
1ad5f60 - docs: fix symbols_loaded event doc (#2054) (Alon Zivony)
67941b6 - derive: fix libs whitelist of symbols_loaded (#2048) (Alon Zivony)
9b31c56 - Add perf_event_paranoid capability support (#2033) (cdelzotti)
362a6f2 - tracee-bench: prometheus.sh to be executed from any origin (Rafael David Tinoco)
8782c17 - tracee-bench: adjust makefile targets (Rafael David Tinoco)
f4a8ec5 - tracee-bench: tool to track performance information (#1985) (Nadav Strahilevitz)
f35e039 - pkg/ebpf: fix container started flag value (#2044) (Alon Zivony)
f4baab6 - pkg/ebpf: add container_started event flag (#2032) (Alon Zivony)
e785ea9 - types: add context flags with container flag to event (#2041) (Alon Zivony)
db8fc2b - fix broken link for prerequest in ReadMe file (#2040) (Mor Weinberger)
c7c717c - recommission integration tests (#2017) (Nadav Strahilevitz)
fcdb1d6 - pkg/ebpf: change authentication symbol for kallsyms (#2035) (Alon Zivony)
fdc4e7f - ebpf: add event to monitor SOs exported symbols (#2014) (Alon Zivony)
09f73af - fix: typo fix in comment (p1nant0m)
cb56c6a - kerneltest: improve error handling and stderr output (Rafael David Tinoco)
db8d7f5 - Revert "pkg/ebpf: add container_started event flag (#1984)" (Rafael David Tinoco)
97b0363 - Revert "types: add context flags with container flag to event (#2007)" (Rafael David Tinoco)
d2d0061 - fix: verifier error on arm due to register reuse (#2024) (AsafEitani)
1371089 - tests: disable fail-fast on pr workflow (#2021) (Nadav Strahilevitz)
d6de9ef - pkg/ebpf: add container_started event flag (#1984) (Alon Zivony)
45d2bad - tests: use kerneltest.sh instead of distro-tester logic (Rafael David Tinoco)
d1a9b99 - tests: remove distro-tester after replaced by kerneltest.sh (Rafael David Tinoco)
2339d3e - types: add context flags with container flag to event (#2007) (Alon Zivony)
82d5f2b - pkg/utils/shared_objects: load dynamic symbols (Alon Zivony)
b02939c - pkg/containers: resolve host absolute container path (Alon Zivony)
d5320ed - tracee-ebpf: export initialization logic (#2006) (Nadav Strahilevitz)
d7552d6 - tests: remove core and non-core tests temporarily (Rafael David Tinoco)
2cdb276 - containers: containers_map set by package initialization (#1998) (Rafael David Tinoco)
cd0db36 - ubuntu: impish is EOL, move things to jammy (LTS) (#2004) (Rafael David Tinoco)
1cd5e6d - events_enrich: do not try to close nil channel (#2000) (Rafael David Tinoco)
9639325 - tracee: split new between new and init (#1997) (Nadav Strahilevitz)
da72927 - pipeline: fix container lifecycle events (Yaniv Agman)
1286f6f - ebpf: don't submit exit events unless required (Yaniv Agman)
0b29052 - filters: package cleanup and streamlining (#1995) (Nadav Strahilevitz)
aaf3bd9 - flags: file renames and add tests (#1993) (Nadav Strahilevitz)
5153bbc - pkg/ebpf: add interpreter ctime (#1977) (Alon Zivony)
dc946f7 - filters: separate into new package (#1992) (Nadav Strahilevitz)
8ee9e0a - ebpf: simplify filters logic (Yaniv Agman)
277d305 - containers: add Close function for cleanup (#1982) (Nadav Strahilevitz)
226d50c - fix: update kallsyms only when hooked events are selected (#1983) (AsafEitani)
35b39b5 - feat(deps): Upgrade Postee Helm chart version (#1924) (simar7)
41077b3 - k8s: fix tracee version to latest release v0.8.0 (#1975) (Rafael David Tinoco)
8f8b515 - ebpf: fix old pid_ns resolution (#1972) (#1973) (Song Chen)

v0.8.0

14 Jul 21:38
db48b41

Docker Images

docker pull docker.io/aquasec/tracee:0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

  • Helm Chart still points to the v0.7.0 release (please fix it manually) #1975

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unrequired linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

v0.8.0-rc-2

14 Jul 16:38
9862480
v0.8.0-rc-2 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0-rc-2 (compiles non CO-RE eBPF object on startup)

v0.8.0-rc-1

03 Jul 20:34
549e411
v0.8.0-rc-1 Pre-release

v0.8.0

Docker Images

docker pull docker.io/aquasec/tracee:v0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unrequired linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

v0.7.0

28 Mar 21:27
71a6004

v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)

What's Changed

Features

  • BTFHub Support (#1226)
  • Added support for tracing many new 32- and 64-bit system calls (#1245, #1196)
  • sched_process_fork event now includes pid of both processes (#1280)
  • New Hidden Inode event (#1187)
  • New capabilities package (#1256)
  • Many new documentation files and improvements
  • New process context map (#1300)
  • Support for libbpf/libbpfgo 0.7
  • Container lifecycle events (#1397)
  • Container ID filtering (#1426)
  • Sorting of events by timestamp (#1103)
  • New decoder package (#1405)
  • Introducing packages for linux distros (#1403, #1479)
  • Prometheus support (#1404)
  • New net_packet event (#1469)
  • New security_path_symlink event (#1490)
  • Expanded kconfig to BPF code (#1512)
  • New existing_containers event (#1519)
  • eBPF events caching option (#1527)

Fixes

  • Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
  • Remove false positives for memfd executables (#1207)
  • Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
  • Corrected incorrect PPID in ebpf events (#1244)
  • Fix non-systemd docker runtime support (#1319)
  • Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
  • eBPF non-core will not be built during tracee-ebpf execution (#1273)
  • Proper handling of errors when BPF object can't be loaded (#1349)
  • Reordering variables on the stack (#1281)
  • Refactoring of events map (#1293)
  • Update to go 1.17 (#1084)
  • Stats for lost events are printed to stderr (#1387)
  • Fixed missing security lockdown sysfs file (#1402)
  • Improved testing (#1282, #1410, #1411, #1416)
  • Fix for inequality filter in tracee-ebpf (#1419)
  • Fixed pcap packet data (#1500)

New Contributors

Full Changelog: v0.6.5...v0.7.0

v0.7.0-rc-2

28 Mar 19:04
80c6d4e
v0.7.0-rc-2 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-2 (compiles non CO-RE eBPF object on startup)

v0.7.0-rc-1

21 Mar 17:21
v0.7.0-rc-1 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-1 (compiles non CO-RE eBPF object on startup)