Releases: aquasecurity/tracee
v0.15.0
Docker Image (x86_64 only)
docker pull docker.io/aquasec/tracee:0.15.0
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.15.0
docker pull docker.io/aquasec/tracee:aarch64-0.15.0
What's Changed
- workflow: add cosign to release snapshot by @josedonizetti in #3102
- workflow: add cosign to release snapshot by @josedonizetti in #3104
- workflow: ignore cosign prompt by @josedonizetti in #3105
- workflow: sign aquasec/tracee:x86_64-dev by @josedonizetti in #3106
- k8s: enrichment enabled by default by @josedonizetti in #3096
- docs: remove classic-docs by @josedonizetti in #3099
- workflow: sign release images by @josedonizetti in #3107
- refactor: add broadcast printer by @josedonizetti in #3090
- k8s: remove postee dependency by @josedonizetti in #3089
- policies: fix args filtering by @josedonizetti in #3115
- tracee: add ready callback by @josedonizetti in #3117
- Add k8s configmap by @josedonizetti in #3091
- fix: file_modification not triggered in newer kernels by @roikol in #3127
- docs: fix mkdocs by @josedonizetti in #3131
- k8s: add readiness probe by @josedonizetti in #3128
- refactor: move PolicyFile to policy pkg by @josedonizetti in #3125
- k8s: add default signatures policy by @josedonizetti in #3130
- k8s: fix helm installation by @josedonizetti in #3134
- k8s: fix k8s installation docs by @josedonizetti in #3139
- k8s: add helm test workflow by @josedonizetti in #3138
- types: add DataSource type for signatures by @rafaeldtinoco in #3141
- 3026 rebased by @rafaeldtinoco in #3142
- ebpf: create function prototypes in all headers by @rafaeldtinoco in #3133
- policy: fix validation of args and retval by @josedonizetti in #3144
- logger: flags: add filter and filter-out by @geyslan in #3137
- docs: examples: place examples files by kind by @geyslan in #3146
- Add policy printer by @josedonizetti in #3126
- bpf attach raw tracepoint support (rebase of #3060) by @rafaeldtinoco in #3148
- Feature/capture read by @AlonZivony in #2356
- events: improve hidden_kernel_module by @OriGlassman in #3001
- types: add ContainerID field back by @NDStrahilevitz in #3155
- chore: restore old ContainerID field by @NDStrahilevitz in #3154
- bpf: fix int truncation in address holder by @geyslan in #3159
- docs: add data sources by @NDStrahilevitz in #3164
- ebpf: events: set policies for init events by @geyslan in #3162
- policy: add not-equal operator parsing by @geyslan in #3168
- printer: fix policy printer by @josedonizetti in #3149
- docs: update docs for bpf_attach event by @roikol in #3178
- docs: add read capture and new filters docs by @AlonZivony in #3157
- Fix docs by @josedonizetti in #3175
- policy: actions printers configured with -output by @josedonizetti in #3176
- events: fix hidden_kernel_module trigger time by @OriGlassman in #3189
- tracee: clean up untraced signatures by @NDStrahilevitz in #3193
- Revert "tracee: clean up untraced signatures" by @josedonizetti in #3194
- policy: fix output options by @josedonizetti in #3192
- tracee: fix output configuration via configfile by @josedonizetti in #3187
- types: change Event fields by @geyslan in #3196
- ebpf: Pipeline and BPF Network policy matching by @geyslan in #3183
- ebpf: bitwise should_submit_net_event return by @geyslan in #3198
- Fix path check multiple pids by @josedonizetti in #3205
- k8s: bump release tag to 0.15.0 by @josedonizetti in #3204
- workflow: fix contents permissions by @josedonizetti in #3206
Full Changelog: v0.14.2...v0.15.0
v0.14.2
Docker Image (x86_64 only)
docker pull docker.io/aquasec/tracee:0.14.2
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.14.2
docker pull docker.io/aquasec/tracee:aarch64-0.14.2
What's Changed
- release: fix arm64 release file by @rafaeldtinoco in #3084
- release: fix arm64 releasing workflow by @rafaeldtinoco in #3085
- build(deps): bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible by @dependabot in #3094
- btfhub: fix tracee container image with btfhub by @rafaeldtinoco in #3095
- btfhub: extract embedded BTF file correctly by @rafaeldtinoco in #3097
- Fix logger by @josedonizetti in #3092
Full Changelog: v0.14.1...v0.14.2
v0.14.1
Docker Image (x86_64 only)
docker pull docker.io/aquasec/tracee:0.14.1
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.14.1
docker pull docker.io/aquasec/tracee:aarch64-0.14.1
What's Changed (Bug Fix Release)
- feat: support running tracee from pid ns by @roikol in #3037
- libbpfgo: trim suffix newline from libbpf message by @geyslan in #3038
- cli: don't sort flags in help/usage messages by @yanivagman in #3042
- cmd: log only after tracee.Run() by @geyslan in #3048
- ebpf: use new libbpf syscall macros by @yanivagman in #3040
- workflow: move workflows to aqua infrastructure by @rafaeldtinoco in #3056
- tracee: move metrics register to tracee by @NDStrahilevitz in #3049
- cmd: cobra: fix parsing for multiple values by @geyslan in #3058
- add pid to memory capture and change the timestamp to epoch or relative by @AsafEitani in #3047
- v0.14.1 dependencies updates (security, ...) and an urfave quick fix by @rafaeldtinoco in #3067
- fix deadlocks triggered by cancelled ctx by @geyslan in #3059
- change mem_prot_alert alert from W+E to W by @AsafEitani in #3073
- change mem_prot_alert to detect W to E instead of W+E to E. by @AsafEitani in #3062
- make print_mem_dump reprint on kernel module load by @AsafEitani in #3072
- fix for kernels v6.3 and mitigation for tracee.pid in tests by @rafaeldtinoco in #3076
- remove pid file on exit by @geyslan in #3075
- Bump libbpfgo to v0.4.8.1-libbpf-1.2.0 by @geyslan in #3080
- fix: correct list of bpf helpers by @roikol in #3064
- tracee: warn only if pidfile removal fails by @rafaeldtinoco in #3081
Full Changelog: v0.14.0...v0.14.1
v0.14.0
⚡️ Release notes: https://github.com/aquasecurity/tracee/discussions/3041 ⚡️
Docker Image (x86_64 only)
docker pull docker.io/aquasec/tracee:0.14.0
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.14.0
docker pull docker.io/aquasec/tracee:aarch64-0.14.0
What's Changed
- fix: strip v from docker images tags by @josedonizetti in #2985
- temporary: adjust github image tags for latest releases by @rafaeldtinoco in #2986
- temporary: typo fix for arm64 release tag by @rafaeldtinoco in #2987
- temporary: remove temporary workflow that fixed docker tags by @rafaeldtinoco in #2988
- performance: introduce automated performance dashboard with pyroscope by @rafaeldtinoco in #2968
- logger: refactor logger configuration by @NDStrahilevitz in #2971
- feat: support unmarshalling trace types by @roikol in #2937
- chore: bump postee to 2.9.0 by @josedonizetti in #2981
- capabilities: drop capabilities by default by @rafaeldtinoco in #2924
- fix: add file to error message when parsing yaml by @josedonizetti in #2995
- consume remaining events after ctx is done by @geyslan in #2969
- docs: remove tracee-action mention by @josedonizetti in #2997
- Important Network Fixes for Tracee by @rafaeldtinoco in #2982
- Enable a Debug Shell for Test Runners by @rafaeldtinoco in #2999
- workflow: raise timeout limit for debug shell jobs by @rafaeldtinoco in #3005
- feat: unmarshall trace types correctly by @roikol in #2996
- feat: use new types in signatures by @rafaeldtinoco in #3009
- fix: support null values in unmarshalling by @roikol in #3011
- types: update tracee to use latest types by @rafaeldtinoco in #3012
- fix multiple symbols prints bug by @AsafEitani in #3002
- Capabilities fixes by @rafaeldtinoco in #3006
- fix: kernel version comparison by @roikol in #3022
- fix: detect container id from cgroup in GitHub Action by @ShiraCohen33 in #3021
- events: fix missing capability hidden_kernel_module by @OriGlassman in #3014
- ebpf: non non-core. building files. by @rafaeldtinoco in #3015
- tracee: add engine field to tracee object by @NDStrahilevitz in #3024
- events: fix hidden_kernel_module derivation by @rafaeldtinoco in #3025
- Revive by @rafaeldtinoco in #3020
- Fix docs by @josedonizetti in #3010
- ebpf: adjust includes left behind by @rafaeldtinoco in #3028
- k8s: bump to 0.14.0 by @josedonizetti in #3030
- tracee one binary cli migration to cobra/viper by @geyslan in #3000
- libbpf + libbpfgo bump by @rafaeldtinoco in #3032
- workflow: fix mkdocs-dev workflow to ubuntu-latest by @rafaeldtinoco in #3034
New Contributors
- @ShiraCohen33 made their first contribution in #3021
Full Changelog: v0.13.1...v0.14.0
v0.13.1
⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2989 ⚡️
Docker Images (x86_64 only)
docker pull docker.io/aquasec/tracee:0.13.1
docker pull docker.io/aquasec/tracee:0.13.1-full
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.13.1
docker pull docker.io/aquasec/tracee:x86_64-0.13.1-full
docker pull docker.io/aquasec/tracee:aarch64-0.13.1
docker pull docker.io/aquasec/tracee:aarch64-0.13.1-full
The regular image is built with an embedded portable CO-RE eBPF object and BTFHub (for kernels that do not provide BTF info). The full image is built with an embedded portable CO-RE eBPF object and can also build a per-kernel non-CO-RE eBPF object.
What's Changed
- events: fix return value of process_execute_failed event by @OriGlassman in #2964
- Policies mntns issue and Segfault fix by @rafaeldtinoco in #2974
- docs: add bpf capture documentation by @yanivagman in #2976
- docs: fix logging documentation by @josedonizetti in #2977
- Fix mnt docs by @josedonizetti in #2978
- build(deps): bump github.com/docker/docker from 20.10.21+incompatible to 20.10.24+incompatible by @dependabot in #2979
- k8s: bump tag to 0.13.1 by @josedonizetti in #2983
- sig: engine: copy event before engine processing by @geyslan in #2984
Full Changelog: v0.13.0...v0.13.1
v0.13.0
⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2963 ⚡️
Docker Images (x86_64 only)
docker pull docker.io/aquasec/tracee:0.13.0
docker pull docker.io/aquasec/tracee:0.13.0-full
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.13.0
docker pull docker.io/aquasec/tracee:x86_64-0.13.0-full
docker pull docker.io/aquasec/tracee:aarch64-0.13.0
docker pull docker.io/aquasec/tracee:aarch64-0.13.0-full
The regular image is built with an embedded portable CO-RE eBPF object and BTFHub (for kernels that do not provide BTF info). The full image is built with an embedded portable CO-RE eBPF object and can also build a per-kernel non-CO-RE eBPF object.
What's Changed
- workflow: turn github node jobs parallel by @rafaeldtinoco in #2805
- docs: small fixes by @yanivagman in #2811
- standardize error/log first letter by @geyslan in #2812
- cleanup: order import blocks by @geyslan in #2815
- docs: fix readme links by @yanivagman in #2816
- [ARM64 TESTS] workflow: add arm64 runners and tests by @rafaeldtinoco in #2817
- builder: add goimports to tracee-make docker imgs by @geyslan in #2828
- workflow: add alma linux as rhel clone to the PR workflow by @rafaeldtinoco in #2831
- Workflow paths by @rafaeldtinoco in #2833
- docs: fix readme docs links by @josedonizetti in #2837
- events: fix signature event name by @josedonizetti in #2839
- chore: go mod tidy by @josedonizetti in #2843
- workflow: pr: reenable TRC-103 by @geyslan in #2840
- workflow: pr: enable tests in arm64 and rhel_arm64 by @geyslan in #2844
- workflow: test other tools builds as well by @rafaeldtinoco in #2848
- maintenance: build: enable arm64 container images, fix building by @rafaeldtinoco in #2849
- workflow: update AMI IDs for 30GB images by @rafaeldtinoco in #2850
- workflow: change release AMI IDs to latest by @rafaeldtinoco in #2851
- chore: fix deprecated nodejs warning for github action by @rafaeldtinoco in #2856
- go: update runc from 1.1.2 to 1.1.4 due to security by @rafaeldtinoco in #2857
- workflow: login to docker.io before docker pulls by @rafaeldtinoco in #2859
- go: fix security issue CVE-2022-1996 by @rafaeldtinoco in #2861
- workflow: fix release-snapshot with dev-full tag by @rafaeldtinoco in #2862
- feat: add PTRACE_POKEDATA to ptrace_code_injection by @roikol in #2846
- workflow: fix: github login action not working by @rafaeldtinoco in #2865
- chore: enable btfhub after arm64 changes by @rafaeldtinoco in #2867
- workflow: change release AMI IDs to latest (#2851) by @rafaeldtinoco in #2869
- feat: add inotify_find_inode event by @roikol in #2794
- errfmt: introduce new package for error formatting by @geyslan in #2842
- workflow: update AMI IDs by @rafaeldtinoco in #2872
- workflow: add PRs labeler by @rafaeldtinoco in #2875
- workflow: updates to the workflow by @rafaeldtinoco in #2877
- workflow: snapshot labels for jenkins are too long by @rafaeldtinoco in #2878
- types: add SignatureContext type for init by @NDStrahilevitz in #2880
- Logger in signatures by @NDStrahilevitz in #2864
- types: matchedScopes -> matchedPolicies by @geyslan in #2881
- rename scopes related to policies by @geyslan in #2845
- make go routines shutdown gracefully by @geyslan in #2784
- ebpf: remove params_type_map and use events_map instead by @yanivagman in #2825
- workflow: re-enable v4.19 and add arm64 version by @rafaeldtinoco in #2879
- workflow: add amzn2 5.10 kernel AMIs to tests by @rafaeldtinoco in #2885
- ebpf: remove bin_args_map by @yanivagman in #2813
- tests: disable cache for integration tests by @geyslan in #2884
- workflow: add gke 5.4, 5.10 and 5.15 kernel AMIs to tests by @rafaeldtinoco in #2886
- check relevant error returns by @geyslan in #2818
- fix: base event filters by @yanivagman in #2897
- fix: fix old_path arg of security_inode_rename by @roikol in #2895
- add bpf byte code capture by @AsafEitani in #2874
- feat: add helpers list to bpf_attach by @roikol in #2855
- ebpf: align execve enter and exit timestamps by @yanivagman in #2853
- workflow: pr: enable tests in all archs by @geyslan in #2863
- workflow: pr: enable TRC-104 test in RHEL ARM64 by @geyslan in #2910
- fix: use correct type for bpf helpers by @roikol in #2912
- feat: use libbpfgo helpers to parse bpf helpers by @roikol in #2905
- libbpf bump by @geyslan in #2911
- Revert "libbpf: bump to v1.1.0 (#2911)" by @rafaeldtinoco in #2917
- refactor: move log-file to be under --log by @josedonizetti in #2909
- skip arg filtering for PrintMemDump by @geyslan in #2914
- Policies by @josedonizetti in #2892
- types: add container and kubernetes context fields by @NDStrahilevitz in #2921
- Enrich image digest by @NDStrahilevitz in #2760
- add syscall support for print_mem_dump by @AsafEitani in #2903
- types: event policy name by @geyslan in #2922
- containers: parse ContainerID by inner cgroup by @NDStrahilevitz in #2925
- policy: enrich matched event with policy name by @geyslan in #2923
- Policy number CLI removal by @geyslan in #2919
- Feature/improve symbols loaded performance by @AlonZivony in #2891
- tests: re-enable integration for policies by @geyslan in #2927
- events: add process_execute_failed event by @OriGlassman in #2858
- events: prevent symbols map cache corruption by @AlonZivony in #2930
- chore: add tracee logos by @itaysk in #2931
- build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 by @dependabot in #2932
- policies: fix container scope by @josedonizetti in #2938
- Add hidden linux kernel module event by @OriGlassman in #2714
- docs: add policies reference documentation by @josedonizetti in #2936
- docs: update docs to reflect new binary by @geyslan in #2939
- improve policies overview by @yanivagman in #2947
- Fix policy docs newline by @yanivagman in #2948
- k8s: bump version by @rafaeldtinoco in #2949
- chore: release minor fixes by @rafaeldtinoco in #2951
- release: makefile change to sign all images by @rafaeldtinoco in #2952
- release: crane is buggy, remove until fixed by @rafaeldtinoco in #2953
- makefile: remove cosign leftover and fix release makefile by @rafaeldtinoco in #2955
- workflows: make release like the snapshot logic by @rafaeldtinoco in #2958
- release: fix relea...
v0.12.0
⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2803 ⚡️
Docker images
docker pull docker.io/aquasec/tracee:0.12.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.12.0 (compiles non CO-RE eBPF object on startup)
commit log
- refactor: simplify output flags by @josedonizetti in #2700
- chore: generate k8s statics by @josedonizetti in #2703
- tracee: fix filters by @josedonizetti in #2720
- flags: remove cache-events from output help by @josedonizetti in #2729
- swap uint and containers equality order by @geyslan in #2726
- types: upgrade go-yaml by @josedonizetti in #2719
- dep: update github.com/aquasecurity/tracee/types by @josedonizetti in #2730
- ebpf: add prog_override_return arg to bpf_attach by @roikol in #2560
- build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 by @dependabot in #2732
- filterscopes: create a filterscopes pkg by @rafaeldtinoco in #2738
- log when not a container cgroup instead of err by @geyslan in #2737
- pkg/ebpf: add derived events for ld SO symbols collision (rebase) by @rafaeldtinoco in #2740
- sign container images with cosign by @developer-guy in #2607
- chore: bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #2741
- trace: add hidden kernel module struct by @OriGlassman in #2742
- adjust recently merged symbols_collision event and better document it by @rafaeldtinoco in #2743
- refactor: rules renamed to signatures by @josedonizetti in #2715
- logger: set libbpfgo logger callback by @geyslan in #2663
- events: print seconds of timespec by @roikol in #2712
- ebpf: save_args_to_submit_buf minor format change by @rafaeldtinoco in #2755
- types: add event metadata by @josedonizetti in #2752
- events: add vfs_utimes event by @roikol in #2690
- Provide Fluent Forward output option by @patrick-stephens in #2155
- chore (tests): add e2e instrumentation tests by @roikol in #2764
- Refactor output forward flag by @josedonizetti in #2766
- feat: add do_truncate event by @roikol in #2749
- Add signature event metadata by @josedonizetti in #2753
- tracee: fix args on signatures events by @josedonizetti in #2713
- tests: fix integration pkg race conditions by @geyslan in #2768
- test: fix flaky TestFindingToEvent by @josedonizetti in #2774
- workflow: move runners to jenkins by @rafaeldtinoco in #2776
- errors: improve error output by @rafaeldtinoco in #2773
- flags: cli: docs: rename trace flag to filter by @geyslan in #2767
- libbpfgo: set libbpfgo callbacks by @geyslan in #2761
- signatures: load sigs as default events by @josedonizetti in #2779
- tracee: make it the default binary by @josedonizetti in #2777
- Add multiple printers by @josedonizetti in #2746
- Add file modification event by @roikol in #2780
- Add webhook printer by @josedonizetti in #2782
- k8s: remove flag everythingIsAnEvent from helm by @josedonizetti in #2785
- Improve building docs by @rafaeldtinoco in #2787
- printer: block instead of drop events for broadcast by @josedonizetti in #2789
- k8s: fix templates to use unified binary by @josedonizetti in #2786
- k8s: bump version by @josedonizetti in #2791
- k8s: remove falcosidekiq yaml by @josedonizetti in #2795
- documentation: add syscall events markdown files from ChatGPT by @rafaeldtinoco in #2792
- gptdocs: add option to generate docs for a list of events by @rafaeldtinoco in #2800
- sets: default set can't have network events v419 by @rafaeldtinoco in #2771
- adding promtail tutorial by @AnaisUrlichs in #2781
- docs: restructure #2788 by @AnaisUrlichs in #2797
- docs: update output docs by @itaysk in #2802
New Contributors
- @developer-guy made their first contribution in #2607
- @patrick-stephens made their first contribution in #2155
Full Changelog: v0.11.1...v0.12.0
v0.11.1
v0.11.1 highlights and discussion
Docker images
docker pull docker.io/aquasec/tracee:0.11.1 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.11.1 (compiles non CO-RE eBPF object on startup)
v0.11.0
v0.11.0 highlights and discussion
Docker images
docker pull docker.io/aquasec/tracee:0.11.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.11.0 (compiles non CO-RE eBPF object on startup)
v0.10.0
Release highlights and summary
👉 https://github.com/aquasecurity/tracee/discussions/2503
Full Changelog
- k8s: update tags to 0.9.3 by @josedonizetti in #2329
- doc: move kallsyms_lookup_name event doc to new doc path by @AlonZivony in #2333
- [MAINT] btfhub: adjust ol7 path after btfhub change by @rafaeldtinoco in #2341
- k8s: fix postee dependency by @josedonizetti in #2342
- docs: add tag to kubectl apply by @josedonizetti in #2343
- pkg/ebpf: add syscalls arguments to security_file_mprotect by @AlonZivony in #2335
- feature: add stdin path to sched_process_exec by @roikol in #2216
- pkg/ebpf: fix multi use of string buf in sched_process_exec by @AlonZivony in #2345
- refactor: probes: move diff probe types to own files by @rafaeldtinoco in #2349
- refactor: pkg/cgroup and pkg/containers initial structure by @rafaeldtinoco in #2350
- [FEAT] Args syscall filter by @NDStrahilevitz in #2251
- [FIX] events_enrich: fix missing container_remove event by @NDStrahilevitz in #2357
- [FEAT] logger: debug output enrichment by @geyslan in #2254
- builder: increase alpine version to fix golang dependency by @rafaeldtinoco in #2373
- [REFACTOR] Cgroup Interface (cgroupv1 and cgroupv2 initialization) by @rafaeldtinoco in #2233
- pkg/ebpf: add arguments and doc to mem_prot_alert by @AlonZivony in #2339
- Feature/event context filter by @NDStrahilevitz in #2229
- pkg/ebpf: cancel event with missing symbols dependency by @AlonZivony in #2370
- pkg/ebpf: process existing mount ns upon initialization by @AlonZivony in #2283
- Fix capabilities initialization by @rafaeldtinoco in #2380
- pkg/events: add API to derive multiple events from single function by @AlonZivony in #2384
- pkg/procinfo: procfs errors are too frequent by @rafaeldtinoco in #2394
- [MAINT] workflows/pr: add kinetic60 and focal419 by @rafaeldtinoco in #2399
- pkg/ebpf/tracee: fix capabilities for procfs reads by @rafaeldtinoco in #2406
- types: add network protocol events types by @rafaeldtinoco in #2378
- types: add EventName to SignatureMetadata by @josedonizetti in #2408
- pkg/ebpf: change fork thread start time to be since epoch by @AlonZivony in #2387
- tracee-rules: extract getSignatures by @josedonizetti in #2413
- tracee-ebpf: extract logic into pkg/cmd by @josedonizetti in #2416
- [FEATURE] New network code with tests by @rafaeldtinoco in #2200
- tracee: add new binary by @josedonizetti in #2418
- pkg/utils/proc: log errors as debug only by @rafaeldtinoco in #2426
- tracee: make some perf buffers optional by @NDStrahilevitz in #2423
- pkg/counter: change Counter type by @geyslan in #2427
- signatures: add event name to golang sigs by @josedonizetti in #2412
- Embed test script and import environment variable by @grantseltzer in #2366
- [FEAT] Simple DNS events compatible with old ones by @rafaeldtinoco in #2425
- pkg/ebpf: reduce security_file_mprotect instructions by @AlonZivony in #2421
- printer: add container image to table printer by @NDStrahilevitz in #2232
- Streamline error logging by @NDStrahilevitz in #2403
- rules: refactor engine.New to receive sigs via Cfg by @josedonizetti in #2438
- Add AVD link from detection docs by @grantseltzer in #2326
- ebpf: fix process tree filter by @yanivagman in #2431
- rules: reenable dropped_executable by @josedonizetti in #2445
- Bugfix/rodata err 419 by @AlonZivony in #2447
- ebpf: fix error handling by @josedonizetti in #2354
- pkg/utils/sharedobjs: check open failure by @AlonZivony in #2450
- tracee: trim event name for table output by @josedonizetti in #2440
- derive: fix cgroupv1 hid false derives by @NDStrahilevitz in #2453
- rules: refactor signature name by @josedonizetti in #2455
- [FIX] network: do not run e2e-net-test for vanilla v4.19 by @rafaeldtinoco in #2456
- caps: log errors from caps Requested and cb func by @geyslan in #2459
- network: e2e-net-test v419 skip should return 0 by @rafaeldtinoco in #2461
- rules: add event name to rego signatures by @josedonizetti in #2457
- probes: fix lockup when nested raising privileges by @rafaeldtinoco in #2460
- build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 by @dependabot in #2452
- Feature/reduce sched exec instruction by @AlonZivony in #2434
- events_pipeline: run filters for derived events by @rafaeldtinoco in #2463
- Bump libbpfgo to v0.4.5-libbpf-1.0.1 by @rafaeldtinoco in #2472
- Add rules to the pipeline by @josedonizetti in #2439
- tracee: add flag to install new tracee by @josedonizetti in #2473
- sorting: add race condition checks for queues usage by @AlonZivony in #2465
- Quick start update & adding commands to create docs previous to Makefile by @AnaisUrlichs in #2478
- tracee.bpf: arm64: fix var warning for bpf-nocore by @rafaeldtinoco in #2480
- events: remove unused dependency by @yanivagman in #2464
- pkg/events/parse: use generic function to parse args by @AlonZivony in #2482
- Arg filter fixes by @rafaeldtinoco in #2488
- docs: add network events documentation to mkdocs by @rafaeldtinoco in #2494
- [FEAT] builder: add custom-rules arg opt to entrypoint.sh by @geyslan in #2493
- [FEAT] log ebpf errors by @geyslan in #2352
- k8s: bump tag to 0.10.0 by @josedonizetti in #2496
- docs: add everything is an event tutorial by @josedonizetti in #2495
- Binary filter by @yanivagman in #2385
- docs: fix typo by @josedonizetti in #2501
- network: add port arg to protocols TCP and UDP by @rafaeldtinoco in #2502