Releases: aquasecurity/tracee

v0.7.0

28 Mar 21:27
71a6004
v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)

What's Changed

Features

  • BTFHub Support (#1226)
  • Added support for tracing many new 32-bit and 64-bit system calls (#1245, #1196)
  • sched_process_fork event now includes pid of both processes (#1280)
  • New Hidden Inode event (#1187)
  • New capabilities package (#1256)
  • Many new documentation files and improvements
  • New process context map (#1300)
  • Support for libbpf/libbpfgo 0.7
  • Container lifecycle events (#1397)
  • Container ID filtering (#1426)
  • Sorting of events by timestamp (#1103)
  • New decoder package (#1405)
  • Introducing packages for linux distros (#1403, #1479)
  • Prometheus support (#1404)
  • New net_packet event (#1469)
  • New security_path_symlink event (#1490)
  • Expanded kconfig to BPF code (#1512)
  • New existing_containers event (#1519)
  • eBPF events caching option (#1527)

Fixes

  • Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
  • Remove false positives for memfd executables (#1207)
  • Huge improvements to Makefiles, Dockerfiles, and the whole build system (#1241, #1252, #1437, #1367, ...)
  • Corrected the PPID reported in eBPF events (#1244)
  • Fix non-systemd docker runtime support (#1319)
  • Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
  • eBPF non-core will not be built during tracee-ebpf execution (#1273)
  • Proper handling of errors when BPF object can't be loaded (#1349)
  • Reordering variables on the stack (#1281)
  • Refactoring of events map (#1293)
  • Update to go 1.17 (#1084)
  • Stats for lost events are printed to stderr (#1387)
  • Fixed missing security lockdown sysfs file (#1402)
  • Improved testing (#1282, #1410, #1411, #1416)
  • Fix for inequality filter in tracee-ebpf (#1419)
  • Fixed pcap packet data (#1500)

Full Changelog: v0.6.5...v0.7.0

v0.7.0-rc-2

28 Mar 19:04
80c6d4e
Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-2 (compiles non CO-RE eBPF object on startup)

v0.7.0-rc-1

21 Mar 17:21
Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-1 (compiles non CO-RE eBPF object on startup)

v0.6.5

06 Dec 16:10
2bdb16e
Changelog

2bdb16e fix help on output flags (#1205)
8f7c296 add type of stdin in sched_process_exec (#1214)
e1352f8 get file types from inode struct instead of file_operations (#1213)
83155b2 tracee-ebpf: fix pid 0 with CO-RE
9ab89fa chore: install docker in the Vagrant vm (#1197)
d9cfba2 tracee-ebpf: turn CO-RE v4.18 and beyond compatible
e22f05b tracee-ebpf: comments for co-re type flavors
fd5a64b tracee-ebpf: fix kernfs_node CORE access in RHEL8
d2a942d wait for tracee-ebpf to load
15deef4 support writing to existing files
3354b32 move readiness file out of library to main
6f3ceee docs: Re-add section for MacOS (#1194)
7e2186f add ctime to security_file_open and fix variable type (#1167)
060b554 Checking /proc/sys/kernel/ftrace_enabled (#1152)
7f9c2dc fix reading sockaddr_in struct
7a6c1af tracee-ebpf: keep deleted containers
bbc98ed tracee-ebpf: reformat fixes
1b52e96 tracee-ebpf: reformat suggestions for better readability
0c87b72 tracee-ebpf: remove unneeded asm_inline clang mitigation
7474fcc Upgrade dependencies (#1176)
ea58aba tracee-ebpf: rename co-re headers
e9b0ed6 Fix linux headers broken link in readme
74ad130 tracee-ebpf: single vmlinux header file for CO-RE
3bedc4f tracee-ebpf: remove unused VM_LINUX_H from Makefile
c1ff3f6 tracee-ebpf: clean up unused task_struct fields
c5c96c3 tracee-ebpf: get rid of BPF_NO_PRESERVE_ACCESS_INDEX ifdefs
2c2b008 tracee-ebpf: fix CO-RE sk_protocol access in 5.6 kernels
5e9ead9 vmlinux: introduce vmlinux-flavored.h to contain flavored types
d23987b tracee-ebpf: CO-RE shouldn't rely on LINUX_VERSION_CODE
a2703cf vmlinux: unify x86_64 and arm64 vmlinux CO-RE header files
0b4c9a3 vmlinux.h: remove full vmlinux.h files
439943c vmlinux: create vmlinux-core.h for arm64 builds
2a5eceb vmlinux: introduce vmlinux-core for x86_64
c82f547 makefile: fix ordering of -Wno-* flags
dbbd970 fix: use alpine:3.15 as base image to build tracee (#1173)
a38f518 docs: use mkdocs macros plugin to specify version of tracee release artifacts (#1164)
e9a2527 docs: update mkdocs version dependency (#1168)
729fe32 docs: add git_semver variable to mkdocs (#1166)
0893a08 fix: install the tini package in the tracee:slim container image (#1162)
9962191 refactor: tests for Go signatures (#1128)
c75bd90 docs: fix formatting on eBPF Compilation page (#1163)
1cb78ec docs: add cgroupns=host docker option
ea71755 tracee-ebpf: filter containers using cgroup id
5198ee0 fix wrong type assertion (#1153)
d421bb9 tracee-ebpf: use cgroup id for container id resolution (#1130)
90ed35e tracee-ebpf: don't parse pointers when parse-arguments is chosen
11915a6 tracee-ebpf: introduce MemProtAlert type in external package
a22531c add READ_USER (#1147)
7df0e9b fix: using exec-hash instead of exec-info (#1144)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.5
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.5

v0.6.4

15 Nov 20:03
Changelog

f4788a5 tracee-ebpf: fix events sent in parallel to raw_sys_exit event
71f8ff2 use plain addr argument (#1141)
df364f3 add user namespace to slim_cred struct (#1137)
cd63e86 adding ctime to sched-process-exec event. Resolves: #1075
611c200 Update Readme.md (#1078)
dc6f3af Add option for raw arguments from various event flags (#1123)
95aa7af tracee.bpf: fix READ_KERN incompat ptr type discards
6d90e79 tracee-ebpf: fix arm64 build
74a14b5 test: even params formatter (#1100)
c999952 docs: fix formatting on prerequisites page (#1126)
a67b8cc init_module capture (#1122)
0fb7fca deploy: update postee manifest with tolerations and resource limits (#1060)
4389a4a add socket_dup (#1064)
25990c6 add security_kernel_post_read_file and capture kernel modules (#1080)
7b98707 add more process names to allowlist (#1118)
7ab6bf6 add cgroup release_agent modification signature (#1116)
cd216b8 removing '--security-alerts' flag. Resolves: #1106
409becc Only remove a process from the process tree filter map if it's a tgid (#1079)
340d04f tracee-ebpf: CO-RE: add GET_FIELD_ADDR macro
09476a0 tracee-ebpf: read exec arguments without a loop
f943d7f feat: Refactor clang version check and fix a panic (#1097)
cf3b4cc feat: Add tests for checkRequiredCapabilities() (#1088)
b029d07 Fix tracee-ebpf compilation on RHEL-likes (#1052)
020949d feat: Update tracee-rules base image to golang:1.17-buster (#1082)
aa6fa83 Add more tests for prepareCapture (#1087)
719d6ae tracee-ebpf: fix verifier issue on kernel 4.19
f878b19 Revert "tracee-ebpf: fix switch_task_ns verifier issue"
a8bca3e tracee-ebpf: use syscall_data_map to detect syscall
dee2e5e tracee-ebpf: fix switch_task_ns verifier issue
766ec87 tracee-ebpf: simplify syscall data saving
7e671f2 tracee-ebpf: fix commit_creds verifier issue
0b0ac4f Add etcd to exempted process list
cc7f8f0 fix type of security_kernel_read_file event

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.4
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.4

v0.6.3

13 Oct 17:09
7a46f53
Changelog

7a46f53 feat: Add list-events flag for listing events (#1071)
4262182 chore: adding to mkdocs missing links (#1070)
203a91f tracee-ebpf: simplify code
e942ffa tracee-ebpf: save correct argnum automatically
8ce15c8 tracee-ebpf: use event_data for buffer offset
79c28b2 fix missing declaration
48654aa fix sockaddr struct overflow and change error message
a9f774b Parse the version from module tags (#1062)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.3
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.3

v0.6.2

09 Oct 05:41
6b927a6
Changelog

6b927a6 Revert: Disable WASM target (#1057)
c45a719 Add documentation for undocumented output options (#1056)
e6ecb4e Document new tracee-rules signatures (#1055)
97ac6ec Tracee end-to-end tests (#1033)
32c3e1c add postee in kubernetes install
9ffecdb tracee-ebpf: init event data once
fac8552 add footer to readme (#1050)
2276d7a Individual module git tags (#1034)
4382fd8 Add execution information flags to tracee-ebpf (#1041)
7e32ea7 chore(deploy): Add tolerations to K8s deployment descriptor (#1040)
72972b0 Improve error message of being unable to find kernel headers (#1046)
fccbca3 add bunch of k8s related signatures (#1031)
c8b18f5 fix(tracee-rules): Ignore order of elements in engine_test.go (#1042)
396ed0e tracee-ebpf: add exit code to sched_process_exit
968b07f tracee-ebpf: always delete from maps on exit
bbc6c44 tracee-ebpf: update exec maps in sched_process_exec
90eebe9 tracee-ebpf: remove save_args_from_regs
939e418 tracee-ebpf: init context once
97f87c1 tracee-ebpf: add support for unix socket in security_socket_* funcs
a23f325 tracee-ebpf: simplify saving to buf (#1016)
e55abba improve kubernetes docs (#1028)
e9c0165 tracee-rules: Upgrade external package dependency (#1024)
f010325 tracee-rules: Bump up github.com/open-policy-agent/opa from v0.32.0 to v0.32.1 (#1025)
86de9c5 Set TINI_SUBREAPER env variable in dockerfile (#1021)
07969fa tracee-rules: Remove duplicated code for testing Rego signatures (#1020)
91dc323 tracee-ebpf: remove events pipeline (#1018)
71f266e chore: Add Vagrantfile to easily get started with tracee (#1017)
08cab83 tracee-ebpf: don't send argument type
1629071 tracee-rules: Allow compiling and evaluating all Rego signatures at once (#1015)
d685991 tracee-ebpf: show pathname on execve failed event
43581a4 Created new set of events IDs for user-mode events (#1013)
832d64a parse security_bpf cmd arg
41020e5 tracee-rules(test): rewrite tests for RegoSignature (#1007)
c3f9b36 tracee-ebpf: use argument index instead of tags
de793fe update docs
8856e75 Fix misspelled warning messages
d17a715 kconfig: only show non-fatal errors if debug flag is set
9d0792f libbpfgo: bump to 64a32fa because of helpers/kernel_config
11f1614 tracee/consts: CUSTOM_OPTION_START rename
6052623 docs/tracee-ebpf/override-os-needed-files: os files overrides
d285528 tracee: deal with possible kconfig option index error
8fee4eb add argument 'type' to security_kernel_read_file event (#998)
4904506 tracee-ebpf: move filters logic to a new file
b721b7d Fixed inconsistency in processes containerID value between startup and runtime
0ada16e tracee-ebpf: add sched_switch event
11e8451 Check os-release file for rhel or centos string (#1001)
cd26d25 Fix readlink with relative softlinks
b608d60 feat: Add flag for Rego Target runtime (#980)
dcc153e change install/prerequisites relative path (#997)
65238c4 tracee-rules: add flag for partial evaluation (#979)
b475949 feat: Add flag for prepared events (#984)
ce65764 Add replace directive back (#992)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.2
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.2

v0.6.1

04 Sep 00:57
bcf7153
Changelog

bcf7153 helpers/btfinfo: renamed to osinfo and improved, syncing (#981)
dfdb5d6 tracee-ebpf: move prepare_args() to argprinters file
e2f9f1b tracee-ebpf: add sched_process_exec to default set
b55da80 Use filepath.WalkDir() to scan for signatures (#901)
90b7530 fix json unmarshaling nil
f9b4394 tracee-rules: add GetSelectedEvents
aad4c95 tracee-ebpf: fix process tree disabled
9d588c9 Implement process tree filter (#927)
e438abe Feature/fetch system info (#945)
7910a97 feat: Bump OPA to v0.32.0 (#978)
d4cdac0 tracee: move MissingKernelConfigOptions to libbpfgo helper
1aac441 tracee-ebpf: update to latest libbpfgo due to kconfig changes
dd77f56 tracee-ebpf: fix sched_process_fork arg names
dcb26c2 add mknod lsm hooks (#970)
c02ae01 tracee-ebpf: simplify events pipeline
f184b9e handle param type int[2] (#969)
a4bac29 tracee-ebpf: mitigate deadcode optimization issue for 5.4 and less
b4181ca tracee-ebpf: linting: spellcheck, empty chars & statements
3f412c5 tracee-ebpf: fix sched_process_exec argument types
0177dae tracee-ebpf: add capture profile documentation
7f98f9b fix incorrect cli flags in docs example
5c85d2a tracee-ebpf: don't send stats in done channel
c81d975 fix unmarshaling of string arrays
c261897 tracee-ebpf: fix build error after libbpfgo linting fixes
5cfba33 tracee-ebpf: move printer to main package
1514fb5 tracee-ebpf: fix network capture with latest libbpf
4584f75 tracee-ebpf: add static build support for portability
b0eba9e tracee-ebpf: use replace for the external package (#949)
a3c2d51 tracee-rules: update dependency Masterminds/sprig (#938)
b644fe8 tracee-rules: refactor non used code (#939)
61dfcd8 tracee-ebpf: add stats to external
fef7e8a tracee-ebpf: support network capture from multiple interfaces
c1ce717 tracee-ebpf: remove gob printer errEnc
5627299 tracee-ebpf: fix error printing to be always text
05daef9 tracee-ebpf: fix gob test (#941)
ce2b75e tracee-ebpf: restructure and split files
5a0eb2d tracee-ebpf: improve Containers object
5032dc4 tracee.go: initialize pid_to_cont_id_map during startup
e176bdc tracee: support external BTF files
7380f08 tracee-ebpf: update to libbpfgo with initial btfinfo
b700761 tracee-ebpf: Change libbpfgo map methods to new prototype
ed0f4a2 tracee-ebpf: update libbpf to sync with libbpfgo
25ffccd tracee-ebpf: update to libbpfgo v0.2.0-libbpf_0.4.0
5ae1610 tracee-ebpf: add syscall_nr to security_file_open
a3e048b tracee-ebpf: fix get syscall id from regs
3baa952 tracee-ebpf: fix regression - program too large in kernel 4.19
8a43404 tracee-rules: fix rego signature loading
cbc56c9 add flags support for make test (#879)
329154e tracee-ebpf: add --output ignore (#882)
4ad02de tracee-ebpf: print help for invalid arguments
2bae871 tracee-ebpf: remove '--capture all'
8462b71 tracee-ebpf: don't filter security_file_open for open/openat
9cd6bb5 tracee-ebpf: don't send zero-sized chunks
e277be2 tracee-ebpf: simplify save_xxx_to_buf logic
ceece80 tracee-rules: improve error logging
0770dc4 add close on fileread finish
ad2596a remove unneeded var
1bc09c3 change invoked_from_kernel detection method
fb605fe Fix CO:RE support for RHEL and RHEL derivatives
cb836e1 fix rule name partially cropped in error message (#867)
82a1289 tracee-ebpf: add support to custom rego helpers
147f6de tracee-ebpf: fix capabilities minimum requirements
9f917a1 tracee-ebpf: turn MAX_PATH_COMPONENTS down to 48 (#889)
282bcbd tracee-ebpf: fix help flag to print to stdout
26a9eb2 tracee: add tini tracee docker image (#883)
aee7e8f tracee-ebpf: add output validate test (#881)
76a932f tracee-rules: enable pprof endpoints (#860)
3bca7ea tracee-ebpf: improve argprinters test coverage (#877)
f641d42 tracee-rules: fix minimum requirements link
5ce9ff4 tracee-ebpf: refactor to avoid two strings.Split (#859)
4c99a2a Change quickstart one liner to just make note of mounting config

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.1

v0.6.0

03 Aug 21:08
703a7a9
Release highlights and discussion

Tracee v0.6.0 released!

Changelog

703a7a9 add security_kernel_read_file lsm hook (#869)
c40c82c Update docs to be more targeted at users, rather than developers (#870)
238cc6e Update docs to take into account CO:RE default (#868)
fa7feae use tcp_connect kprobe to get tcp handshake packets (#861)
6df0969 Feature/event origin signature filter (#856)
c27e914 add lsm hooks to event sets (#863)
4c78ac3 tracee-ebpf: security_sb_mount: send exact argnum
5c84d60 tracee-ebpf: add SIGTERM support (#858)
2d2845f tracee-rules: evaluate parsed input with OPA (#829)
de4f865 tracee-ebpf: extend magic_write bytes (#853)
8684eea tracee-ebpf: fix 4th syscall param value
7aa2964 tracee-ebpf: add inode and dev to magic_write event
6a58448 tracee-ebpf: update external module
bbe411a tracee-ebpf: update timestamp in external func ToUnstructured()
f17c1d1 tracee-ebpf: Adjust MAX_PATH_COMPONENTS limit for kernels >= 5.2
4d0b1c8 tracee-ebpf: add epoch timestamp
443955e feat: Add ToUnstructured method to Event (#830)
bb6be11 tracee-ebpf: fix core compilation warnings (#838)
2991701 Add embed directive to embed the compiled CORE bpf object into go binary (#818)
f5240ae tracee-ebpf: fix print of preamble and epilogue
6da6c9f tracee-ebpf: add capture network to docs
8c463c7 tracee-ebpf: add network debug events and context
6516b25 tracee-ebpf: capture network activity
3a25e74 tracee-ebpf: add args and env to sched_process_exec event
4276fba skip printing out if library mode
247ffc9 fix panic due to slice outbound
a291eae Replace external package with go module (#824)
59acd66 add external package as a module
b3b7346 tracee-ebpf: fix incomplete path (#812)
2df1177 fix go rules requirement
4575262 fix help message
faa5614 Update tracee logo (#809)
ad3b86b tracee-ebpf: record context timestamp at sys_enter
8d69f42 test: Describe benchmarks for tracee-rules
31f21b8 adding Close API to signature interface adding Load/UnloadSignature functions to tracee-rules Engine
1fbc090 tracee-ebpf: improve output flag help
b8937fd tracee-ebpf: fix container id issues
c827ae0 fix(benchmark): Unprotected global variable processMemFileRegexp in golang.codeInjection.Init()
ef95ded fix(benchmark): Use uniquely identifiable sigs in BenchmarkEngineWithNSignatures
5fc8a52 fix: Unsynchronized send and close operations on signature channels
f773f88 fix bugs that caused panic when tracee API used from third party app
662a668 test: Add wasm target to tracee-rules benchmarks (#790)
ae07c82 Adding exportable channel into Config struct. In this way a third party entity can read from the channel without any dependencies with the tracee printers.
ef8d4ee fix clean target
05c11bf test: Benchmark rules engine based on number of signatures (#792)
741e7bb fix broken link (#791)
acf1752 test: Benchmark tracee-rules (#785)
06851ee tracee-ebpf: fix compilation on ubuntu
4bf8ca6 Add initial CO:RE support (#759)
cca5fa9 fix error that caused bpf code not to be loaded
422e86e tracee-ebpf: fix instruction count on kernels < 5.2 (#779)
6166346 add sched_process_exec and fix

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.0

v0.5.4

17 Jun 13:11
Changelog

e68ecaa tracee-ebpf: move fork logic to sched_process_fork
9eb91fb tracee-ebpf: bump libbpfgo version

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.4
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.4