Releases: aquasecurity/tracee

v0.0.3

05 Aug 16:28

Changelog

6df40c6 Fix double printing of first arg
4795a63 Fix print indentation
077916a Update readme file to include host pid when running from docker
adab925 fix context parsing
040463a improve table output
9c9e4b7 update readme example
3fdcbbb comma separate args in table
9983e23 restore tid to table
dba88af widen pid column
100834d improve table output
7d9c8d1 Fix capture exec for containers
425ecb7 Save host and container pids in host mode
1f5dd76 add host pids to context
b93fff5 Add clone flags
54b1b34 Save writes to /dev/null by pid
b100a20 improve output of args
3137927 Don't print raw_syscall if event exists
2d4ba36 Remove essentialEvents map and simplify code
7805c5e Change event print location in table output
46d9ccc Handle events in a pipeline
4245623 Remove global EventNameToID map
701547d Code refactoring
f29810f Optimize string array buffer layout
6a80860 Optimize string array buffer layout
a591013 Support tracing by pid
35105ce Decouple event data extraction from event parsing
0f5236d Use event id constants for performance
50a7e17 Add argument names
378263e Fix error counter always 0
568afc5 Fix broken raw syscalls feature
7c257ce Beautify table print
888c0e7 Fix getsockname error on null string
dce995d fix capture exec for non-filesystem files

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.3
  • docker pull docker.io/aquasec/tracee:latest

v0.0.2

23 Jul 12:29

Changelog

a87a69e remove python version
398138d fix mem alert when not capturing
ebb5563 Add exclude event flag
6c63231 Remove PrintSyscall func
0dbb1ef Fix chmod invalid file
f1a66bd Append file write if written file type is char, socket or fifo
de74185 change socket address output format
726059c Remove unix socket leading zero in json output
267dae5 Fix unix socket name when there are leading zeros
7c4b242 fix json tags spelling
32051f8 Update readme to include capture flag
e2b935b Update readme to include file and binary capture
dbacd6e Change consts to use go naming conventions
4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
951fbb2 Support multiple probes for one event
7818daa Use alert struct and save alert payload using timestamp
ef4c92e validate capture options
8e79924 don't capture same exec twice
58ead5d Add mmap and mprotect security alerts and data extraction
4074a94 Add chosen events map
bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
87a4a78 fix test for ptrace printing
a523eae fix file capture when dependent event is missing
b10961f Fix write error when buffer and chunk are equal in size
9602d12 allow granular selection of capture-files
6c3fc99 fix ptrace flags print
8114f9c Remove EventsIDToName map
6a6f918 auto build essentialEvents map
165a971 print all raw_syscall names
3e72e64 Add event configuration map
309aab7 fix lost event counter
2cb8a20 print errors to a dedicated file
b27aca3 fix raw_syscall printing if syscall is not known to tracee
ffa8183 capture executed files
395e9da add hook to process events and use it to show raw_syscall name
17c619d refactor stats collection and printing
2abdacb fix map update issue with old kernels
5fb424a Change save_args key to be unique
e2b0a8a decouple internal and external types
90988aa Add tail call event handler
db158f1 Use generic method to send binary data
da567dd add gob output format
c3af6f3 Support file-write filters up to 64 chars
bad16bc Add Tracee logo
498265d cleanup file event handling code
17a08ad decouple should_trace and init_context
280ad5d Handle buffers more efficiently
e8eca12 parameterize stdout in tracee package
c9b0e91 simplify tracee config
9f17b17 remove args brackets
758145d don't show raw_syscalls by default
0bcf7a8 change printed time resolution from seconds to microseconds
ff413c4 Check for privileges
2a74671 read file buffer with struct
e84324c move should_trace to a function
45516c7 remove get_config wrapper functions
c8982e4 Change vfs_write flags
c448b3e Port vfs_write to go
05cfc5a Add configuration flags for vfs_write
89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
7ca4b05 Support vfs_write filters
184610d Change output path to include mnt ns id
55917d5 Use tail calls to send vfs writes
c77a643 Support multiple chunks in file send
a41baa1 Add vfs_write event and file writes extraction
5d28b9d remove redundant casting
61d273f Use full submission buffer size
d278132 Remove type argument from save_str_to_buf
39bb47e Save path using helper function
75cb776 Remove R_PATH type and handle as regular string
d20cf0d fix make build dependencies
799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
2d5d1cc refactor events map
55b6cc6 update gobpf to include memory leak fix
68b2ce8 add youtube demo to readme

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.2
  • docker pull docker.io/aquasec/tracee:latest

v0.0.1

18 May 11:37

Changelog

5dc755f work around gobpf memory leak
2187ecb add makefile target to build docker image
a207a16 add make target to build using docker
5179077 fix dockerfile
e42865f update readme with release
5294f4c save_context
0fcfd26 add release procedure using goreleaser (#75)
e21954c fix events flag in python
2efa61d fix dockerfile
1a6a69c rename events-to-trace flag to event (#73)
2684f1c update readme (#72)
5687bce build distributable binary (#71)
c06e936 update readme (#70)
6697bea update dockerfile to go
613717d handle lost events and support configurable buffer size
2d6e437 fix list command to show recent additions
dd0cedc add chown chmod and pkey_mprotect syscalls
541ae53 fix missing threads in system mode
35202dc fix makefile
9eb9f29 fix json arguments formatting to match python version
d770f33 fix comment
e366065 superficial tests for readArgFromBuff function
b9bd744 fix socket type print
67a3ac1 fix POINTER_T parsing and printing
c0b87ea fix open flags printing
6bc4686 support security_file_open lsm hook
dff978e show stats in table epilogue
b6ea608 update readme about go
189a6e7 add bprm_check event (#54)
4b9bad2 print prctl ptrace options in go
1ae06bc print sockaddr common families in go (#52)
6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
fd8a89b implement show-exec-env in go
7278173 fix event validation
56bd72e Rewrite Python code in Go (#47)
08d5a9a Add prctl option and ptrace request enums
aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
05372ab Handle failed read to buffer
8fddef9 Add optional exec-env flag to show env in execve
431eaae performance: get buffer once
58f76e7 fix missing flags
61f172f avoid fork handler code duplication
4fa4d54 Show syscall name in internal kprobes
85afe0b save container mode
04a921c update readme
58b19d9 events: add setXid syscalls
9369869 fix failed tests
6db7ef7 readme: update optional arguments
6d1effc Add config map and verify configuration
649b19f catch keyboard interrupt
4defbd5 Remove container prefix from files
3aa5c75 mount debugfs before starting
6121f73 add dockerfile
39c28ae Generic event handling in userspace
8afaa4a performance: improve performance and reduce lost events
ff9aa14 set submission array size according to real cpu number
631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
bdd847a Readme: update execve known issue status
5b6bffc Merge pull request #23 from yanivagman/add_event_list
7b2ce5b Add event list and update readme
e0f5549 workaround PT_REGS_PARM macros bug in new kernels
0762844 Support new kernels
8d2a31c events: add mount, umount, unlink, unlinkat syscalls
0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
4ffb880 readme: add omitted title
fbdd2e7 Add system tracing mode
2e296cf fix: stat syscalls are ignored
79c4159 Correct name in NOTICE file
f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
c80ee7a Add container id by using UTS namespace node name
69f490d Merge pull request #8 from aquasecurity/event-filter
31f1a58 fix: kprobe for do_exit is essential
49132fc feat: filter events to trace
c691511 Start tracee without -v for stdout output
a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
ea9b0ec tracee_test: Add test cases for open_flags_to_str
d7bcba9 tracee_test: Add test cases for open_flags_to_str
efc2f14 tracee_test: Add tests for execveat_flags_to_str
d0f474f tracee: Apply more pep-8 fixes
95aff98 tracee: cleanup imports
630a71c .git: update gitignore
a8c2f1d tracee: Move helper methods out of EventMonitor class
ad6401f tracee: init tests and a new makefile
03f18e7 Merge pull request #4 from aquasecurity/readme
5fd4547 update readme file
e1050f8 Update readme files
9f22b49 remove execve redundant structs
2e33567 Change kernel-userspace communication buffer
9871c7a add creat syscall and fix open incorrect flags bug
220d5ed expand syscall enum for all syscalls
af9abf3 add getdents(64) syscalls
50c939e add symlink(at) syscalls
2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
279aabf support python 2 json
ba4f4ac Add authors info
1fe3310 Add kernel version & usage to README
90440ef Create NOTICE
aa5bb68 Create LICENSE
3cf9917 Container tracing using eBPF
b30fc5c Initial commit

Docker images

  • docker pull docker.io/aquasec/tracee:0.0.1
  • docker pull docker.io/aquasec/tracee:latest