Skip to content
/ tracee Public
forked from aquasecurity/tracee

Container and system event tracing using eBPF

License

Apache-2.0 license
0 stars 392 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

roikol/tracee

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

682 Commits

.github/workflows

.github/workflows

 
 

deploy/kubernetes

deploy/kubernetes

 
 

docs

docs

 
 

tracee-ebpf

tracee-ebpf

 
 

tracee-rules

tracee-rules

 
 

.dockerignore

.dockerignore

 
 

.gitignore

.gitignore

 
 

.gitmodules

.gitmodules

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

NOTICE

NOTICE

 
 

Readme.md

Readme.md

 
 

entrypoint.sh

entrypoint.sh

 
 

entrypoint_test.bats

entrypoint_test.bats

 
 

mkdocs.yml

mkdocs.yml

 
 

Repository files navigation

Tracee Logo

GitHub release (latest by date) Go Report Card License docker

Tracee: Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns. It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a pre-defined set of behavioral patterns.

Watch a quick video demo of Tracee:

Check out the Tracee video hub for more.

Documentation

The full documentation of Tracee is available at https://aquasecurity.github.io/tracee/dev. You can use the version selector on top to view documentation for a specific version of Tracee.

Quickstart

Before you proceed, make sure you follow the minimum requirements for running Tracee.

If running on BTF enabled kernel:

docker run --name tracee --rm --privileged -it aquasec/tracee:latest

Note: _Running bpf requires access to the kernel configuration file. Depending on the linux distribution this can be in either /proc/config.gz (which docker mounts by default) or /boot/config-$(uname -r) (which must be mounted explicitly).

If running on BTF disabled kernel see here:

This will run Tracee with default settings and start reporting detections to standard output.
In order to simulate a suspicious behavior, you can run strace ls in another terminal, which will trigger the "Anti-Debugging" signature, which is loaded by default.

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.

Trace

In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging/troubleshooting/analysis/research/education. In this case you can run Tracee with the trace sub-command, which will start dumping raw data directly into standard output. There are many configurations and options available so you can control exactly what is being collected and how. see the Documentation or add the --help flag for more.

Components

Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:

About

Container and system event tracing using eBPF

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

8 tags

Packages

No packages published

Languages

  • C 83.8%
  • Go 15.0%
  • Open Policy Agent 0.6%
  • Makefile 0.4%
  • Dockerfile 0.1%
  • Shell 0.1%