Releases: aquasecurity/tracee

v0.5.3

15 Jun 09:46

Release highlights and discussion

Tracee v0.5.3 released!

Changelog

8c944cf tracee-ebpf: add container id to context
6129122 feat: Tracee Profiler Mode (#725)
1e0aba5 clarify license (#760)
5cc1e8c fix gob type declaration (#753)
09ef628 Optimize save_path_to_str_buf in tracee.bpf.c (#758)
9312e26 tracee-ebpf: fix bpf compilation error
c158069 tracee-ebpf: ignore kernel config check when init fails
f87e71f Update Prerequisites Link in READMe (#744)
58a120a tracee-ebpf: add security_bpf{,_map} events (#617) (#739)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.3
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.3

v0.5.2

03 Jun 06:12

Release highlights and discussion

Tracee v0.5.2 released!

Changelog

2fb9a7e tracee-ebpf: commit_creds: submit more credentials
6e1c370 add detection for writing into /etc/ld.so.preload (#733)
9387554 switch to libbpf v0.4 (#738)
83a869d fix: remove libbpfgo from this repo (#734)
9453072 libbpfgo: Add map iterator support (#728)
da4124a tracee-ebpf: close gracefully on error (#729)
242d721 libbpfgo: Check for ERR_PTR return values (#709)
94f33d0 work with new form of security_socket_connect
1960f31 libbpfgo: Add support for AttachPerfEvent
74b3c48 dont set essential events to network lsm hooks
6fb4c8a set network syscall events as essential events for their corresponding lsm hooks
b24f18c use kernel pid instead of tgid to avoid race condition between threads
2154848 set default sockfd to -1
d75a61f remove event_id from sockfd_map key, use tgid alone instead
32191ee fix sockfd_map comment
fcd8478 added sockfd arg to network lsm hooks
dccdd84 Add security_sb_mount lsm hook
38b402d tracee kubernetes deployment yamls (#680)
210d85b Add tracee video hub link in README (#714)
0344838 add manual parameter to docs workflow (#712)
25eb688 libbpfgo: Add AttachLSM() method
2bf844d Network lsm hooks (#697)
a6f33c3 Load kernel config into bpf hashmap (#670)
71b8876 Run libbpfgo self tests on self hosted github action runner (#693)
93809da add manual trigger to docs workflow

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.2
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.2

v0.5.1

18 Apr 15:37

Release highlights and discussion

Tracee v0.5.1 released!

Changelog

521b52b add build in docker to tracee-rules
24daa0e small typo fixed
8db13ca Fix minimum requirements link
d606972 fix: add check for empty bytes being written by file write channel fileWrChannel (#696)
2317a86 fix: trace-ebpf flag output (#632)
feb1677 feat: add testing envrionment matrix that includes self hosted runner (#692)
c3da07d Merge pull request #688 from grantseltzer/upgrade-libbpfgo-fix
e25ba71 Merge pull request #687 from yanivagman/fix_build
71d4c83 Fix build with libbpfgo
510aae7 integrate and document gotemplate
7b3c71b Merge pull request #682 from krol3/issue-681-dockerignore
ff03f7b Merge pull request #649 from eyakubovich/fix-chan-map-race
5052cb8 Merge pull request #678 from grantseltzer/upgrade-libbpf-v0.3
f37f3d3 feat: docker ignore for tracee
29b216c Merge pull request #672 from yanivagman/fix_type_mismatch
8d26642 Merge pull request #679 from yanivagman/fix_docs_link
4ef3eba fix documentation link in readme
96bdca8 improve docs
f11eced fix error handling
103ddbd tracee-ebpf: Fix type mismatch of event arguments
d1a0c00 fix: update libbpfgo go module to fix build for tracee-ebpf
c67295f fix: upgrade libbpfgo dependency to latest
3970f7f fix: upgrade libbpf dependency to v0.3 release
095336c Merge pull request #656 from eyakubovich/add-map-setters
7ace63b Add Resize() and GetMaxEntries() to BPFMap
7862e0e Merge pull request #645 from grantseltzer/feature-check-package
4f5af96 fix json output template
5c76627 add a quick video intro (#660)
2d62a69 fix: add some tests, fix error string
69b576e Merge pull request #657 from aquasecurity/docs-small-fixes
23597a0 Fix eventsChannels race
1092871 fix: broken links
8482773 fix: match document headers with navigation links
56ede7f fix: clarify local rules directory, add libbpf to dependencies
f68cea7 fix: move architecture diagram and images into docs directory, update usage accordingly
2e288fd fix: small typos and table formatting
50a6940 refactor: Remove falcosidekick specific code and reuse templating (#653)
e868978 feat: Add high level overview to Readme (#650)
6acdf8c feat: add constants to use for kernel configuration options
996cbd2 revamp documentation
7ce5943 feat: add tests for proc gz config
cf01331 fix: libbpfgo module files
6474790 Merge pull request #638 from eyakubovich/fix-perf-buffer-stop
5e8cd40 feat: add functions to helper package for checking the kernel config options
ba273ac types.Finding interface update (#646)
e1263ed fix mkdocs generation (#644)
96a39dc Use Go templates for stdout (#630)
77cf435 Fix PerfBuffer shutdown
8b8045b add mkdocs documentation (#633)
42edaaf Group of small fixes (#643)
97d27e0 Merge pull request #629 from jan0ski/main
7bac7f5 feat: Add support for wildcard event suffixes
f8df7da Merge pull request #625 from krol3/labels-docker
d0d2670 fix relative link to quickstart-with-docker (#635)
1a31966 Merge pull request #631 from grantseltzer/use-helpers-package-in-tracee-ebpf
443994b Merge pull request #603 from grantseltzer/selftest-actions
5f4ab2d remove falcosidekick from container
656da9c Remove old helper functions from tracee-ebpf and update usage to new helpers package
25bfb2d fix: update imported gomodules so libbpfgo includes the newly added helper package
f66f7be Merge pull request #493 from mtcherni95/tracee-issue-485
8934c28 fix: copy argument parsing functions from traee-ebpf into libbpfgo
9753401 fix: move and document the signature helpers (#601)
284bb15 Add basic integration test framework (#606)
2e0edb2 Fix "make clean"
7492580 Adding labels Docker
ec34648 feat: Print loaded rules info at runtime
518d407 fix tracee-ebpf dockerfile for go 1.16
b995873 Merge pull request #620 from eyakubovich/fix-ringbuf-stop
09b2b47 Fix RingBuffer shutdown
1fd89c3 Merge pull request #616 from icarus-sparry/better_help
2aa71c7 Better help message for missing libbpf
cb4589f feat: add libbpfgo selftests to github actions
436c11d Merge pull request #598 from grantseltzer/improve-selftest
559ff36 improve readme with triggering a sig
f1f3c72 Remove debugfs mount
c22f59c feat: Use //go:embed to bundle artifacts (#596)
6b6a8d6 Adding version string to --list output (#602)
a6ceb2e feat: Add signature versioning (#597)
6486492 add tests for entrypoint
9c6d248 Webhook message formatting using go templates (#582)
8ab0254 fix: self test for ringbuffer should verify the integrity of the data sent from kernel space
228c6d3 tracee-ebpf: add magic_write event
0c581d0 tracee-ebpf: move capture write filter to tail
cc2a749 tracee-ebpf: add bytes argument type
9a25d02 Merge pull request #591 from grantseltzer/blocking-stop-channel-write
5ba8472 feat: Bump up to go1.16 (#589)
8d3c3d5 Merge pull request #483 from aquasecurity/gs/ringbuf-libbpfgo
809794b tracee-ebpf: remove validator workarounds
828f39e tracee-ebpf: fix docker builder (#587)
6eb7608 fix: rb.stopped should be set in the Stop method
42839aa feat: add support for ringbuffers in libbpfgo
d286732 feat: Add OPA tests to Github Actions (#535)
5dc1352 feat: Better formatted output for detected events. (#573)
28fbc66 feat: Add IDs to Signature Metadata. (#567)
05b0d91 tracee-ebpf: Fix readme for docker quickstart (#568)
097ce27 Added information how to run Tracee on Docker Mac
59312a1 tracee-ebpf: update minimal kernel version to 4.18

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.1

v0.5.0

18 Feb 08:59

Release highlights and discussion

Tracee v0.5.0 released!

Changelog

2001ffe fix dynamic code loading sig
e5f25a7 fix release
24ea252 fix docker image contains glibc artifacts
1b9c59f fix release to fetch submodules
6c2b2e5 fix dependency resolution in tracee-rules
0575cb7 Revert "fix release as monorepo"
ef7e96a update import paths after restructure
f1f841d remove code injection sig from go
b4501be Fix stdio over socket (#552)
a7c47e9 fix release as monorepo
a750666 tracee-ebpf: add switch_task_ns event
c92b5c5 fix match for non af_inet sockets
5b2a740 Add signatures (#528)
3fcee47 update entrypoint to use security-alerts
6ea5773 tracee-ebpf: Add commit_creds event
4bd2e3c fix make release didn't build slim image
c34c10f fix: trace-ebpf: Fix typo in clang option (#526)
f0604fb Merge pull request #525 from grantseltzer/list-flag-output-fix
b1bf684 fix: Move example sigs into own dir and exclude from build. (#523)
fc53430 add tracee container
4255857 fix makefile
6d632e3 add option to make bpf from root
f474f44 Merge pull request #518 from grantseltzer/input-source-unit-tests
2e827a3 Fix: rename signatures and add spacing to printing of them with --list flag
a5e8040 start of unit tests for input source setup functions
f41c794 fix webhook panic when server returns error
b54cfda Merge pull request #500 from grantseltzer/gs/print-help-tracee-rules
dbc56af Update readme, fix default logic
8645c0a Update tracee-rules/input.go
86c0958 fix: Address a few typos
4d43dc1 rename tracee input parsing functions
eb8f7db rename help error
48bd0d3 Remove more references to EOT, set default values for tracee input (gob from stdin)
696053a Close on EOF, not on EOT
b2756e5 remove the eof/eot option
311e423 adress feedback about help being displayed
effd1f6 Remove old flags
9829d2b add minimal unit tests
8cc046f add invalid input checks
0e5c733 Refactor flags in tracee-rules
3590ef0 feat: Add tests for core engine functionality (#477)
8e4e7b3 Merge pull request #510 from aquasecurity/remove-eot-tracee-ebpf
0e61c18 Update contributing guidelines (aka team agreements)
9deb2ce Remove the notion of an EOT event signalling end of transmision
da310b0 refactor: tracee-rules use types from tracee-ebpf
775ac46 rename tracee execuable to tracee-ebpf
17d840f feat: add root level Makefile for release
5ac1db4 feat: mostlyclean target
b04facc fix: improve makefile targets
a95d52d fix: don't send context when building builder
062c7b1 fix: docker builder file creation and cleanup
d931f21 fix: make in docker without git
02900d9 fix: make in docker ignoring target
d28d4cc feat: convert anti_debugging sig to rego
5905ce4 feat: add rego tests
febd3de lint: Address a few idiomatic Go improvements (#427)
4fdcba8 Merge pull request #449 from aquasecurity/traceprint
dd1dbb1 Add tracee-rules pr workflow
a3d5748 Fix tracee-rules build
c43b1c3 Restructure repo as monorepo (#459)
5779705 fix: allow reading from stdin
5fc24f0 docs: add tracee-rules readme
bb3d227 fix sigs building
e6b431e fix regosig numeral handling
86c815c rego optimizations
07aa51f add support for rego signatures
9a8c836 simplify finding data
4025eff add code injection signature
de77008 add anti debugging signature and sigs tests infra
e12b1ce improve signature error handling
56fa897 tracee-rules rewrite
8841bc0 Rule engine initial commit
1d879fc write errors to stderr, and close file
4d721af feat: add TracePrint to libbpfgo
a87426a fix: default output format
fbdf5a6 fix: written files index relative to out dir
871c1db Add pin, unpin and setpin for maps in libbpfgo (#437)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.5.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.5.0

v0.4.0

24 Jan 13:17

Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/441

Changelog

da6a281 fix release workflow for github actions
c22b855 release with github action
60f353e remove redundant go setup steps
4f289b5 update readme
16f1688 refactor output flag
afa9b2d improve --capture help
7d2ce34 Add return value filter
3098430 Make '--capture clear-dir' safer
ee2d9bb Handle capture output dir in capture flag
534d012 Decouple and remove filter-file-write flag
062947d Add prefix operator to argument filters
b47bbc5 Remove trace flag and add new filters
1993577 Remove vfs_write(v) and ioctl from default set
d38fbef Added --stack-addresses flag to log stack addresses to JSON output
487d1e4 added 'DeleteKey' and 'GetValue' to 'libbpfgo'
409f21e Move pidns trace mode to filter flag
b486a25 Use filters instead of modes in bpf code
6b4fe81 Move follow trace mode to filter flag
4b3d318 Add EventID postfix to new syscall events to fit convention
3ac6a21 Add support for filtering an event by its argument
f44eb20 Supporting new syscalls from kernel version 5.7 - Resolves #372
7ce92f6 Fix bad param renaming
3c622e0 Fix comm and uts filters
e36e880 fix libbpf import
96ed00e Issue-398 add arguments to events
d387056 Add indexing of written files
b4f0a0a Support using filter prefix for common filters
1edeff8 Move event flags into filter flag
1bd03a9 Change trace modes and add container filter
f1968a7 refactor Event and params
ff0cb90 fix compat detection for older kernels
54d324f Add support for arm64 32bit compatibility mode
af0ea08 Fix ptrace request argument print
0536237 remove redundant var
ad3cb5d Fix event listing
21720af Simplify filters logic
ea5dca1 Move pid filter to filter flag
c3d5c4d signal end of transmission for gob output
84180be Support ARM64 architecture
bfcabb2 Set TRACEE_BPF_FILE to point to file instead of dir
68d6c71 Fix execve pointer errors
8ed6772 Fix pidns filter erroneously set to mntns
f32c50b Add process follow mode
22ffc4e rename master to main
5702252 Merge filters and set bit size
ef665e3 Rearrange bpf filtering code
11b251f Add UTS and COMM filters
88f5d6b Add mnt ns and pid ns filters
64a084a Simplify uid filtering code

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.4.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.4.0

v0.3.1

09 Dec 07:44

Changelog

d4b7008 Fix bpf compilation on redhat and centos with kernel 4.18
57e2178 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
a92b1ef Use more informative error when making bpf object fails
800a079 Split kernel headers to source and build
79d625e Add security_inode_unlink event
5564d6e Print bpf cmd argument and make a default event
919c261 Add host only mode
741f107 Use alpine image instead of ubuntu
f302eaf Fix docker build on manjaro(arch) linux

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.1
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.1

v0.3.0

29 Nov 11:58

Release highlights and discussion: #331

Changelog

fff75d0 fix version for build in docker
5a7a7fc fix make libbpf headers
f1a239b fix make clean
e210c72 fix version detection for docker build
8d0ac30 fix version detection for release
dab487d fix version detection for release
b481f0d update readme for release
b837b6b fix kernel headers defaults in other distros
aa5ec50 make bpf obj file version dependent
e123fca refactor release script, include slim images in notes
87d70f9 update readme
318933e update readme
eb47b74 test for bpf build in ci
5b90fd5 fetch libbpf source from make if needed
52c397b fix building in docker without tools
86392ee fix release process and add slim image
ee46b6f fix typo
85c3379 docker builder in cwd
151b137 make docker targets real targets
ae2fd1a improve naming of tools and fix make bpf-docker
4a9734e optimize docker building
5faa7c1 improve building in docker
e4f502c require llvm 9
b4ddc99 Add a --filter flag which takes arguments of the form =,,...
99c36be update_logo
42e11de fix clang version detection
efa68ee tracee use libbpgo relatively
8d536db fix naming convention
9f5a305 add libbpfgo readme
5aaf230 make libbpfgo a module
d5be3a6 feat: add test to ci/cd workflow
2a9d54e Fix capture exec with empty string
a78a915 fix test target and add test-docker
1943eaa fix bundle path
4bd1c7b check minimum clang version (#310)
d8a55e7 Fix and enable tests again
9edac6b Add sched_process_exit event
f35a8f3 Add libbpf uapi headers - fix ubuntu16 compilation
aefd3cd Fix asm_inline for kernel > 5.4
fe77c7f Print uts name in container mode
46f1e2a force clang compiler
d075722 rewrite release process
2cccd1d Update readme with build comments
71c97f0 Don't make llvm-strip a dependency
13c4d1a fix makefile dependency
9e06a20 Fix lint and build errors
935540e Rename bpfwrap to libbpfgo
6cfa83d fix docker builds for libbpf
cc7f1ea Organize probe attach code
ffe7b63 Disable bpf program autoload if not required
3e7199e Reorganize initBPF function
6a379a2 add build-policy flag
8fb3fa5 use different dirs for output and install by default
b06c481 use tmp as default install path
fbf395a drop capabilities during compilation
3b80e0f bundle bpf source for compilation at runtime
6ea6fbf compile bpf obj on startup
765d4fa fix bpf src injection
8c4a1bb refactor bpf obj searching
a074b37 Update libbpf submodule
5109ae1 improve and organize build (#280)
1208adb add new module creation from buffer to bpfwrap
b17be81 Remove BCC from readme
a2e4359 Move from gobpf to bpfwrap (libbpf)
172655f Add bpfwrap - a thin libbpf wrapper
73d4b73 Add libbpf submoudle
2cac3ee Fix tests
49dee1e Fix lint errors
f1f43f8 fix ci trigger
d64607a Fix bad string size type
7a755e3 update go version to 1.15
d0fe845 updated to golang 1.15
4964f5c Output formatting via gotemplate (#256)
a3e991f feat: Add CI/CD Workflow (#259)
5d49921 fix memfd files not shown in vfs_write
bc84eae fix sockaddr_in parsing
0bb0dbe fix error printing line break
582a380 Created a new --trace flag to replace and enhance the --pid and --container flags
4f50e28 Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
120204f Created a new --trace flag to replace and enhance the --pid and --container flags
aec1ef6 Fix send bin chunk size
d58cd29 Fix broken kernel 4.14 support
e753945 Made the typo change as requested
91fcd92 Typo Corrected in README.md to sound more meaningfull
42cd0b7 change readiness file format
751f38d Various Grammatical and Spelling Changes (#246)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.3.0
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.3.0

v0.2.1

11 Oct 11:37
8ce4688

Changelog

8ce4688 Small typo fixes (#245)
e97ca4a add contribution guidelines (#242)
bd05ede chore(docs): Added badges in README.md file (#236)
a756211 Read kernel pointers with bpf_probe_read
214346a improve code portability and be generic
f4ad395 Don't monitor events generated by tracee
84c3a7a fix_32bit_before_4.17

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.1
  • docker pull docker.io/aquasec/tracee:latest

v0.2.0

16 Sep 05:51

Changelog

f85878a Add vfs_writev event
a3af9ac Clean essential events from map
aeab9b3 Add pids in raw_syscalls instead of execve handler
b1297cf save_context_generic

Docker images

  • docker pull docker.io/aquasec/tracee:0.2.0
  • docker pull docker.io/aquasec/tracee:latest

v0.1.0

10 Sep 14:19
b497d9d

Changelog

b497d9d fix capture exec when sharing pidns (#208)
b5fb620 Use generic return for execve syscalls
31887af Simplify raw_syscalls logic and remove security_alerts workaround
bc2ee10 clear output dir (#222)
c40f64a Fix fork of traced processes not traced when clone event not chosen
d20395c signal readiness using a file in output dir (#218)
1fbce2e Fix decoding errors when save_args fails
389e596 Handle raw tracepoints fallback
aefee76 Enable support for all syscalls
915a1cc Handle events parameters types and names using parameters map
1adf1e4 Add events parameters map
29f5ee9 Add 32bit syscalls support
0e4adff Reduce syscalls handlers instructions size
8b17cf9 Use tracepoints instead of kprobes for syscalls
60b2e09 check null terminated string size
932a706 Add system calls sets
ddccf41 Update args macro to be more compact
425193e Use bigger buffer size
bdaa084 Update intro video in readme
c962d21 Add more syscalls
c2b7e4f Add events by sets
57fd98b Pretty print event list
0cebf01 Print raw syscalls only when event was not requested
da1e24b Update readme to reflect verbose output

Docker images

  • docker pull docker.io/aquasec/tracee:0.1.0
  • docker pull docker.io/aquasec/tracee:latest