Skip to content
main
Switch branches/tags
Code

Latest commit

libbpfgo recently added 2 needed fixes:

commit 5e89006 ("libbpfgo: use perf_buffer__new new API and fix style")
and commit 5d2336e ("kprobe: remove legacy kprobes and unneeded
includes").

Together they fix a panic happening in main branch:

    $ sudo ./dist/tracee-ebpf
    TIME             UID    COMM             PID     TID...
    fatal error: unexpected signal during runtime execution
    [signal SIGSEGV: segmentation violation code=0x2 addr=...

whenever libbpf executes perf_buffer__new() using the old, and
deprecated, prototype. This change makes sure that libbpfgo will always
call perf_buffer__new() using the new prototype.

Fix: #1383
00fc10d

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Sep 19, 2019

Tracee Logo

GitHub release (latest by date) Go Report Card License docker Scheduled Signatures Test

Tracee: Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns. It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a pre-defined set of behavioral patterns.

Watch a quick video demo of Tracee:

Check out the Tracee video hub for more.

Documentation

The full documentation of Tracee is available at https://aquasecurity.github.io/tracee/latest. You can use the version selector on top to view documentation for a specific version of Tracee.

Quickstart

Before you proceed, make sure you follow the minimum requirements for running Tracee.

If running on BTF enabled kernel:

docker run --name tracee --rm --pid=host --cgroupns=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest

Note: Running with BTF requires access to the kernel configuration file. Depending on the linux distribution it can be in either /proc/config.gz (which docker mounts by default) or /boot/config-$(uname -r) (which must be mounted explicitly).

If running on BTF disabled kernel:

docker run --name tracee --rm --pid=host --cgroupns=host --privileged -v /tmp/tracee:/tmp/tracee -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -it aquasec/tracee:latest

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.

This will run Tracee with default settings and start reporting detections to standard output.
In order to simulate a suspicious behavior, you can run strace ls in another terminal, which will trigger the "Anti-Debugging" signature, which is loaded by default.

Trace

In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging/troubleshooting/analysis/research/education. In this case you can run Tracee with the trace sub-command, which will start dumping raw data directly into standard output. There are many configurations and options available so you can control exactly what is being collected and how. see the Documentation or add the --help flag for more.

Components

Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:


Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio here.
Contact us about any matter by opening a GitHub Discussion here.