Tracee v0.17.0 Released! #3353
geyslan announced in Announcements
🚨 Breaking changes 🔨
Tracee policies were changed to be compatible with Kubernetes CRDs. The new format will allow users to have the same policy as a file, and later as a Kubernetes resource.
eg:
The defaultActions field is no longer mandatory, and it now only supports the action print.

Tracee's policies used to allow a policy to have actions like log, webhook and fluentd. But this created a very complex configuration for a feature that was not used. Policies still support defaultActions, but the only action it supports is print; where to print is configured when you start tracee, on the command line or in the configuration file.

E.g., to send the events of the sample policy above to a webhook, we can start tracee with:
🚀 What's new? 🚀
📩 Filter flag removal and split 🔔
In this release, we've made significant enhancements to the event filtering CLI.
New Flags for Enhanced Filtering
--scope to precisely capture events within specified scopes, such as 'comm', 'binary', 'pid', 'uid', 'mntns', 'pidns', 'uts', 'tree', 'follow', and 'container'.
--events to define specific events and apply userland filters like 'args', 'retval', and 'context' to tailor filtering according to your needs.
Simplified Event Sets
The set option has also been removed. Instead, use --events to define sets of events to be captured. For example, use --events fs to capture filesystem-related events.
🦄 Misc 💐
🔨 Fixes 👷