Eolh is a security observability tool for Windows containers.
Currently Eolh is only tested on EKS.
See the documentation for details.
Eolh is heavily based on Tracee's code base (v0.16.0). Codes without our copyright notice are copyrighted by Aqua Security Software Ltd.
Tracee is licensed under the Apache License 2.0, so we provide the Tracee's license file and NOTICE file as LICENSE.tracee and NOTICE respectively.
The changes from Tracee are follows:
- Removed eBPF-related functionalities.
- Added ETW-related functionalities.
- Removed Linux-related functionalities.
- Added Windows-related functionalities.
- Simplified some functionalities.
Further details of the changes per files
- GitHub Workflows
- 3rdparty
- brand
- builder
- deploy
- docs
- examples
- packaging
- pyroscope
- signatures
- tests
- types
- .clang-format
- .clang-tidy
- .dockerignore
- .gitmodules
- .revive.toml
- Makefile
- RELEASING.md
- Vagrantfile
- embedded-ebpf.go
- embedded.go
- mkdocs.yml
- staticcheck.conf
- cmd/tracee/cmd/analyze.go
- cmd/tracee/cmd/list.go
- cmd/tracee-bench
- cmd/tracee-gptdocs
- cmd/tracee-rules
- pkg/bucketscache
- pkg/bufferdecoder
- pkg/capabilities
- pkg/cgroup
- pkg/cmd/cobra/helper.go
- pkg/cmd/cobra/helper_test.go
- pkg/cmd/flags/server
- pkg/cmd/flags/cache
- pkg/cmd/flags/capabilities.go
- pkg/cmd/flags/capture.go
- pkg/cmd/flags/config.go
- pkg/cmd/flags/containers.go
- pkg/cmd/flags/errors.go
- pkg/cmd/flags/filter.go
- pkg/cmd/flags/filter_map.go
- pkg/cmd/flags/filter_test.go
- pkg/cmd/flags/flags_test.go
- pkg/cmd/flags/help.go
- pkg/cmd/flags/logger.go
- pkg/cmd/flags/logger_test.go
- pkg/cmd/flags/policy.go
- pkg/cmd/flags/policy_test.go
- pkg/cmd/flags/rego.go
- pkg/cmd/flags/tracee_ebpf_output.go
- pkg/cmd/initialize
- pkg/cmd/printer/benchmarks
- pkg/cmd/printer/policy.go
- pkg/cmd/printer/printer_test.go
- pkg/cmd/urfave
- pkg/cmd/gptdocs.go
- pkg/cmd/tracee_test.go
- pkg/config
- pkg/containers/runtime/crio.go
- pkg/containers/runtime/docker.go
- pkg/containers/path_resolver.go
- pkg/containers/path_resolver_test.go
- pkg/counter
- pkg/ebpf/c
- pkg/ebpf/controlplane
- pkg/ebpf/initialization
- pkg/ebpf/probes
- pkg/ebpf/bpf_log.go
- pkg/ebpf/capture.go
- pkg/ebpf/events_enrich.go
- pkg/ebpf/finding_test.go
- pkg/ebpf/hidden_kernel_module.go
- pkg/ebpf/ksymbols.go
- pkg/ebpf/net_capture.go
- pkg/ebpf/tracee_test.go
- pkg/ebpf/errfmt
- pkg/events/derive
- pkg/events/parse
- pkg/events/queue
- pkg/events/sorting
- pkg/events/trigger
- pkg/events/amd64.go
- pkg/events/arm64.go
- pkg/events/events_test.go
- pkg/events/parse_args.go
- pkg/events/parse_args_test.go
- pkg/events/usermode.go
- pkg/filters
- pkg/metrics
- pkg/mount
- pkg/pcaps
- pkg/policy
- pkg/server
- pkg/signatures/benchmark
- pkg/signatures/celsig
- pkg/signatures/metrics
- pkg/signatures/rego
- pkg/signatures/regosig/testdata
- pkg/signatures/regosig/aio.go
- pkg/signatures/regosig/aio.rego
- pkg/signatures/regosig/aio_test.go
- pkg/signatures/regosig/common_test.go
- pkg/signatures/regosig/mapper.go
- pkg/signatures/regosig/mapper_test.go
- pkg/signatures/regosig/traceerego_test.go
- pkg/utils
- types/detect/detect_test.go
- types/trace/network_trace.go
- types/trace/network_trace_test.go
- types/trace/trace_test.go
- pkg/cmd/flags/etw.go
- ETW Provider Flags
- diff.patch
- A patch file for golang-etw
- Dockerfile
- Dockerfile for Eolh
- LICENSE
- Eolh's LICENSE
- Readme.md
- Renamed to README.md
- Changed to description of Eolh
- cmd/tracee/main.go
- Renamed to cmd/main.go and added error handling
- cmd/tracee/cmd/root.go
- Renamed to cmd/cmd/root.go
- Changed cli flags
- Changed so that
Executefunction returns an error
- cmd/tracee/cmd/version.go
- Renamed to cmd/cmd/version.go
- Changed so that the version command will print Eolh's version
- pkg/cmd/cobra/cobra.go
- Renamed to pkg/cmd/cobra/main.go
- Changed so that it provides
GetEolhRunnerfunction instead ofGetTraceeRunner
- pkg/cmd/flags/output.go
- Remove functions except output and printer flags
- pkg/cmd/flags/printer/broadcast.go
- Remove
Epilogue
- Remove
- pkg/cmd/flags/printer/printer.go
- Remove
Epilogue
- Remove
- pkg/cmd/tracee.go
- Renamed to pkg/cmd/main.go
- Changed
Runfunction for Eolh. - Removed functions not used by Eolh.
- pkg/containers/runtime/containerd.go
- Changed to use Windows named pipes for communication with containerd
- Changed to use session identifiers
- pkg/containers/runtime/runtime.go
- Removed crio and podman support
- pkg/containers/runtime/sockets.go
- Removed docker, crio and podman support
- Use a named pipe to communicate with containerd
- pkg/containers/containers.go and pkg/containers/datasource.go
- Merged into pkg/containers/main.go
- Removed cgroup-related and eBPF-related functions
- pkg/containers/service.go
- Added
Populatefunction
- Added
- pkg/ebpf/events_pipeline.go and pkg/epbf/events_processor.go
- Merged into pkg/etw/events_pipeline.go
- Removed some functions
- pkg/ebpf/finding.go
- Renamed to pkg/etw/main.go
- Removed some functions
- pkg/ebpf/signature_engine.go
- Renamed to pkg/etw/engine.go
- Removed the metrics-related process
- pkg/ebpf/tracee.go
- Renamed to pkg/etw/eolh.go
- Removed some functions
- Use ETW instead of eBPF
- pkg/events/events.go
- Removed all functions, constants and types except
IDandEvent
- Removed all functions, constants and types except
- pkg/logger/callerinfo.go
- Rename traceeIndex to eolhIndex
- pkg/signatures/regosig/traceerego.go
- Renamed to pkg/signatures/regosig/eolhrego.go
- Replace
tracee_*toeolh_*
- pkg/signatures/signature/signature.go
- Renamed to pkg/signatures/signature.go
- Removed the plugin system (because the plugin system dose not work on Windows)
- Removed some functions
- types/detect/detect.go
- Renamed to pkg/detect/main.go
- The import path was modified to match Eolh
- types/protocol/protocol.go
- Renamed to pkg/protocol/main.go
- Removed some functions
- types/trace/trace.go
- Renamed to pkg/trace/main.go
- Removed some functions
- .gitignore
- The subject item was updated to match Eolh.
- LICENSE
- Renamed to LICENSE.tracee
- go.mod
- Updated dependencies
- go.sum
- Updated dependencies