v0.8.0-rc-1
Pre-release
github-actions released this 03 Jul 20:34
v0.8.0
Docker Images
docker pull docker.io/aquasec/tracee:v0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.8.0 (compiles non CO-RE eBPF object on startup)
Highlights
Breaking Changes
New Features
- Container event enrichment with data from multiple runtimes #1809 #1886
- New Helm chart for installing tracee with postee #1812
- Tracee-rules signatures can now be written in CEL #1766
- The `sched_process_exec` event now has the binary file's inode mode information #1889
- The `security_file_open` event now has the syscall pathname #1841
- The `sched_process_exec` event now has an `interp` field #1831
- Events now contain the thread start time #1849
- Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
- Started documenting events under `docs/events` #1808
- Created a new `derived` package for a new type of 'derived' events #1822
- Install instructions for nixos #1827 - Thanks @06kellyjac!
- New grafana dashboard for tracee metrics #1605 #1610
- Unrequired linux capabilities are dropped on startup #1508
- New signature for syscall hooking detection
- Capture of icmp network traffic #1362
New eBPF Events
- `device_add` #1690
- `net_packet`, `dns_query`, `dns_response` #1515
- `hooked_proc_fops` for /proc file operation detection #1718
- `hidden_sockets` #1730
- `set_task_comm` indicating process name change #1811
- `security_socket_setsockopt` (LSM hook) #1859
- dns events over tcp #1807
- `do_init_module` #1708
- `security_mmap_file`, `security_file_mprotect`, `shared_object_loaded` based on `security_mmap_file` (LSM hook) #1631
Fixes
- Tracee will no longer crash when tracing symbols present in kernel modules #1882
- Removed false positive for TRC-11 signature #1878
- Filtering for the `hooked_seq_ops` event now works as expected #1860
- Kallsyms are updated when kernel modules are loaded
Full Changelog: