
Releases: aquasecurity/tracee

v0.8.1

11 Aug 19:01
8d6da1b

This release is smaller than v0.8.0, reflecting an intended move towards more frequent, smaller releases.
It contains many fixes and some impactful new features.

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.1 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

  • There should be no breaking changes

Fixes

  • Fixed a lot of errors being surfaced via loading symbols (#2037)
  • The Tracee container no longer duplicates probing of Linux capabilities (#2056, thanks @cdelzotti!)
  • Added perf_event_paranoid dependent capability support (#2033, thanks @cdelzotti!)
  • Recommissioned disabled integration tests (#2017)
  • Converted manually run eBPF programs to use uprobes instead of ioctls (#2031)
  • Many more; see the full changelog below

New Features

  • New package for initializing a tracee-ebpf object (#2006)
  • New symbols_loaded event to monitor shared object exported symbols (#2014)
  • Added ELF interpreter ctime to sched_process_exec event (#1977)

Full Changelog

8d6da1b - pkg/events/derive: prevent spam errors with symbols_loaded (#2037) (Alon Zivony)
546aa65 - retain context of triggering event to the triggered event (#2049) (AsafEitani)
57bda50 - fix: fix hooked_seq_ops argument type and register in gob (#2058) (AsafEitani)
5bdaedc - delete minor unreachable code caused by t.FailNow (#2057) (Abirdcfly)
42f5074 - builder: Remove cap probing for trace subcommand (#2056) (cdelzotti)
30f2078 - refactor: add TODO comments for a future refactoring PR (AsafEitani)
a1dcca7 - fix: satisfy verifier on kernel 5.4 (AsafEitani)
1f67247 - events: combine hooked_seq_ops event output to one event (AsafEitani)
4105fe7 - bpf: refactor save_u64_arr_to_buf (AsafEitani)
803b6b4 - probes: create new uprobe hooks for needed uprobe triggers (AsafEitani)
1ad5f60 - docs: fix symbols_loaded event doc (#2054) (Alon Zivony)
67941b6 - derive: fix libs whitelist of symbols_loaded (#2048) (Alon Zivony)
9b31c56 - Add perf_event_paranoid capability support (#2033) (cdelzotti)
362a6f2 - tracee-bench: prometheus.sh to be executed from any origin (Rafael David Tinoco)
8782c17 - tracee-bench: adjust makefile targets (Rafael David Tinoco)
f4a8ec5 - tracee-bench: tool to track performance information (#1985) (Nadav Strahilevitz)
f35e039 - pkg/ebpf: fix container started flag value (#2044) (Alon Zivony)
f4baab6 - pkg/ebpf: add container_started event flag (#2032) (Alon Zivony)
e785ea9 - types: add context flags with container flag to event (#2041) (Alon Zivony)
db8fc2b - fix broken link for prerequest in ReadMe file (#2040) (Mor Weinberger)
c7c717c - recomission integration tests (#2017) (Nadav Strahilevitz)
fcdb1d6 - pkg/ebpf: change authentication symbol for kallsyms (#2035) (Alon Zivony)
fdc4e7f - ebpf: add event to monitor SOs exported symbols (#2014) (Alon Zivony)
09f73af - fix: typo fix in comment (p1nant0m)
cb56c6a - kerneltest: improve error handling and stderr output (Rafael David Tinoco)
db8d7f5 - Revert "pkg/ebpf: add container_started event flag (#1984)" (Rafael David Tinoco)
97b0363 - Revert "types: add context flags with container flag to event (#2007)" (Rafael David Tinoco)
d2d0061 - fix: verifier error on arm due to register reuse (#2024) (AsafEitani)
1371089 - tests: disable fail-fast on pr workflow (#2021) (Nadav Strahilevitz)
d6de9ef - pkg/ebpf: add container_started event flag (#1984) (Alon Zivony)
45d2bad - tests: use kerneltest.sh instead of distro-tester logic (Rafael David Tinoco)
d1a9b99 - tests: remove distro-tester after replaced by kerneltest.sh (Rafael David Tinoco)
2339d3e - types: add context flags with container flag to event (#2007) (Alon Zivony)
82d5f2b - pkg/utils/shared_objects: load dynamic symbols (Alon Zivony)
b02939c - pkg/containers: resolve host absolute container path (Alon Zivony)
d5320ed - tracee-ebpf: export initialization logic (#2006) (Nadav Strahilevitz)
d7552d6 - tests: remove core and non-core tests temporarily (Rafael David Tinoco)
2cdb276 - containers: containers_map set by package initialization (#1998) (Rafael David Tinoco)
cd0db36 - ubuntu: impish is EOL, move things to jammy (LTS) (#2004) (Rafael David Tinoco)
1cd5e6d - events_enrich: do not try to close nil channel (#2000) (Rafael David Tinoco)
9639325 - tracee: split new between new and init (#1997) (Nadav Strahilevitz)
da72927 - pipeline: fix container lifecycle events (Yaniv Agman)
1286f6f - ebpf: don't submit exit events unless required (Yaniv Agman)
0b29052 - filters: package cleanup and streamlining (#1995) (Nadav Strahilevitz)
aaf3bd9 - flags: file renames and add tests (#1993) (Nadav Strahilevitz)
5153bbc - pkg/ebpf: add interpreter ctime (#1977) (Alon Zivony)
dc946f7 - filters: separate into new package (#1992) (Nadav Strahilevitz)
8ee9e0a - ebpf: simplify filters logic (Yaniv Agman)
277d305 - containers: add Close function for cleanup (#1982) (Nadav Strahilevitz)
226d50c - fix: update kallsyms only when hooked events are selected (#1983) (AsafEitani)
35b39b5 - feat(deps): Upgrade Postee Helm chart version (#1924) (simar7)
41077b3 - k8s: fix tracee version to latest release v0.8.0 (#1975) (Rafael David Tinoco)
8f8b515 - ebpf: fix old pid_ns resolution (#1972) (#1973) (Song Chen)

v0.8.0

14 Jul 21:38
db48b41

Docker Images

  • docker pull docker.io/aquasec/tracee:0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

  • The Helm chart still points to the v0.7.0 release (please fix it manually) #1975

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unrequired linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

v0.8.0-rc-2

14 Jul 16:38
9862480
v0.8.0-rc-2 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0-rc-2 (compiles non CO-RE eBPF object on startup)

v0.8.0-rc-1

03 Jul 20:34
549e411
v0.8.0-rc-1 Pre-release

v0.8.0

Docker Images

  • docker pull docker.io/aquasec/tracee:v0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.8.0 (compiles non CO-RE eBPF object on startup)

Highlights

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing tracee with postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for nixos #1827 - Thanks @06kellyjac!
  • New grafana dashboard for tracee metrics #1605 #1610
  • Unrequired linux capabilities are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of icmp network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • dns events over tcp #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:

v0.7.0

28 Mar 21:27
71a6004

v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)

What's Changed

Features

  • BTFHub Support (#1226)
  • Added support for tracing many new 32-bit and 64-bit system calls (#1245, #1196)
  • sched_process_fork event now includes pid of both processes (#1280)
  • New Hidden Inode event (#1187)
  • New capabilities package (#1256)
  • Many new documentation files and improvements
  • New process context map (#1300)
  • Support for libbpf/libbpfgo 0.7
  • Container lifecycle events (#1397)
  • Container ID filtering (#1426)
  • Sorting of events by timestamp (#1103)
  • New decoder package (#1405)
  • Introducing packages for linux distros (#1403, #1479)
  • Prometheus support (#1404)
  • New net_packet event (#1469)
  • New security_path_symlink event (#1490)
  • Expanded kconfig to BPF code (#1512)
  • New existing_containers event (#1519)
  • eBPF events caching option (#1527)

Fixes

  • Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
  • Remove false positives for memfd executables (#1207)
  • Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
  • Corrected incorrect PPID in ebpf events (#1244)
  • Fix non-systemd docker runtime support (#1319)
  • Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
  • eBPF non-core will not be built during tracee-ebpf execution (#1273)
  • Proper handling of errors when BPF object can't be loaded (#1349)
  • Reordering variables on the stack (#1281)
  • Refactoring of events map (#1293)
  • Update to go 1.17 (#1084)
  • Stats for lost events are printed to stderr (#1387)
  • Fixed missing security lockdown sysfs file (#1402)
  • Improved testing (#1282, #1410, #1411, #1416)
  • Fix for inequality filter in tracee-ebpf (#1419)
  • Fixed pcap packet data (#1500)

New Contributors

Full Changelog: v0.6.5...v0.7.0

v0.7.0-rc-2

28 Mar 19:04
80c6d4e
v0.7.0-rc-2 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-2 (compiles non CO-RE eBPF object on startup)

v0.7.0-rc-1

21 Mar 17:21
v0.7.0-rc-1 Pre-release

Docker images

  • docker pull docker.io/aquasec/tracee:v0.7.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-1 (compiles non CO-RE eBPF object on startup)

v0.6.5

06 Dec 16:10
2bdb16e

Changelog

2bdb16e fix help on output flags (#1205)
8f7c296 add type of stdin in sched_process_exec (#1214)
e1352f8 get file types from inode struct instead of file_operations (#1213)
83155b2 tracee-ebpf: fix pid 0 with CO-RE
9ab89fa chore: install docker in the Vagrant vm (#1197)
d9cfba2 tracee-ebpf: turn CO-RE v4.18 and beyond compatible
e22f05b tracee-ebpf: comments for co-re type flavors
fd5a64b tracee-ebpf: fix kernfs_node CORE access in RHEL8
d2a942d wait for tracee-ebpf to load
15deef4 support writing to existing files
3354b32 move readiness file out of library to main
6f3ceee docs: Re-add section for MacOS (#1194)
7e2186f add ctime to security_file_open and fix variable type (#1167)
060b554 Checking /proc/sys/kernel/ftrace_enabled (#1152)
7f9c2dc fix reading sockaddr_in struct
7a6c1af tracee-ebpf: keep deleted containers
bbc98ed tracee-ebpf: reformat fixes
1b52e96 tracee-ebpf: reformat suggestions for better readability
0c87b72 tracee-ebpf: remove unneeded asm_inline clang mitigation
7474fcc Upgrade dependencies (#1176)
ea58aba tracee-ebpf: rename co-re headers
e9b0ed6 Fix linux headers broken link in readme
74ad130 tracee-ebpf: single vmlinux header file for CO-RE
3bedc4f tracee-ebpf: remove unused VM_LINUX_H from Makefile
c1ff3f6 tracee-ebpf: clean up unused task_struct fields
c5c96c3 tracee-ebpf: get rid of BPF_NO_PRESERVE_ACCESS_INDEX ifdefs
2c2b008 tracee-ebpf: fix CO-RE sk_protocol access in 5.6 kernels
5e9ead9 vmlinux: introduce vmlinux-flavored.h to contain flavored types
d23987b tracee-ebpf: CO-RE shouldn't rely in LINUX_VERSION_CODE
a2703cf vmlinux: unify x86_64 and arm64 vmlinux CO-RE header files
0b4c9a3 vmlinux.h: remove full vmlinux.h files
439943c vmlinux: create vmlinux-core.h for arm64 builds
2a5eceb vmlinux: introduce vmlinux-core for x86_64
c82f547 makefile: fix ordering of -Wno-* flags
dbbd970 fix: use alpine:3.15 as base image to build tracee (#1173)
a38f518 docs: use mkdocs macros plugin to specify version of tracee release artifacts (#1164)
e9a2527 docs: update mkdocs version dependency (#1168)
729fe32 docs: add git_semver variable to mkdocs (#1166)
0893a08 fix: install the tini package in the tracee:slim container image (#1162)
9962191 refactor: tests for Go signatures (#1128)
c75bd90 docs: fix formatting on eBPF Compilation page (#1163)
1cb78ec docs: add cgroupns=host docker option
ea71755 tracee-ebpf: filter containers using cgroup id
5198ee0 fix wrong type assertion (#1153)
d421bb9 tracee-ebpf: use cgroup id for container id resolution (#1130)
90ed35e tracee-ebpf: don't parse pointers when parse-arguments is chosen
11915a6 tracee-ebpf: introduce MemProtAlert type in external package
a22531c add READ_USER (#1147)
7df0e9b fix: using exec-hash instead of exec-info (#1144)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.5
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.5

v0.6.4

15 Nov 20:03

Changelog

f4788a5 tracee-ebpf: fix events sent in parallel to raw_sys_exit event
71f8ff2 use plain addr argument (#1141)
df364f3 add user namespace to slim_cred struct (#1137)
cd63e86 adding ctime to sched-process-exec event. Resolves: #1075
611c200 Update Readme.md (#1078)
dc6f3af Add option for raw arguments from various event flags (#1123)
95aa7af tracee.bpf: fix READ_KERN incompat ptr type discards
6d90e79 tracee-ebpf: fix arm64 build
74a14b5 test: even params formatter (#1100)
c999952 docs: fix formatting on prerequisites page (#1126)
a67b8cc init_module capture (#1122)
0fb7fca deploy: update postee manifest with tolerations and resource limits (#1060)
4389a4a add socket_dup (#1064)
25990c6 add security_kernel_post_read_file and capture kernel modules (#1080)
7b98707 add more process names to allowlist (#1118)
7ab6bf6 add cgroup release_agent modification signature (#1116)
cd216b8 removing '--security-alerts' flag. Resolves: #1106
409becc Only remove a process from the process tree filter map if it's a tgid (#1079)
340d04f tracee-ebpf: CO-RE: add GET_FIELD_ADDR macro
09476a0 tracee-ebpf: read exec arguments without a loop
f943d7f feat: Refactor clang version check and fix a panic (#1097)
cf3b4cc feat: Add tests for checkRequiredCapabilities() (#1088)
b029d07 Fix tracee-ebpf compilation on RHEL-likes (#1052)
020949d feat: Update tracee-rules base image to golang:1.17-buster (#1082)
aa6fa83 Add more tests for prepareCapture (#1087)
719d6ae tracee-ebpf: fix verifier issue on kernel 4.19
f878b19 Revert "tracee-ebpf: fix switch_task_ns verifier issue"
a8bca3e tracee-ebpf: use syscall_data_map to detect syscall
dee2e5e tracee-ebpf: fix switch_task_ns verifier issue
766ec87 tracee-ebpf: simplify syscall data saving
7e671f2 tracee-ebpf: fix commit_creds verifier issue
0b0ac4f Add etcd to exempted process list
cc7f8f0 fix type of security_kernel_read_file event

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.4
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.4

v0.6.3

13 Oct 17:09
7a46f53

Changelog

7a46f53 feat: Add list-events flag for listing events (#1071)
4262182 chore: adding to mkdocs missing links (#1070)
203a91f tracee-ebpf: simplify code
e942ffa tracee-ebpf: save correct argnum automatically
8ce15c8 tracee-ebpf: use event_data for buffer offset
79c28b2 fix missing declaration
48654aa fix sockaddr struct overflow and change error message
a9f774b Parse the version from module tags (#1062)

Docker images

  • docker pull docker.io/aquasec/tracee:latest
  • docker pull docker.io/aquasec/tracee:0.6.3
  • docker pull docker.io/aquasec/tracee:slim
  • docker pull docker.io/aquasec/tracee:slim-0.6.3