Releases: aquasecurity/tracee
v0.8.1
v0.8.1
This release is smaller than v0.8.0 which is an intended trend towards more frequent smaller releases.
It contains many fixes and some impactful new features.
Docker images
docker pull docker.io/aquasec/tracee:0.8.1 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.8.1 (compiles non CO-RE eBPF object on startup)
Highlights
Breaking Changes
- There should be no breaking changes
Fixes
- Fixed a lot of errors being surfaced via loading symbols (#2037)
- Tracee container won't duplicate probing of linux proc capabilities (#2056 thanks @cdelzotti!)
- Added perf_event_paranoid dependent capability support (#2033 thanks @cdelzotti!)
- Recomissioned disabled integration tests (#2017)
- Converted manually run eBPF programs to use uprobes instead of ioctls (#2031)
- many more... see full changelog
New Features
- New package for initializing a tracee-ebpf object (#2006)
- New
symbols_loaded
event to monitor shared object exported symbols (#2014) - Added ELF interpreter ctime to
sched_process_exec
event (#1977)
Full Changelog
8d6da1b - pkg/events/derive: prevent spam errors with symbols_loaded (#2037) (Alon Zivony)
546aa65 - retain context of triggering event to the triggered event (#2049) (AsafEitani)
57bda50 - fix: fix hooked_seq_ops argument type and register in gob (#2058) (AsafEitani)
5bdaedc - delete minor unreachable code caused by t.FailNow (#2057) (Abirdcfly)
42f5074 - builder: Remove cap probing for trace subcommand (#2056) (cdelzotti)
30f2078 - refactor: add TODO comments for a future refactoring PR (AsafEitani)
a1dcca7 - fix: satisfy verifier on kernel 5.4 (AsafEitani)
1f67247 - events: combine hooked_seq_ops event output to one event (AsafEitani)
4105fe7 - bpf: refactor save_u64_arr_to_buf (AsafEitani)
803b6b4 - probes: create new uprobe hooks for needed uprobe triggers (AsafEitani)
1ad5f60 - docs: fix symbols_loaded
event doc (#2054) (Alon Zivony)
67941b6 - derive: fix libs whitelist of symbols_loaded (#2048) (Alon Zivony)
9b31c56 - Add perf_event_paranoid capability support (#2033) (cdelzotti)
362a6f2 - tracee-bench: prometheus.sh to be executed from any origin (Rafael David Tinoco)
8782c17 - tracee-bench: adjust makefile targets (Rafael David Tinoco)
f4a8ec5 - tracee-bench: tool to track performance information (#1985) (Nadav Strahilevitz)
f35e039 - pkg/ebpf: fix container started flag value (#2044) (Alon Zivony)
f4baab6 - pkg/ebpf: add container_started event flag (#2032) (Alon Zivony)
e785ea9 - types: add context flags with container flag to event (#2041) (Alon Zivony)
db8fc2b - fix broken link for prerequest in ReadMe file (#2040) (Mor Weinberger)
c7c717c - recomission integration tests (#2017) (Nadav Strahilevitz)
fcdb1d6 - pkg/ebpf: change authentication symbol for kallsyms (#2035) (Alon Zivony)
fdc4e7f - ebpf: add event to monitor SOs exported symbols (#2014) (Alon Zivony)
09f73af - fix: typo fix in comment (p1nant0m)
cb56c6a - kerneltest: improve error handling and stderr output (Rafael David Tinoco)
db8d7f5 - Revert "pkg/ebpf: add container_started event flag (#1984)" (Rafael David Tinoco)
97b0363 - Revert "types: add context flags with container flag to event (#2007)" (Rafael David Tinoco)
d2d0061 - fix: verifier error on arm due to register reuse (#2024) (AsafEitani)
1371089 - tests: disable fail-fast on pr workflow (#2021) (Nadav Strahilevitz)
d6de9ef - pkg/ebpf: add container_started event flag (#1984) (Alon Zivony)
45d2bad - tests: use kerneltest.sh instead of distro-tester logic (Rafael David Tinoco)
d1a9b99 - tests: remove distro-tester after replaced by kerneltest.sh (Rafael David Tinoco)
2339d3e - types: add context flags with container flag to event (#2007) (Alon Zivony)
82d5f2b - pkg/utils/shared_objects: load dynamic symbols (Alon Zivony)
b02939c - pkg/containers: resolve host absolute container path (Alon Zivony)
d5320ed - tracee-ebpf: export initialization logic (#2006) (Nadav Strahilevitz)
d7552d6 - tests: remove core and non-core tests temporarily (Rafael David Tinoco)
2cdb276 - containers: containers_map set by package initialization (#1998) (Rafael David Tinoco)
cd0db36 - ubuntu: impish is EOL, move things to jammy (LTS) (#2004) (Rafael David Tinoco)
1cd5e6d - events_enrich: do not try to close nil channel (#2000) (Rafael David Tinoco)
9639325 - tracee: split new between new and init (#1997) (Nadav Strahilevitz)
da72927 - pipeline: fix container lifecycle events (Yaniv Agman)
1286f6f - ebpf: don't submit exit events unless required (Yaniv Agman)
0b29052 - filters: package cleanup and streamlining (#1995) (Nadav Strahilevitz)
aaf3bd9 - flags: file renames and add tests (#1993) (Nadav Strahilevitz)
5153bbc - pkg/ebpf: add interpreter ctime (#1977) (Alon Zivony)
dc946f7 - filters: separate into new package (#1992) (Nadav Strahilevitz)
8ee9e0a - ebpf: simplify filters logic (Yaniv Agman)
277d305 - containers: add Close function for cleanup (#1982) (Nadav Strahilevitz)
226d50c - fix: update kallsyms only when hooked events are selected (#1983) (AsafEitani)
35b39b5 - feat(deps): Upgrade Postee Helm chart version (#1924) (simar7)
41077b3 - k8s: fix tracee version to latest release v0.8.0 (#1975) (Rafael David Tinoco)
8f8b515 - ebpf: fix old pid_ns resolution (#1972) (#1973) (Song Chen)
v0.8.0
v0.8.0
Docker Images
docker pull docker.io/aquasec/tracee:0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.8.0 (compiles non CO-RE eBPF object on startup)
Highlights
- Helm Chart still pointing to v0.7.0 release (fix it manually please) #1975
Breaking Changes
New Features
- Container event enrichment with data from multiple runtimes #1809 #1886
- New Helm chart for installing tracee with postee #1812
- Tracee-rules signatures can now be written in CEL #1766
- The
sched_process_exec
event now has the binary file's inode mode information #1889 - The
security_file_open
event now has syscall pathname #1841 - The
sched_process_exec
event now has aninterp
field #1831 - Events now contain thread start time #1849
- Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
- Started documenting events under
docs/events
#1808 - Created a new
derived
package for a new type of 'derived' events #1822 - Install instructions for nixos #1827 - Thanks @06kellyjac!
- New grafana dashboard for tracee metrics #1605 #1610
- Unrequired linux capabilities are dropped on startup #1508
- New signature for syscall hooking detection
- Capture of icmp network traffic #1362
New eBPF Events
device_add
#1690net_packet
,dns_query
,dns_response
#1515hooked_proc_fops
for /proc file operation detection #1718hidden_sockets
#1730set_task_comm
indicating process name change #1811security_socket_setsockopt
(LSM hook) #1859- dns events over tcp #1807
do_init_module
#1708security_mmap_file
,security_file_mprotect
,shared_object_loaded
based onsecurity_mmap_file
(LSM hook) #1631device_add
#1690
Fixes
- Tracee will no longer crash when tracing symbols present in kernel modules #1882
- Removed false positive for TRC-11 signature #1878
- Filtering for
hooked_seq_ops
event now works as expected #1860 - Kallsyms are updated when kernel modules are loaded
Full Changelog:
v0.8.0-rc-2
Docker images
docker pull docker.io/aquasec/tracee:0.8.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.8.0-rc-2 (compiles non CO-RE eBPF object on startup)
v0.8.0-rc-1
v0.8.0
Docker Images
docker pull docker.io/aquasec/tracee:v0.8.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.8.0 (compiles non CO-RE eBPF object on startup)
Highlights
Breaking Changes
New Features
- Container event enrichment with data from multiple runtimes #1809 #1886
- New Helm chart for installing tracee with postee #1812
- Tracee-rules signatures can now be written in CEL #1766
- The
sched_process_exec
event now has the binary file's inode mode information #1889 - The
security_file_open
event now has syscall pathname #1841 - The
sched_process_exec
event now has aninterp
field #1831 - Events now contain thread start time #1849
- Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
- Started documenting events under
docs/events
#1808 - Created a new
derived
package for a new type of 'derived' events #1822 - Install instructions for nixos #1827 - Thanks @06kellyjac!
- New grafana dashboard for tracee metrics #1605 #1610
- Unrequired linux capabilities are dropped on startuip #1508
- New signature for syscall hooking detection
- Capture of icmp network traffic #1362
New eBPF Events
device_add
#1690net_packet
,dns_query
,dns_response
#1515hooked_proc_fops
for /proc file operation detection #1718hidden_sockets
#1730set_task_comm
indicating process name change #1811security_socket_setsockopt
(LSM hook) #1859- dns events over tcp #1807
do_init_module
#1708security_mmap_file
,security_file_mprotect
,shared_object_loaded
based onsecurity_mmap_file
(LSM hook) #1631device_add
#1690
Fixes
- Tracee will no longer crash when tracing symbols present in kernel modules #1882
- Removed false positive for TRC-11 signature #1878
- Filtering for
hooked_seq_ops
event now works as expected #1860 - Kallsyms are updated when kernel modules are loaded
Full Changelog:
v0.7.0
v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!
Docker images
docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)
What's Changed
Features
- BTFHub Support (#1226)
- Added support for tracing many new 32 and 64 byte system calls (#1245. #1196)
sched_process_fork
event now includes pid of both processes (#1280)- New Hidden Inode event (#1187)
- New capabilities package (#1256)
- Many new documentation files and improvements
- New process context map (#1300)
- Support for libbpf/libbpfgo 0.7
- Container lifecycle events (#1397)
- Container ID filtering (#1426)
- Sorting of events by timestamp (#1103)
- New decoder package (#1405)
- Introducing packages for linux distros (#1403, #1479)
- Prometheus support (#1404)
- New net_packet event (#1469)
- New security_path_symlink event (#1490)
- Expanded kconfig to BPF code (#1512)
- New
existing_containers
event (#1519) - eBPF events caching option (#1527)
Fixes
- Argument types are properly changed when the output option 'parse-arguements' is passed (#1235)
- Remove false positives for memfd executables (#1207)
- Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
- Corrected incorrect PPID in ebpf events (#1244)
- Fix non-systemd docker runtime support (#1319)
- Fix
tracee-rules --list-events
output to remove duplicates and sort (#1327) - eBPF non-core will not be built during tracee-ebpf execution (#1273)
- Proper handling of errors when BPF object can't be loaded (#1349)
- Reordering variables on the stack (#1281)
- Refactoring of events map (#1293)
- Update to go 1.17 (#1084)
- Stats for lost events are printed to stderr (#1387)
- Fixed missing security lockdown sysfs file (#1402)
- Improved testing (#1282, #1410, #1411, #1416)
- Fix for inequality filter in tracee-ebpf (#1419)
- Fixed pcap packet data (#1500)
New Contributors
- @chriskaliX made their first contribution in #1296
- @vincent-pli made their first contribution in #1327
- @liamg made their first contribution in #1360
- @Akasurde made their first contribution in #1427
- @Phat3 made their first contribution in #1480
- @OriGlassman made their first contribution in #1490
- @kaitoii11 made their first contribution in #1567
- @YuviGold made their first contribution in #1570
Full Changelog: v0.6.5...v0.7.0
v0.7.0-rc-2
Docker images
docker pull docker.io/aquasec/tracee:v0.7.0-rc-2 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-2 (compiles non CO-RE eBPF object on startup)
v0.7.0-rc-1
Docker images
docker pull docker.io/aquasec/tracee:v0.7.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.7.0-rc-1 (compiles non CO-RE eBPF object on startup)
v0.6.5
Changelog
2bdb16e fix help on output flags (#1205)
8f7c296 add type of stdin in sched_process_exec (#1214)
e1352f8 get file types from inode struct instead of file_operations (#1213)
83155b2 tracee-ebpf: fix pid 0 with CO-RE
9ab89fa chore: install docker in the Vagrant vm (#1197)
d9cfba2 tracee-ebpf: turn CO-RE v4.18 and beyond compatible
e22f05b tracee-ebpf: comments for co-re type flavors
fd5a64b tracee-ebpf: fix kernfs_node CORE access in RHEL8
d2a942d wait for tracee-ebpf to load
15deef4 support writing to existing files
3354b32 move readiness file out of library to main
6f3ceee docs: Re-add section for MacOS (#1194)
7e2186f add ctime to security_file_open and fix variable type (#1167)
060b554 Checking /proc/sys/kernel/ftrace_enabled (#1152)
7f9c2dc fix reading sockaddr_in struct
7a6c1af tracee-ebpf: keep deleted containers
bbc98ed tracee-ebpf: reformat fixes
1b52e96 tracee-ebpf: reformat suggestions for better readability
0c87b72 tracee-ebpf: remove unneeded asm_inline clang mitigation
7474fcc Upgrade dependencies (#1176)
ea58aba tracee-ebpf: rename co-re headers
e9b0ed6 Fix linux headers broken link in readme
74ad130 tracee-ebpf: single vmlinux header file for CO-RE
3bedc4f tracee-ebpf: remove unused VM_LINUX_H from Makefile
c1ff3f6 tracee-ebpf: clean up unused task_struct fields
c5c96c3 tracee-ebpf: get rid of BPF_NO_PRESERVE_ACCESS_INDEX ifdefs
2c2b008 tracee-ebpf: fix CO-RE sk_protocol access in 5.6 kernels
5e9ead9 vmlinux: introduce vmlinux-flavored.h to contain flavored types
d23987b tracee-ebpf: CO-RE shouldn't rely in LINUX_VERSION_CODE
a2703cf vmlinux: unify x86_64 and arm64 vmlinux CO-RE header files
0b4c9a3 vmlinux.h: remove full vmlinux.h files
439943c vmlinux: create vmlinux-core.h for arm64 builds
2a5eceb vmlinux: introduce vmlinux-core for x86_64
c82f547 makefile: fix ordering of -Wno-* flags
dbbd970 fix: use alpine:3.15 as base image to build tracee (#1173)
a38f518 docs: use mkdocs macros plugin to specify version of tracee release artifacts (#1164)
e9a2527 docs: update mkdocs version dependency (#1168)
729fe32 docs: add git_semver variable to mkdocs (#1166)
0893a08 fix: install the tini package in the tracee:slim container image (#1162)
9962191 refactor: tests for Go signatures (#1128)
c75bd90 docs: fix formatting on eBPF Compilation page (#1163)
1cb78ec docs: add cgroupns=host docker option
ea71755 tracee-ebpf: filter containers using cgroup id
5198ee0 fix wrong type assertion (#1153)
d421bb9 tracee-ebpf: use cgroup id for container id resolution (#1130)
90ed35e tracee-ebpf: don't parse pointers when parse-arguments is chosen
11915a6 tracee-ebpf: introduce MemProtAlert type in external package
a22531c add READ_USER (#1147)
7df0e9b fix: using exec-hash instead of exec-info (#1144)
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.6.5
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.6.5
v0.6.4
Changelog
f4788a5 tracee-ebpf: fix events sent in parallel to raw_sys_exit event
71f8ff2 use plain addr argument (#1141)
df364f3 add user namespace to slim_cred struct (#1137)
cd63e86 adding ctime to sched-process-exec event. Resolves: #1075
611c200 Update Readme.md (#1078)
dc6f3af Add option for raw arguments from various event flags (#1123)
95aa7af tracee.bpf: fix READ_KERN incompat ptr type discards
6d90e79 tracee-ebpf: fix arm64 build
74a14b5 test: even params formatter (#1100)
c999952 docs: fix formatting on prerequisites page (#1126)
a67b8cc init_module capture (#1122)
0fb7fca deploy: update postee manifest with tolerations and resource limits (#1060)
4389a4a add socket_dup (#1064)
25990c6 add security_kernel_post_read_file and capture kernel modules (#1080)
7b98707 add more process names to allowlist (#1118)
7ab6bf6 add cgroup release_agent modification signature (#1116)
cd216b8 removing '--security-alerts' flag. Resolves: #1106
409becc Only remove a process from the process tree filter map if it's a tgid (#1079)
340d04f tracee-ebpf: CO-RE: add GET_FIELD_ADDR macro
09476a0 tracee-ebpf: read exec arguments without a loop
f943d7f feat: Refactor clang version check and fix a panic (#1097)
cf3b4cc feat: Add tests for checkRequiredCapabilities() (#1088)
b029d07 Fix tracee-ebpf compilation on RHEL-likes (#1052)
020949d feat: Update tracee-rules base image to golang:1.17-buster (#1082)
aa6fa83 Add more tests for prepareCapture (#1087)
719d6ae tracee-ebpf: fix verifier issue on kernel 4.19
f878b19 Revert "tracee-ebpf: fix switch_task_ns verifier issue"
a8bca3e tracee-ebpf: use syscall_data_map to detect syscall
dee2e5e tracee-ebpf: fix switch_task_ns verifier issue
766ec87 tracee-ebpf: simplify syscall data saving
7e671f2 tracee-ebpf: fix commit_creds verifier issue
0b0ac4f Add etcd to exempted process list
cc7f8f0 fix type of security_kernel_read_file event
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.6.4
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.6.4
v0.6.3
Changelog
7a46f53 feat: Add list-events flag for listing events (#1071)
4262182 chore: adding to mkdocs missing links (#1070)
203a91f tracee-ebpf: simplify code
e942ffa tracee-ebpf: save correct argnum automatically
8ce15c8 tracee-ebpf: use event_data for buffer offset
79c28b2 fix missing decleration
48654aa fix sockaddr struct overflow and change error message
a9f774b Parse the version from module tags (#1062)
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.6.3
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.6.3