enrichment

NAME

tracee --enrichment - Configure enrichment for container events and other enrichment options

SYNOPSIS

tracee --enrichment [container|container.cgroupfs.path=path|container.cgroupfs.force|container.docker.socket=socket_path|container.containerd.socket=socket_path|container.crio.socket=socket_path|container.podman.socket=socket_path|fd-paths|environment|executable-hash|executable-hash.mode=mode|user-stack|decoded-data] [--enrichment ...]

DESCRIPTION

The --enrichment flag allows you to configure enrichment options for container events and other enrichment features.

Flags

  • container: Enable container enrichment with default settings. When enabled, Tracee will enrich container events with container information.

  • container.cgroupfs.path=path: Enable container enrichment and configure the path to the cgroupfs where container cgroups are created. This is used as a hint for auto-detection. Note: Using this option automatically enables container, so you don't need to also specify --enrichment container. Example:

    --enrichment container.cgroupfs.path=/sys/fs/cgroup
    

  • container.cgroupfs.force: Force the usage of the provided mountpoint path, skipping auto-detection. Note: This option requires container.cgroupfs.path to be set. It cannot be used alone. Example:

    --enrichment container.cgroupfs.path=/sys/fs/cgroup --enrichment container.cgroupfs.force
    

  • container.docker.socket=socket_path: Enable container enrichment and set the path to the Docker runtime socket that Tracee queries for container information. Note: Using this option automatically enables container, so you don't need to also specify --enrichment container. Example:

    --enrichment container.docker.socket=/var/run/docker.sock
    

  • container.containerd.socket=socket_path: Enable container enrichment and set the path to the Containerd runtime socket that Tracee queries for container information. Note: Using this option automatically enables container, so you don't need to also specify --enrichment container. Example:

    --enrichment container.containerd.socket=/var/run/containerd/containerd.sock
    

  • container.crio.socket=socket_path: Enable container enrichment and set the path to the CRI-O runtime socket that Tracee queries for container information. Note: Using this option automatically enables container, so you don't need to also specify --enrichment container. Example:

    --enrichment container.crio.socket=/var/run/crio/crio.sock
    

  • container.podman.socket=socket_path: Enable container enrichment and set the path to the Podman runtime socket that Tracee queries for container information. Note: Using this option automatically enables container, so you don't need to also specify --enrichment container. Example:

    --enrichment container.podman.socket=/var/run/podman/podman.sock
    

Supported container runtimes for socket configuration:

  • CRI-O (crio, cri-o)

  • Containerd (containerd)

  • Docker (docker)

  • Podman (podman)

  • fd-paths: Enable fd-paths. When enabled, Tracee resolves file descriptor arguments to the file paths they refer to, instead of showing only the descriptor number. This path translation may slow down the event pipeline. Example:

    --enrichment fd-paths
    

  • decoded-data: Enable decoded-data. When enabled, Tracee will decode event arguments into human-readable strings instead of raw machine-readable values. This converts numeric flags, permissions, syscall types, and other raw values into readable format (e.g., O_RDONLY instead of 0, PROT_READ instead of 1). Recommended for interactive use and readability, but may add processing overhead that impacts performance on high-volume event streams. Example:

    --enrichment decoded-data
    

  • environment: Enable environment. When enabled, Tracee will include execution environment variables in process execution events (particularly useful for execve events). Example:

    --enrichment environment
    

  • executable-hash: Enable executable-hash with default settings. When enabled, Tracee will compute hash values for executed binaries.

  • executable-hash.mode=mode: Enable executable-hash and configure the mode for executable-hash. Note: Using this option automatically enables executable-hash, so you don't need to also specify --enrichment executable-hash. Example:

    --enrichment executable-hash.mode=sha256
    

  • user-stack: Enable user-stack. Presence of the flag enables it, absence disables it. Example:

    --enrichment user-stack
    

EXAMPLES

  1. Enable container enrichment:

    --enrichment container
    

  2. Configure Docker socket:

    --enrichment container.docker.socket=/var/run/docker.sock
    
    Note: container.docker.socket automatically enables container, so --enrichment container is not needed.

  3. Set the cgroupfs path:

    --enrichment container.cgroupfs.path=/sys/fs/cgroup
    
    Note: container.cgroupfs.path automatically enables container, so --enrichment container is not needed.

  4. Combine multiple flags:

    --enrichment container.docker.socket=/var/run/docker.sock --enrichment container.cgroupfs.path=/sys/fs/cgroup
    
    Note: Since container.docker.socket and container.cgroupfs.path automatically enable container, you don't need --enrichment container.

  5. Enable fd-paths, environment, and executable-hash:

    --enrichment fd-paths --enrichment environment --enrichment executable-hash
    

  6. Enable executable-hash with custom mode:

    --enrichment executable-hash.mode=sha256
    
    Note: executable-hash.mode automatically enables executable-hash, so --enrichment executable-hash is not needed.
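  7. Assemble the flags from the host's runtime sockets. This is an added example script, not part of Tracee's own documentation or code: it probes for the default socket paths listed above, emits the matching container.<runtime>.socket flags (which enable container enrichment implicitly), and refuses to emit container.cgroupfs.force without container.cgroupfs.path. The optional root-prefix argument is an assumption of this script, so the probe can be pointed at a test directory instead of "/".

```shell
#!/bin/sh
# Added example for building tracee --enrichment arguments; not Tracee's code.

# Print one "--enrichment container.<runtime>.socket=<path>" line for each
# default runtime socket present under $1 (a root prefix; empty means "/").
detect_runtime_sockets() {
    root="${1:-}"
    found=0
    for spec in \
        docker:/var/run/docker.sock \
        containerd:/var/run/containerd/containerd.sock \
        crio:/var/run/crio/crio.sock \
        podman:/var/run/podman/podman.sock
    do
        runtime="${spec%%:*}"
        path="${spec#*:}"
        # On a real host this is a unix socket; -e also accepts plain files,
        # which lets a test directory stand in for "/".
        if [ -e "$root$path" ]; then
            printf '%s\n' "--enrichment container.$runtime.socket=$path"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# Print the cgroupfs flags for path $1; $2 = "yes" adds container.cgroupfs.force.
# The force option is only valid together with an explicit path, so it is
# rejected on its own (matches the constraint stated in the flag list).
cgroupfs_flags() {
    path="${1:-}"
    force="${2:-no}"
    if [ -z "$path" ]; then
        if [ "$force" = "yes" ]; then
            echo "container.cgroupfs.force requires container.cgroupfs.path" >&2
            return 1
        fi
        return 0
    fi
    printf '%s\n' "--enrichment container.cgroupfs.path=$path"
    [ "$force" = "yes" ] && printf '%s\n' "--enrichment container.cgroupfs.force"
    return 0
}

# Full argument list: runtime sockets, cgroupfs settings, plus fd-paths and a
# sha256 executable hash. No "--enrichment container" is needed because the
# socket and cgroupfs options enable container enrichment on their own.
build_tracee_args() {
    detect_runtime_sockets "${1:-}" || echo "no container runtime socket found" >&2
    cgroupfs_flags "${2:-}" "${3:-no}" || return 1
    printf '%s\n' "--enrichment fd-paths" "--enrichment executable-hash.mode=sha256"
}
# Usage: tracee $(build_tracee_args "" /sys/fs/cgroup yes)
```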

Please refer to the documentation for more information on container events enrichment.