Skip to content

Architecture

Tracee Architecture Overview

Architecture

Overview

  1. Kernel eBPF programs GENERATE Tracee Events to Userland:

    1. Tracepoints
    2. Probes
    3. Traffic Control Hooks
  2. Userland events are COLLECTED and ENRICHED with more information:

    1. Kernel Events (Syscalls, Tracepoints, Kprobes)
    2. OS Events (Running Containers, ...)
    3. Derived (from other) Events
    4. Network Events
  3. DETECT patterns based on existing signatures:

    1. OPA/Rego signatures
    2. Golang signatures
  4. Let other tools to CONSUME detection events:

    1. Filters
    2. Postee
  5. ENFORCE

    1. Work in Progress

Tracee Pipeline Concept

Tracee Pipeline

Pipeline

  1. Multiple CPUs constantly generate events from the eBPF programs running inside the kernel (inside an eBPF VM).

  2. The eBPF programs are executed whenever the kernel (or network) hooks they're attached to are triggered.

  3. eBPF programs decide whether they should submit the events to tracee or not, based on given filters.

  4. Those events are sent to libbpfgo through a [shared memory ring buffer] mechanism (called perfbuffer).

  5. libbpfgo sends collected events to tracee through golang channels.

  6. tracee parses received events and does multiple things:

    1. parse events for argument type conversions if requested
    2. enriches the events that need enrichment (containers, network, processes)
    3. capture artifacts from collected events into external files
  7. tracee writes events to tracee-rules through a mechanism called printer.

  8. tracee-rules receives events and evaluate them using either golang or rego signatures.

    1. Golang signatures are faster and do pretty much anything the language allows. They might connect (or have cached) external data sources to evaluate events, for example.
  9. Detections are spit out from tracee-rules if evaluations are positive.

This mechanism is what we call the tracee pipeline: to receive events from the kernel into userland (tracee), then to parse and enrich those events and to submit them to tracee-rules for it to evaluate them looking for detection patterns described as signatures.