Skip to content

Prerequisites for running Tracee

Tracee is heavily dependent on Linux and does not support any other operating system.

Kernel version

To run Tracee a modern longterm supported kernel is needed: 5.4, 5.10, 5.15, 5.18, 6.1, 6.2.

You can check kernel.org for current supported kernels.
In addition to upstream kernels, most distributions long-term supported kernels are supported as well, including CentOS8 4.18 kernel.

BTF

Tracee needs low-level type information about the running kernel. Most modern Linux distributions ship with the BTF feature that exposes this information.

To test if this feature is enabled in your environment, check if /sys/kernel/btf/vmlinux exists. If absent, you might need to upgrade to a newer OS version, or contact your OS provider.

Kernel symbols

Certain Tracee events require access to the Kernel Symbols Table, a feature present in many Linux distributions.

To test if this feature is enabled in your environment, check if /proc/kallsyms exists. If absent, contact your OS provider.

Alternatively, you can disable the following events which depends on kallsyms:

  • dirty_pipe_splice (detects dirty pipe vulnerability - CVE-2022-0847)
  • hooked_syscall (detects system call interception technique)
  • hidden_kernel_module (detects hidden kernel modules technique)
  • hooked_proc_fops (detects procfs file operations interception technique)
  • print_net_seq_ops (related hooked_seq_ops event)
  • hooked_seq_ops (detects network packets interception technique)
  • print_mem_dump (allows memory dumping from symbols to signatures can use)

For more information and help about kernel symbols, please see here.

OS information

Tracee will try to probe the running OS and kernel to detect available capabilities. For this, it needs access to some standard informative files:

  • For OS information please make sure the file /etc/os-release is available.
  • For Kernel information please make sure on of the files /boot/config-$(uname-r) OR /proc/config.gz is available.

For more information and help about OS info files, please see here.

Process capabilities

Tracee needs non-trivial capabilities to instrument the kernel. The easiest way is run Tracee as "privileged" or "root".

If you want to run Tracee with "least privileges", here are the required capabilities and justifications:

  • Manage eBPF maps limits (CAP_SYS_RESOURCE)
  • Load and Attach eBPF programs:
    • CAP_BPF+CAP_PERFMON for recent kernels (>=5.8) where the kernel perf paranoid value in /proc/sys/kernel/perf_event_paranoid is equal to 2 or less
    • or CAP_SYS_ADMIN otherwise
  • CAP_SYS_PTRACE (to collect information about processes)
  • CAP_NET_ADMIN (to use tc for packets capture)
  • CAP_SETPCAP (if given - used to reduce bounding set capabilities)
  • CAP_SYSLOG (to access kernel symbols through /proc/kallsyms)
  • On some environments (e.g. Ubuntu) CAP_IPC_LOCK might be required as well.
  • On cgroup v1 environments, CAP_SYS_ADMIN is recommended if running from a container in order to allow tracee to mount the cpuset cgroup controller.

For more information and help about process capabilities, please see here.

Processor architecture

Tracee supports x86 and arm64 processors.