
👋 Welcome to Tracee Documentation! To help you get around, please notice the different sections at the top global menu:

  • You are currently in the Getting Started section where you can find general information and help with first steps.
  • In the Tutorials section you can find step-by-step guides that help you accomplish specific tasks.
  • In the Docs section you can find the complete reference documentation for all of the different features and settings that Tracee has to offer.
  • In the Contributing section you can find technical developer documentation and contribution guidelines.

Before moving on, please consider giving us a GitHub star ⭐️. Thank you!

About Tracee

Tracee is a runtime security and observability tool that uses eBPF technology to help you understand how your system and applications behave. It provides deep visibility into Linux systems by monitoring system calls, network activity, and file operations in real time.

What Tracee Does

  • 🔍 System Monitoring: Tracks system calls, process execution, file operations, and network activity
  • 🛡️ Security Detection: Identifies suspicious behavior patterns and potential security threats
  • 📊 Observability: Provides detailed insights into application and system behavior
  • 🚨 Real-time Alerts: Generates events for immediate threat detection and response

Key Features

  • Zero Code Changes: Monitor existing applications without modification
  • Low Overhead: Minimal performance impact using efficient eBPF programs
  • Container Aware: Native support for containerized environments and Kubernetes
  • Flexible Policies: Customize what to monitor and how to respond to events
  • Rich Event Data: Detailed context including process lineage, file paths, and network connections

Use Cases

  • Security Monitoring: Detect malware, privilege escalation, and suspicious activity
  • Compliance: Monitor file access, data exfiltration, and system changes
  • Troubleshooting: Debug application issues and system behavior
  • Forensics: Investigate security incidents with detailed audit trails

Quickstart

To quickly try Tracee, use one of the following snippets. For a more complete installation guide, check out the Installation section.
Tracee should run on most common Linux distributions and kernels. For compatibility information, see the Prerequisites page. Mac users, please read this FAQ.

Using Docker

docker run --name tracee -it --rm \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /var/run:/var/run:ro \
  aquasec/tracee:latest

For a complete walkthrough please see the Docker getting started guide.

On Kubernetes

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
kubectl logs --follow --namespace tracee daemonset/tracee

For a complete walkthrough please see the Kubernetes getting started guide.

Next Steps

After trying the quickstart, the documentation offers dedicated next-step guides for three audiences: security analysts, DevOps engineers, and developers.

Contributing

Join the community and talk to us about any matter in the GitHub Discussions or Slack.
If you run into any trouble using Tracee or you would like to give us user feedback, please create an issue.

Find more information in the contribution documentation.

More about Aqua Security

Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio here.