Before moving on, make sure to give us a star at the GitHub Project if you liked it. That is important for us. Thank you!
Tracee: Runtime Security and Forensics using eBPF¶
Tracee is a Runtime Security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes collected events in order to detect suspicious behavioral patterns. It is usually delivered as a docker container, but there are other ways you can use it (even create your own customized tracee container).
Watch a quick video demo of Tracee:
Check out the Tracee video hub for more videos.
Before you proceed, make sure you follow the [prerequiresites].
- Running tracee:v0.8.0
$ docker run \ --name tracee --rm -it \ --pid=host --cgroupns=host --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \ aquasec/tracee:0.8.0
- Running tracee:full
$ docker run \ --name tracee --rm -it \ --pid=host --cgroupns=host --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \ -v /usr/src:/usr/src:ro \ -v /lib/modules:/lib/modules:ro \ -v /tmp/tracee:/tmp/tracee:rw \ aquasec/tracee:full-0.8.0
The default (latest) image is lightweight and portable. It is supposed to support different kernel versions without having to build source code. If the host kernel does not support BTF then you may use the full container image. The full container will compile an eBPF object during startup, if you do not have one already cached in
You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.
Tracee supports enriching events with additional data from running containers. In order to enable this capability please look here.
These docker commands run Tracee with default settings and start reporting detections to standard output. In order to simulate a suspicious behavior, you can simply run:
$ strace ls
in another terminal. This will trigger the Anti-Debugging signature, which is loaded by default, and you will get a warning:
INFO: probing tracee-ebpf capabilities... INFO: starting tracee-ebpf... INFO: starting tracee-rules... Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-14 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7] Serving metrics endpoint at :3366 Serving metrics endpoint at :4466 *** Detection *** Time: 2022-03-25T08:04:22Z Signature ID: TRC-2 Signature: Anti-Debugging Data: map Command: strace Hostname: ubuntu-impish
In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging, troubleshooting, analysising, researching OR education.
Execute docker container with the word
trace as an initial argument, and
tracee-ebpf will be executed, instead of the full tracee detection engine.
$ docker run \ --name tracee --rm -it \ --pid=host --cgroupns=host --privileged \ -v /etc/os-release:/etc/os-release-host:ro \ -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \ aquasec/tracee:0.8.0 trace
See documentation or add the
--help flag for more.
Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:
- Tracee-eBPF - Linux Tracing and Forensics using eBPF
- Tracee-Rules - Runtime Security Detection Engine