Getting Started with Tracing
Note: This entire section is about running tracee-ebpf only, without piping events to tracee-rules.
In some cases, you might want to leverage Tracee event collection capabilities only, without involving the detection engine. You may, or may not, choose to capture artifacts while tracing.
This might be useful for:
- debugging
- troubleshooting
- analysing executions
- security research
- education
In this case you can use Tracee's eBPF collector component (tracee-ebpf), which will start dumping raw data directly into standard output.
Using Tracee-eBPF
Before you proceed, make sure you follow the prerequisites.
$ docker run \
--name tracee --rm -it \
--pid=host --cgroupns=host --privileged \
-v /etc/os-release:/etc/os-release-host:ro \
-e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
-e TRACEE_EBPF_ONLY=1 \
aquasec/tracee:0.8.2
Here, we are running the aquasec/tracee container, but with the TRACEE_EBPF_ONLY=1 environment variable set, which starts just a raw trace (Tracee-eBPF) without the detection engine tracee-rules. Here's a sample output of running with no additional arguments:
TIME(s) UID COMM PID TID RET EVENT ARGS
176751.746515 1000 zsh 14726 14726 0 execve pathname: /usr/bin/ls, argv: [ls]
176751.746772 1000 zsh 14726 14726 0 security_bprm_check pathname: /usr/bin/ls, dev: 8388610, inode: 777
176751.747044 1000 ls 14726 14726 -2 access pathname: /etc/ld.so.preload, mode: R_OK
176751.747077 1000 ls 14726 14726 0 security_file_open pathname: /etc/ld.so.cache, flags: O_RDONLY|O_LARGEFILE, dev: 8388610, inode: 533737
...
Note: There are 2 ways to enable tracing only:
1. Export the TRACEE_EBPF_ONLY=1 environment variable to docker.
2. Provide trace as the 1st argument to the docker container.
Each line is a single event collected by Tracee-eBPF, with the following information:
- TIME: event time relative to system boot time in seconds
- UID: real user id of the calling process (in host userns)
- COMM: name of the calling process
- PID: pid of the calling process
- TID: tid of the calling thread
- RET: value returned by the function
- EVENT: identifies the event (e.g. syscall name)
- ARGS: list of arguments given to the function
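The table format above is easy to consume with a small parser when you want to post-process a trace (for example, to pull out the events whose RET is a negative errno, such as the access on /etc/ld.so.preload in the sample). The following Python script is an added example and is not part of Tracee or its documentation; it assumes the default table output shown above (seven whitespace-separated columns followed by ARGS as comma-separated "key: value" pairs, with COMM containing no spaces) and embeds constructed sample lines shaped like the ones on this page. Piped output from the docker command works the same way via stdin.

```python
import errno
import re
import sys
from dataclasses import dataclass

# Constructed sample, shaped like the tracee-ebpf table output shown above.
SAMPLE_OUTPUT = """\
TIME(s) UID COMM PID TID RET EVENT ARGS
176751.746515 1000 zsh 14726 14726 0 execve pathname: /usr/bin/ls, argv: [ls]
176751.746772 1000 zsh 14726 14726 0 security_bprm_check pathname: /usr/bin/ls, dev: 8388610, inode: 777
176751.747044 1000 ls 14726 14726 -2 access pathname: /etc/ld.so.preload, mode: R_OK
176751.747077 1000 ls 14726 14726 0 security_file_open pathname: /etc/ld.so.cache, flags: O_RDONLY|O_LARGEFILE, dev: 8388610, inode: 533737
"""


@dataclass
class TraceeEvent:
    time: float   # seconds since boot
    uid: int
    comm: str
    pid: int
    tid: int
    ret: int      # return value of the traced function; negative means -errno
    event: str
    args: dict    # ARGS column parsed into key -> value strings


def parse_args(raw):
    """Split 'k1: v1, k2: v2' into a dict, leaving commas inside [...] lists alone."""
    if not raw:
        return {}
    pairs = re.split(r",\s*(?![^\[]*\])", raw)  # commas not enclosed in brackets
    parsed = {}
    for pair in pairs:
        key, _, value = pair.partition(": ")
        parsed[key] = value
    return parsed


def parse_output(text):
    """Parse tracee-ebpf table output into TraceeEvent objects, skipping the header."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TIME(s)") or line == "...":
            continue
        parts = line.split(None, 7)  # first seven columns are whitespace-separated
        if len(parts) < 7:
            raise ValueError(f"unexpected tracee line: {line!r}")
        raw_args = parts[7] if len(parts) == 8 else ""
        events.append(TraceeEvent(
            time=float(parts[0]), uid=int(parts[1]), comm=parts[2],
            pid=int(parts[3]), tid=int(parts[4]), ret=int(parts[5]),
            event=parts[6], args=parse_args(raw_args)))
    return events


def failed_events(events):
    """Events whose RET is negative, i.e. the kernel returned an error code."""
    return [e for e in events if e.ret < 0]


def describe_ret(event):
    """Map a negative RET to its errno name (e.g. -2 -> ENOENT)."""
    if event.ret >= 0:
        return "ok"
    return errno.errorcode.get(-event.ret, f"errno {-event.ret}")


def files_touched(events):
    """Distinct pathnames referenced by any event, in order of first appearance."""
    seen = []
    for e in events:
        path = e.args.get("pathname")
        if path and path not in seen:
            seen.append(path)
    return seen


if __name__ == "__main__":
    # Read a live trace from stdin if piped, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    evs = parse_output(text)
    for e in failed_events(evs):
        print(f"{e.comm}[{e.pid}] {e.event} -> {describe_ret(e)} {e.args}")
```

Run it as `docker run ... aquasec/tracee:0.8.2 | python3 trace_parse.py` (file name assumed) to list only the events that failed; `files_touched` gives a quick inventory of every path a traced process referenced, which is handy when reviewing what a binary opened during a short trace.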
Note: Use the --help flag to see a full description of available options. Some flags have specific help sections that can be accessed by passing help to the flag, for example --output help. This section covers some of the more common options.
Check the existing output options for other output options. Check the existing output format for other output formats.
Follow getting tracee in order to get tracee-ebpf.