tracee

package module
v0.9.3
Published: Nov 3, 2022 License: Apache-2.0 Imports: 1 Imported by: 1

README

Tracee: Runtime Security and Forensics using eBPF

Tracee is a runtime security and forensics tool for Linux-based cloud deployments. It uses eBPF to trace the host OS and applications at runtime, and analyzes the collected events in order to detect suspicious behavioral patterns. It can be run as a DaemonSet in your Kubernetes environment, but is flexible enough to be run for many purposes on any Linux-based host. It can be delivered via Helm, as a Docker container, or as a small set of static binaries.

The goal of Tracee is to serve as an easy-to-use and effective solution for learning when cloud native attacks occur in your environment. By leveraging Aqua's advanced security research, performant eBPF-based detection, and a cloud native first approach, Tracee makes runtime detection accessible, powerful, and effective.

Check out the Tracee video hub for more videos.

Documentation

The full documentation of Tracee is available at https://aquasecurity.github.io/tracee/dev. You can use the version selector on top to view documentation for a specific version of Tracee.

Quickstart (Kubernetes)

Tracee is designed to monitor hosts in Kubernetes clusters. To see this in action, check out the quickstart here.

Quickstart (docker)

To get a closer feel for what Tracee accomplishes, you can run Tracee on your local machine. Follow along with the quickstart here.

Run the Docker container with the word trace as the initial argument, and tracee-ebpf will be executed on its own instead of the full Tracee detection engine:

docker run \
  --name tracee --rm -it \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
  aquasec/tracee:latest \
  trace

Components

Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:


Tracee is an Aqua Security open source project. Learn about our open source work and portfolio here. Join the community, and talk to us about any matter in GitHub Discussions or Slack.

Documentation

Index

Constants

This section is empty.

Variables

var RegoHelpersCode string

Functions

This section is empty.

Types

This section is empty.

Directories

Path (Synopsis)

api (module)
cmd
libbpfgo (module)
pkg
  bufferdecoder: Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.
  events: Invoked tracee-ebpf events from user mode. This utility can prove itself useful to generate information needed by signatures that is not provided by normal events in the kernel.
  events/queue: Package queue defines the interface and implementation of a queue for events storage.
  events/sorting: Package sorting is responsible for sorting incoming events from the BPF programs chronologically.
  signatures
  tests
tracee-ebpf (module)
  external (module)
  test/gob (module)
tracee-rules (module)
types (module)
