# Tracee v0.12.0 released! #2803

itaysk announced in Announcements
## 🚨 Breaking changes 🔨

### Everything is an event & one binary

Recently we introduced the first step towards Tracee's new architecture of one binary and "everything is an event". The previous release included a technical preview of it, and in this release we are ready to make it the default experience. This means there are no more `tracee-ebpf`/`tracee-rules` binaries, just one `tracee` binary, and that one binary emits everything as events, including syscalls, signature detections, capture events, and more. The "classic" architecture is still available while users migrate to the new experience. Most of the flags you know work the same, but not all. Tracee's documentation has also been updated to reflect this change.

### `--trace` flag renamed to `--filter`

In this breaking change, the flag "trace" has been renamed to "filter" while retaining the same functionality and behavior as before. This change is intended to provide clearer and more accurate semantics for Tracee users.
### Multi-scopes will be removed from the CLI flag

Another milestone in the new user experience is the "multi-scope" architecture, which was also introduced as a technical preview in the previous version. As this feature matures and becomes more powerful, we decided it needs more expressive configuration, so in the future it will move from a CLI flag to configuration through YAML (via the upcoming Tracee Policy). The plan is to keep the `--filter` flag in its simple form of filtering a single "scope", and if multi-scopes are needed they can be configured through policies (TBD).

### Webhook doesn't support custom templates

Webhook output from the new `tracee` binary doesn't support formatting the output with gotemplate anymore.

## 🚀 What's new? 🚀
### 🚿 Fluent output 🐦

Tracee now supports sending all events to any compatible Fluent Forward receiver, primarily the CNCF Graduated Fluentd or Fluent Bit projects.

This change allows Tracee users to take advantage of all the existing filtering, processing and output options available. It also integrates easily with existing deployments that already provide Fluent Bit (or Fluentd), which includes most cloud providers, for example, where Tracee is just another input to the existing pipelines. Not only do we get the benefit of output support, but also all the aggregation and filtering options available to Fluent Bit, Fluentd or any other Fluent Forward receiver.
To enable this, just use the `forward` flag for output:

```
tracee --output forward:tcp://127.0.0.1:24224?tag=mytest
```
The Fluent Bit documentation includes full examples and sandbox training courses on using it.
Thanks @patrick-stephens for the contribution! 🎉
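As an added example (not part of these release notes or of Tracee's own files), here is a minimal Fluent Bit configuration for the receiving side of the command above: it listens on 127.0.0.1:24224, keeps only the file-change events introduced in this release under the `mytest` tag, and prints them as JSON lines. It assumes each forwarded record carries the event name in a top-level `eventName` field, as in Tracee's JSON output; adjust the key if your records differ.

```ini
# Added example: Fluent Bit receiver for Tracee's forward output (not from the page).
# Assumes Tracee records expose the event name in a top-level "eventName" field.
[SERVICE]
    Flush        1
    Log_Level    info

[INPUT]
    # Fluent Forward listener matching forward:tcp://127.0.0.1:24224?tag=mytest
    Name         forward
    Listen       127.0.0.1
    Port         24224

[FILTER]
    # Keep only the new file-change events; other events under this tag are dropped
    Name         grep
    Match        mytest
    Regex        eventName ^(file_modification|do_truncate|vfs_utimes)$

[OUTPUT]
    # Emit the surviving events as one JSON object per line
    Name         stdout
    Match        mytest
    Format       json_lines
```

Swapping the `stdout` output for any other Fluent Bit output plugin with the same `Match mytest` routes the same filtered stream to a SIEM, object storage or a message queue without changing the Tracee command line.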
### 👯‍♀️ Multiple outputs 🖨️

Tracee now supports producing multiple event streams, so for example you could generate a JSON output and a webhook output simultaneously by just using the output flag twice.
### 📩 New Events 🔔

- `symbols_collision` warns about loaded shared objects whose symbols collide with existing ones.
- `vfs_utimes` indicates VFS utime changes to a file.
- `do_truncate` indicates whenever a file is truncated.
- `file_modification` indicates whenever a file was changed by a process.
- `bpf_attach` event now indicates `bpf_override_return` usage.

### 🦄 Misc 💐

- `timespec` instead of a pointer address.

### 📝 Documentation 📒

### 🔨 Fixes 👷