Tracee v0.22.0 Released! #4272
itaysk
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Deprecation of ARM Kernels 5.4 and 4.18
Deprecating support ARM CPU on Linux kernels 5.4 and 4.18. Users on ARM are encouraged to update to newer kernels. #4247
⚡ New and modified Events
tracee_info
that exports information relating to Tracee upon startup, providing more visibility into the internal state of Tracee. #4166security_task_setrlimit
#4148security_settime64
to monitor time-related security changes. #4201net_packet_raw
for capturing the full payload of network packets. #4122sched_process_exec
event addedprev_comm
field. #4206module_load
event addedpath
andctime
fields. #4235🚀 New Features
Pipeline Channel Size Configuration
You can now configure the buffer size fo Go Channels that are used internally in Tracee's event processing pipeline. This is done using the new
--pipeline-channel-size
flag orpipeline-channel-size
configuration file key. This can be useful when fine-tuning Tracee for the host it is installed on. #4182Events Timestamp Using Boot Time
Tracee events timestamp now report more accurate boot time which accounts for time system was suspended (on supported kernels). This improves compatibility with other Linux facilities such as procfs. #4117
💎 Performance Optimizations
Reduced Dependency on sys_enter/sys_exit
Multiple eBPF programs were optimized to no longer rely on Linux's sys_enter/sys_exit mechanism, including events:
security_socket_setsockopt
,security_file_open
,security_socket_accept
,mem_prot_alert
,security_socket_bind
,set_fs_pwd
,trace_execute_failed2
, andsecurity_socket_connect
. This should improve the performance and resource utilization of Tracee. #4224 #4226 #4213 #4227 #4225 #4228 #4220 #4256 #4202Argument Parsing Enhancements
Enhanced the performance of data field parsing in policy event filters, reducing execution time and improving overall efficiency. #4197, #4198 #4199 #4194
Process Tree Improvements
Significant improvements made to the process tree (Proctree) feature, reducing RSS memory usage and enhancing performance. #4261 #4242
BPF Object Release
BPR programs objects are now released after locaded, saving approximately 14MB of RSS memory. #4209
Signature Metadata Optimization
Changed the signature metadata definition struct to be static, reducing memory allocation and size when large number of sugnatures are loaded. #4237
Other BPF performance optimizations
#4217 #4200 #4183 #4200
🛠️ Bug Fixes
ftrace_hook
events to ensure accurate parsing. #4110process_execute_failed
. #4203TRACE_RET_FUNC
macro to ensure proper function tracing in all scenarios. #4216For a complete list of changes and further details, please refer to the commit log on the project repository.
Beta Was this translation helpful? Give feedback.
All reactions