Releases: aquasecurity/tracee
v0.5.0
Release highlights and discussion
Changelog
2001ffe fix dynamic code loading sig
e5f25a7 fix release
24ea252 fix docker image contains glibc artifacts
1b9c59f fix release to fetch submodules
6c2b2e5 fix dependency resolution in tracee-rules
0575cb7 Revert "fix release as monorepo"
ef7e96a update import paths after restructure
f1f841d remove code injection sig from go
b4501be Fix stdio over socket (#552)
a7c47e9 fix release as monorepo
a750666 tracee-ebpf: add switch_task_ns event
c92b5c5 fix match for non af_inet sockets
5b2a740 Add signatures (#528)
3fcee47 update entrypoint to use security-alerts
6ea5773 tracee-ebpf: Add commit_creds event
4bd2e3c fix make release didn't build slim image
c34c10f fix: trace-ebpf: Fix typo in clang option (#526)
f0604fb Merge pull request #525 from grantseltzer/list-flag-output-fix
b1bf684 fix: Move example sigs into own dir and exclude from build. (#523)
fc53430 add tracee container
4255857 fix makefile
6d632e3 add option to make bpf from root
f474f44 Merge pull request #518 from grantseltzer/input-source-unit-tests
2e827a3 Fix: rename signatures and add spacing to printing of them with --list flag
a5e8040 start of unit tests for input source setup functions
f41c794 fix webhook panic when server returns error
b54cfda Merge pull request #500 from grantseltzer/gs/print-help-tracee-rules
dbc56af Update readme, fix default logic
8645c0a Update tracee-rules/input.go
86c0958 fix: Address a few typos
4d43dc1 rename tracee input parsing functions
eb8f7db rename help error
48bd0d3 Remove more references to EOT, set default values for tracee input (gob from stdin)
696053a Close on EOF, not on EOT
b2756e5 remove the eof/eot option
311e423 address feedback about help being displayed
effd1f6 Remove old flags
9829d2b add minimal unit tests
8cc046f add invalid input checks
0e5c733 Refactor flags in tracee-rules
3590ef0 feat: Add tests for core engine functionality (#477)
8e4e7b3 Merge pull request #510 from aquasecurity/remove-eot-tracee-ebpf
0e61c18 Update contributing guidelines (aka team agreements)
9deb2ce Remove the notion of an EOT event signalling end of transmission
da310b0 refactor: tracee-rules use types from tracee-ebpf
775ac46 rename tracee executable to tracee-ebpf
17d840f feat: add root level Makefile for release
5ac1db4 feat: mostlyclean target
b04facc fix: improve makefile targets
a95d52d fix: don't send context when building builder
062c7b1 fix: docker builder file creation and cleanup
d931f21 fix: make in docker without git
02900d9 fix: make in docker ignoring target
d28d4cc feat: convert anti_debugging sig to rego
5905ce4 feat: add rego tests
febd3de lint: Address a few idiomatic Go improvements (#427)
4fdcba8 Merge pull request #449 from aquasecurity/traceprint
dd1dbb1 Add tracee-rules pr workflow
a3d5748 Fix tracee-rules build
c43b1c3 Restructure repo as monorepo (#459)
5779705 fix: allow reading from stdin
5fc24f0 docs: add tracee-rules readme
bb3d227 fix sigs building
e6b431e fix regosig numeral handling
86c815c rego optimizations
07aa51f add support for rego signatures
9a8c836 simplify finding data
4025eff add code injection signature
de77008 add anti debugging signature and sigs tests infra
e12b1ce improve signature error handling
56fa897 tracee-rules rewrite
8841bc0 Rule engine initial commit
1d879fc write errors to stderr, and close file
4d721af feat: add TracePrint to libbpfgo
a87426a fix: default output format
fbdf5a6 fix: written files index relative to out dir
871c1db Add pin, unpin and setpin for maps in libbpfgo (#437)
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.5.0
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.5.0
v0.4.0
Release highlights and discussion: https://github.com/aquasecurity/tracee/discussions/441
Changelog
da6a281 fix release workflow for github actions
c22b855 release with github action
60f353e remove redundant go setup steps
4f289b5 update readme
16f1688 refactor output flag
afa9b2d improve --capture help
7d2ce34 Add return value filter
3098430 Make '--capture clear-dir' safer
ee2d9bb Handle capture output dir in capture flag
534d012 Decouple and remove filter-file-write flag
062947d Add prefix operator to argument filters
b47bbc5 Remove trace flag and add new filters
1993577 Remove vfs_write(v) and ioctl from default set
d38fbef Added --stack-addresses flag to log stack addresses to JSON output
487d1e4 added 'DeleteKey' and 'GetValue' to 'libbpfgo'
409f21e Move pidns trace mode to filter flag
b486a25 Use filters instead of modes in bpf code
6b4fe81 Move follow trace mode to filter flag
4b3d318 Add EventID postfix to new syscall events to fit convention
3ac6a21 Add support for filtering an event by its argument
f44eb20 Supporting new syscalls from kernel version 5.7 - Resolves #372
7ce92f6 Fix bad param renaming
3c622e0 Fix comm and uts filters
e36e880 fix libbpf import
96ed00e Issue-398 add arguments to events
d387056 Add indexing of written files
b4f0a0a Support using filter prefix for common filters
1edeff8 Move event flags into filter flag
1bd03a9 Change trace modes and add container filter
f1968a7 refactor Event and params
ff0cb90 fix compat detection for older kernels
54d324f Add support for arm64 32bit compatibility mode
af0ea08 Fix ptrace request argument print
0536237 remove redundant var
ad3cb5d Fix event listing
21720af Simplify filters logic
ea5dca1 Move pid filter to filter flag
c3d5c4d signal end of transmission for gob output
84180be Support ARM64 architecture
bfcabb2 Set TRACEE_BPF_FILE to point to file instead of dir
68d6c71 Fix execve pointer errors
8ed6772 Fix pidns filter erroneously set to mntns
f32c50b Add process follow mode
22ffc4e rename master to main
5702252 Merge filters and set bit size
ef665e3 Rearrange bpf filtering code
11b251f Add UTS and COMM filters
88f5d6b Add mnt ns and pid ns filters
64a084a Simplify uid filtering code
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.4.0
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.4.0
v0.3.1
Changelog
d4b7008 Fix bpf compilation on redhat and centos with kernel 4.18
57e2178 Add the ability to specify filters (such as UID) using comparison operators (=, !=, >, <).
a92b1ef Use more informative error when making bpf object fails
800a079 Split kernel headers to source and build
79d625e Add security_inode_unlink event
5564d6e Print bpf cmd argument and make a default event
919c261 Add host only mode
741f107 Use alpine image instead of ubuntu
f302eaf Fix docker build on manjaro(arch) linux
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.3.1
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.3.1
v0.3.0
Release highlights and discussion: #331
Changelog
fff75d0 fix version for build in docker
5a7a7fc fix make libbpf headers
f1a239b fix make clean
e210c72 fix version detection for docker build
8d0ac30 fix version detection for release
dab487d fix version detection for release
b481f0d update readme for release
b837b6b fix kernel headers defaults in other distros
aa5ec50 make bpf obj file version dependent
e123fca refactor release script, include slim images in notes
87d70f9 update readme
318933e update readme
eb47b74 test for bpf build in ci
5b90fd5 fetch libbpf source from make if needed
52c397b fix building in docker without tools
86392ee fix release process and add slim image
ee46b6f fix typo
85c3379 docker builder in cwd
151b137 make docker targets real targets
ae2fd1a improve naming of tools and fix make bpf-docker
4a9734e optimize docker building
5faa7c1 improve building in docker
e4f502c require llvm 9
b4ddc99 Add a --filter flag which takes arguments of the form =,,...
99c36be update_logo
42e11de fix clang version detection
efa68ee tracee use libbpgo relatively
8d536db fix naming convention
9f5a305 add libbpfgo readme
5aaf230 make libbpfgo a module
d5be3a6 feat: add test to ci/cd workflow
2a9d54e Fix capture exec with empty string
a78a915 fix test target and add test-docker
1943eaa fix bundle path
4bd1c7b check minimum clang version (#310)
d8a55e7 Fix and enable tests again
9edac6b Add sched_process_exit event
f35a8f3 Add libbpf uapi headers - fix ubuntu16 compilation
aefd3cd Fix asm_inline for kernel > 5.4
fe77c7f Print uts name in container mode
46f1e2a force clang compiler
d075722 rewrite release process
2cccd1d Update readme with build comments
71c97f0 Don't make llvm-strip a dependency
13c4d1a fix makefile dependency
9e06a20 Fix lint and build errors
935540e Rename bpfwrap to libbpfgo
6cfa83d fix docker builds for libbpf
cc7f1ea Organize probe attach code
ffe7b63 Disable bpf program autoload if not required
3e7199e Reorganize initBPF function
6a379a2 add build-policy flag
8fb3fa5 use different dirs for output and install by default
b06c481 use tmp as default install path
fbf395a drop capabilities during compilation
3b80e0f bundle bpf source for compilation at runtime
6ea6fbf compile bpf obj on startup
765d4fa fix bpf src injection
8c4a1bb refactor bpf obj searching
a074b37 Update libbpf submodule
5109ae1 improve and organize build (#280)
1208adb add new module creation from buffer to bpfwrap
b17be81 Remove BCC from readme
a2e4359 Move from gobpf to bpfwrap (libbpf)
172655f Add bpfwrap - a thin libbpf wrapper
73d4b73 Add libbpf submodule
2cac3ee Fix tests
49dee1e Fix lint errors
f1f43f8 fix ci trigger
d64607a Fix bad string size type
7a755e3 update go version to 1.15
d0fe845 updated to golang 1.15
4964f5c Output formatting via gotemplate (#256)
a3e991f feat: Add CI/CD Workflow (#259)
5d49921 fix memfd files not shown in vfs_write
bc84eae fix sockaddr_in parsing
0bb0dbe fix error printing line break
582a380 Created a new --trace flag to replace and enhance the --pid and --container flags
4f50e28 Revert "Created a new --trace flag to replace and enhance the --pid and --container flags"
120204f Created a new --trace flag to replace and enhance the --pid and --container flags
aec1ef6 Fix send bin chunk size
d58cd29 Fix broken kernel 4.14 support
e753945 Made the typo change as requested
91fcd92 Typo Corrected in README.md to sound more meaningful
42cd0b7 change readiness file format
751f38d Various Grammatical and Spelling Changes (#246)
Docker images
docker pull docker.io/aquasec/tracee:latest
docker pull docker.io/aquasec/tracee:0.3.0
docker pull docker.io/aquasec/tracee:slim
docker pull docker.io/aquasec/tracee:slim-0.3.0
v0.2.1
Changelog
8ce4688 Small typo fixes (#245)
e97ca4a add contribution guidelines (#242)
bd05ede chore(docs): Added badges in README.md file (#236)
a756211 Read kernel pointers with bpf_probe_read
214346a improve code portability and be generic
f4ad395 Don't monitor events generated by tracee
84c3a7a fix_32bit_before_4.17
Docker images
docker pull docker.io/aquasec/tracee:0.2.1
docker pull docker.io/aquasec/tracee:latest
v0.2.0
v0.1.0
Changelog
b497d9d fix capture exec when sharing pidns (#208)
b5fb620 Use generic return for execve syscalls
31887af Simplify raw_syscalls logic and remove security_alerts workaround
bc2ee10 clear output dir (#222)
c40f64a Fix fork of traced processes not traced when clone event not chosen
d20395c signal readiness using a file in output dir (#218)
1fbce2e Fix decoding errors when save_args fails
389e596 Handle raw tracepoints fallback
aefee76 Enable support for all syscalls
915a1cc Handle events parameters types and names using parameters map
1adf1e4 Add events parameters map
29f5ee9 Add 32bit syscalls support
0e4adff Reduce syscalls handlers instructions size
8b17cf9 Use tracepoints instead of kprobes for syscalls
60b2e09 check null terminated string size
932a706 Add system calls sets
ddccf41 Update args macro to be more compact
425193e Use bigger buffer size
bdaa084 Update intro video in readme
c962d21 Add more syscalls
c2b7e4f Add events by sets
57fd98b Pretty print event list
0cebf01 Print raw syscalls only when event was not requested
da1e24b Update readme to reflect verbose output
Docker images
docker pull docker.io/aquasec/tracee:0.1.0
docker pull docker.io/aquasec/tracee:latest
v0.0.3
Changelog
6df40c6 Fix double printing of first arg
4795a63 Fix print indentation
077916a Update readme file to include host pid when running from docker
adab925 fix context parsing
040463a improve table output
9c9e4b7 update readme example
3fdcbbb comma separate args in table
9983e23 restore tid to table
dba88af widen pid column
100834d improve table output
7d9c8d1 Fix capture exec for containers
425ecb7 Save host and container pids in host mode
1f5dd76 add host pids to context
b93fff5 Add clone flags
54b1b34 Save writes to /dev/null by pid
b100a20 improve output of args
3137927 Don't print raw_syscall if event exists
2d4ba36 Remove essentialEvents map and simplify code
7805c5e Change event print location in table output
46d9ccc Handle events in a pipeline
4245623 Remove global EventNameToID map
701547d Code refactoring
f29810f Optimize string array buffer layout
6a80860 Optimize string array buffer layout
a591013 Support tracing by pid
35105ce Decouple event data extraction from event parsing
0f5236d Use event id constants for performance
50a7e17 Add argument names
378263e Fix error counter always 0
568afc5 Fix broken raw syscalls feature
7c257ce Beautify table print
888c0e7 Fix getsockname error on null string
dce995d fix capture exec for non-filesystem files
Docker images
docker pull docker.io/aquasec/tracee:0.0.3
docker pull docker.io/aquasec/tracee:latest
v0.0.2
Changelog
a87a69e remove python version
398138d fix mem alert when not capturing
ebb5563 Add exclude event flag
6c63231 Remove PrintSyscall func
0dbb1ef Fix chmod invalid file
f1a66bd Append file write if written file type is char, socket or fifo
de74185 change socket address output format
726059c Remove unix socket leading zero in json output
267dae5 Fix unix socket name when there are leading zeros
7c4b242 fix json tags spelling
32051f8 Update readme to include capture flag
e2b935b Update readme to include file and binary capture
dbacd6e Change consts to use go naming conventions
4cc05ea Change mmap_alert and mprotect_alert to one mem_prot_alert
951fbb2 Support multiple probes for one event
7818daa Use alert struct and save alert payload using timestamp
ef4c92e validate capture options
8e79924 don't capture same exec twice
58ead5d Add mmap and mprotect security alerts and data extraction
4074a94 Add chosen events map
bbe5fe4 Fix "memory leaks" in bin_args_map and args_map
87a4a78 fix test for ptrace printing
a523eae fix file capture when dependent event is missing
b10961f Fix write error when buffer and chunk are equal in size
9602d12 allow granular selection of capture-files
6c3fc99 fix ptrace flags print
8114f9c Remove EventsIDToName map
6a6f918 auto build essentialEvens map
165a971 print all raw_syscall names
3e72e64 Add event configuration map
309aab7 fix lost event counter
2cb8a20 print errors to a dedicated file
b27aca3 fix raw_syscall printing if syscall is not known to tracee
ffa8183 capture executed files
395e9da add hook to process events and use it to show raw_syscall name
17c619d refactor stats collection and printing
2abdacb fix map update issue with old kernels
5fb424a Change save_args key to be unique
e2b0a8a decouple internal and external types
90988aa Add tail call event handler
db158f1 Use generic method to send binary data
da567dd add output gob output format
c3af6f3 Support file-write filters up to 64 chars
bad16bc Add Tracee logo
498265d cleanup file event handling code
17a08ad decouple should_trace and init_context
280ad5d Handle buffers more efficiently
e8eca12 parameterize stdout in tracee package
c9b0e91 simplify tracee config
9f17b17 remove args brackets
758145d don't show raw_syscalls by default
0bcf7a8 change printed time resolution from seconds to microseconds
ff413c4 Check for privileges
2a74671 read file buffer with struct
e84324c move should_trace to a function
45516c7 remove get_config wrapper functions
c8982e4 Change vfs_write flags
c448b3e Port vfs_write to go
05cfc5a Add configuration flags for vfs_write
89e3b64 Correlate vfs_write with execve and open with dev_id and inode_nr
7ca4b05 Support vfs_write filters
184610d Change output path to include mnt ns id
55917d5 Use tail calls to send vfs writes
c77a643 Support multiple chunks in file send
a41baa1 Add vfs_write event and file writes extraction
5d28b9d remove redundant casting
61d273f Use full submission buffer size
d278132 Remove type argument from save_str_to_buf
39bb47e Save path using helper function
75cb776 Remove R_PATH type and handle as regular string
d20cf0d fix make build dependencies
799ed4f add support for tracepoints and implement raw_syscalls tracepoint (#89)
2d5d1cc refactor events map
55b6cc6 update gobpf to include memory leak fix
68b2ce8 add youtube demo to readme
Docker images
docker pull docker.io/aquasec/tracee:0.0.2
docker pull docker.io/aquasec/tracee:latest
v0.0.1
Changelog
5dc755f work around gobpf memory leak
2187ecb add makefile target to build docker image
a207a16 add make target to build using docker
5179077 fix dockerfile
e42865f update readme with release
5294f4c save_context
0fcfd26 add release procedure using goreleaser (#75)
e21954c fix events flag in python
2efa61d fix dockerfile
1a6a69c rename events-to-trace flag to event (#73)
2684f1c update readme (#72)
5687bce build distributable binary (#71)
c06e936 update readme (#70)
6697bea update dockerfile to go
613717d handle lost events and support configurable buffer size
2d6e437 fix list command to show recent additions
dd0cedc add chown chmod and pkey_mprotect syscalls
541ae53 fix missing threads in system mode
35202dc fix makefile
9eb9f29 fix json arguments formatting to match python version
d770f33 fix comment
e366065 superficial tests for readArgFromBuff function
b9bd744 fix socket type print
67a3ac1 fix POINTER_T parsing and printing
c0b87ea fix open flags printing
6bc4686 support security_file_open lsm hook
dff978e show stats in table epilogue
b6ea608 update readme about go
189a6e7 add bprm_check event (#54)
4b9bad2 print prctl ptrace options in go
1ae06bc print sockaddr common families in go (#52)
6b2ce47 Add lsm bprm_check hook to get exec absolute path (#46)
fd8a89b implement show-exec-env in go
7278173 fix event validation
56bd72e Rewrite Python code in Go (#47)
08d5a9a Add prctl option and ptrace request enums
aee95da Add sockaddr struct fields for unix, inet, inet6 sockets
05372ab Handle failed read to buffer
8fddef9 Add optional exec-env flag to show env in execve
431eaae performance: get buffer once
58f76e7 fix missing flags
61f172f avoid fork handler code duplication
4fa4d54 Show syscall name in internal kprobes
85afe0b save container mode
04a921c update readme
58b19d9 events: add setXid syscalls
9369869 fix failed tests
6db7ef7 readme: update optional arguments
6d1effc Add config map and verify configuration
649b19f catch keyboard interrupt
4defbd5 Remove container prefix from files
3aa5c75 mount debugfs before starting
6121f73 add dockerfile
39c28ae Generic event handling in userspace
8afaa4a performance: improve performance and reduce lost events
ff9aa14 set submission array size according to real cpu number
631c9f1 Merge pull request #26 from yanivagman/execve_known_issue
bdd847a Readme: update execve known issue status
5b6bffc Merge pull request #23 from yanivagman/add_event_list
7b2ce5b Add event list and update readme
e0f5549 workaround PT_REGS_PARM macros bug in new kernels
0762844 Support new kernels
8d2a31c events: add mount, umount, unlink, unlinkat syscalls
0630258 Merge pull request #12 from aquasecurity/fix_missing_stat_syscalls
4ffb880 readme: add omitted title
fbdd2e7 Add system tracing mode
2e296cf fix: stat syscalls are ignored
79c4159 Correct name in NOTICE file
f3c0e5a Merge pull request #10 from aquasecurity/add_container_id_from_uts_ns_rebased
c80ee7a Add container id by using UTS namespace node name
69f490d Merge pull request #8 from aquasecurity/event-filter
31f1a58 fix: kprobe for do_exit is essential
49132fc feat: filter events to trace
c691511 Start tracee without -v for stdout output
a069238 tracee_test: Add tests for get_sockaddr_from_buf and move offsets on init
ea9b0ec tracee_test: Add test cases for open_flags_to_str
d7bcba9 tracee_test: Add test cases for open_flags_to_str
efc2f14 tracee_test: Add tests for execveat_flags_to_str
d0f474f tracee: Apply more pep-8 fixes
95aff98 tracee: cleanup imports
630a71c .git: update gitignore
a8c2f1d tracee: Move helper methods out of EventMonitor class
ad6401f tracee: init tests and a new makefile
03f18e7 Merge pull request #4 from aquasecurity/readme
5fd4547 update readme file
e1050f8 Update readme files
9f22b49 remove execve redundant structs
2e33567 Change kernel-userspace communication buffer
9871c7a add creat syscall and fix open incorrect flags bug
220d5ed expand syscall enum for all syscalls
af9abf3 add getdents(64) syscalls
50c939e add symlink(at) syscalls
2fdcfd7 add prctl, ptrace, process_vm_read(write)v, (f)init_module, delete_module syscalls
279aabf support python 2 json
ba4f4ac Add authors info
1fe3310 Add kernel version & usage to README
90440ef Create NOTICE
aa5bb68 Create LICENSE
3cf9917 Container tracing using eBPF
b30fc5c Initial commit
Docker images
docker pull docker.io/aquasec/tracee:0.0.1
docker pull docker.io/aquasec/tracee:latest