Tracee is a Runtime Security and Forensics software for Linux.
It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes the collected events to detect suspicious behavioural patterns.
It is delivered as a Docker image that monitors the OS and detects suspicious behaviour based on a pre-defined set of behavioural patterns.
What is eBPF?
eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. By making the Linux kernel programmable, infrastructure software can leverage existing layers, making them more intelligent and feature-rich without continuing to add additional layers of complexity to the system.
Before you proceed, make sure you follow the minimum requirements for running Tracee.
docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest
This will run Tracee with default settings and start reporting detections to standard output.
To simulate suspicious behaviour, run strace ls in another terminal; this triggers the “Anti-Debugging” signature, which is loaded by default.
Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.
In some cases, you might want to use Tracee’s eBPF event collection capabilities directly, without involving the detection engine. This can be useful for debugging, troubleshooting, analysis, research or education.
In that case, run Tracee with the trace sub-command, which starts dumping raw event data directly to standard output. Many configuration options let you control exactly what is collected and how; see the Documentation or add the --help flag for more.
- Linux kernel version >= 4.18
- Linux kernel headers available under conventional location (see Linux Headers section for more info)
- libc, and the libraries: libelf, zlib
- GNU Make >= 4.3
- clang >= 9
Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are not required at runtime, but only for the one-time compilation of the eBPF program. See Setup Options for more info.
When using Tracee’s Docker image, all of the tooling is built into the image. The only requirement left is the kernel headers or the pre-built eBPF artifact.
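As an added example (not part of the Tracee project), the following POSIX shell script checks the minimum requirements listed above before you run Tracee on a host: kernel >= 4.18, kernel headers under the conventional /lib/modules/<release>/build path, GNU Make >= 4.3 and clang >= 9. It assumes GNU sort -V is available and that make and clang report their version on the first line of --version output.

```shell
#!/bin/sh
# Preflight check for the Tracee requirements listed in this document.
# Added example, not Tracee's own tooling; header path and version parsing are assumptions.
# Usage: . ./tracee-preflight.sh && preflight

# version_ge A B: succeed when dotted version A >= B (uses GNU sort -V ordering)
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# kernel_ok [RELEASE]: kernel must be >= 4.18; strips suffixes like "-generic"
kernel_ok() {
    rel="${1:-$(uname -r)}"
    version_ge "${rel%%-*}" 4.18
}

# headers_ok [RELEASE]: conventional kernel header location (assumed path)
headers_ok() {
    rel="${1:-$(uname -r)}"
    [ -d "/lib/modules/$rel/build" ]
}

# tool_ok NAME MIN: NAME is on PATH and its reported version is >= MIN
tool_ok() {
    cmd="$1"; min="$2"
    command -v "$cmd" >/dev/null 2>&1 || return 1
    ver=$("$cmd" --version 2>/dev/null | head -n1 | grep -oE '[0-9]+(\.[0-9]+)+' | head -n1)
    [ -n "$ver" ] && version_ge "$ver" "$min"
}

# preflight: report every unmet requirement, exit non-zero if any is missing
preflight() {
    rc=0
    kernel_ok  || { echo "kernel $(uname -r) is older than 4.18"; rc=1; }
    headers_ok || { echo "no kernel headers at /lib/modules/$(uname -r)/build"; rc=1; }
    tool_ok make 4.3 || { echo "GNU Make >= 4.3 not found"; rc=1; }
    tool_ok clang 9  || { echo "clang >= 9 not found"; rc=1; }
    return $rc
}
```

Only the headers check matters when you use the Docker image with a pre-built eBPF artifact; the clang and make checks apply when the eBPF program is compiled on the host.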
Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository: