Tracee- Linux Runtime Security And Forensics Using eBPF


Tracee is a Runtime Security and Forensics software for Linux.

It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioural patterns.

It is delivered as a Docker image that monitors the OS and detects suspicious behaviour based on a pre-defined set of behavioural patterns.

What is eBPF?

eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules.

eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. By making the Linux kernel programmable, infrastructure software can leverage existing layers, making them more intelligent and feature-rich without continuing to add additional layers of complexity to the system.


Before you proceed, make sure you follow the minimum requirements for running Tracee.

docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest

This will run Tracee with default settings and start reporting detections to standard output.

In order to simulate a suspicious behavior, you can run strace ls in another terminal, which will trigger the “Anti-Debugging” signature, which is loaded by default.

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.


In some cases, you might want to leverage Tracee’s eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging/troubleshooting/analysis/research/education.

In this case you can run Tracee with the trace sub-command, which will start dumping raw data directly into standard output. There are many configurations and options available so you can control exactly what is being collected and how. see the Documentation or add the –help flag for more.


  • Linux kernel version >= 4.18
  • Linux kernel headers available under conventional location (see Linux Headers section for more info)
  • libc, and the libraries: libelf, zlib
  • GNU Make >= 4.3
  • clang >= 9


Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are not required at runtime, but only for the one-time compilation of the eBPF program. See Setup Options for more info.

When using Tracee’s Docker image, all of the tooling is built into the image. The only requirement left is the kernel headers or the pre-built eBPF artifact.


Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:

Tracee-eBPF – Linux Tracing and Forensics using eBPF
Tracee-Rules – Runtime Security Detection Engine
libbpgo – Go library for eBPF programming using Linux’s libbpf

Download Tracee

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

Related Posts