GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → aquasecurity → Tracee

aquasecurity / Tracee

Licence: apache-2.0
Linux Runtime Security and Forensics using eBPF

Programming Languages

go
31211 projects - #10 most used programming language
golang
3204 projects

Labels

linuxsecurityebpfbpf

Projects that are alternatives of or similar to Tracee

Bpftrace
High-level tracing language for Linux eBPF
Stars: ✭ 4,526 (+474.37%)
Mutual labels:  bpf, ebpf
Goebpf
Library to work with eBPF programs from Go
Stars: ✭ 666 (-15.48%)
Mutual labels:  bpf, ebpf
p2pflow
Ethereum p2p traffic analysis with eBPF
Stars: ✭ 24 (-96.95%)
Mutual labels:  ebpf, bpf
libebpf
Experiemental userspace eBPF library
Stars: ✭ 14 (-98.22%)
Mutual labels:  ebpf, bpf
bpflock
bpflock - eBPF driven security for locking and auditing Linux machines
Stars: ✭ 54 (-93.15%)
Mutual labels:  ebpf, bpf
KubeArmor
Cloud-native Runtime Security Enforcement System
Stars: ✭ 434 (-44.92%)
Mutual labels:  ebpf, bpf
XDP-Firewall
An XDP firewall that is capable of filtering specific packets based off of filtering rules specified in a config file. IPv6 is supported!
Stars: ✭ 129 (-83.63%)
Mutual labels:  ebpf, bpf
portablebpf
You came here so you could have a base code to serve you as an example on how to develop a BPF application, compatible to BCC and/or LIBBPF, specially LIBBPF, having the userland part made in C or PYTHON.
Stars: ✭ 32 (-95.94%)
Mutual labels:  ebpf, bpf
Rbpf
Rust virtual machine and JIT compiler for eBPF programs
Stars: ✭ 306 (-61.17%)
Mutual labels:  bpf, ebpf
packiffer
lightweight cross-platform networking toolkit
Stars: ✭ 52 (-93.4%)
Mutual labels:  ebpf, bpf
Bpfd
Framework for running BPF programs with rules on Linux as a daemon. Container aware.
Stars: ✭ 396 (-49.75%)
Mutual labels:  bpf, ebpf
oxdpus
A toy tool that leverages the super powers of XDP to bring in-kernel IP filtering
Stars: ✭ 59 (-92.51%)
Mutual labels:  ebpf, bpf
ebpf
eBPF package for Go
Stars: ✭ 25 (-96.83%)
Mutual labels:  ebpf, bpf
ebpfpub
ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
Stars: ✭ 86 (-89.09%)
Mutual labels:  ebpf, bpf
ebpfault
A BPF-based syscall fault injector
Stars: ✭ 65 (-91.75%)
Mutual labels:  ebpf, bpf
go-tc
traffic control in pure go - it allows to read and alter queues, filters and classes
Stars: ✭ 245 (-68.91%)
Mutual labels:  ebpf, bpf
Polycube
eBPF/XDP-based software framework for fast network services running in the Linux kernel.
Stars: ✭ 217 (-72.46%)
Mutual labels:  bpf, ebpf
libbpf-sys
Rust bindings to libbpf from the Linux kernel
Stars: ✭ 103 (-86.93%)
Mutual labels:  ebpf, bpf
aya
Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
Stars: ✭ 950 (+20.56%)
Mutual labels:  ebpf, bpf
pwru
Packet, where are you? -- Linux kernel networking debugger
Stars: ✭ 694 (-11.93%)
Mutual labels:  ebpf, bpf
View All Similar Projects ➔

Tracee Logo

GitHub release (latest by date) Go Report Card License docker

Tracee: Linux Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

Tracee is delivered as a Docker image that once run, will start to monitor the OS and detect suspicious behavior based on a pre-defined set of behavioral patterns.

Tracee is composed of the following sub-projects:

Getting started

Prerequisites

  • Linux kernel version >= 4.18
  • Relevant kernel headers available under conventional location (see Linux Headers section for info)
  • libc, and the libraries: libelf and zlib
  • Gnu Make >= 4.3, needed for "group targets" support.
  • clang >= 9
  • go >= 1.16, needed for embedded support.

Exceptions:

  • Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are required only for the one-time compilation, and not at runtime. See Setup Options for more info.
  • When using Tracee's Docker image, all of the aforementioned requirements are built into the image. The only requirement left is the kernel headers or the pre-built eBPF. See Setup Options for more info.

Quickstart with Docker

docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest

Note: You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for info.

This will run Tracee with no arguments, which defaults to loading the default set of rules (see below), and to report detections on standard output (can be customized). In order to simulate a suspicious behavior, you can run strace ls in another terminal, which will trigger the "Anti-Debugging" signature, which is loaded by default.

Rules

To view the list of available rules, run the container with the --list flag.

We are currently working on creating a library of behavioral signature detections. Currently, the following are available:

Name Description Tags
Standard Input/Output Over Socket Redirection of process's standard input/output to socket "linux", "container"
Anti-Debugging Process uses anti-debugging technique to block debugger "linux", "container"
Code injection Possible code injection into another process "linux", "container"
Dynamic Code Loading Writing to executable allocated memory region "linux", "container"
Fileless Execution Executing a precess from memory, without a file in the disk "linux", "container"
kernel module loading Attempt to load a kernel module detection "linux", "container"
LD_PRELOAD Usage of LD_PRELOAD to allow hooks on process "linux", "container"

Integrations

Tracee can notify a web service when a detection is made using a custom webhook. You can configure Tracee's webhook settings using the following flags:

Flag name Description Example
--webhook-url The webhook URL --webhook-url http://my.webhook/endpoint
--webhook-template Path to Go-template that formats the payload to send. Tracee's Finding type is available to use within the template --webhook-template /path/to/my.tmpl
See template examples here.
--webhook-content-type If present, will set the Content-Type HTTP header to match the provided template --webhook-content-type application/json

A popular webhook server that can be used with Tracee is falcosidekick, which can send detection events into other systems of your choosing (for example Slack, Teams, Datadog, Prometheus, Email, Elasticsearch, PagerDuty, and many more). For more information on falcosidekick see here.

Setup options

Tracee is leveraging Linux's eBPF technology, which is kernel and version sensitive, and therefore needs to be specifically compiled for your hosts.

The easiest way to get started is to just let Tracee build the eBPF program for you automatically when it starts, as demonstrated by the Quickstart.
Alternatively, you can pre-compile the eBPF program, and provide it to Tracee. There are some benefits to this approach as you will not need clang and kernel headers at runtime anymore, as well as reduced risk of invoking an external program at runtime.

You can build the eBPF program in the following ways:

  1. Clone the repo including submodules (git clone --recursive https://github.com/aquasecurity/tracee.git) and make bpf.
  2. make bpf DOCKER=1 to build in a Docker container which includes all development tooling.

Running this will produce a file called tracee.bpf.$kernelversion.$traceeversion.o under the dist directory.
Once you have the eBPF program artifact, you can provide it to Tracee in any of the following locations:

  1. Path specified in TRACEE_BPF_FILE environment variable
  2. /tmp/tracee

In this case, the full Docker image can be replaced by the lighter-weight aquasec/tracee:slim image. This image cannot build the eBPF program on its own, and is meant to be used when you have already compiled the eBPF program beforehand.

Running in container

Tracee uses a filesystem directory, by default /tmp/tracee as a work space and for default search location for file based user input. When running in a container, it's useful to mount this directory in, so that the artifacts are accessible after the container exits. For example, you can add this to the docker run command -v /tmp/tracee:/tmp/tracee.

If running in a container, regardless if it's the full or slim image, it's advisable to reuse the eBPF program across runs by mounting it from the host to the container. This way if the container builds the eBPF program it will be persisted on the host, and if the eBPF program already exists on the host, the container will automatically discover it. If you've already mounted the /tmp/tracee directory from the host (like suggested by the quickstart, you're good to go, since Tracee by default will use this location for the eBPF program. You can also mount the eBPF program file individually if it's stored elsewhere (e.g in a shared volume), for example: -v /path/to/tracee.bpf.1_2_3.4_5_6.o:/some/path/tracee.bpf.1_2_3.4_5_6.o -e TRACEE_BPF_FILE=/some/path.

If you are building the eBPF program in a container, you'll need to make the kernel headers available in the container. The quickstart example has broader mounts that works in a variety of cases, for demonstration purposes. If you want, you can narrow those mounts down to the specific directory that contains the headers on your setup, for example: -v /path/to/headers:/myheaders -e KERN_HEADERS=/myheaders. As mentioned before, a better practice for production is to pre-compile the eBPF program, in which case the kernel headers are not needed at runtime.

Permissions

If Tracee is not actually tracing, it doesn't need privileges. For example, just building the eBPF program, or listing the available options, can be done with a regular user.
For actually tracing, Tracee needs to run with sufficient capabilities:

  • CAP_SYS_RESOURCE (to manage eBPF maps limits)
  • CAP_BPF+CAP_TRACING which are available on recent kernels (>=5.8), or SYS_ADMIN on older kernels (to load and attach the eBPF programs).

Alternatively, running as root or with the --privileged flag of Docker, is an easy way to start.

Linux Headers

In order to compile the eBPF program, Tracee needs some of the Linux kernel headers. Depending on your Linux distribution, there may be different ways to obtain them.

  • On Docker for MAC follow the following guidelines.
  • On Ubuntu/Debian/Arch/Manjaro install the linux-headers package.
  • On CentOS/Fedora install the kernel-headers and kernel-devel packages.

Normally the files will be installed in /lib/modules/${kernel_version}/build which is where Tracee expects them. If you have the headers elsewhere, you can set the KERN_HEADERS environment variable with the correct location.

Note that it's important that the kernel headers match the exact version of kernel you are running. To check the current kernel version, run the command uname -r. To install a specific kernel headers version append the version to the package name: linux-headers-$(uname -r).

Note that more often than not the kernel headers files contains filesystem links to other files in other directories. Therefore, when passing the kernel headers to Tracee docker container, make sure all the necessary directories are mounted. This is why the quickstart example mounts /usr/src in addition to /lib/modules.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].