• 设为首页
  • 点击收藏
  • 手机版
    手机扫一扫访问
    迪恩网络手机版
  • 关注官方公众号
    微信扫一扫关注
    公众号

aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF

原作者: [db:作者] 来自: 网络 收藏 邀请

开源软件名称(OpenSource Name):

aquasecurity/tracee

开源软件地址(OpenSource Url):

https://github.com/aquasecurity/tracee

开源编程语言(OpenSource Language):

Go 74.8%

开源软件介绍(OpenSource Introduction):

Tracee Logo

GitHub release (latest by date) Go Report Card License docker Test Signatures Release Snapshot OS Packages (DAILY)

Tracee: Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at runtime, and analyzes collected events in order to detect suspicious behavioral patterns. It is usually delivered as a docker container, but there are other ways you can use it (even create your own customized tracee container).

Watch a quick video demo of Tracee:

Tracee Live Demo AND Q&A

Check out the Tracee video hub for more videos.

Documentation

The full documentation of Tracee is available at https://aquasecurity.github.io/tracee/dev. You can use the version selector on top to view documentation for a specific version of Tracee.

Quickstart

Before you proceed, make sure you follow the minimum requirements for running Tracee.

  1. Running tracee:latest

    $ docker run \
        --name tracee --rm -it \
        --pid=host --cgroupns=host --privileged \
        -v /etc/os-release:/etc/os-release-host:ro \
        -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
        aquasec/tracee:latest
    
  2. Running tracee:full

     $ docker run --name tracee --rm -it \
         --pid=host --cgroupns=host --privileged \
         -v /etc/os-release:/etc/os-release-host:ro \
         -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
         -v /usr/src:/usr/src:ro \
         -v /lib/modules:/lib/modules:ro \
         -v /tmp/tracee:/tmp/tracee:rw \
         aquasec/tracee:full
    
  1. The default (latest) image is lightweight and portable. It is supposed to support different kernel versions without having to build source code. If the host kernel does not support BTF then you may use the full container image. The full container will compile an eBPF object during startup, if you do not have one already cached in /tmp/tracee.

  2. You may need to change the volume mounts for the kernel headers based on your setup. See Linux Headers section for more info.

  3. Tracee supports enriching events with additional data from running containers. In order to enable this capability please look here.

These docker commands run Tracee with default settings and start reporting detections to standard output. In order to simulate a suspicious behavior, you can simply run:

$ strace ls

in another terminal. This will trigger the Anti-Debugging signature, which is loaded by default, and you will get a warning:

INFO: probing tracee-ebpf capabilities...
INFO: starting tracee-ebpf...
INFO: starting tracee-rules...
Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-14 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]
Serving metrics endpoint at :3366
Serving metrics endpoint at :4466

*** Detection ***
Time: 2022-03-25T08:04:22Z
Signature ID: TRC-2
Signature: Anti-Debugging
Data: map[]
Command: strace
Hostname: ubuntu-impish

Trace

In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging, troubleshooting, analysising, researching OR education.

Execute docker container with the word trace as an initial argument, and tracee-ebpf will be executed, instead of the full tracee detection engine.

$ docker run \
    --name tracee --rm -it \
    --pid=host --cgroupns=host --privileged \
    -v /etc/os-release:/etc/os-release-host:ro \
    -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
    aquasec/tracee:{{ git.tag[1:] }}
    trace

See documentation or add the --help flag for more.

Components

Tracee is composed of the following sub-projects, which are hosted in the aquasecurity/tracee repository:


Tracee is an Aqua Security open source project. Learn about our open source work and portfolio Here. Join the community, and talk to us about any matter in GitHub Discussion or Slack.




鲜花

握手

雷人

路过

鸡蛋
该文章已有0人参与评论

请发表评论

全部评论

专题导读
上一篇:
longsleep/linux-pine64: Pine64 Linux Kernel发布时间:2022-08-15
下一篇:
zentyal/zentyal: Linux Small Business Server发布时间:2022-08-15
热门推荐
阅读排行榜

扫描微信二维码

查看手机版网站

随时了解更新最新资讯

139-2527-9053

在线客服(服务时间 9:00~18:00)

在线QQ客服
地址:深圳市南山区西丽大学城创智工业园
电邮:jeky_zhao#qq.com
移动电话:139-2527-9053

Powered by 互联科技 X3.4© 2001-2213 极客世界.|Sitemap