Releases: aquasecurity/tracee
v0.13.0
⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2963 ⚡️
Docker Images (x86_64 only)
docker pull docker.io/aquasec/tracee:0.13.0
docker pull docker.io/aquasec/tracee:0.13.0-full
Docker Images (per architecture)
docker pull docker.io/aquasec/tracee:x86_64-0.13.0
docker pull docker.io/aquasec/tracee:x86_64-0.13.0-full
docker pull docker.io/aquasec/tracee:aarch64-0.13.0
docker pull docker.io/aquasec/tracee:aarch64-0.13.0-full
The regular image embeds a portable CO-RE eBPF object plus BTFHub BTF files (for kernels that ship without BTF information). The full image embeds the same portable CO-RE eBPF object and can additionally build a per-kernel, non-CO-RE eBPF object on the host.
What's Changed
- workflow: turn github node jobs parallel by @rafaeldtinoco in #2805
- docs: small fixes by @yanivagman in #2811
- standardize error/log first letter by @geyslan in #2812
- cleanup: order import blocks by @geyslan in #2815
- docs: fix readme links by @yanivagman in #2816
- [ARM64 TESTS] workflow: add arm64 runners and tests by @rafaeldtinoco in #2817
- builder: add goimports to tracee-make docker imgs by @geyslan in #2828
- workflow: add alma linux as rhel clone to the PR workflow by @rafaeldtinoco in #2831
- Workflow paths by @rafaeldtinoco in #2833
- docs: fix readme docs links by @josedonizetti in #2837
- events: fix signature event name by @josedonizetti in #2839
- chore: go mod tidy by @josedonizetti in #2843
- workflow: pr: reenable TRC-103 by @geyslan in #2840
- workflow: pr: enable tests in arm64 and rhel_arm64 by @geyslan in #2844
- workflow: test other tools builds as well by @rafaeldtinoco in #2848
- maintenance: build: enable arm64 container images, fix building by @rafaeldtinoco in #2849
- workflow: update AMI IDs for 30GB images by @rafaeldtinoco in #2850
- workflow: change release AMI IDs to latest by @rafaeldtinoco in #2851
- chore: fix deprecated nodejs warning for github action by @rafaeldtinoco in #2856
- go: update runc from 1.1.2 to 1.1.4 due to security by @rafaeldtinoco in #2857
- workflow: login to docker.io before docker pulls by @rafaeldtinoco in #2859
- go: fix security issue CVE-2022-1996 by @rafaeldtinoco in #2861
- workflow: fix release-snapshot with dev-full tag by @rafaeldtinoco in #2862
- feat: add PTRACE_POKEDATA to ptrace_code_injection by @roikol in #2846
- workflow: fix: github login action not working by @rafaeldtinoco in #2865
- chore: enable btfhub after arm64 changes by @rafaeldtinoco in #2867
- workflow: change release AMI IDs to latest (#2851) by @rafaeldtinoco in #2869
- feat: add inotify_find_inode event by @roikol in #2794
- errfmt: introduce new package for error formatting by @geyslan in #2842
- workflow: update AMI IDs by @rafaeldtinoco in #2872
- workflow: add PRs labeler by @rafaeldtinoco in #2875
- workflow: updates to the workflow by @rafaeldtinoco in #2877
- workflow: snapshot labels for jenkins are too long by @rafaeldtinoco in #2878
- types: add SignatureContext type for init by @NDStrahilevitz in #2880
- Logger in signatures by @NDStrahilevitz in #2864
- types: matchedScopes -> matchedPolicies by @geyslan in #2881
- rename scopes related to policies by @geyslan in #2845
- make go routines shutdown gracefully by @geyslan in #2784
- ebpf: remove params_type_map and use events_map instead by @yanivagman in #2825
- workflow: re-enable v4.19 and add arm64 version by @rafaeldtinoco in #2879
- workflow: add amzn2 5.10 kernel AMIs to tests by @rafaeldtinoco in #2885
- ebpf: remove bin_args_map by @yanivagman in #2813
- tests: disable cache for integration tests by @geyslan in #2884
- workflow: add gke 5.4, 5.10 and 5.15 kernel AMIs to tests by @rafaeldtinoco in #2886
- check relevant error returns by @geyslan in #2818
- fix: base event filters by @yanivagman in #2897
- fix: fix old_path arg of security_inode_rename by @roikol in #2895
- add bpf byte code capture by @AsafEitani in #2874
- feat: add helpers list to bpf_attach by @roikol in #2855
- ebpf: align execve enter and exit timestamps by @yanivagman in #2853
- workflow: pr: enable tests in all archs by @geyslan in #2863
- workflow: pr: enable TRC-104 test in RHEL ARM64 by @geyslan in #2910
- fix: use correct type for bpf helpers by @roikol in #2912
- feat: use libbpfgo helpers to parse bpf helpers by @roikol in #2905
- libbpf bump by @geyslan in #2911
- Revert "libbpf: bump to v1.1.0 (#2911)" by @rafaeldtinoco in #2917
- refactor: move log-file to be under --log by @josedonizetti in #2909
- skip arg filtering for PrintMemDump by @geyslan in #2914
- Policies by @josedonizetti in #2892
- types: add container and kubernetes context fields by @NDStrahilevitz in #2921
- Enrich image digest by @NDStrahilevitz in #2760
- add syscall support for print_mem_dump by @AsafEitani in #2903
- types: event policy name by @geyslan in #2922
- containers: parse ContainerID by inner cgroup by @NDStrahilevitz in #2925
- policy: enrich matched event with policy name by @geyslan in #2923
- Policy number CLI removal by @geyslan in #2919
- Feature/improve symbols loaded performance by @AlonZivony in #2891
- tests: re-enable integration for policies by @geyslan in #2927
- events: add process_execute_failed event by @OriGlassman in #2858
- events: prevent symbols map cache corruption by @AlonZivony in #2930
- chore: add tracee logos by @itaysk in #2931
- build(deps): bump github.com/opencontainers/runc from 1.1.4 to 1.1.5 by @dependabot in #2932
- policies: fix container scope by @josedonizetti in #2938
- Add hidden linux kernel module event by @OriGlassman in #2714
- docs: add policies reference documentation by @josedonizetti in #2936
- docs: update docs to reflect new binary by @geyslan in #2939
- improve policies overview by @yanivagman in #2947
- Fix policy docs newline by @yanivagman in #2948
- k8s: bump version by @rafaeldtinoco in #2949
- chore: release minor fixes by @rafaeldtinoco in #2951
- release: makefile change to sign all images by @rafaeldtinoco in #2952
- release: crane is buggy, remove until fixed by @rafaeldtinoco in #2953
- makefile: remove cosign leftover and fix release makefile by @rafaeldtinoco in #2955
- workflows: make release like the snapshot logic by @rafaeldtinoco in #2958
- release: fix relea...
v0.12.0
⚡️ Release notes and discussion: https://github.com/aquasecurity/tracee/discussions/2803 ⚡️
Docker images
docker pull docker.io/aquasec/tracee:0.12.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.12.0 (compiles non CO-RE eBPF object on startup)
commit log
- refactor: simplify output flags by @josedonizetti in #2700
- chore: generate k8s statics by @josedonizetti in #2703
- tracee: fix filters by @josedonizetti in #2720
- flags: remove cache-events from output help by @josedonizetti in #2729
- swap uint and containers equality order by @geyslan in #2726
- types: upgrade go-yaml by @josedonizetti in #2719
- dep: update github.com/aquasecurity/tracee/types by @josedonizetti in #2730
- ebpf: add prog_override_return arg to bpf_attach by @roikol in #2560
- build(deps): bump github.com/containerd/containerd from 1.6.15 to 1.6.18 by @dependabot in #2732
- filterscopes: create a filterscopes pkg by @rafaeldtinoco in #2738
- log when not a container cgroup instead of err by @geyslan in #2737
- pkg/ebpf: add derived events for ld SO symbols collision (rebase) by @rafaeldtinoco in #2740
- sign container images with cosign by @developer-guy in #2607
- chore: bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #2741
- trace: add hidden kernel module struct by @OriGlassman in #2742
- adjust recently merged symbols_collision event and better document it by @rafaeldtinoco in #2743
- refactor: rules renamed to signatures by @josedonizetti in #2715
- logger: set libbpfgo logger callback by @geyslan in #2663
- events: print seconds of timespec by @roikol in #2712
- ebpf: save_args_to_submit_buf minor format change by @rafaeldtinoco in #2755
- types: add event metadata by @josedonizetti in #2752
- events: add vfs_utimes event by @roikol in #2690
- Provide Fluent Forward output option by @patrick-stephens in #2155
- chore (tests): add e2e instrumentation tests by @roikol in #2764
- Refactor output forward flag by @josedonizetti in #2766
- feat: add do_truncate event by @roikol in #2749
- Add signature event metadata by @josedonizetti in #2753
- tracee: fix args on signatures events by @josedonizetti in #2713
- tests: fix integration pkg race conditions by @geyslan in #2768
- test: fix flaky TestFindingToEvent by @josedonizetti in #2774
- workflow: move runners to jenkins by @rafaeldtinoco in #2776
- errors: improve error output by @rafaeldtinoco in #2773
- flags: cli: docs: rename trace flag to filter by @geyslan in #2767
- libbpfgo: set libbpfgo callbacks by @geyslan in #2761
- signatures: load sigs as default events by @josedonizetti in #2779
- tracee: make it the default binary by @josedonizetti in #2777
- Add multiple printers by @josedonizetti in #2746
- Add file modification event by @roikol in #2780
- Add webhook printer by @josedonizetti in #2782
- k8s: remove flag everythingIsAnEvent from helm by @josedonizetti in #2785
- Improve building docs by @rafaeldtinoco in #2787
- printer: block instead of drop events for broadcast by @josedonizetti in #2789
- k8s: fix templates to use unified binary by @josedonizetti in #2786
- k8s: bump version by @josedonizetti in #2791
- k8s: remove falcosidekick yaml by @josedonizetti in #2795
- documentation: add syscall events markdown files from ChatGPT by @rafaeldtinoco in #2792
- gptdocs: add option to generate docs for a list of events by @rafaeldtinoco in #2800
- sets: default set can't have network events v419 by @rafaeldtinoco in #2771
- adding promtail tutorial by @AnaisUrlichs in #2781
- docs: restructure #2788 by @AnaisUrlichs in #2797
- docs: update output docs by @itaysk in #2802
New Contributors
- @developer-guy made their first contribution in #2607
- @patrick-stephens made their first contribution in #2155
Full Changelog: v0.11.1...v0.12.0
v0.11.1
v0.11.1 highlights and discussion
Docker images
docker pull docker.io/aquasec/tracee:0.11.1 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.11.1 (compiles non CO-RE eBPF object on startup)
v0.11.0
v0.11.0 highlights and discussion
Docker images
docker pull docker.io/aquasec/tracee:0.11.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.11.0 (compiles non CO-RE eBPF object on startup)
v0.10.0
Release highlights and summary
👉 https://github.com/aquasecurity/tracee/discussions/2503
Full Changelog
- k8s: update tags to 0.9.3 by @josedonizetti in #2329
- doc: move kallsyms_lookup_name event doc to new doc path by @AlonZivony in #2333
- [MAINT] btfhub: adjust ol7 path after btfhub change by @rafaeldtinoco in #2341
- k8s: fix postee dependency by @josedonizetti in #2342
- docs: add tag to kubect apply by @josedonizetti in #2343
- pkg/ebpf: add syscalls arguments to security_file_mprotect by @AlonZivony in #2335
- feature: add stdin path to sched_process_exec by @roikol in #2216
- pkg/ebpf: fix multi use of string buf in sched_process_exec by @AlonZivony in #2345
- refactor: probes: move diff probe types to own files by @rafaeldtinoco in #2349
- refactor: pkg/cgroup and pkg/containers initial structure by @rafaeldtinoco in #2350
- [FEAT] Args syscall filter by @NDStrahilevitz in #2251
- [FIX] events_enrich: fix missing container_remove event by @NDStrahilevitz in #2357
- [FEAT] logger: debug output enrichment by @geyslan in #2254
- builder: increase alpine version to fix golang dependency by @rafaeldtinoco in #2373
- [REFACTOR] Cgroup Interface (cgroupv1 and cgroupv2 initialization) by @rafaeldtinoco in #2233
- pkg/ebpf: add arguments and doc to mem_prot_alert by @AlonZivony in #2339
- Feature/event context filter by @NDStrahilevitz in #2229
- pkg/ebpf: cancel event with missing symbols dependency by @AlonZivony in #2370
- pkg/ebpf: process existing mount ns upon initialization by @AlonZivony in #2283
- Fix capabilities initialization by @rafaeldtinoco in #2380
- pkg/events: add API to derive multiple events from single function by @AlonZivony in #2384
- pkg/procinfo: procfs errors are too frequent by @rafaeldtinoco in #2394
- [MAINT] workflows/pr: add kinetic60 and focal419 by @rafaeldtinoco in #2399
- pkg/ebpf/tracee: fix capabilities for procfs reads by @rafaeldtinoco in #2406
- types: add network protocol events types by @rafaeldtinoco in #2378
- types: add EventName to SignatureMetadata by @josedonizetti in #2408
- pkg/ebpf: change fork thread start time to be since epoch by @AlonZivony in #2387
- tracee-rules: extract getSignatures by @josedonizetti in #2413
- tracee-ebpf: extract logic into pkg/cmd by @josedonizetti in #2416
- [FEATURE] New network code with tests by @rafaeldtinoco in #2200
- tracee: add new binary by @josedonizetti in #2418
- pkg/utils/proc: log errors as debug only by @rafaeldtinoco in #2426
- tracee: make some perf buffers optional by @NDStrahilevitz in #2423
- pkg/counter: change Counter type by @geyslan in #2427
- signatures: add event name to golang sigs by @josedonizetti in #2412
- Embed test script and import environment variable by @grantseltzer in #2366
- [FEAT] Simple DNS events compatible with old ones by @rafaeldtinoco in #2425
- pkg/ebpf: reduce security_file_mprotect instructions by @AlonZivony in #2421
- printer: add container image to table printer by @NDStrahilevitz in #2232
- Streamline error logging by @NDStrahilevitz in #2403
- rules: refactor engine.New to receive sigs via Cfg by @josedonizetti in #2438
- Add AVD link from detection docs by @grantseltzer in #2326
- ebpf: fix process tree filter by @yanivagman in #2431
- rules: reenable dropped_executable by @josedonizetti in #2445
- Bugfix/rodata err 419 by @AlonZivony in #2447
- ebpf: fix error handling by @josedonizetti in #2354
- pkg/utils/sharedobjs: check open failure by @AlonZivony in #2450
- tracee: trim event name for table output by @josedonizetti in #2440
- derive: fix cgroupv1 hid false derives by @NDStrahilevitz in #2453
- rules: refactor signature name by @josedonizetti in #2455
- [FIX] network: do not run e2e-net-test for vanilla v4.19 by @rafaeldtinoco in #2456
- caps: log errors from caps Requested and cb func by @geyslan in #2459
- network: e2e-net-test v419 skip should return 0 by @rafaeldtinoco in #2461
- rules: add event name to rego signatures by @josedonizetti in #2457
- probes: fix lockup when nested raising privileges by @rafaeldtinoco in #2460
- build(deps): bump github.com/containerd/containerd from 1.6.8 to 1.6.12 by @dependabot in #2452
- Feature/reduce sched exec instruction by @AlonZivony in #2434
- events_pipeline: run filters for derived events by @rafaeldtinoco in #2463
- Bump libbpfgo to v0.4.5-libbpf-1.0.1 by @rafaeldtinoco in #2472
- Add rules to the pipeline by @josedonizetti in #2439
- tracee: add flag to install new tracee by @josedonizetti in #2473
- sorting: add race condition checks for queues usage by @AlonZivony in #2465
- Quick start update & adding commands to create docs previous to Makefile by @AnaisUrlichs in #2478
- tracee.bpf: arm64: fix var warning for bpf-nocore by @rafaeldtinoco in #2480
- events: remove unused dependency by @yanivagman in #2464
- pkg/events/parse: use generic function to parse args by @AlonZivony in #2482
- Arg filter fixes by @rafaeldtinoco in #2488
- docs: add network events documentation to mkdocs by @rafaeldtinoco in #2494
- [FEAT] builder: add custom-rules arg opt to entrypoint.sh by @geyslan in #2493
- [FEAT] log ebpf errors by @geyslan in #2352
- k8s: bump tag to 0.10.0 by @josedonizetti in #2496
- docs: add everything is an event tutorial by @josedonizetti in #2495
- Binary filter by @yanivagman in #2385
- docs: fix typo by @josedonizetti in #2501
- network: add port arg to protocols TCP and UDP by @rafaeldtinoco in #2502
v0.9.3
This version continues the trend of the v0.9.x series: quickly fixing bugs and updating documentation in small, frequent releases. We're happy that this trend makes the latest Tracee version a more stable and reliable one to depend on.
See the full release notes and closed milestone issues for highlights.
Docker images
docker pull docker.io/aquasec/tracee:0.9.3 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.9.3 (compiles non CO-RE eBPF object on startup)
Full Changelog
b784993 - workflows: add stream8 back (#2327) (Rafael David Tinoco)
20daa29 - Documentation: Fix broken links, move deep dive section (#2322) (grantseltzer)
430c073 - ebpf: fix mem_prot_alert invalid args (#2324) (Yaniv Agman)
a37dcf6 - workflows: change pr to new runners (#2325) (Rafael David Tinoco)
ea11896 - Run integration test triggers in own PID (#2323) (grantseltzer)
380070e - flags: add a test for prepareEventsToTrace (Nadav Strahilevitz)
766f588 - events: add a "containers" set (Nadav Strahilevitz)
31d09d4 - filter: fix wildcard not working for events (Nadav Strahilevitz)
ca2a14e - bucketscache: add RWMutex (#2316) (Nadav Strahilevitz)
534b6a4 - types/trace: add u8 type support to UnmarshalJson (#2312) (Alon Zivony)
4ff5914 - tracee: remove invalid events from tailcalls (#2310) (Nadav Strahilevitz)
f51b41a - filters: flags: change mntns and pidns filter expressions (#2302) (Geyslan Gregório)
df6d661 - logger: move logger start to init functions (#2252) (Geyslan Gregório)
v0.9.2
This release contains fixes for regressions introduced in the last two releases. In particular, we've disabled TRC-108 and TRC-1022, disabled the default capabilities drop, and moved libbpf back to v1.0.1.
As this comes very soon after the prior two releases, take a look at v0.9.0's release notes to see recent highlights of tracee's improvements and added features!
Docker images
docker pull docker.io/aquasec/tracee:0.9.2 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.9.2 (compiles non CO-RE eBPF object on startup)
Full changelog
f7a0b78 - rules: disable TRC-1022 (#2304) (Jose Donizetti)
84fd91e - capabilities: do not drop caps by default (Rafael David Tinoco)
29b89f8 - golang: go mod tidy (Rafael David Tinoco)
70ea836 - libbpfgo: bump to v0.4.4-libbpf-1.0.1 (Rafael David Tinoco)
6a079a9 - libbpf: back to v1.0.1 (Rafael David Tinoco)
537fe6c - hooked_proc_fops: remove redundant struct check and handle null pointer (#2303) (AsafEitani)
b8ac9db - k8s: disable signature TRC-108 (#2297) (Jose Donizetti)
bbcc6a5 - k8s: update version to 0.9.2 (#2299) (Jose Donizetti)
ae722d7 - event fix: bpf_attach map key (#2295) (roikol)
v0.9.1
This is a small release that only contains bug fixes; it is recommended over v0.9.0. As it comes two days after the prior release, take a look at v0.9.0's release notes for highlights of its improvements and added features!
Docker images
docker pull docker.io/aquasec/tracee:0.9.1 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.9.1 (compiles non CO-RE eBPF object on startup)
Full Changelog
58399f0 - k8s: update image tag to latest (#2293) (Jose Donizetti)
0842226 - capabilities: do not drop privileges in tracee-ebpf by default (Rafael David Tinoco)
00c7bd2 - symbols_loaded: raise privileges when needed (Rafael David Tinoco)
9826640 - path_resolver: raise privileges when needed (Rafael David Tinoco)
7ef3541 - probes: add NET_ADMIN capability as required for tcProbes (Rafael David Tinoco)
73fb7eb - capabilities: make new capabilities a singleton (Rafael David Tinoco)
02804d8 - capabilities: raise caps for init_namespaces event (Yaniv Agman)
73273d2 - caps: raise privileges for cgroupv1 mount (#2290) (Rafael David Tinoco)
cbaeac2 - pkg/ebpf: fix symbols_loaded initialization crash (#2284) (Alon Zivony)
1bb7264 - capabilities: fix: raise caps ring for privileged operations (#2280) (Rafael David Tinoco)
Full Changelog: v0.9.0...v0.9.1
v0.9.0
It's never been better to run Tracee in Kubernetes! This release represents a significant jump in the value of running Tracee in users' Kubernetes environments. This is most notably because of the huge contribution of Aqua's research team, adding 20+ new signatures to tracee-rules. Users can enable these to instantly gain detection of common cloud native attacks without having to write a single policy.
We've also revamped our documentation to make installing, running, and understanding Tracee even more accessible to its users.
Thank you to all our external contributors who participated in this release by either contributing code, documentation, or opening issues!
New Signatures
In #2271/2259, 20+ new signatures were introduced. Signatures let Tracee users declare which potentially malicious behaviors they want to be alerted to.
For example, the new proc_mem_access signature alerts on a common attack pattern in which one process attempts to read the memory of another process; credentials and secrets can be obtained this way.
Check out the Available Rules page on the documentation site for an explanation of all provided signatures you can use with Tracee.
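The pattern this signature looks for, as an added example that is not code from the tracee repository: a reduced Go detector that mimics how a signature selects security_file_open events and inspects their pathname argument, run over a constructed event stream. The Event and Finding types, the helper names, the decision to skip a process opening its own /proc/self/mem, and the sample events are all assumptions made for this example, not the project's signature logic.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Event is a reduced stand-in for a tracee event, constructed for this
// example; the real type is trace.Event in the tracee types module.
type Event struct {
	EventName   string
	ProcessID   int
	ProcessName string
	Args        map[string]string // tracee carries typed args; strings suffice here
}

// Finding is what the detector reports for a matching event.
type Finding struct {
	ReaderPID  int    // process that opened /proc/<pid>/mem
	ReaderName string // its comm
	TargetPID  int    // process whose memory was opened
	Reason     string
}

// procMemRe matches the only two spellings of the memory file: a numeric pid
// or "self". Anchoring both ends avoids matching e.g. /proc/123/mem.bak.
var procMemRe = regexp.MustCompile(`^/proc/(self|[0-9]+)/mem$`)

// DetectProcMemAccess is a simplified version of the idea behind the
// proc_mem_access signature, written for this example rather than taken from
// tracee: it selects security_file_open events (which carry the resolved
// "pathname" argument) and flags an open of another process's /proc/<pid>/mem.
// Ignoring a process opening its own memory file is this example's choice;
// the real signature may decide differently.
func DetectProcMemAccess(ev Event) (Finding, bool) {
	if ev.EventName != "security_file_open" {
		return Finding{}, false
	}
	m := procMemRe.FindStringSubmatch(ev.Args["pathname"])
	if m == nil {
		return Finding{}, false
	}
	target := ev.ProcessID // "/proc/self/mem" resolves to the caller itself
	if m[1] != "self" {
		n, err := strconv.Atoi(m[1]) // the regex guarantees digits only
		if err != nil {
			return Finding{}, false
		}
		target = n
	}
	if target == ev.ProcessID {
		return Finding{}, false
	}
	return Finding{
		ReaderPID:  ev.ProcessID,
		ReaderName: ev.ProcessName,
		TargetPID:  target,
		Reason:     fmt.Sprintf("%s (pid %d) opened /proc/%d/mem", ev.ProcessName, ev.ProcessID, target),
	}, true
}

// RunSignature feeds a stream of events through the detector, the way the
// signature engine hands each selected event to a signature's OnEvent.
func RunSignature(events []Event) []Finding {
	var findings []Finding
	for _, ev := range events {
		if f, ok := DetectProcMemAccess(ev); ok {
			findings = append(findings, f)
		}
	}
	return findings
}

// SampleEvents is a constructed event stream: one benign self access, one
// unrelated /proc read, and one cross-process read of the kind the signature targets.
func SampleEvents() []Event {
	return []Event{
		{EventName: "security_file_open", ProcessID: 1337, ProcessName: "java", Args: map[string]string{"pathname": "/proc/self/mem", "flags": "O_RDONLY"}},
		{EventName: "security_file_open", ProcessID: 2001, ProcessName: "cat", Args: map[string]string{"pathname": "/proc/1337/maps", "flags": "O_RDONLY"}},
		{EventName: "security_file_open", ProcessID: 4242, ProcessName: "dumper", Args: map[string]string{"pathname": "/proc/1337/mem", "flags": "O_RDONLY"}},
	}
}

func main() {
	for _, f := range RunSignature(SampleEvents()) {
		fmt.Println("proc_mem_access:", f.Reason)
	}
}
```

Only the third sample event produces a finding: the regex is anchored so sibling files such as maps do not match, and the self-read is dropped by the pid comparison.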
New Events
To power some of these new signatures and add more possibilities for future ones, we've added two new events, the raw hooks that Tracee uses to gather insight. In particular they are kallsyms_lookup_name and bpf_attach. (#2255 and #2079)
Documentation
We've restructured documentation to be more accessible for users, as opposed to just developers. There's also a new quickstart guide for running Tracee in Kubernetes, the target use-case for it. Check out the documentation site here.
More Highlights
There are many fixes and code quality improvements to Tracee. This includes but isn't limited to new tests, standardizing of logging, fixing the way you can install Tracee with Helm, and upgrading to the latest version of libbpf.
Breaking Changes
security_inode_unlink event's 'device' argument was renamed to 'dev' (#2175)
Docker images
docker pull docker.io/aquasec/tracee:0.9.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.9.0 (compiles non CO-RE eBPF object on startup)
Full Changelog
7954dc6 - docs: add overview to docs, contributing sections (#2275) (Jose Donizetti)
dcbcb9d - docs: stop creating docs for patch versions (#2274) (Jose Donizetti)
10b97e8 - signatures: add TRC-108 to the export list so it is installed (Rafael David Tinoco)
5271aef - signatures: do not install rego signatures by default (Rafael David Tinoco)
ecd378b - kerneltest: test new golang sigs instead of rego ones (Rafael David Tinoco)
bb5bb07 - signature: use socket_dup event instead of dup(s) syscalls in stdio_over_socket.go (RoiKol)
6a0f8a3 - signatures: use helpers to get addr argument details (RoiKol)
2694bdf - signatures: serialize TRC IDs (RoiKol)
5add098 - signature: use sched_process_exec instead of execve in kubernetes_api_connection.go sig (RoiKol)
3fc7d0e - signature: add syscall_table_hooking.go sig (RoiKol)
a5e955a - signature: add proc_fops_hooking.go sig (RoiKol)
08e363e - signature: add kubernetes_certificate_theft_attempt.go sig (RoiKol)
40fc0cd - signature: add kernel_module_loading.go sig (RoiKol)
0046569 - signature: add k8s_service_account_token.go sig (RoiKol)
36e5808 - signature: add illegitimate_shell.go sig (RoiKol)
305c7b4 - signature: add fileless_execution.go sig (RoiKol)
b5c88c3 - signature: add dynamic_code_loading.go sig (RoiKol)
904ace4 - signature: add disk_mount.go sig (RoiKol)
4e7fd14 - signature: add process_vm_write_code_injection.go sig (RoiKol)
cc469cb - signature: add ptrace_code_injection.go sig (RoiKol)
cd26823 - signature: add anti_debugging_ptraceme.go sig (RoiKol)
071bdfc - signature: add hidden_file_created.go sig (RoiKol)
d84122c - signature: add proc_mem_access.go sig (RoiKol)
b1013aa - signature: add proc_kcore_read.go sig (RoiKol)
2125a85 - signature: add core_pattern_modification.go sig (RoiKol)
a63f0b2 - signature: add rcd_modification.go sig (RoiKol)
f120665 - signature: add cgroup_release_agent_modification.go sig (RoiKol)
cc897ab - signature: add system_request_key_config_modification.go sig (RoiKol)
64356d7 - signature: add sched_debug_recon.go sig (RoiKol)
5150eb5 - signature: add sudoers_modification.go sig (RoiKol)
80f1aaa - signature: add default_loader_modification.go sig (RoiKol)
ab1f7b1 - signature: add cgroup_notify_on_release_modification.go sig (RoiKol)
7a48cea - signature: add ld_preload.go sig (RoiKol)
6885524 - signature: add scheduled_task_modification.go sig (RoiKol)
c173d22 - signature: add docker_abuse.go sig (RoiKol)
5b029ff - signature: add proc_mem_code_injection.go sig (RoiKol)
7b8b964 - signature: add dropped_executable.go sig (RoiKol)
f78982b - signature: add aslr_inspection.go sig (RoiKol)
4e9750a - Update tracee tags in deployments (#2256) (grantseltzer)
1376dfa - docs: restructuring documentation (#2265) (Jose Donizetti)
abf218b - docs: update RELEASING.md to publish helm (#2270) (Jose Donizetti)
cb1d0f3 - k8s: make postee optional (#2268) (Jose Donizetti)
53e1bbc - k8s: add kind to helm publishing for testing (#2263) (Jose Donizetti)
6242a21 - rules: migrate log calls to new logger (#2224) (Shubham Palriwala)
784df91 - events: add kallsyms_lookup_name event (RoiKol)
fe7cbbb - events: add bpf_attach event (#2079) (roikol)
3e24071 - Upgrade libbpfgo to v0.4.3-libbpf-1.0.1 and (#2220) (grantseltzer)
2f49db4 - integration: fix integration tests (#2250) (Rafael David Tinoco)
ae12514 - refactor: improve help handling (#2241) (Jose Donizetti)
bd48dd2 - Fix helm publishing (#2247) (Jose Donizetti)
88791a7 - k8s: fix helm publishing (#2245) (Jose Donizetti)
9a1f8c9 - refactor: remove debug flag from pkg/server (#2239) (Jose Donizetti)
f44a435 - uprobe: fix uprobe trigger triggered from multiple tracee instances (#2230) (AsafEitani)
9965fd9 - tests: add filters tests and benchmarks (Nadav Strahilevitz)
9e8ba73 - filters: refactor to allow multiple parses (Nadav Strahilevitz)
05bf6f5 - filters: add error files (Nadav Strahilevitz)
4f8684a - filters: add Min and Max methods (Nadav Strahilevitz)
1529dbe - filters: move enabling logic to methods (Nadav Strahilevitz)
cb56c15 - filters: encapsulate min, max, args and ret logic (Nadav Strahilevitz)
6697e68 - filters: split into bpf filters (Nadav Strahilevitz)
98666e1 - filters: add filter constructors (Nadav Strahilevitz)
5dbc539 - filters: reuse StringFilter in ArgFilter (Nadav Strahilevitz)
c75230e - flags: remove tests (Nadav Strahilevitz)
bb611da - events: add GetID helper (Nadav Strahilevitz)
81eb1b3 - filters: add prefix and suffix sets (Nadav Strahilevitz)
f363f1c - pkg/ebpf: fix bug in support for arg types (#2228) (Alon Zivony)
dd41bad - pkg/ebpf+events: created new event for sigaction (Alon Zivony)
4a918e2 - pkg/ebpf: fix get_node_addr macro (Alon Zivony)
024d5b4 - events: include 32bit syscalls in syscall event range (#2218) (Nadav Strahilevitz)
5c2aabe - container enrichment: skip enriched events (#2214) (Nadav Strahilevitz)
a929e9d - metrics: add events filtered stat (#2212) (Nadav Strahilevitz)
c29685c - kerneltest: fix test name variable (#2213) (Rafael David Tinoco)
ec9bcd1 - logger: change API function names (#2208) (Geyslan Gregório)
968152e - log: introduce logger package (#2110) (Geyslan Gregório)
1efc149 - docs: fix symbols_loaded typos (Nadav Strahilevitz)
3989bc3 - events: move symbols_loaded to userspace event ids (Nadav Strahilevitz)
23666f8 - pkg/ebpf: quick fix for args_map memory leak (Alon Zivony)
374e729 - tracee.bpf.c: fix submit of shared_object_loaded (Nadav Strahilevitz)
bfdd481 - README: Fix typo (Margarita Manterola)
306275d - types/trace: support arbitrary pointers in json (#2182) (Alon Zivony)
bc58ca8 - Test: Add Unit tests for params under event parsing (#2199) (Shubham Palriwala)
264056c - refactor: clean up tracee-rules/main.go (#2194) (Jose Donizetti)
b567f6b - fix: change k8s version to 0.8.3 (#2195) (Jose Donizetti)
c0ffcc6 - Test_getTailCalls: fix intermittent failure (#2192) (Nadav Strahilevitz)
cedb4c3 - README: fix indention of "docker run" blocks (#2193) (Nils Hanke)
fefeb08 - pprof: move to server package (#2180) (Jose Donizetti)
c0d24c7 - docs: small fixes (Yaniv Agman)
4f2d828 - bpf-nocore: remove compilation warnings and unused variables (#2179) (Rafael David Tinoco)
ccfb903 - deprecation: adjust deprecation warnings (Rafael David Tinoco)
a8a3668 - parse_args: fix {get,set}sockopt new parse option (Rafael David Tinoco)
9cd4e86 - capabilities: fix usage of kernel version interface (grantseltzer)
4848140 - libbpf: bump to v1.0.0 (Rafael David Tinoco)
ca6e82f - libbpfgo: bump to v0.4.0-libbpf-1.0.0-8-g14c6bc9 (Rafael David Tinoco)
8468f89 - events: rename security_inode_unlink device arg (#2175) (AsafEitani)
v0.8.3
This is a very small release mostly triggered by a security update to OPA.
Breaking changes
There should be no breaking changes.
Highlights
Fixes/Security Updates
- Bump OPA dependency from v0.42.0 to v0.44.0 (#2172)
- Fixed security_file_open event dependencies (#2166)
Improvements
- New /healthz endpoint for both tracee-ebpf and tracee-rules (#2116)
- security_inode_unlink event has been enriched with more arguments (#2136)
- You can now specify env DEBUG=1 while building to include DWARF symbols (#2164)
Docker images
docker pull docker.io/aquasec/tracee:0.8.3 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-0.8.3 (compiles non CO-RE eBPF object on startup)
Full Changelog
792b510 - security: bump OPA from 0.42.0 to 0.44.0 (#2172) (Rafael David Tinoco)
5b91c25 - events_derived: merge into existing files (Nadav Strahilevitz)
f1ebce6 - events/derive: simplify files (Nadav Strahilevitz)
a573fe2 - tracee: debug mode: only enable net probes if needed (Rafael David Tinoco)
0321b78 - docs/installing: add 'tracee-system' namespace to the manual installation (#2167) (Vitor Duque)
e53c5c0 - net_events: remove current net debugging mechanism (Rafael David Tinoco)
42d9a2c - tracee.bpf.c: move license and kernel version to the top (Rafael David Tinoco)
048daa8 - pkg/ebpf: enrich security_inode_unlink (#2136) (Alon Zivony)
7a82831 - events: add execve and execveat to security_file_open syscalls (#2166) (Nadav Strahilevitz)
63cead8 - feat: add healthz endpoint (#2116) (Jose Donizetti)
c83ac80 - Makefile: add DEBUG flag to enable symbols (#2164) (Geyslan Gregório)
999e44f - k8s: fix tracee version to latest release v0.8.2 (#2162) (Jose Donizetti)