v0.7.0 is out! It contains many new features, huge improvements to stability, performance, and documentation!
Docker images
docker pull docker.io/aquasec/tracee:v0.7.0 (embedded eBPF CO-RE obj with BTFHUB support)
docker pull docker.io/aquasec/tracee:full-v0.7.0 (compiles non CO-RE eBPF object on startup)
What's Changed
Features
- BTFHub Support (#1226)
- Added support for tracing many new 32 and 64 byte system calls (#1245, #1196)
- sched_process_fork event now includes pid of both processes (#1280)
- New Hidden Inode event (#1187)
- New capabilities package (#1256)
- Many new documentation files and improvements
- New process context map (#1300)
- Support for libbpf/libbpfgo 0.7
- Container lifecycle events (#1397)
- Container ID filtering (#1426)
- Sorting of events by timestamp (#1103)
- New decoder package (#1405)
- Introducing packages for linux distros (#1403, #1479)
- Prometheus support (#1404)
- New net_packet event (#1469)
- New security_path_symlink event (#1490)
- Expanded kconfig to BPF code (#1512)
- New existing_containers event (#1519)
- eBPF events caching option (#1527)
Fixes
- Argument types are properly changed when the output option 'parse-arguments' is passed (#1235)
- Remove false positives for memfd executables (#1207)
- Huge improvements to makefiles, dockerfiles, and whole build system (#1241, #1252, #1437, #1367, ...)
- Corrected incorrect PPID in ebpf events (#1244)
- Fix non-systemd docker runtime support (#1319)
- Fix tracee-rules --list-events output to remove duplicates and sort (#1327)
- eBPF non-core will not be built during tracee-ebpf execution (#1273)
- Proper handling of errors when BPF object can't be loaded (#1349)
- Reordering variables on the stack (#1281)
- Refactoring of events map (#1293)
- Update to go 1.17 (#1084)
- Stats for lost events are printed to stderr (#1387)
- Fixed missing security lockdown sysfs file (#1402)
- Improved testing (#1282, #1410, #1411, #1416)
- Fix for inequality filter in tracee-ebpf (#1419)
- Fixed pcap packet data (#1500)
New Contributors
- @chriskaliX made their first contribution in #1296
- @vincent-pli made their first contribution in #1327
- @liamg made their first contribution in #1360
- @Akasurde made their first contribution in #1427
- @Phat3 made their first contribution in #1480
- @OriGlassman made their first contribution in #1490
- @kaitoii11 made their first contribution in #1567
- @YuviGold made their first contribution in #1570
Full Changelog: v0.6.5...v0.7.0