github aquasecurity/tracee v0.8.0

24 months ago

v0.8.0

Docker Images

docker pull docker.io/aquasec/tracee:0.8.0 (embedded eBPF CO-RE object with BTFHub support)
docker pull docker.io/aquasec/tracee:full-0.8.0 (compiles a non-CO-RE eBPF object on startup)

Highlights

  • The Helm chart still points to the v0.7.0 release; please fix the image tag manually #1975

Breaking Changes

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing Tracee together with Postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Added a new derived package for a new kind of 'derived' events #1822
  • Install instructions for NixOS #1827 - Thanks @06kellyjac!
  • New Grafana dashboard for Tracee metrics #1605 #1610
  • Linux capabilities that Tracee does not need are dropped on startup #1508
  • New signature for syscall hooking detection
  • Capture of ICMP network traffic #1362

New eBPF Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859
  • DNS events over TCP #1807
  • do_init_module #1708
  • security_mmap_file, security_file_mprotect, shared_object_loaded based on security_mmap_file (LSM hook) #1631

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
  • Kallsyms are updated when kernel modules are loaded

Full Changelog:
