github aquasecurity/tracee v0.8.0-rc-1

pre-release, 2 years ago

v0.8.0-rc-1

This is the first release candidate for the upcoming v0.8.0 release!

Docker images

  • docker pull docker.io/aquasec/tracee:0.8.0-rc-1 (embedded eBPF CO-RE obj with BTFHUB support)
  • docker pull docker.io/aquasec/tracee:full-0.8.0-rc-1 (compiles non-CO-RE eBPF object on startup)

Preliminary Highlights

New Features

  • Container event enrichment with data from multiple runtimes #1809 #1886
  • New Helm chart for installing Tracee with Postee #1812
  • Tracee-rules signatures can now be written in CEL #1766
  • The sched_process_exec event now has the binary file's inode mode information #1889
  • The security_file_open event now has syscall pathname #1841
  • The sched_process_exec event now has an interp field #1831
  • Events now contain thread start time #1849
  • Tracee is now built with libbpf v0.8.0 and libbpfgo v0.3.0-libbpf-0.8.0 #1891
  • Started documenting events under docs/events #1808
  • Created a new derived package for a new type of 'derived' events #1822
  • Install instructions for NixOS #1827 - Thanks @06kellyjac!
  • New Grafana dashboard for Tracee metrics #1605 #1610

New Events

  • device_add #1690
  • net_packet, dns_query, dns_response #1515
  • hooked_proc_fops for /proc file operation detection #1718
  • hidden_sockets #1730
  • set_task_comm indicating process name change #1811
  • security_socket_setsockopt (LSM hook) #1859

Fixes

  • Tracee will no longer crash when tracing symbols present in kernel modules #1882
  • Removed false positive for TRC-11 signature #1878
  • Filtering for hooked_seq_ops event now works as expected #1860
