Prepare for v0.11.0 #2612
yanivagman started this conversation in Development
Replies: 0 comments
Draft to collaborate on v0.11.0 release announcement

## 🚀 What's new? 🚀

### 🎯 Multi-Scopes 🔍

It is now possible to provide more than one set of filters to Tracee. The new feature allows you to group sets of filters into individual "scopes". To create a scope, add a `<number>:` prefix to the filter on the command line, for example `--trace 1:event=execve` (notice the `1:` prefix).

Let's say we wanted Tracee to collect the `proc_mem_access` signature across the system, and also any `security_file_open` under a specific directory. If we applied a filter to `security_file_open`, it would indirectly filter `proc_mem_access` because it depends on that event. The new multi-scopes feature solves this common problem by letting you define two separate scopes for the two use-cases:

```shell
sudo tracee \
  -t 1:event=proc_mem_access \
  -t 2:event=security_file_open \
  -t 2:security_file_open.args.pathname="/some/path/*"
```

We have created scopes `1` and `2` which filter events individually. You can also see the matching scopes in a new field on the event, which represents all scopes that matched the given event as a bitmap.

Read the documentation for more details and examples: Scopes
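As an added example (not from this post or the Tracee project), the following Python reads Tracee-style JSON event lines and decodes the matching-scopes bitmap into scope numbers, so a consumer can handle the `proc_mem_access` stream from scope 1 and the `security_file_open` stream from scope 2 independently, including an event that both scopes matched. The field name `matchedScopes`, the bit layout (bit `n-1` set means scope `n` matched) and the event shape are assumptions, and the sample events are constructed.

```python
import json
from typing import Dict, List

# Constructed sample events in a Tracee-like JSON shape. Assumed field names:
# "eventName", "matchedScopes" (bitmap, bit n-1 set => scope n matched), "args".
SAMPLE_EVENTS = "\n".join([
    json.dumps({"eventName": "proc_mem_access", "matchedScopes": 0b01, "args": []}),
    json.dumps({"eventName": "security_file_open", "matchedScopes": 0b10,
                "args": [{"name": "pathname", "value": "/some/path/secret.txt"}]}),
    # Matched by both scope 1 and scope 2: delivered once, two bits set.
    json.dumps({"eventName": "security_file_open", "matchedScopes": 0b11,
                "args": [{"name": "pathname", "value": "/some/path/cfg"}]}),
    # An empty bitmap should not occur for a delivered event; treated as unscoped.
    json.dumps({"eventName": "sched_process_exit", "matchedScopes": 0, "args": []}),
])


def decode_scopes(bitmap: int) -> List[int]:
    """Return the 1-based scope numbers whose bits are set in the bitmap."""
    scopes = []
    n = 1
    while bitmap:
        if bitmap & 1:
            scopes.append(n)
        bitmap >>= 1
        n += 1
    return scopes


def route_events(jsonl: str) -> Dict[int, List[str]]:
    """Group event names by every scope that matched them.

    An event matched by several scopes is listed under each of them;
    events with an empty bitmap are filed under scope 0.
    """
    routed: Dict[int, List[str]] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        scopes = decode_scopes(int(evt.get("matchedScopes", 0))) or [0]
        for scope in scopes:
            routed.setdefault(scope, []).append(evt["eventName"])
    return routed


if __name__ == "__main__":
    for scope, names in sorted(route_events(SAMPLE_EVENTS).items()):
        print(f"scope {scope}: {names}")
```

Because the field is a bitmap rather than a single scope id, a consumer must iterate over the set bits; checking equality against `1` or `2` would silently drop events that matched both scopes.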
### 🌐 Network capture 🎣

This version of Tracee brings lots of new features for the network packet capturing (pcap) functionality:

- `single` file: keeps all network packets in a single PCAP file (host, containers, all processes)
- `container`: keeps a single PCAP file PER container, containing all network packets for that container.
- `process`: keeps a single PCAP file PER executed process, per CONTAINER directory.
- `command`: keeps a single PCAP file PER command name, per CONTAINER directory.

Examples:

```shell
$ sudo tracee-ebpf \
    --trace event=net_packet_icmp \
    --capture network \
    --capture pcap:process,container,command
$ cd /tmp/tracee/out
$ find pcap
pcap
pcap/commands
pcap/commands/b86533d11f3
pcap/commands/b86533d11f3/ping.pcap
pcap/commands/host
pcap/commands/host/sshd.pcap
pcap/commands/host/zerotier-one.pcap
pcap/commands/host/node.pcap
pcap/commands/fd95a035ce5
pcap/commands/fd95a035ce5/ping.pcap
pcap/processes
pcap/processes/b86533d11f3
pcap/processes/b86533d11f3/ping_1261180_1663772450241192.pcap
pcap/processes/host
pcap/processes/host/node_186708_1573567360495399.pcap
pcap/processes/host/node_1196826_1662656211119567.pcap
pcap/processes/host/zerotier-one_7882_137007714376.pcap
pcap/processes/host/sshd_1196773_1662654999660718.pcap
pcap/processes/fd95a035ce5
pcap/processes/fd95a035ce5/ping_1261163_1663769383806467.pcap
pcap/containers
pcap/containers/host.pcap
pcap/containers/b86533d11f3.pcap
pcap/containers/fd95a035ce5.pcap
```
Read the documentation for more details and examples: Network capture
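As an added example (not part of the post or of Tracee itself), the following Python parses the `find pcap` listing above into an index of captures per container and per capture mode, so an analyst can locate every per-process capture of a given command across containers. It assumes the layout shown in the listing: `pcap/containers/<id>.pcap`, `pcap/commands/<id>/<command>.pcap` and `pcap/processes/<id>/<name>_<pid>_<suffix>.pcap`, where `<id>` is a container id or `host`; the meaning of the numeric suffix is not defined on the page, so it is kept as an opaque string. The listing is embedded as constructed input.

```python
from typing import Dict, List, NamedTuple, Optional

# Constructed input: the `find pcap` listing from the announcement, verbatim.
FIND_OUTPUT = """\
pcap
pcap/commands
pcap/commands/b86533d11f3
pcap/commands/b86533d11f3/ping.pcap
pcap/commands/host
pcap/commands/host/sshd.pcap
pcap/commands/host/zerotier-one.pcap
pcap/commands/host/node.pcap
pcap/commands/fd95a035ce5
pcap/commands/fd95a035ce5/ping.pcap
pcap/processes
pcap/processes/b86533d11f3
pcap/processes/b86533d11f3/ping_1261180_1663772450241192.pcap
pcap/processes/host
pcap/processes/host/node_186708_1573567360495399.pcap
pcap/processes/host/node_1196826_1662656211119567.pcap
pcap/processes/host/zerotier-one_7882_137007714376.pcap
pcap/processes/host/sshd_1196773_1662654999660718.pcap
pcap/processes/fd95a035ce5
pcap/processes/fd95a035ce5/ping_1261163_1663769383806467.pcap
pcap/containers
pcap/containers/host.pcap
pcap/containers/b86533d11f3.pcap
pcap/containers/fd95a035ce5.pcap
"""


class Capture(NamedTuple):
    mode: str              # "containers", "commands" or "processes"
    container: str         # container id, or "host"
    name: str              # command/process name; the container id in container mode
    pid: Optional[int]     # only for per-process captures
    suffix: Optional[str]  # numeric suffix of per-process files (assumed opaque)
    path: str


def parse_capture_path(path: str) -> Optional[Capture]:
    """Map one path from the listing to a Capture, or None for directories/unknown layouts."""
    parts = path.split("/")
    if len(parts) < 3 or parts[0] != "pcap" or not parts[-1].endswith(".pcap"):
        return None
    mode = parts[1]
    stem = parts[-1][:-len(".pcap")]
    if mode == "containers" and len(parts) == 3:
        return Capture(mode, stem, stem, None, None, path)
    if mode == "commands" and len(parts) == 4:
        return Capture(mode, parts[2], stem, None, None, path)
    if mode == "processes" and len(parts) == 4:
        # The process name may itself contain "_", so split from the right.
        fields = stem.rsplit("_", 2)
        if len(fields) != 3 or not fields[1].isdigit():
            return None
        return Capture(mode, parts[2], fields[0], int(fields[1]), fields[2], path)
    return None


def index_captures(listing: str) -> Dict[str, Dict[str, List[Capture]]]:
    """Build container -> mode -> [captures] from a `find pcap` listing."""
    index: Dict[str, Dict[str, List[Capture]]] = {}
    for line in listing.splitlines():
        cap = parse_capture_path(line.strip())
        if cap is None:
            continue
        index.setdefault(cap.container, {}).setdefault(cap.mode, []).append(cap)
    return index


def process_captures_for_command(listing: str, command: str) -> List[Capture]:
    """Every per-process capture of `command`, across host and all containers."""
    caps = (parse_capture_path(line.strip()) for line in listing.splitlines())
    return [c for c in caps if c is not None and c.mode == "processes" and c.name == command]


if __name__ == "__main__":
    for container, modes in index_captures(FIND_OUTPUT).items():
        print(container, {mode: len(caps) for mode, caps in modes.items()})
    for cap in process_captures_for_command(FIND_OUTPUT, "ping"):
        print(cap.container, cap.pid, cap.path)
```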
### 📩 New Events 🔔

### 🌪️ Binary filter improvements ⚙️

Read the documentation for more details and examples: Event Filtering

### ✂️ Misc 🔟

`--trace event_name.context.syscall=syscall_name`
## 🚨 Breaking changes 🔨

- `detect-syscall` flag is removed and is on by default
- `syscall` that triggered each event is now included in its context. Events that previously had the `syscall` argument will no longer include it and their `syscall` should be accessed from the context instead.
- `--capture profile` feature was removed from tracee and moved to a separate project https://github.com/aquasecurity/tracee-action
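As an added example (not from the post or from Tracee), the following Python shows how a consumer of Tracee JSON output can keep working across the `syscall` change: it reads the triggering syscall from the event context first and only falls back to the legacy `syscall` argument for events produced by older versions, and it applies the same `<event>.context.syscall=<name>` match on the consumer side. The JSON shape (a top-level `syscall` context field and an `args` list of `{"name", "value"}` objects) is an assumption, and both sample events are constructed.

```python
import json
from typing import Any, Dict, Optional

# Constructed events in a Tracee-like JSON shape (assumed field names).
# Pre-0.11 style: the syscall travels as an argument.
OLD_EVENT = json.dumps({
    "eventName": "security_file_open",
    "args": [{"name": "syscall", "value": "openat"},
             {"name": "pathname", "value": "/etc/hosts"}],
})
# 0.11 style: the syscall is part of the event context, not an argument.
NEW_EVENT = json.dumps({
    "eventName": "security_file_open",
    "syscall": "openat",
    "args": [{"name": "pathname", "value": "/etc/hosts"}],
})
# An event with no triggering syscall at all.
NO_SYSCALL_EVENT = json.dumps({"eventName": "net_packet_icmp", "args": []})


def arg_value(evt: Dict[str, Any], name: str) -> Optional[Any]:
    """Look up an argument by name in the event's args list."""
    for arg in evt.get("args", []):
        if arg.get("name") == name:
            return arg.get("value")
    return None


def event_syscall(evt: Dict[str, Any]) -> Optional[str]:
    """Triggering syscall: context field first, legacy argument as fallback."""
    ctx_syscall = evt.get("syscall")
    if ctx_syscall:
        return ctx_syscall
    return arg_value(evt, "syscall")


def matches_context_syscall(evt: Dict[str, Any], syscall_name: str) -> bool:
    """Consumer-side equivalent of --trace <event>.context.syscall=<name> (assumed exact match)."""
    return event_syscall(evt) == syscall_name


def uses_legacy_syscall_arg(evt: Dict[str, Any]) -> bool:
    """True when the event still carries syscall as an argument (older Tracee output)."""
    return evt.get("syscall") is None and arg_value(evt, "syscall") is not None


if __name__ == "__main__":
    for raw in (OLD_EVENT, NEW_EVENT, NO_SYSCALL_EVENT):
        evt = json.loads(raw)
        print(evt["eventName"], event_syscall(evt), uses_legacy_syscall_arg(evt))
```

Consumers that only ever read `args` for the syscall will see `None` for every 0.11 event; checking the context first and flagging legacy events makes the migration visible rather than silent.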