Tracee v0.13.0 Released!

[rafaeldtinoco]

🚨 Breaking changes 🔨

Tracee is undergoing a major revision which affects the user experience, so we expect several breaking changes in upcoming releases. Please read #2890 for more info.

⛩️ Event structure 🏗️

Event's container and pod fields are now organized in groups as follows:
1. container: id, ImageName, ImageDigest (new), Name
2. kubernetes: PodName, PodNamespace, PodUID, PodSandbox
Event structure will further change in next release as discussed in #2870

🚀 What's new? 🚀

👮‍♀️ Policies 📃

Tracee now has a new user experience based on policies. A policy is a yaml document where you can specify a scope and associate it with a set of rules. A scope defines the workloads to which the policy applies. A rule defines events to be matched and actions to take on them. For example, the following policy collects DNS events originating from the dig binary inside containers:

name: example
description: trace dns events from the dig binary in containers
scope: 
  - binary=/usr/bin/dig
  - container
defaultAction: log
rules:
  - event: net_packet_dns_request        
  - event: net_packet_dns_response

You can load multiple policies into Tracee using the --policy flag providing a path to the policy file.
For more information, see the documentation on policies.

📺 ARM64 support 💪

Tracee already supported ARM64 architecture for some time now, despite not being fully tested or packaged for the end user. From this version and on, Tracee now officially supports ARM64 architecture and provides docker images for it. You can give it a try by running:

docker run --name tracee --rm -it \
 --pid=host --cgroupns=host --privileged \
 -v /etc/os-release:/etc/os-release-host:ro \
 -v /boot/config-$(uname -r):/boot/config-$(uname -r):ro \
 -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host \
 aquasec/tracee:$(uname -m)

📸 BPF program capturing 🪝

It is now possible to capture the bytecode of BPF programs as they are being loaded into the kernel, using the new --capture bpf flag.

📩 Events 🔔

• inotify_watch: indicates the usage of inotify mechanism on a path
• security_bpf_prog: provides information about BPF programs loaded into the kernel or requested by the user
• hidden_kernel_module: which periodically checks for a hidden kernel module in your system
• process_execute_failed: indicates a failed execution
• bpf_attach: Added the list of helpers used by a BPF program and removed the prog_write_user and prog_override_return arguments as they are now redundant.

🦄 Misc 💐

• Container enrichment now adds a new ImageDigest field.

🔨 Fixes 👷

• The .context.podName filter was incorrectly filtering the image name.
• Fix wrong old_path argument value of security_inode_rename event.
• Fix print_mem_dump regression in previous version.
• Correctly identify nested container IDs.