Tracee v0.15.0 Released!

[josedonizetti]

🚀 What's new? 🚀

⎈ Kubernetes experience 🤖

The user experience in Kubernetes environment has been enhanced. You can now configure Tracee using Kubernetes-native ConfigMaps:

1. The tracee-config ConfigMap which configures general setup of Tracee.
2. The tracee-policies ConfigMap which selects which signatures to load. You can edit this CM to add/remove events to trace.
   eg:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: tracee
    app.kubernetes.io/component: tracee
    app.kubernetes.io/part-of: tracee
  name: tracee-policies
data:
  signatures.yaml: |-
    name: signature_events
    description: traces all signature events
    defaultAction: log
    scope:
      - global
    rules:
      - event: stdio_over_socket
      - event: k8s_api_connection
      - event: aslr_inspection
      - event: proc_mem_code_injection
      - event: docker_abuse
      - event: scheduled_task_mod
      - event: ld_preload
      - event: cgroup_notify_on_release
...

3. Event context now includes container and Kubernetes specific information by default (e.g image name, kubernetes pod and namespace).
4. Postee is no longer included in the default Kubernetes installation.

⚡️ New Policy Actions 📩

1. webhook action lets you send the event to a webhook of your choice
2. forward action lets you send the event to a fluentbit collector using the native "forward" protocol

eg:

name: dig
description: traces dns events from the dig binary
scope: 
  - binary=/usr/bin/dig
defaultAction: webhook
rules:
  - event: net_packet_dns_request        
  - event: net_packet_dns_response

tracee --policies sample_policy.yaml --output webhook:http://localhost:8080

🛢️ Event Data Sources (Experimental) 🗄️

Introduced a new mechanism, data sources, for exposing external data in signature events.

Currently only tracee can register data sources to be exposed in signatures but we may add the capability plugin data sources in the future.

As of this release tracee only exposes a data source for querying currently running container's information.
Usage examples are given in feature's instrumentation test and in the docs.

📸 Capture read 📖

• Added support for capturing file read operations alongside file writes, using the new --capture read flag.
• Introduced two new capture filters:
  1. type: Filters the type of I/O operation (pipe, socket, regular file).
  2. fd: Filters the file descriptor of the I/O operation (stdin, stdout, stderr).
• You can still use the previous path filter format --capture <read/write>=<path>. Additionally, you can now use the specific
  format --capture <read/write>:path=<path> for path filtering.
• These filters are particularly useful with the new capture read option as they help reduce system loads by targeting specific read operations.

Example usage:

tracee --capture write:path=/tmp --capture write:type=regular --capture fd=stdout

📩 Events 🔔

bpf_attach event now fires when attaching to raw_tracepoint.

🔨 Fixes 👷

• Fix event argument and return code filter parsing when used in a policy
• Fix Tracee container image signing