tracee-ebpf: how to start a raw trace

[vicky3932]

Hi，
I build the eBPF program by the way of full Docker image, and a file called tracee.bpf.$kernelversion.$traceeversion.o is produced under the dist directory. Here I am running the container, but how can I start just a raw trace (Tracee-eBPF), without the detection engine (Tracee-Rules) ? The description in the current document is not clear enough, and then I watch the quick video demo of Tracee, it seems that I need to run the tracee-ebpf file under the dist directory, however, the file does not exist in the directory. What should I do?

[yanivagman]

Hi!

You can just add the sub-command "trace" to start a raw trace as described in https://github.com/aquasecurity/tracee#trace

[vicky3932]

I'm sorry I didn't understand how to run tracee with the trace sub-command. Can you give me some examples? For example, I want to collect an system call named open.

[yanivagman]

Here is the command to do what you ask for:
docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest trace --trace e=open,openat

Replace the image name with the image you built.

Here are some more examples with other options that can be used with the trace flag (note that there is the trace subcommand and the --trace flag which are used in conjunction):
https://aquasecurity.github.io/tracee/dev/tracee-ebpf/trace-options/

[yanivagman]

@vicky3932 hope this helped.
I'm converting this issue to discussion, as it better fits there.
Feel free to ask any further questions in the discussions.