Top Related Projects
Cloud Native Runtime Security
eBPF-based Security Observability and Runtime Enforcement
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Quick Overview
Tracee is an open-source runtime security and observability tool for Linux systems. It uses eBPF technology to trace system and application behavior, detect security threats, and provide deep visibility into container and Kubernetes environments. Tracee can be used for threat detection, forensics, and compliance monitoring.
Pros
- Powerful eBPF-based tracing capabilities for deep system visibility
- Extensive set of out-of-the-box security rules and detections
- Flexible and customizable, allowing users to create their own rules and policies
- Lightweight and efficient, with minimal performance impact on monitored systems
Cons
- Requires Linux kernel version 4.18 or higher for full functionality
- Steep learning curve for users unfamiliar with eBPF and system tracing concepts
- Limited support for non-Linux operating systems
- May require additional configuration for optimal performance in large-scale environments
Getting Started
To get started with Tracee, follow these steps:
- Install Tracee on your Linux system:
sudo apt-get update && sudo apt-get install -y tracee
- Run Tracee with default settings:
sudo tracee
- To enable specific rules or customize output, use command-line flags:
sudo tracee --output json --rules TRC-1,TRC-2
For more detailed installation and usage instructions, refer to the official Tracee documentation at https://aquasecurity.github.io/tracee/dev/.
Competitor Comparisons
Cloud Native Runtime Security
Pros of Falco
- More mature project with a larger community and ecosystem
- Extensive rule set and detection capabilities out-of-the-box
- Supports multiple output formats and integrations with various SIEM systems
Cons of Falco
- Higher resource consumption, especially in large-scale environments
- Steeper learning curve for creating custom rules and configurations
- Limited support for non-Linux operating systems
Code Comparison
Falco rule example:
- rule: Unauthorized Process
  desc: Detect unauthorized process execution
  condition: proc.name in (unauthorized_processes)
  output: "Unauthorized process started (user=%user.name command=%proc.cmdline)"
  priority: WARNING
Tracee rule example:
rules:
  - name: unauthorized_process
    event: sched_process_exec
    filter:
      - comm in (unauthorized_processes)
    output: "Unauthorized process started: {{.comm}}"
Both projects use YAML for rule definitions, but Falco's syntax is more verbose and includes additional fields like priority. Tracee's rules are more concise and focus on event-based filtering.
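To show what the Tracee rule above amounts to once events leave Tracee, here is an added Go example (not Tracee's own code or rule engine) that reads the newline-delimited stream produced by `tracee --output json`, applies the `comm in (unauthorized_processes)` check to `sched_process_exec` events, and renders alerts in the shape of the rule's output template. The field names `eventName`, `processName`, `processId` and `args` follow Tracee's JSON output; the sample stream and the denylist are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds the subset of Tracee JSON event fields the rule needs; others are ignored.
type Event struct {
	EventName   string `json:"eventName"`
	ProcessName string `json:"processName"`
	ProcessID   int    `json:"processId"`
	Args        []struct {
		Name  string      `json:"name"`
		Value interface{} `json:"value"`
	} `json:"args"`
}

// DetectUnauthorized applies "comm in (unauthorized_processes)" to newline-delimited
// `tracee --output json` events: only denylisted sched_process_exec events alert.
func DetectUnauthorized(ndjson string, denylist []string) ([]string, error) {
	deny := map[string]bool{}
	for _, c := range denylist {
		deny[c] = true
	}
	var alerts []string
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("malformed event: %w", err)
		}
		if ev.EventName != "sched_process_exec" || !deny[ev.ProcessName] {
			continue // not an exec, or the comm is allowed
		}
		pathname := "?" // the executed path is carried in the args array
		for _, a := range ev.Args {
			if s, ok := a.Value.(string); ok && a.Name == "pathname" {
				pathname = s
			}
		}
		alerts = append(alerts, fmt.Sprintf("Unauthorized process started: %s (pid=%d path=%s)", ev.ProcessName, ev.ProcessID, pathname))
	}
	return alerts, nil
}

// SampleEvents is a constructed three-line stream in Tracee's JSON shape, not a real capture.
const SampleEvents = `{"eventName":"sched_process_exec","processName":"nc","processId":4242,"args":[{"name":"pathname","type":"const char*","value":"/usr/bin/nc"}]}
{"eventName":"sched_process_exec","processName":"ls","processId":4243,"args":[{"name":"pathname","type":"const char*","value":"/bin/ls"}]}
{"eventName":"openat","processName":"nc","processId":4242,"args":[]}`
```

A malformed line aborts the run with an error rather than being skipped silently, so a broken feed is noticed instead of producing a quiet gap in detections.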
eBPF-based Security Observability and Runtime Enforcement
Pros of Tetragon
- Tightly integrated with Cilium's eBPF-based networking and security features
- Provides real-time visibility into network flows and security events
- Offers advanced policy enforcement capabilities
Cons of Tetragon
- Primarily focused on Kubernetes environments
- Steeper learning curve due to its integration with Cilium ecosystem
- Less extensive documentation compared to Tracee
Code Comparison
Tracee example (simplified):
package main

import "fmt"

// tracee.Trace() is the page's simplified placeholder for a Tracee event
// source, not a real exported function; the loop shape is what matters here.
func main() {
	events := tracee.Trace()
	for event := range events {
		fmt.Printf("Event: %+v\n", event)
	}
}
Tetragon example (simplified):
package main

import "fmt"

// tetragon.GetEvents() is the page's simplified placeholder for a Tetragon
// event source, not a real exported function; the loop shape is what matters here.
func main() {
	events := tetragon.GetEvents()
	for event := range events {
		fmt.Printf("Event: %+v\n", event)
	}
}
Both projects use eBPF for runtime security and observability, but their implementations and focus areas differ. Tracee provides a more standalone solution for system-wide tracing, while Tetragon is designed to work seamlessly within the Cilium ecosystem, offering tighter integration with network-centric security features.
Tracee offers broader OS support and more extensive documentation, making it potentially easier for newcomers to adopt. Tetragon, on the other hand, excels in Kubernetes environments and provides advanced network flow visibility and policy enforcement capabilities.
Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
Pros of Wazuh
- Comprehensive security platform with SIEM, XDR, and compliance capabilities
- Extensive integrations with various security tools and platforms
- Well-established community and extensive documentation
Cons of Wazuh
- More complex setup and configuration compared to Tracee
- Higher resource consumption due to its broader feature set
- Steeper learning curve for new users
Code Comparison
Tracee (eBPF-based event capture):
SEC("tracepoint/syscalls/sys_enter_execve")
int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter *ctx)
{
    // Event handling logic: read the execve arguments from ctx and emit an event
    return 0; // tracepoint programs return an int; 0 lets the syscall proceed as normal
}
Wazuh (Rule definition):
<rule id="100001" level="5">
  <if_sid>5716</if_sid>
  <match>^New group added</match>
  <description>New group added to the system</description>
</rule>
Key Differences
- Tracee focuses on eBPF-based runtime security and observability, while Wazuh offers a broader security information and event management (SIEM) solution
- Tracee is more lightweight and specialized for container and Kubernetes environments, whereas Wazuh provides a more comprehensive security platform for various infrastructure types
- Tracee's development is primarily driven by Aqua Security, while Wazuh has a larger open-source community contributing to its development
BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Pros of BCC
- More mature project with a larger community and extensive documentation
- Supports a wider range of programming languages for writing eBPF programs
- Provides a rich set of pre-built tools for various system analysis tasks
Cons of BCC
- Steeper learning curve due to its broader scope and complexity
- Requires more system resources and dependencies for installation and usage
- Less focused on security-specific use cases compared to Tracee
Code Comparison
BCC example (Python):
from bcc import BPF

# Minimal BPF program: write a line to the kernel trace pipe on every hit
prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}
"""

b = BPF(text=prog)
# Attach hello() as a kprobe on the clone syscall entry point
b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")
# Stream the kernel trace pipe to stdout (requires root)
b.trace_print()
Tracee example (Go):
package main

import (
	"log"

	"github.com/aquasecurity/tracee/pkg/ebpf"
)

func main() {
	// NewTracer/Config are the page's simplified sketch of Tracee's Go API;
	// the setup error must not be discarded, since loading eBPF needs privileges.
	tracee, err := ebpf.NewTracer(&ebpf.Config{})
	if err != nil {
		log.Fatal(err)
	}
	tracee.Run()
}
Both projects leverage eBPF technology, but BCC offers a more general-purpose toolkit for system analysis, while Tracee focuses on security monitoring and threat detection in containerized environments.
README
Before moving on, please consider giving us a GitHub star ⭐️. Thank you!
About Tracee
Tracee is a runtime security and observability tool that helps you understand how your system and applications behave.
It uses eBPF technology to tap into your system and expose that information as events that you can consume.
Events range from factual system activity events to sophisticated security events that detect suspicious behavioral patterns.
To learn more about Tracee, check out the documentation.
Quickstart
To quickly try Tracee use one of the following snippets. For a more complete installation guide, check out the Installation section.
Tracee should run on most common Linux distributions and kernels. For compatibility information see the Prerequisites page. Mac users, please read this FAQ.
Using Docker
docker run --name tracee -it --rm \
--pid=host --cgroupns=host --privileged \
-v /etc/os-release:/etc/os-release-host:ro \
-v /var/run:/var/run:ro \
aquasec/tracee:latest
For a complete walkthrough please see the Docker getting started guide.
On Kubernetes
helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
kubectl logs --follow --namespace tracee daemonset/tracee
For a complete walkthrough please see the Kubernetes getting started guide.
Contributing
Join the community, and talk to us about any matter in the GitHub Discussions or Slack.
If you run into any trouble using Tracee or you would like to give us user feedback, please create an issue.
Find more information on contribution documentation.
More about Aqua Security
Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio here.