
aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF


Top Related Projects


Cloud Native Runtime Security

eBPF-based Security Observability and Runtime Enforcement


Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.


BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

Quick Overview

Tracee is an open-source runtime security and observability tool for Linux systems. It uses eBPF technology to trace system and application behavior, detect security threats, and provide deep visibility into container and Kubernetes environments. Tracee can be used for threat detection, forensics, and compliance monitoring.

Pros

  • Powerful eBPF-based tracing capabilities for deep system visibility
  • Extensive set of out-of-the-box security rules and detections
  • Flexible and customizable, allowing users to create their own rules and policies
  • Lightweight and efficient, with minimal performance impact on monitored systems

Cons

  • Requires Linux kernel version 4.18 or higher for full functionality
  • Steep learning curve for users unfamiliar with eBPF and system tracing concepts
  • Limited support for non-Linux operating systems
  • May require additional configuration for optimal performance in large-scale environments

Getting Started

To get started with Tracee, follow these steps:

  1. Install Tracee on your Linux system:
     sudo apt-get update && sudo apt-get install -y tracee
  2. Run Tracee with default settings:
     sudo tracee
  3. To enable specific rules or customize output, use command-line flags:
     sudo tracee --output json --rules TRC-1,TRC-2

For more detailed installation and usage instructions, refer to the official Tracee documentation at https://aquasecurity.github.io/tracee/dev/.

Competitor Comparisons


Cloud Native Runtime Security

Pros of Falco

  • More mature project with a larger community and ecosystem
  • Extensive rule set and detection capabilities out-of-the-box
  • Supports multiple output formats and integrations with various SIEM systems

Cons of Falco

  • Higher resource consumption, especially in large-scale environments
  • Steeper learning curve for creating custom rules and configurations
  • Limited support for non-Linux operating systems

Code Comparison

Falco rule example:

- rule: Unauthorized Process
  desc: Detect unauthorized process execution
  condition: proc.name in (unauthorized_processes)
  output: "Unauthorized process started (user=%user.name command=%proc.cmdline)"
  priority: WARNING

Tracee rule example:

rules:
  - name: unauthorized_process
    event: sched_process_exec
    filter:
      - comm in (unauthorized_processes)
    output: "Unauthorized process started: {{.comm}}"

Both projects use YAML for rule definitions, but Falco's syntax is more verbose and includes additional fields like priority. Tracee's rules are more concise and focus on event-based filtering.
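As an added example (not code from the original page or from the Tracee project), here is a small Go consumer for the newline-delimited stream that the Getting Started step's `sudo tracee --output json` produces, applying the unauthorized-process check from the rule examples above to each event. The JSON field names and the deny list are assumptions to verify against your Tracee version, and the three sample events are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the subset of a Tracee JSON event read here. The field names are
// assumed to match Tracee's --output json records; verify against your version.
type Event struct {
	EventName   string `json:"eventName"`
	ProcessName string `json:"processName"`
	ProcessID   int    `json:"processId"`
	UserID      int    `json:"userId"`
	ContainerID string `json:"containerId"`
}

// Deny list standing in for the rule examples' unauthorized_processes (constructed).
var unauthorizedProcesses = map[string]bool{"nc": true, "ncat": true}

// FindUnauthorizedExecs reads newline-delimited JSON events and returns one alert per
// sched_process_exec whose process name is on the deny list. A malformed line is an
// error, not a silent skip, so a truncated or tampered stream cannot hide an exec.
func FindUnauthorizedExecs(stream string) ([]string, error) {
	var alerts []string
	sc := bufio.NewScanner(strings.NewReader(stream))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("malformed event %q: %w", line, err)
		}
		// Only exec events count: an openat by "nc" is not a new process start.
		if ev.EventName == "sched_process_exec" && unauthorizedProcesses[ev.ProcessName] {
			alerts = append(alerts, fmt.Sprintf("Unauthorized process started: %s (pid=%d uid=%d container=%q)",
				ev.ProcessName, ev.ProcessID, ev.UserID, ev.ContainerID))
		}
	}
	return alerts, sc.Err()
}

// Constructed sample: an allowed exec, a denied exec inside a container, and a non-exec event.
const sample = `{"eventName":"sched_process_exec","processName":"bash","processId":4321,"userId":1000,"containerId":""}
{"eventName":"sched_process_exec","processName":"nc","processId":4388,"userId":0,"containerId":"3f2a9c1d7e5b"}
{"eventName":"openat","processName":"nc","processId":4388,"userId":0,"containerId":"3f2a9c1d7e5b"}`
```

Pipe the live stream in with `sudo tracee --output json | your-consumer` and feed stdin to FindUnauthorizedExecs line by line instead of the embedded sample.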

eBPF-based Security Observability and Runtime Enforcement

Pros of Tetragon

  • Tightly integrated with Cilium's eBPF-based networking and security features
  • Provides real-time visibility into network flows and security events
  • Offers advanced policy enforcement capabilities

Cons of Tetragon

  • Primarily focused on Kubernetes environments
  • Steeper learning curve due to its integration with Cilium ecosystem
  • Less extensive documentation compared to Tracee

Code Comparison

Tracee example (simplified):

func main() {
    events := tracee.Trace()
    for event := range events {
        fmt.Printf("Event: %+v\n", event)
    }
}

Tetragon example (simplified):

func main() {
    events := tetragon.GetEvents()
    for event := range events {
        fmt.Printf("Event: %+v\n", event)
    }
}

Both projects use eBPF for runtime security and observability, but their implementations and focus areas differ. Tracee provides a more standalone solution for system-wide tracing, while Tetragon is designed to work seamlessly within the Cilium ecosystem, offering tighter integration with network-centric security features.

Tracee offers broader OS support and more extensive documentation, making it potentially easier for newcomers to adopt. Tetragon, on the other hand, excels in Kubernetes environments and provides advanced network flow visibility and policy enforcement capabilities.


Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

Pros of Wazuh

  • Comprehensive security platform with SIEM, XDR, and compliance capabilities
  • Extensive integrations with various security tools and platforms
  • Well-established community and extensive documentation

Cons of Wazuh

  • More complex setup and configuration compared to Tracee
  • Higher resource consumption due to its broader feature set
  • Steeper learning curve for new users

Code Comparison

Tracee (eBPF-based event capture):

SEC("tracepoint/syscalls/sys_enter_execve")
int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx)
{
    // Event handling logic
}

Wazuh (Rule definition):

<rule id="100001" level="5">
  <if_sid>5716</if_sid>
  <match>^New group added</match>
  <description>New group added to the system</description>
</rule>

Key Differences

  • Tracee focuses on eBPF-based runtime security and observability, while Wazuh offers a broader security information and event management (SIEM) solution
  • Tracee is more lightweight and specialized for container and Kubernetes environments, whereas Wazuh provides a more comprehensive security platform for various infrastructure types
  • Tracee's development is primarily driven by Aqua Security, while Wazuh has a larger open-source community contributing to its development

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

Pros of BCC

  • More mature project with a larger community and extensive documentation
  • Supports a wider range of programming languages for writing eBPF programs
  • Provides a rich set of pre-built tools for various system analysis tasks

Cons of BCC

  • Steeper learning curve due to its broader scope and complexity
  • Requires more system resources and dependencies for installation and usage
  • Less focused on security-specific use cases compared to Tracee

Code Comparison

BCC example (Python):

from bcc import BPF

prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}
"""

b = BPF(text=prog)
b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")
b.trace_print()

Tracee example (Go):

package main

import (
    "log"

    "github.com/aquasecurity/tracee/pkg/ebpf"
)

func main() {
    // Do not discard the constructor error: loading eBPF programs can fail
    // (missing capabilities, unsupported kernel, BTF unavailable).
    tracee, err := ebpf.NewTracer(&ebpf.Config{})
    if err != nil {
        log.Fatal(err)
    }
    tracee.Run()
}

Both projects leverage eBPF technology, but BCC offers a more general-purpose toolkit for system analysis, while Tracee focuses on security monitoring and threat detection in containerized environments.


README


Before moving on, please consider giving us a GitHub star ⭐️. Thank you!

About Tracee

Tracee is a runtime security and observability tool that helps you understand how your system and applications behave.
It uses eBPF technology to tap into your system and expose that information as events that you can consume.
Events range from factual system activity events to sophisticated security events that detect suspicious behavioral patterns.

To learn more about Tracee, check out the documentation.

Quickstart

To quickly try Tracee use one of the following snippets. For a more complete installation guide, check out the Installation section.
Tracee should run on most common Linux distributions and kernels. For compatibility information see the Prerequisites page. Mac users, please read this FAQ.

Using Docker

docker run --name tracee -it --rm \
  --pid=host --cgroupns=host --privileged \
  -v /etc/os-release:/etc/os-release-host:ro \
  -v /var/run:/var/run:ro \
  aquasec/tracee:latest

For a complete walkthrough please see the Docker getting started guide.

On Kubernetes

helm repo add aqua https://aquasecurity.github.io/helm-charts/
helm repo update
helm install tracee aqua/tracee --namespace tracee --create-namespace
kubectl logs --follow --namespace tracee daemonset/tracee

For a complete walkthrough please see the Kubernetes getting started guide.

Contributing

Join the community, and talk to us about any matter in the GitHub Discussions or Slack.
If you run into any trouble using Tracee or you would like to give us user feedback, please create an issue.

Find more information on contribution documentation.

More about Aqua Security

Tracee is an Aqua Security open source project.
Learn about our open source work and portfolio here.