Tracee
Definition
Tracee is an open-source runtime security and forensics tool for Linux, developed by Aqua Security. It uses eBPF (extended Berkeley Packet Filter) to trace system calls and other kernel-level events, giving visibility into the behavior of applications and the operating system. Tracee is particularly useful for detecting malicious activity, debugging, and monitoring system behavior in real time.
Secure Settings Example
# Example of a secure Tracee configuration using a policy file
policies:
  - name: "Detect Privilege Escalation"
    rules:
      - event: "execve"
        args:
          - name: "uid"
            operator: ">"
            value: "0"
        action: "alert"
Insecure Settings Example
# Example of an insecure Tracee configuration with overly permissive rules
policies:
  - name: "Allow All"
    rules:
      - event: "*"
        args:
          - name: "*"
            operator: "*"
            value: "*"
        action: "allow"
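The difference between the two examples above can be checked mechanically before a policy is deployed. The following is an added example, not part of this page or of the Tracee project: a small linter that walks a policy document laid out the way the two examples are (policies -> rules -> event/args/action) and reports any rule that is so broad it matches everything or, with action "allow", suppresses reporting. The layout, the names `lint_policies` and `is_permissive`, and the two embedded sample policies are assumptions taken from the examples on this page; a real policy file would first be loaded with `yaml.safe_load()` and the resulting dictionary passed in.

```python
# Added example (not Tracee project code): lint a policy document for
# overly permissive rules. The policies -> rules -> event/args/action layout
# is assumed from the examples on this page, not taken from Tracee's schema.

WILDCARD = "*"

# Constructed sample mirroring the "secure" example on the page.
SECURE_POLICY = {
    "policies": [
        {
            "name": "Detect Privilege Escalation",
            "rules": [
                {
                    "event": "execve",
                    "args": [{"name": "uid", "operator": ">", "value": "0"}],
                    "action": "alert",
                }
            ],
        }
    ]
}

# Constructed sample mirroring the "insecure" example on the page.
INSECURE_POLICY = {
    "policies": [
        {
            "name": "Allow All",
            "rules": [
                {
                    "event": "*",
                    "args": [{"name": "*", "operator": "*", "value": "*"}],
                    "action": "allow",
                }
            ],
        }
    ]
}


def lint_policies(doc):
    """Return a list of (policy_name, rule_index, message) findings.

    A finding means a rule either matches every traced event (leaving no
    signal for an analyst) or, via action "allow", suppresses reporting
    rather than raising an alert. An empty list means nothing looked
    overly permissive under these checks.
    """
    findings = []
    for policy in doc.get("policies", []):
        pname = policy.get("name", "<unnamed>")
        rules = policy.get("rules", [])
        if not rules:
            findings.append((pname, None, "policy has no rules"))
        for idx, rule in enumerate(rules):
            event = rule.get("event")
            if not event:
                findings.append((pname, idx, "rule has no event"))
            elif event == WILDCARD:
                findings.append((pname, idx, "event '*' matches every traced event"))
            # Each argument filter field set to "*" removes one constraint.
            for arg in rule.get("args", []):
                for field in ("name", "operator", "value"):
                    if arg.get(field) == WILDCARD:
                        findings.append(
                            (pname, idx, f"arg filter {field}='*' matches anything")
                        )
            if rule.get("action") == "allow":
                findings.append(
                    (pname, idx, "action 'allow' suppresses reporting instead of alerting")
                )
    return findings


def is_permissive(doc):
    """True when the linter reports at least one finding for the document."""
    return bool(lint_policies(doc))


if __name__ == "__main__":
    for label, doc in (("secure", SECURE_POLICY), ("insecure", INSECURE_POLICY)):
        results = lint_policies(doc)
        print(f"{label}: {len(results)} finding(s)")
        for pname, idx, msg in results:
            print(f"  [{pname}] rule {idx}: {msg}")
```

Run against the two samples, the secure policy yields no findings, while the "Allow All" policy yields five: the wildcard event, one for each of the three wildcard argument fields, and the "allow" action. Wiring a check like this into a CI step for the policy repository catches the permissive pattern before it reaches a host.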