Tracee v0.19.0 Released!

[rafaeldtinoco]

🚨 Breaking changes 🔨

The --crs flag/key was renamed to --cri.
Check documentation for more information.

Quieter default policy
The default policy included many events that made Tracee very verbose and noisy. We have settled on a different set of events that hopefully strike a better balance between useful information and not too much information.

🚀 What's new? 🚀

☸️ Kubernetes Operator For Policies ☎️

Tracee Policies can now be managed as CRDs with a Kubernetes Operator. With the Operator in place you can use GitOps and your favorite Kubernetes tools to manage Tracee policies. For example, with kubectl:

kubectl create -f ./mypolicy.yaml

⚙️ Structured YAML Configuration 🗒️

As Tracee slowly shifted from CLI Flags configuration to YAML file configuration, we added support for YAML file configuration which mirrored the CLI flags such that every flag was configurable as a key/value string in YAML. That was not feel natural for YAML and did not leverage the benefits of hierarchical YAML configurations, which is what we added in this release.
For example, the previous output config:

output: "webhook:http://webhook:8080?timeout=5s"

is now:

output:
    webhook:
        - webhook1:
            protocol: http
            host: localhost
            timeout: "5s"

↔️ Multi-platform container image 📀

Tracee had supported x84 and arm64 architecture, as separate container images. We now build a single multi-platform image so you can use aquasec/tracee everywhere and it will use the correct image for your environment.

🤓 Improved documentation 📜

We have revised the entire project documentation, made it much more easy to get started, and focus in the major use cases. The new documentation favors YAML configuration over CLI flags, which are now documented in a dedicated section which mirrors the help you get from the Tracee man pages. As part of this rewrite we have documented many of the existing events which better demonstrate the extensive coverage of Tracee's events.

📩 Events / Signatures ⚡️

🪝 Hooked Syscalls 🕹️

In our continuous effort to provide comprehensive security monitoring, Tracee's hooked_syscall event has received a significant enhancement. Previously limited in scope, it now offers expanded surveillance capabilities by monitoring the entire syscall table.

As a result, Tracee generates a distinct event for each hooked syscall, providing a more detailed and complete overview of system-level interactions and potential security breaches.

🔨 Fixes 👷

• fix(proctree): register processors correctly
• fix: k8s default policy is sigs+container events
• fix(deploy): structured k8s config (fix: structured k8s config #3646)
• fix: k8s static deploy
• fix(initialize): do not fail kconfig options (fix(initialize): do not fail kconfig options #3642)
• fix(ebpf): change error to debug level
• fix(ebpf): cancel dependencies of the canceled one
• fix: remove noisy debug log (fix: remove noisy debug log #3631)
• fix: minikube/kind enrichment
• fix(events): fix hooked_syscall for RHEL 8.x kernels
• fix(event): fix hooked_syscall when picked by sig only
• fix(events): add kernel-granularity support for hooked_syscall event
• fix(definitions): debug shows wrong logs for sig events
• fix(ebpf): fix prefix check in capture write (Bugfix/capture write address error #3600)
• fix(containers): parse cont id of cloud-foundry garden apps
• fix(events): fix hooked_proc_fops evt in v6.5+
• fix(events): make ns parent pid exist only in same ns (fix(events): make ns parent pid exist only in same ns #3577)
• fix(event): make sure parent points to a real process (fix(event): make sure parent points to a real process #3571)
• fix(tests): e2e-inst-signature bpf_attach fixes
• fix(tests): security_inode_rename test checks wrong pathname
• fix(tests): e2e-inst-test signature dir might be empty
• fix(events): fix dns events slice out of bounds issues (fix(events): fix dns events slice out of bounds issues #3548)
• fix(proctree): fix issues when updating from procfs
• fix(proctree): remove unused capabilities change
• fix(proctree): fix proctree feed in many places
• fix(datasource): thread list is indexed by tid and not pid
• fix: cap_capable didn't parse arguments
• fix: add path to executable (fix: add path to executable #3542)
• fix(decoder): read uint16 from buffer (fix(decoder): read uint16 from buffer #3536)
• fix(networking): fix net_packet_http errors on empty OK (fix(networking): fix net_packet_http errors on empty OK #3538)