Tracee v0.23.0 Released!

[geyslan]

We are excited to announce the release of Tracee v0.23.0! This release brings significant improvements, new features, and crucial fixes to enhance security monitoring and performance. Below are the key highlights:

🔥 New Features

• Kernel Data Filtering for eBPF: Supports exact, prefix, and suffix matching, allowing efficient kernel-space filtering for improved performance. (Data filter in kernel #4324)
• New stack_pivot Event: Detects stack pivot techniques used in ROP exploits by checking the user’s stack pointer during key syscalls. (feat(events): add stack_pivot event #4403)
• New suspicious_syscall_source Event: Detects anomalies in syscall sources, improving security monitoring. (Add suspicious_syscall_source event #3953)
• New chmod_common Event: (feat(events): add chmod_common event #4339)

🛠️ Fixes & Improvements

Proctree

• Lowered Default Process Cache Size: Adjusted process cache size to a 2:1 ratio between thread (21856) and process (10928) caches, reducing memory footprint. (#4384) (#4503)
• Removed Interpreter FileInfo from Process Struct: Reduced Proctree memory usage by 8MB on average. (#4384)
• Changelog Memory Optimization: Improved Changelog structure, reducing heap memory usage by 59% for large caches. (#4384)
• Introduced Signal Pool: Reduced stack dynamic growth and allocations for better performance. (#4503)
• Reduced Thread Concurrency Lock Contention: Replaced mutex with atomic operations, improving efficiency. (#4503)
• Reordered Process and Thread Creation: Avoided unnecessary locks by reusing TaskInfo references. (#4503)
• Optimized Proctree Exit Processing: Improved performance for both Tracee and Controller. (#4503)
• Centralized Child and Thread Maps: Reduced memory usage and removed dedicated mutexes. (#4572)
• Rearranged Struct Fields for Memory Efficiency: Optimized struct padding and alignment. (#4572)
• Fixed Missing Exec Event Data in Process TaskInfo: Prevented empty entries in ProcessTree. (#4582)
• Handled kthread as a Special Case: Ensured correct TaskInfo updates. (#4582)
• Fixed Time Normalization Issues: Prevented rogue entries in ProcessTree. (#4582)

Other

• Fixed hidden_kernel_module Scan: Improved compatibility with kernels >6.2, preventing potential slice out-of-bounds errors. ( fix hidden_kernel_module history scan for kernels >6.2 #4378)
• Optimized /proc Parsing: Reduced execution time by 64% and memory usage by 27%, improving process info retrieval. (/proc parsing refactor #4364)
• Fixed Syscall Name Parsing for eBPF: Resolved incorrect translations introduced in earlier commits. (fix(epbf): fix incorrect parsed syscall name #4402)
• Removed Rego Signature Support: Enhanced performance by removing the outdated Rego-based signature system in favor of Go and future Wasm signatures. (Refactor: Remove Rego signature support #4426)
• Improved Performance of LRU Caches in ProcessTree: Reverted to a simpler LRU implementation, improving efficiency. (34be604)
• Fixed clock time detection: Brought via libbpfgo fix (fix: clock time detection #4513)
• Support recent kernels versions: Validate behavior for kernels 6.8 to 6.12 with inode struct adjustments. (fix(ebpf): adjust inode struct to kernel v6.11 #4457)(chore: add kernel 6.8 and 6.10 in matrix images #4434)(chore: add kernel 6.11 and 6.12 in matrix images #4441)

📦 Dependency & Build Updates

• Upgraded libbpfgo: Updated libbpfgo to v0.8.0-libbpf-1.5@c0ac6035ae61. (fix: clock time detection #4513, chore: bump 3rdparty/libbpf to v1.5.0 #4530)

For full details, see the release notes.

We appreciate your contributions and feedback - keep them coming! 🎉