Tracee v0.16.0 Released!

[josedonizetti]

🚨 Breaking changes 🔨

1. Multiple default actions can now be passed to a policy. The corresponding field renamed from defaultAction to defaultActions.
2. Some policy fields have been renamed to better reflect their nature as a list. Specifically, filter is now filters, and action is now actions.

name: multiple_actions_policy
description: multiple actions policy
defaultActions:
  - log
  - webhook
rules:
  - event: security_file_open
    filters:
      - args.pathname=/tmp*
      - uid=0

🚀 What's new? 🚀

🔬 analyze subcommand 🕵️‍♂️

We introduced the analyze experimental subcommand that enables users to test signatures based on previously collected events.

The following collects ptrace events into a json file and then analyzes the file for anti_debugging signature:

tracee -filter event=ptrace --output json:./events.json
tracee analyze --event=anti_debugging events.json

🦄 Misc 💐

• The --signatures-dir flag now supports multiple values, allowing you to specify multiple directories for signature files.
• The hooked_syscalls event now supports specifying specific syscalls to check. For example, the following command will check if either one of the execve, kill, getdents syscalls were hooked:
  tracee -f e=hooked_syscalls -f hooked_syscalls.args.check_syscalls=execve,kill,getdents

🔨 Fixes 👷

• Fix for panic when tracee runs for short period
• Fix for panic when using tracee-static binary
• Fix for empty container ID edge case
• Fix an issue were certain events triggered during the init stage, like init_namespaces, were not passing through the events pipeline. This caused affected signatures to remain untriggered
• Fix for socket_accept event not triggering alongside security_socket_accept