Tracee is an open-source runtime security and forensics tool that uses Linux eBPF for tracing applications at runtime. It analyzes the events it collects in order to discover suspicious patterns of behavior.
It was developed at Aqua Security and released as an open-source project in 2019 in order to allow practitioners and researchers to benefit from its capabilities and gain community feedback in order to improve the tool.
Internally, it was created with the goal of collecting events in containers, and over time it has gotten new features that have made its use cases broad enough to be suitable for secure tracing. With its February 2021 release of version 0.5.0, Tracee had evolved from a system tracing CLI tool into a complete runtime security solution.
At this point in time, Tracee contains two subprojects, Tracee-eBPF and Tracee-rules. Tracee-eBPF is a renamed version of the CLI tool, and Tracee-rules is a rules engine for processing events.
“Over the past few years, Tracee has greatly evolved, adding more robust and advanced capabilities. We are proud to offer Tracee to the community as an open source runtime security and forensics tool for Linux, built to address common Linux security issues,” Yaniv Agman, security researcher at Aqua Security, wrote in a post.
The project is available here.