These 73 commits are when the Protocol Buffers files have changed:
| Commit: | 92a77ec | |
|---|---|---|
| Author: | Thales Paiva | |
| Committer: | Thales Paiva | |
feat(grpc): add GetDetectorsCatalog RPC Add a read-only gRPC endpoint that exposes detector catalog entries from Tracee event definitions. Consumers can sync detectors metadata without mutating shared caches, enabling a safe replacement for cache-enrichment workflows. The catalog includes events tagged with detectors, supports optional filtering by detector ID or event name, and sanitizes property values for protobuf transport. Also adds traceectl `detectors list` and `detectors describe` for manual validation and unit tests for the server handler.
| Commit: | 8d5d46a | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
feat(datastores): Add IP reputation store reference implementation Add reference implementation of WritableStore for IP reputation tracking. - Implement IPReputationStore with type-safe and generic methods - Support three conflict resolution policies (LastWriteWins, MaxSeverity, PriorityBased) - Source partitioning for multi-feed aggregation - Thread-safe operations with proper locking - Comprehensive test suite (15 tests, 78% coverage) - Type-safe methods: GetReputation, IsBlacklisted, WriteReputation, WriteBatch - Generic methods: WriteValue, WriteBatchValues, Delete, ClearSource, ListSources
The documentation is generated from this commit.
| Commit: | 8145a24 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
feat(datastores): Add WritableStore interface Add WritableStore interface for detectors/extensions to store custom data. - Add WritableStore interface (WriteValue, WriteBatchValues, Delete, ClearSource, ListSources) - Add RegisterWritableStore() to Registry - Define protobuf schemas for DataEntry and gRPC DataSourceService - Source isolation for data provenance tracking - Update Makefile for subdirectory protobuf generation - Ownership model: registrant controls store behavior - Fix test mocks to return valid health/metrics objects
| Commit: | 3787226 | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
fix(api): align event definitions across proto and core Event Name Alignment: - Rename security_post_read_file to security_kernel_post_read_file to match the actual hook name - Rename security_inode_symlink_event_id to security_inode_symlink to align with naming conventions (remove redundant _event_id suffix) - Fix event name mismatches: __kernel_write, call_usermodehelper, net_packet_flow_base, and security_task_setrlimit Event Definition Alignment: - Add missing events: net_packet_raw, tracee_info - Remove undefined event: net_flow_end - Convert marker events (max_net_id, max_user_net_id) to reserved IDs - Reorder event IDs to maintain consistency Updates proto definitions and all references across core events, translation tables, and parsers.
| Commit: | 4dd8619 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
api: add dedicated pointer type to EventValue Add explicit pointer field (field 31) to EventValue protobuf oneof to distinguish pointers from regular uint64 values. - Update protobuf definition with pointer type - Convert trace.Pointer to EventValue_Pointer - Add reverse conversion for round-trip support - Regenerate protobuf Go code This enables type-safe pointer handling and proper hex formatting.
| Commit: | 09cc7bd | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Geyslan Gregório | |
feat(detectors): implement recursive DetectedFrom chain tracking Add parent field to DetectedFrom for complete detection provenance through multi-level chains. (cherry picked from commit d74a67bd5b0c77afb9a2767b7c5e0399cb059f78)
| Commit: | d74a67b | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
feat(detectors): implement recursive DetectedFrom chain tracking Add parent field to DetectedFrom for complete detection provenance through multi-level chains.
| Commit: | 76355ac | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
feat(events): add extended events infrastructure Add parseArgsExtended() stub for non-extended builds that can be replaced in extended builds for custom event argument parsing. Use X-macros for tail call IDs in types.h to enable extension in extended builds. Export MaxTail constant via definition_dependencies_core.go for proper bounds checking. Reserve API event ID ranges for extended events (1500-1999, 3000-3999). Co-authored-by: Raphael Campos <raphaelcampos.rp@gmail.com>
| Commit: | f39337e | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
api: rename Container.is_running to Container.started The field 'is_running' was semantically incorrect as it represents whether a container has started (executed its entrypoint), not whether it is currently running. A paused container has 'started' but is not 'running'. Changes: - Rename proto field: is_running → started - Update tracee.go to use Started field - Update tracee_test.go test cases - Add test coverage for Started field (both true/false cases) - Regenerate protobuf code This is a breaking API change but acceptable during active development.
| Commit: | 7b9fd67 | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
refactor(metrics): consolidate BPF perf event stats API Changes: - Replace separate BPFPerfEventSubmitAttempts/Failures fields with unified BPFEventStats - Add BPFEventStats message containing id, name, internal flag, attempts, and failures - Optimize gRPC metrics collection to use single BPF map iteration instead of two eBPF Changes: - Create reusable update_event_stats() to deduplicate metrics code - Add metrics tracking to signal_perf_submit() for signal events - Move #ifdef METRICS guards inside update_event_stats() for cleaner code - Update cgroup_skb_submit() and events_perf_submit() to use new function Prometheus Integration: - Maintain existing Prometheus metrics structure (separate attempts/failures metrics) Code Organization: - Consolidate BPF map setup logic into initializeBPFEventsStatsMap() - Remove deprecated EventCount message and associated helper functions Performance: - Reduce BPF map iterations from 2 to 1 for gRPC metrics collection - Maintain on-demand metrics collection for both Prometheus and gRPC
| Commit: | 3302734 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
api: rename TriggeredBy to DetectedFrom Rename for better semantic clarity. 'DetectedFrom' more clearly indicates that this is the source event that led to a detection, better aligning with detection and signature terminology. This change renames the concept consistently across all layers: Protobuf changes: - Message TriggeredBy renamed to DetectedFrom - Event.triggered_by field renamed to detected_from Internal argument name changes: - Argument name 'triggeredBy' renamed to 'detectedFrom' everywhere - Updated in findings.go, event_data.go, printer.go, and all tests Go code changes: - getTriggerBy() function renamed to getDetectedFrom() - Variable names updated for consistency (sourceEvent, sourceEventArgs, etc.) - Updated all comments and test fixtures BREAKING CHANGE: TriggeredBy renamed to DetectedFrom in API and internal code. Any code creating or reading the 'triggeredBy' argument must update to 'detectedFrom'.
| Commit: | 760c19b | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
api: remove Threat field from EventDefinition EventDefinition describes the structure and schema of an event type, not whether it represents a threat. Event definitions should be neutral descriptors. Threat assessment belongs on Event instances (which already have an optional Threat field), not on the type definition itself. This change removes: - optional Threat threat field (was field 6) - import of threat.proto from definition.proto - getThreat() call in convertDefinitionToProto() The fields member has moved from field 7 to field 6. BREAKING CHANGE: EventDefinition.threat field removed
| Commit: | caebf46 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
api: add event field schema to EventDefinition Add EventField message containing name and type fields, and include a repeated fields member in EventDefinition (field 7). This enables API consumers to dynamically discover the schema of events. The type field uses DecodeAs.String() to provide user-friendly type names (e.g., 'string', 'int32', '[]byte') rather than internal Go types, since these are the actual types users see in events. The convertDefinitionToProto() function now populates the fields array by converting from the internal events.Definition.GetFields(). This change is additive and maintains backward compatibility. Files modified: - api/v1beta1/definition.proto: Added EventField message - pkg/server/grpc/tracee.go: Updated conversion logic - go.mod: Added replace directive for local api module
| Commit: | 3e47b0c | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
fix(api): add missing event ids Rearranged event IDs in event.proto at the same order of their definitions. Removal of api replace (go.mod) will be done in a sequential PR.
| Commit: | 41eca41 | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
Revert "feat(events): add open_file_ns and open_file_mount events" This partially reverts three commits: ** cd951841668323370ba8c52ddb08d267e469377c: * "feat(events): add open_file_ns and open_file_mount events" - vmlinux.h was preserved since the changes are improving the types. - filesystem.h and task.h were preserved since the change improves existent API. ** c11b5724061fad21d925cc0253001d14d9905084: * "chore(grpc): update translation table (#4668)" ** ecadc0c7c567c2aef61cc117761556a1017c03fb: * "chore(api): add missing event ids"
| Commit: | ff36c55 | |
|---|---|---|
| Author: | Ofek Shaked | |
| Committer: | Nadav Strahilevitz | |
chore(api): add security_task_prctl event ID
| Commit: | ecadc0c | |
|---|---|---|
| Author: | Nadav Strahilevitz | |
| Committer: | Nadav Strahilevitz | |
chore(api): add missing event ids Missing events begin from commit 9356795.
| Commit: | 0fbac6d | |
|---|---|---|
| Author: | Raphael Campos | |
| Committer: | Raphael Campos | |
chore: rename event to zeroed_inode The event hidden_inodes was renamed top zeroed_inode in order to be generic. According to this ref "https://www.kernel.org/doc/html/ latest/filesystems/ext4/directory.html", Unused directory entries are signified by inode = 0.
| Commit: | 6968a8b | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Gregório G. | |
chore(api): add EventCounts to GetMetricsResponse commit: 1f796cb (main), cherry-pick
| Commit: | b95f206 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Gregório G. | |
Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications. commit: 0757020 (main), cherry-pick
| Commit: | 1f796cb | |
|---|---|---|
| Author: | Geyslan Gregório | |
| Committer: | Geyslan Gregório | |
chore(api): add EventCounts to GetMetricsResponse
| Commit: | 0757020 | |
|---|---|---|
| Author: | Yaniv Agman | |
| Committer: | Yaniv Agman | |
Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications.
| Commit: | 704e6e2 | |
|---|---|---|
| Author: | Ori Glassman | |
| Committer: | Raphael Campos | |
feat(ebpf): make process_execute_failed not rely on sys_enter/exit commit: 77d04ef (main), cherry-pick
| Commit: | 77d04ef | |
|---|---|---|
| Author: | Ori Glassman | |
| Committer: | Gregório G. | |
feat(ebpf): make process_execute_failed not rely on sys_enter/exit
| Commit: | 873f896 | |
|---|---|---|
| Author: | Raphael Campos | |
| Committer: | Raphael Campos | |
chore(api): event definitions api renaming commit: 89d2d4f (main), cherry-pick
| Commit: | 89d2d4f | |
|---|---|---|
| Author: | Raphael Campos | |
| Committer: | Raphael Campos | |
chore(api): event definitions api renaming
| Commit: | ab1c72f | |
|---|---|---|
| Author: | Raphael Campos | |
| Committer: | GitHub | |
feature: add enum EventId to event definition (#4085) (#4101) commit: a237ddf (main), cherry-pick
| Commit: | a237ddf | |
|---|---|---|
| Author: | Raphael Campos | |
| Committer: | GitHub | |
feature: add enum EventId to event definition (#4085)
| Commit: | d4b717c | |
|---|---|---|
| Author: | josedonizetti | |
| Committer: | Jose Donizetti | |
fix event definitions api
| Commit: | ea2c242 | |
|---|---|---|
| Author: | josedonizetti | |
| Committer: | Jose Donizetti | |
grpc: add direction to packet metadata
| Commit: | 07e087b | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
chore: add protoc-gen-go-json for better json marshal
| Commit: | bac06dc | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feature: add dynamic struct to event_data
| Commit: | a631c31 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feature: add threat to event definition
| Commit: | cd6759e | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feature: add properties to threat
| Commit: | a486584 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feature: add name to threat
| Commit: | 6d3c562 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
refactor: extract threat.proto
| Commit: | f6f40e0 | |
|---|---|---|
| Author: | Nadav Strahilevitz | |
| Committer: | Nadav Strahilevitz | |
chore(api): fix typo
| Commit: | ee6fba4 | |
|---|---|---|
| Author: | Nadav Strahilevitz | |
| Committer: | Nadav Strahilevitz | |
feature(api): add data source grpc service
| Commit: | 9d72a92 | |
|---|---|---|
| Author: | Rafael David Tinoco | |
| Committer: | Rafael David Tinoco | |
chore(signatures): remove outdated and broken celsig support
| Commit: | e708f9a | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: use new api module commit: 2ada83fc9 (main), backport [backport] Types version updates together with the commit were removed.
| Commit: | 2b31041 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: add api root dir commit: f3bc7d1e9 (main), cherry-pick
| Commit: | 32c8307 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: parse arguments base on the value type commit: 7a240c442 (main), backport [backport] There was a types version update together with this commit that was removed in the release branch. The types version change should have their own commit (as the release branch might use a different types version).
| Commit: | 2ea7a70 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: add missing types commit: 782fb4d72 (main), cherry-pick
| Commit: | 242b36b | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: add path to executable (#3542) commit: f7e7a2026 (main), cherry-pick
| Commit: | 4c506f7 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: add path to executable commit: 2eca675f4 (main), cherry-pick
| Commit: | 2ada83f | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: use new api module
| Commit: | f3bc7d1 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: add api root dir
| Commit: | 7a240c4 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: parse arguments base on the value type
| Commit: | 782fb4d | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: add missing types
| Commit: | f7e7a20 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | GitHub | |
fix: add path to executable (#3542)
| Commit: | 2eca675 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Rafael David Tinoco | |
fix: add path to executable
| Commit: | 8ef6335 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: fix tactic, and int32_array names
| Commit: | 44ec77c | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: fix Threat proto
| Commit: | 012f092 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: make types uniform with wrappers
| Commit: | d78233f | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: fix uint and string types
| Commit: | 62b3f68 | |
|---|---|---|
| Author: | Alon Zivony | |
| Committer: | Rafael David Tinoco | |
feat(types): add thread entity id to protobuf As it is now available, add the thread entity id to the protobuf.
| Commit: | cbb1159 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add event_data to event proto
| Commit: | eb2945f | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: stackaddress needs to have symbol name
| Commit: | 0bdc73b | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add StreamEvents rpc
| Commit: | b9619f9 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: Add new event structure
| Commit: | bc6f603 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: remove params from event definition proto
| Commit: | 76b28d0 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add enable/disable event rpc
| Commit: | 693c973 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add version proto
| Commit: | b0a7b7e | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add GetEventDefinition rpc call
| Commit: | 9ec273b | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add EventDefinition proto
| Commit: | bfc4451 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix: log level should match zap log priority
| Commit: | 7d4b8c2 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add diagnostic rpc
| Commit: | 4182875 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
fix(protobuf): tracee.proto go_package
| Commit: | 7c72262 | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | Jose Donizetti | |
feat: add tracee rpc service Adds tracee rpc service with a first endpoint to return tracee's version
| Commit: | 6f4de28 | |
|---|---|---|
| Author: | Nadav Strahilevitz | |
| Committer: | Nadav Strahilevitz | |
go.mod: bump types Bump includes Container and Kubernetes context seperation in `trace.Event`. Apply the change across the codebase.
| Commit: | 7ef509a | |
|---|---|---|
| Author: | Jose Donizetti | |
| Committer: | GitHub | |
refactor: rules renamed to signatures (#2715)
| Commit: | b6af22a | |
|---|---|---|
| Author: | Rafael David Tinoco | |
| Committer: | Rafael David Tinoco | |
go-cel: adjust comments and add mode_t to wrapper
| Commit: | 9cc0ad8 | |
|---|---|---|
| Author: | Daniel Pacak | |
| Committer: | GitHub | |
tracee-rules: introduce CEL signatures (#1766) This patch introduces new type of Tracee-Rules signatures that can be written as Common Expression Language (CEL). This feature is enabled by placing CEL signature definition files (.cel, .yaml, .yml) in the the --rules-dir directory. Sample definition files can be found in the pkg/rules/celsig/testdata/rules/ directory. The following snippet shows how you define the Anti-Debugging signature using CEL: # pkg/rules/celsig/testdata/rules/anti_debugging_ptraceme.yml kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: "Severity": 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' You can use the following commands to compile Tracee and load CEL-2, CEL-5, and CEL-12 signatures from pkg/rules/celsig/testdata/rules/anti_debuggin_ptraceme.yml and pkg/rules/celsig/testdata/rules/signatures.yaml. vagrant up && vagrant ssh make cp -v pkg/rules/celsig/testdata/rules/*.y*ml dist/rules sudo ./dist/tracee-ebpf \ --output=format:gob \ --output=option:parse-arguments \ | ./dist/tracee-rules \ --input-tracee=file:stdin \ --input-tracee=format:gob Notice that CEL-2, CEL-5, and CEL-12 correspond to TRC-2, TRC-5, and TRC-12 signatures written as OPA Rego policies. With Helm installer you can define CEL signatures in Helm values.yaml as follows: # deploy/helm/tracee/values.yaml signatures: # config defines Common Expression Language (CEL) signatures that are loaded # by Tracee-Rules from the --rules-dir directory. If the config object is not # empty, the configuration file is automatically mounted at # /tracee/rules/signatures.yaml. config: kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: Severity: 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>