Configs · Apr 26, 2026 · 3 min read

Tracee — eBPF Runtime Security and Forensics for Linux

Tracee by Aqua Security uses eBPF to trace system events at the OS level, detecting suspicious behavior in containers and hosts for runtime security and forensics.

Introduction

Tracee is an open-source runtime security and forensics tool built by Aqua Security. It uses Linux eBPF technology to trace system and kernel events at runtime, detecting threats like fileless attacks, container escapes, and suspicious process behavior without requiring agents or kernel modules.

What Tracee Does

  • Traces system calls, kernel functions, and network events using eBPF programs
  • Detects runtime threats with built-in signature-based and behavioral rules
  • Monitors containers and hosts for suspicious activity like privilege escalation or file access
  • Captures forensic data for incident investigation and post-mortem analysis
  • Outputs events as JSON for integration with SIEM and observability platforms

Architecture Overview

Tracee attaches eBPF programs to kernel tracepoints and kprobes to capture system events with minimal overhead. Events flow from kernel space to user space via perf buffers, where the Tracee engine enriches them with container metadata (from the container runtime) and evaluates them against detection rules written in Rego (OPA) or Go. Results are emitted as structured JSON to stdout, files, or webhook endpoints.

Self-Hosting & Configuration

  • Run as a Docker container with --privileged and host PID namespace access
  • Deploy on Kubernetes using the official Helm chart as a DaemonSet on every node
  • Filter events with --events to trace only specific syscalls or security signatures
  • Write custom detection rules in Rego (Open Policy Agent) or as Go signature plugins
  • Forward output to Falco Sidekick, Elasticsearch, or any JSON-consuming pipeline
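The architecture section above says events leave Tracee as structured JSON for SIEM and observability pipelines. The following is an added example (not Tracee's own code) of a small consumer that reads that JSON stream, flattens the container and pod metadata, and keeps only sensitive-file opens that originate inside a container. The field names (`eventName`, `processName`, `container`, `kubernetes`, `args` with `name`/`value`) are an assumption based on Tracee's output format, and the three sample events are constructed.

```python
# Added example, not part of Tracee: filter Tracee JSON events before forwarding.
# Field names below follow Tracee's JSON output as assumed; verify against your version.
import json

# Constructed sample events, one JSON object per line as Tracee emits them (assumption).
SAMPLE_EVENTS = """\
{"timestamp":1714000000000,"processName":"cat","hostName":"node-1","container":{"id":"abc123","name":"web","image":"nginx:1.25"},"kubernetes":{"podName":"web-7d9f","podNamespace":"prod"},"eventName":"security_file_open","args":[{"name":"pathname","type":"const char*","value":"/etc/shadow"},{"name":"flags","type":"string","value":"O_RDONLY"}]}
{"timestamp":1714000000001,"processName":"bash","hostName":"node-1","container":{},"eventName":"execve","args":[{"name":"pathname","type":"const char*","value":"/usr/bin/ls"}]}
{"timestamp":1714000000002,"processName":"curl","hostName":"node-1","container":{"id":"def456","name":"job","image":"busybox:latest"},"kubernetes":{"podName":"job-x1","podNamespace":"batch"},"eventName":"security_file_open","args":[{"name":"pathname","type":"const char*","value":"/tmp/out"},{"name":"flags","type":"string","value":"O_WRONLY"}]}
"""

# Paths whose reads from inside a container are worth an alert (example list).
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh/")


def arg(event, name):
    """Return the value of the named entry in Tracee's args array, or None."""
    for a in event.get("args", []):
        if a.get("name") == name:
            return a.get("value")
    return None


def flatten(event):
    """Flatten nested container/kubernetes metadata into a SIEM-friendly record."""
    c = event.get("container") or {}
    k = event.get("kubernetes") or {}
    return {
        "ts": event["timestamp"],
        "event": event["eventName"],
        "process": event.get("processName"),
        "host": event.get("hostName"),
        "container_image": c.get("image"),
        "pod": k.get("podName"),
        "namespace": k.get("podNamespace"),
        "path": arg(event, "pathname"),
    }


def sensitive_file_opens(lines):
    """Keep security_file_open events on sensitive paths that came from a container."""
    alerts = []
    for line in filter(None, lines.splitlines()):
        ev = json.loads(line)
        # An empty container object means the event came from the host, not a container.
        if ev.get("eventName") != "security_file_open" or not ev.get("container"):
            continue
        if (arg(ev, "pathname") or "").startswith(SENSITIVE_PATHS):
            alerts.append(flatten(ev))
    return alerts


if __name__ == "__main__":
    for alert in sensitive_file_opens(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In a real pipeline the same function would be fed from Tracee's stdout or a file output instead of the embedded sample.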

Key Features

  • eBPF-based tracing with near-zero performance overhead and no kernel module needed
  • 30+ built-in detection signatures for common attack patterns
  • Container-aware event enrichment with image name, pod, and namespace metadata
  • Forensic capture mode for recording detailed event streams during incidents
  • Extensible rule engine supporting Rego policies and Go-based signatures

Comparison with Similar Tools

  • Falco — kernel-module or eBPF-based runtime security with its own rule syntax; Tracee uses eBPF only and supports Rego policies
  • Tetragon — Cilium eBPF security observability focused on network and process events; Tracee covers broader syscall tracing and forensics
  • Sysdig — commercial runtime security platform; Tracee is fully open source with no paid tier for core features
  • auditd — traditional Linux audit framework; Tracee provides richer container context and lower overhead via eBPF
  • bpftrace — general-purpose eBPF tracing tool; Tracee adds security-specific detections and container awareness

FAQ

Q: Does Tracee require a specific Linux kernel version? A: Tracee requires Linux kernel 5.4 or later with eBPF support enabled. Most modern distributions meet this requirement.

Q: How much overhead does Tracee add? A: eBPF programs run in kernel space with minimal overhead. In typical deployments, CPU impact is under 1-2% depending on the number of traced events.

Q: Can Tracee detect container escape attempts? A: Yes. Built-in signatures detect common container escape techniques including privilege escalation, mount namespace manipulation, and kernel exploit patterns.

Q: How does Tracee compare to Falco for Kubernetes security? A: Both are strong choices. Tracee excels in forensic capture and Rego-based custom rules, while Falco has a larger community rule library and broader ecosystem integrations.
