1. What is Tracee
Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF technology to trace your system and applications at run time and analyzes the collected events to detect suspicious behavior patterns. Tracee consists of the following sub-projects:
Tracee-ebpf – Linux trace and forensics program using eBPF
Tracee-rules – Run-time security rule detection engine
2. Install Tracee
Requirements for running Tracee
Linux kernel version >= 4.18
Linux kernel headers are available in normal locations
System libraries libelf and Zlib
Quick Start installation
```
docker run --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest trace
```
This command only enables raw tracing (tracee-ebpf) with no detection engine (tracee-rules), so the user sees a large amount of raw event output such as the following:
```
[root@localhost ~]# docker run --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest trace
TIME             UID  COMM           PID  TID  RET  EVENT               ARGS
06:16:20:529134  0    assist_daemon  719  759  0    security_file_open  pathname: /proc/stat, flags: O_RDONLY|O_LARGEFILE, dev: 5, inode: 4026532025
06:16:20:529094  0    assist_daemon  719  759  7    open                pathname: /proc/stat, flags: O_RDONLY|O_LARGEFILE|O_CLOEXEC, mode: 0
06:16:20:529244  0    assist_daemon  719  759  0    close               fd: 7
06:16:20:529274  0    assist_daemon  719  759  0    security_file_open  pathname: /proc/719/stat, flags: O_RDONLY|O_LARGEFILE, dev: 5, inode: 16789925
06:16:20:529267  0    assist_daemon  719  759  7    open                pathname: /proc/719/stat, flags: O_RDONLY|O_LARGEFILE|O_CLOEXEC, mode: 0
06:16:20:529332  0    assist_daemon  719  759  0    close               fd: 7
06:16:20:652683  0    systemd        1    1    0    security_file_open  pathname: /proc/1/mountinfo, flags: O_RDONLY|O_LARGEFILE, dev: 5, inode: 387752
06:16:20:652646  0    systemd        1    1    21   openat              dirfd: -100, pathname: /proc/self/mountinfo, flags: O_RDONLY|O_CLOEXEC, mode: 0
06:16:20:653013  0    systemd        1    1    0    lstat               pathname: /proc, statbuf: 0x7FFE8EE051E0
```
Each line is a single event collected by Tracee-eBPF and contains the following fields:
TIME – the event time, in seconds relative to system startup
UID – the real user ID of the calling process (in the host user namespace)
COMM – the name of the calling process
PID – the PID of the calling process
TID – the TID of the calling thread
RET – the value returned by the function
EVENT – the event identifier (for example, the system call name)
ARGS – the list of arguments passed to the function
3. Use Tracee-rules to detect suspicious behaviors
Tracee-rules can be compiled from source (cd tracee-rules && make) or downloaded from a release. To make testing easier, we use the official release package:
```
wget https://github.com/aquasecurity/tracee/releases/download/v0.6.3/tracee.tar.gz
tar -xzf tracee.tar.gz   # extract the release into dist/ (step implied by the cd below)
cd dist
sudo ./tracee-ebpf -o format:gob | ./tracee-rules --input-tracee file:stdin --input-tracee format:gob
```
The above commands will execute the default tracee-rules detection rules, including the detection of the following suspicious behaviors:
| Name | Description | Tags |
|---|---|---|
| Standard Input/Output Over Socket | Redirection of a process's standard input/output to a socket | "linux", "container" |
| Anti-Debugging | Process uses an anti-debugging technique to block a debugger | "linux", "container" |
| Code injection | Possible code injection into another process | "linux", "container" |
| Dynamic Code Loading | Writing to an executable allocated memory region | "linux", "container" |
| Fileless Execution | Executing a process from memory, without a file on disk | "linux", "container" |
| kernel module loading | Detection of an attempt to load a kernel module | "linux", "container" |
| LD_PRELOAD | Usage of LD_PRELOAD to hook a process | "linux", "container" |
| Container Host Mount | Mounting of the host filesystem into a container | "container" |
| Dropped Executable | Creation or dropping of an executable file from a container at runtime | "linux", "container" |
| Illegitimate Shell | Spawning of a shell program | "linux", "container" |
| K8S API Connection | Connection to the Kubernetes cluster API server | "container" |
| K8S Service Account Use | Reading of the Kubernetes service account token file in a container | "container" |
| K8S TLS Certificate Theft | Accessing the TLS certificate used for secure communication between Kubernetes components | "linux", "container" |
As a simple test, we can trigger the Fileless Execution rule:
```
wget https://github.com/abbat/elfexec/releases/download/v0.3/elfexec.x64.glibc.xz
xz -d elfexec.x64.glibc.xz
chmod u+x elfexec.x64.glibc && mv ./elfexec.x64.glibc ./elfexec
echo '
#include <unistd.h>
int main(int argc, char* argv[]) {
    write(STDOUT_FILENO, "Hello!\n", 7);   /* 7 bytes: "Hello!" plus the newline */
    return 0;
}
' | cc -xc - -o /dev/stdout | ./elfexec
```
After the command prints hello, Tracee-rules captures the following result:
```
Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]

*** Detection ***
Time: 2021-11-04T07:55:05Z
Signature ID: TRC-5
Signature: Fileless Execution
Data: map[]
Command: elfexec
Hostname: localhost
```
The output shows that this command triggers the TRC-5 rule.
4. Create custom rules
Tracee-rules lets you write custom rules in two ways: as rule files in the Rego language, or through the Go Signature interface. Here we use a Rego rule as the example of how to write a custom rule that catches suspicious system behavior.
Writing Rego rules
Based on the sample rule file, we need to fill in the following three parts:
__rego_metadoc__ : a document object that defines the rule's metadata.
tracee_selected_events : defines the event selectors, i.e. which events the rule collects.
tracee_match : the matching logic; a rule can contain multiple tracee_match blocks.
I use a rule that monitors the whoami command as the example. To monitor whoami, the rule has to watch the execve kernel function, and the pathname argument of the executed file should be the file path of whoami. The full rule text is as follows:
```rego
package tracee.TCR_1

import data.tracee.helpers

# Rule metadata
__rego_metadoc__ := {
    "id": "TCR-1",
    "version": "1.0.0",
    "name": "cmd whoami",
    "description": "cmd whoami",
    "tags": ["linux", "container"],
    "properties": {
        "Severity": 2,
        "MITRE ATT&CK": "cmd"
    }
}

# Events this rule wants to receive from tracee-ebpf
eventSelectors := [
    {
        "source": "tracee",
        "name": "execve"
    }
]

tracee_selected_events[eventSelector] {
    eventSelector := eventSelectors[_]
}

# Match: an execve whose pathname argument is the whoami binary
tracee_match {
    input.eventName == "execve"
    pathname = helpers.get_tracee_argument("pathname")
    startswith(pathname, "/usr/bin/whoami")
}
```
Save this rule file in the rules directory and restart tracee-rules to monitor the execution of the whoami command.
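As an added example (not part of the original post or of Tracee itself), the following Python script parses raw tracee-ebpf text output in the TIME/UID/COMM/PID/TID/RET/EVENT/ARGS layout shown in section 2 and applies the same condition as the TCR-1 rule above, so the matching logic can be checked offline against captured lines. The sample lines are constructed for this example; the execve line and its numeric values are made up.

```python
import re
from typing import Dict, List

# Constructed sample in tracee-ebpf's default text layout. The first two event
# lines mirror the page's raw output; the execve line is made up for this example.
SAMPLE_OUTPUT = """\
TIME             UID    COMM             PID     TID     RET  EVENT      ARGS
06:16:20:529094  0      assist_daemon    719     759     7    open       pathname: /proc/stat, flags: O_RDONLY|O_LARGEFILE|O_CLOEXEC, mode: 0
06:16:20:529244  0      assist_daemon    719     759     0    close      fd: 7
06:16:21:000123  1000   bash             4321    4321    0    execve     pathname: /usr/bin/whoami, argv: [whoami]
"""

# One event per line; the header does not match because UID must be numeric.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<uid>\d+)\s+(?P<comm>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<tid>\d+)\s+(?P<ret>-?\d+)\s+(?P<event>\S+)\s*(?P<args>.*)$"
)
# Split "k1: v1, k2: v2" only at a comma that precedes the next "key: " token,
# so values that themselves contain commas (e.g. argv lists) stay intact.
ARG_SPLIT_RE = re.compile(r",\s+(?=\w+: )")


def parse_args(raw: str) -> Dict[str, str]:
    """Turn the ARGS column into a name -> value mapping."""
    args: Dict[str, str] = {}
    for chunk in ARG_SPLIT_RE.split(raw.strip()):
        if ": " in chunk:
            key, value = chunk.split(": ", 1)
            args[key.strip()] = value.strip()
    return args


def parse_events(text: str) -> List[dict]:
    """Parse tracee-ebpf text output into event dicts (header line is skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for field in ("uid", "pid", "tid", "ret"):
            ev[field] = int(ev[field])
        ev["args"] = parse_args(ev["args"])
        events.append(ev)
    return events


def matches_whoami(ev: dict) -> bool:
    """Same condition as the TCR-1 Rego rule: execve of the whoami binary."""
    return ev["event"] == "execve" and ev["args"].get("pathname", "").startswith("/usr/bin/whoami")


def detect(text: str) -> List[dict]:
    """Return the events that would fire TCR-1."""
    return [ev for ev in parse_events(text) if matches_whoami(ev)]
```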
```
Loaded 1 signature(s): [TCR-1]

*** Detection ***
Time: 2021-11-08T06:50:52Z
Signature ID: TCR-1
Signature: cmd whoami
Data: map[]
Command: bash
Hostname: localhost
```