Detect cloud native security threats with Tracee

Open source Tracee uses Linux eBPF technology to trace system and applications at runtime, and analyzes collected events to detect suspicious behavioral patterns.

Detect cloud native security threats with Tracee
Koto Feja / Getty Images

The cloud native threat landscape is constantly evolving. Research from Aqua’s Team Nautilus in 2021 revealed higher levels of sophistication in attacks and an increase in volume of attacks targeting container infrastructure. The study showed that vulnerable containers could be exploited in less than an hour, underscoring the importance of visibility and real-time threat detection in cloud native environments. 

To be effective, threat detection must include the breadth of workloads for a cloud native environment, including containers, VMs, and serverless functions with the ability to detect the tactics used in attacks that target cloud native environments. Importantly, detection must occur in real time and be minimally disruptive to production. 

These key attributes were important factors behind the creation of Tracee, Aqua Security’s open source cloud native runtime security and forensics tool for Linux. Tracee uses eBPF technology to trace systems and applications at runtime and analyze collected events to detect suspicious behavioral patterns. As a result, teams can protect their containers, ensuring that applications remain online and secure. Tracee is quickly gaining adoption and now has nearly 2K stars on GitHub and an active community of users and contributors. 

A brief primer on eBPF

eBPF is a relatively new approach for introducing extensibility into the Linux kernel in a safe, performant, and flexible way. eBPF programs can be loaded into the kernel and triggered by many different types of events including network, security, and basic lifecycle events in the kernel.

An example of eBPF’s strengths is identifying applications’ anomalous behavior such as writing files into important system directories. eBPF code can run in response to file events to check if those are expected for the specific workload. Because it’s your code, you can collect any kind of meaningful data that would be hard or inefficient to obtain otherwise. This opens the door for many sophisticated detection techniques.

The evolution of Tracee

Tracee began as an internal tool that enabled Aqua’s research unit, Team Nautilus, to collect events in running containers. The goal was to develop a powerful tracing tool that was designed from the ground up for security. The first version was focused on basic event collection. The team started to incrementally add features, building Tracee into a holistic security tool, and released it to the community as an open source project in September 2019. This allowed practitioners and researchers to benefit from Tracee’s capabilities, while Aqua gained helpful insights from the community to improve the tool. New features were added along the way, such as the ability to capture forensic evidence, a precise filtering mechanism, and additional integrations.

In February 2021, Aqua released version 0.5.0 of Tracee, which marked the beginning of Tracee's evolution from a system tracing CLI tool into a runtime security solution with behavioral analysis capabilities, thanks to the introduction of a rules engine and a rules library that detects the different suspicious behavioral patterns that Aqua identifies.

Tracee today: A powerful OSS security tool

Since its creation in 2019, Tracee has evolved from an open source system tracing tool into a robust runtime security solution that includes a CLI tool, a Go library for writing eBPF programs, and a rules engine to process tracee-ebpf events and detect suspicious activities. Tracee is delivered as a Docker image that is easy to run. A Kubernetes installer makes it easy to use Tracee to secure clusters and consume the detections in a convenient manner. 

Tracee comes with a basic set of rules (called signatures) out of the box that covers a variety of attacks and evasion techniques. Users can extend Tracee by writing their own signatures. Signatures are written in Rego, which is the language behind the popular Cloud Native Computing Foundation project Open Policy Agent. This allows users to reuse their existing skills and tools and to author expressive signatures in a mature language. 

In addition to open source signatures, paying customers get access to a comprehensive database of signatures created and maintained by Aqua’s research team Nautilus, which continuously evaluates real world advancements in cybersecurity and creates mitigations in the form of Tracee signatures.

Unlike many other detection engines, Tracee has used eBPF since inception and collects all syscalls (around 330) as well as other security-oriented events right out of the box. While other solutions are built on kernel modules that can impact system stability and leave gaps with syscall tracing, Tracee’s use of eBPF is safe and performant, and Tracee has thoughtful features that prevent evasion by attackers.

For example, by default Tracee encourages tracing LSM (Linux Security Module) events instead of syscalls when applicable. Linux Security Modules is a set of pluggable hooks that are meant to be used by security tools. For example, instead of tracing the open/openat syscall, Tracee can trace the security_file_open LSM event, which is more accurate, reliable, and safe to use for security purposes.

Recent updates to Tracee include portability across kernel versions using the Compile Once:Run Everywhere approach, which eliminates the need to compile the eBPF probe or supply kernel headers. The original approach requires a recent Linux kernel with BTF (BPF Type Format) support. But Tracee solves this and supports older kernels using a novel approach that is open sourced and partly upstreamed to the Linux project itself. This is covered in the open source project btfhub

Tracee’s role in cloud native detection and response

Tracee is the foundation of Aqua’s Dynamic Threat Analysis (DTA) product, a sandboxed scanner that scans containers by running them. Able to detect malicious containers that cannot be found with traditional scanning tools, DTA is a vital part of Aqua’s industry-leading Cloud Native Detection and Response (CNDR) solution. CNDR uses a growing body of hundreds of behavioral indicators to identify attacks from low-level eBPF events, which are surfaced by Tracee. DTA, CNDR, and Tracee combine behavioral indicators from a dedicated cloud native security research team with eBPF events for real-time threat detection in runtime.

Tracee’s role in Aqua’s OSS ecosystem

Tracee is part of Aqua’s family of open source, cloud native security projects. Aqua views open source as a way to democratize security and educate engineering, security, and devops teams through accessible tools, reducing the barrier of entry to cloud native security. Aqua’s other open source project is Trivy, the most popular open source vulnerability scanner in the world. Trivy helps teams “shift left” to incorporate security into the build pipeline. Trivy scans code repositories and artifacts for vulnerabilities, infrastructure-as-code misconfigurations, and secrets, and generates SBOM (sofware bills of materials), among other capabilities.

These projects integrate with Aqua’s Cloud Native Application Protection Platform (CNAPP) and with many commonly used devops ecosystem tools to help drive faster adoption of cloud native technologies and processes, while maintaining security. Aqua’s OSS projects are built and maintained by Aqua’s open source team, which operates separately from commercial engineering in order to sustain the company’s commitment to providing reliable open source solutions, continuing to develop new features and address user feedback, and continually contributing to other projects within the open source community.

Itay Shakury is director of open source at Aqua Security, where he leads the development of industry leading, open source, cloud native security solutions. Itay has almost 20 years of experience in various development, architecture and product roles. Itay is also a CNCF Cloud Native Ambassador and is leading community initiatives such tech meetups and conferences.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to

Copyright © 2022 IDG Communications, Inc.