Tracee - eBPF Runtime Security & Forensics Cheatsheet

Tracee - eBPF Runtime Security & Forensics Cheatsheet

Tracee is an open-source eBPF-based runtime security and forensics tool from Aqua Security. It uses eBPF to trace operating-system events — syscalls, process and network activity, file operations — at the kernel level with low overhead, then applies a library of behavioral signatures to detect suspicious or malicious activity at runtime. It is built for Linux hosts, containers, and Kubernetes, and is a strong complement to Falco and Tetragon in the eBPF runtime-security space.

Requirements

• Linux kernel ≥ 5.4 (BTF / CO-RE support recommended; most modern distros)
• Root / privileged container (eBPF needs elevated capabilities)

Installation

Method	Command
Docker (quickest)	docker run --name tracee -it --rm --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro aquasec/tracee:latest
Kubernetes (Helm)	helm repo add aqua https://aquasecurity.github.io/helm-charts/ && helm install tracee aqua/tracee -n tracee --create-namespace
Binary	download from GitHub Releases, run sudo ./tracee
Verify	tracee version

Basic Usage

Command	Description
sudo tracee	Start tracing with default detection signatures
sudo tracee --output json	Emit events as JSON
sudo tracee --scope comm=nginx	Trace only a specific process
sudo tracee --events execve,open	Trace specific events
tracee --help	Full option list

Event Selection (--events)

Selector	Matches
--events execve	Process executions
--events open,openat	File opens
--events net_packet_dns	DNS traffic
--events security_file_open	LSM file-open hook
--events 'fs'	A whole event set (filesystem)
--events 'signatures'	Only signature detections
--events execve.args.pathname=/usr/bin/*	Filter by argument value

Scope Filtering (--scope)

Selector	Matches
--scope comm=bash	By command name
--scope pid=1234	By PID
--scope container	Only container events
--scope container=new	Only newly started containers
--scope uid=0	Root activity
--scope pid=new	Newly created processes
--scope not-container	Host-only events

Detection Signatures

Tracee ships behavioral signatures (Go and Rego) that flag known attack techniques.

Example detection	Technique
Anti-debugging	Evasion via ptrace
Dynamic code loading	Memory-resident payloads
LD_PRELOAD	Library injection
Privilege escalation	setuid/capability abuse
Container escape	Namespace/host access
Kernel module loading	Rootkit installation

Command	Description
sudo tracee --events signatures	Run only detection signatures
--rego- flags	Load custom Rego signatures
--signatures-dir DIR	Load signatures from a directory

Output & Capture

Option	Description
--output json	JSON events (pipe to a SIEM)
--output table	Human-readable table
--output gotemplate=FILE.tmpl	Custom templated output
--capture exec	Capture executed binaries to disk
--capture mem	Capture memory regions (forensics)
--capture net	Capture network traffic per event
--output forward:tcp://host:port	Forward events to a collector

Common Workflows

# Watch only container activity, JSON for a SIEM
sudo tracee --scope container --output json | tee tracee-events.json

# Detect threats only (signatures), table output
sudo tracee --events signatures --output table

# Investigate a specific process and capture executed binaries
sudo tracee --scope comm=suspicious --capture exec

# Surface DNS made by new containers (exfiltration hunting)
sudo tracee --scope container=new --events net_packet_dns

Tracee vs Falco vs Tetragon

Aspect	Tracee	Falco	Tetragon
Engine	eBPF (Aqua)	eBPF (CNCF)	eBPF (Cilium)
Focus	Forensics + detection + capture	Alerting/detection	Observability + in-kernel enforcement
Enforcement	Detection-focused	Detection	Yes (kill/override)
Forensic capture	Strong (exec/mem/net)	Limited	Event-focused
Best for	Threat forensics & capture	Mature rule library	Prevention + deep visibility

Resources

• GitHub Repository
• Official Documentation
• Signatures Reference