github.com/aquasecurity/tracee/tracee-ebpf
In some cases, you might want to leverage Tracee's eBPF event collection capabilities directly, without involving the detection engine. This might be useful for debugging/troubleshooting/analysis/research/education. In this case you can use Tracee's eBPF collector component, which will start dumping raw data directly into standard output.
Watch a quick video demo of Tracee's eBPF tracing capabilities
The full documentation of Tracee's eBPF tracing is available at https://aquasecurity.github.io/tracee/dev/tracee-ebpf/. You can use the version selector on top to view documentation for a specific version of Tracee.
Before you proceed, make sure you follow the minimum requirements for running Tracee.
docker run --name tracee --rm --pid=host --cgroupns=host --privileged -v /tmp/tracee:/tmp/tracee -it aquasec/tracee:latest trace
Here we are running the same aquasec/tracee container, but with the trace sub-command, which will start just a raw trace (Tracee-eBPF), without the detection engine (Tracee-Rules). Here's a sample output of running with no additional arguments:
TIME(s) UID COMM PID TID RET EVENT ARGS
176751.746515 1000 zsh 14726 14726 0 execve pathname: /usr/bin/ls, argv: [ls]
176751.746772 1000 zsh 14726 14726 0 security_bprm_check pathname: /usr/bin/ls, dev: 8388610, inode: 777
176751.747044 1000 ls 14726 14726 -2 access pathname: /etc/ld.so.preload, mode: R_OK
176751.747077 1000 ls 14726 14726 0 security_file_open pathname: /etc/ld.so.cache, flags: O_RDONLY|O_LARGEFILE, dev: 8388610, inode: 533737
...
Each line is a single event collected by Tracee-eBPF, with the fields named in the header line above: TIME(s), UID, COMM, PID, TID, RET, EVENT and ARGS.
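As an added example (not code from the Tracee project), here is a small Python parser for the raw trace format shown above. It uses the header line TIME(s) UID COMM PID TID RET EVENT ARGS as its field list, splits the ARGS column into key/value pairs (treating commas inside [...] as part of a value, as in argv: [ls]), and then answers two questions an analyst reading a trace typically starts with: how many events of each type were seen, and which syscalls failed (negative RET). The sample input is a constructed copy of the README's own output lines.

```python
from collections import Counter

# Constructed sample: the raw Tracee-eBPF lines shown in the README above.
SAMPLE_OUTPUT = """\
TIME(s) UID COMM PID TID RET EVENT ARGS
176751.746515 1000 zsh 14726 14726 0 execve pathname: /usr/bin/ls, argv: [ls]
176751.746772 1000 zsh 14726 14726 0 security_bprm_check pathname: /usr/bin/ls, dev: 8388610, inode: 777
176751.747044 1000 ls 14726 14726 -2 access pathname: /etc/ld.so.preload, mode: R_OK
176751.747077 1000 ls 14726 14726 0 security_file_open pathname: /etc/ld.so.cache, flags: O_RDONLY|O_LARGEFILE, dev: 8388610, inode: 533737
...
"""


def split_args(args):
    """Turn 'k: v, k: v' into a dict. Commas inside [...] stay in the value."""
    parts, buf, depth = [], [], 0
    for ch in args:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if buf:
        parts.append("".join(buf))
    out = {}
    for part in parts:
        key, _, value = part.strip().partition(":")
        if key:
            out[key.strip()] = value.strip()
    return out


def parse_event(line):
    """Parse one output line into a dict, or return None for header/filler lines."""
    # The first seven columns are whitespace separated; everything after EVENT is ARGS.
    fields = line.split(None, 7)
    if len(fields) < 7:
        return None
    try:
        return {
            "time": float(fields[0]),
            "uid": int(fields[1]),
            "comm": fields[2],
            "pid": int(fields[3]),
            "tid": int(fields[4]),
            "ret": int(fields[5]),
            "event": fields[6],
            "args": split_args(fields[7]) if len(fields) == 8 else {},
        }
    except ValueError:  # the "TIME(s) UID ..." header does not parse as numbers
        return None


def parse_output(text):
    """Parse a whole trace dump, skipping the header and '...' lines."""
    events = []
    for line in text.splitlines():
        event = parse_event(line.strip())
        if event is not None:
            events.append(event)
    return events


def count_by_event(events):
    """How many events of each type were collected."""
    return Counter(e["event"] for e in events)


def failed_calls(events):
    """Events whose RET is negative (a failed syscall), with the path they touched."""
    return [
        (e["event"], e["args"].get("pathname"), e["ret"])
        for e in events
        if e["ret"] < 0
    ]


if __name__ == "__main__":
    evs = parse_output(SAMPLE_OUTPUT)
    print(count_by_event(evs))
    print(failed_calls(evs))
```

In the sample the only failure is the access call on /etc/ld.so.preload returning -2 (ENOENT), which is the dynamic loader's normal probe for a preload file; seeing that probe succeed on a host where no preload file is expected is the kind of change such a parser makes easy to spot across a longer trace.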
Use the --help flag to see a full description of available options. Some flags have specific help sections that can be accessed by passing help to the flag, for example --output help.
This section covers some of the more common options.
You can obtain Tracee-eBPF in any of the following ways:
- Download the tracee.tar.gz archive from the project's GitHub Releases.
- Use the Docker image aquasec/tracee with the trace sub-command.
- Build the executable from source using make build. For that you will need additional development tooling.
- Build the executable from source inside a Docker container using make build DOCKER=1.
All of the other setup options and considerations listed under Tracee's Installation section apply to Tracee-eBPF as well.