explaingit

aquasecurity/tracee

4,482 · Go · Audience · ops, devops · Complexity · 3/5 · License · Setup · moderate

TLDR

An open-source tool that monitors everything happening on a running Linux system in real time using eBPF, tracking processes, file access, and network connections, and automatically flags suspicious behavior.

Mindmap

mindmap
  root((Tracee))
    What it does
      Runtime monitoring
      Threat detection
      eBPF-powered
    Deployment
      Single Docker command
      Kubernetes DaemonSet
      Helm chart
    Events tracked
      System calls
      File access
      Network connections
    Audience
      Security teams
      DevOps engineers


Things people build with this

USE CASE 1

Deploy Tracee on a Kubernetes cluster to detect containers attempting privilege escalation or unexpected system calls.

USE CASE 2

Monitor a Linux server in real time for suspicious file access patterns or unusual process behavior.

USE CASE 3

Route Tracee security events into your existing monitoring stack like Prometheus or a SIEM.

USE CASE 4

Run Tracee during a security audit to observe exactly what system calls a process makes.

Tech stack

Go · eBPF · Linux · Docker · Kubernetes · Helm

Getting it running

Difficulty · moderate · Time to first run · 5 min

Requires a Linux host with a compatible kernel version; Kubernetes deployment additionally needs Helm and cluster-admin permissions.

Use and distribute freely for any purpose, including commercial, as long as you keep the copyright notice.

In plain English

Tracee is a runtime security and observability tool for Linux. It monitors what happens on a running system in real time, recording details about process activity, system calls, file access, and network connections. Based on these observations, it can also detect patterns that indicate suspicious behavior, such as a process attempting privileged actions it would not normally take, or a container behaving unexpectedly.

The tool operates using eBPF, a feature built into the Linux kernel that allows programs to attach monitoring logic to kernel events without changing or replacing kernel code. This gives Tracee access to detailed, low-level system information while keeping performance impact low. Events can range from simple records of system activity to higher-level security signals assembled from multiple observations over time.

Running Tracee on a single machine requires a single Docker command and works on most common Linux distributions. For organizations running containerized infrastructure, a Helm chart is available for deploying it across a Kubernetes cluster as a DaemonSet, which places an instance on every node in the cluster. Logs produced by Tracee flow through standard Kubernetes logging and can be routed to existing monitoring and alerting systems.

Tracee is developed and maintained by Aqua Security, a company focused on securing containerized applications, and is released as open source under a permissive license. The project has documentation, contribution guidelines, and community channels through GitHub Discussions and Slack. It is written in Go. Users with compatibility questions or hardware-specific concerns can consult the prerequisites page in the project documentation.

Copy-paste prompts

Prompt 1
Show me the Docker command to run Tracee on my Linux machine and explain the key fields in its output.
Prompt 2
How do I deploy Tracee across my entire Kubernetes cluster using the Helm chart and route its alerts to PagerDuty?
Prompt 3
What does it mean when Tracee flags a container for privilege escalation? Give me 3 concrete examples of events it would detect.
Prompt 4
I want a Tracee policy that alerts me when any process in a specific namespace tries to read /etc/passwd, show me how to write it.
Prompt 5
How does Tracee use eBPF to monitor kernel events and what are the performance implications of running it in production?