[Introduction]
Tracee is a runtime security and forensics tool for Linux. It uses Linux eBPF to trace the system and its applications at runtime, and analyzes the collected events to detect suspicious behavior patterns. This post records how I built and did a first test of the open source Tracee project, as notes so that I do not forget. A follow-up post will look at the source code.
GitHub repository: https://github.com/aquasecurity/tracee
[Tracee documentation and resources]
There are already quite a few documents and resources online, so I will not repeat them here; see the following:
- It mentions that an intrusion-detection approach like Tracee's, which relies only on eBPF syscall tracing, is not yet mature.
[Tracee quick guide]
Because Tracee on GitHub is updated very quickly, the problems that the documents above describe when building the eBPF program from source on Ubuntu 21.04 did not occur for me, so here is a quick guide for reference:
Quick guide: building Tracee (including the rules)
(Ubuntu 21.04; its Linux kernel has BTF enabled)
# current directory: ~/
$ git clone https://github.com/aquasecurity/tracee
$ cd tracee
$ make tracee-ebpf
$ make tracee-rules
$ make rules
Check which command-line options the built tracee-ebpf accepts (the binaries are written to dist/):
$ cd dist
$ ./tracee-ebpf --help
NAME:
Tracee - Trace OS events and syscalls using eBPF
USAGE:
tracee-ebpf [global options] command [command options] [arguments...]
VERSION:
"v0.7.0-rc-1-9-g0837519"
COMMANDS:
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--list, -l just list tracable events (default: false)
--trace value, -t value select events to trace by defining trace expressions. run '--trace help' for more info.
--capture value, -c value capture artifacts that were written, executed or found to be suspicious. run '--capture help' for more info.
--output value, -o value Control how and where output is printed. run '--output help' for more info. (default: "format:table")
--cache value, -a value Control event caching queues. run '--cache help' for more info. (default: "none")
--perf-buffer-size value, -b value size, in pages, of the internal perf ring buffer used to submit events from the kernel (default: 1024)
--blob-perf-buffer-size value size, in pages, of the internal perf ring buffer used to send blobs from the kernel (default: 1024)
--debug write verbose debug messages to standard output and retain intermediate artifacts (default: false)
--install-path value path where tracee will install or lookup it's resources (default: "/tmp/tracee")
--metrics enable metrics endpoint (default: false)
--metrics-addr value listening address of the metrics endpoint server (default: ":3366")
--help, -h show help (default: false)
--version, -v print the version (default: false)
Quick guide: testing Tracee (with Docker)
(Ubuntu 21.04; its Linux kernel has BTF enabled)
# current directory: ~/tracee (--privileged is needed so the container can load eBPF programs, --pid=host so it sees host processes)
$ sudo docker run --name tracee --rm --privileged -it --pid=host -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest
Quick guide: testing Tracee (started directly, without Docker)
(Ubuntu 21.04; its Linux kernel has BTF enabled)
# current directory: ~/tracee
$ cd dist
$ sudo ./tracee-ebpf -o format:gob | ./tracee-rules --input-tracee file:stdin --input-tracee format:gob
# at the same time, open a second terminal (starting from ~/)
$ cd tracee/tests/tracee-tester
$ sudo ./trc12.sh
The result is as follows; the anomaly caused by the test script is detected:
Loaded 14 signature(s): [TRC-1 TRC-13 TRC-2 TRC-14 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]
*** Detection ***
Time: 2022-03-25T01:03:29Z
Signature ID: TRC-12
Signature: Illegitimate Shell
Data: map[]
Command: apache
Hostname: ubuntu21-danny
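The TRC-12 detection above fires because a web-server process (apache) executed a shell. The following is an added example, not code from this post or from the Tracee project, showing that matching logic as a self-contained Go program run over constructed sample events and printing findings in the same layout as the tracee-rules output above. Its Event and Finding types, the webServers and shells lists, and the use of the execve event name are assumptions made for illustration; Tracee's own TRC-12 signature is written against Tracee's event types and may hook a different exec-related event.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Event is a minimal stand-in (constructed for this example) for the fields of a
// tracee exec event that the check below needs; it is not tracee's own type.
type Event struct {
	EventName   string // tracee event name, e.g. "execve" (assumption)
	ProcessName string // comm of the process issuing the syscall
	Pathname    string // "pathname" argument of the exec
}

// Finding mirrors the fields of the "*** Detection ***" block printed by tracee-rules.
type Finding struct {
	SignatureID string
	Signature   string
	Command     string
	Shell       string
}

// Web-server process names that should never spawn an interactive shell.
// Assumption: a representative list, not the one tracee ships.
var webServers = map[string]bool{
	"apache": true, "apache2": true, "httpd": true, "nginx": true,
	"lighttpd": true, "caddy": true, "php-fpm": true,
}

// Shell binaries whose execution by a web server is treated as suspicious.
var shells = map[string]bool{
	"sh": true, "bash": true, "dash": true, "zsh": true,
	"ksh": true, "csh": true, "tcsh": true, "fish": true,
}

// IllegitimateShell reports whether one event matches the TRC-12 pattern:
// an exec of a shell performed by a web-server process.
func IllegitimateShell(ev Event) (Finding, bool) {
	if ev.EventName != "execve" {
		return Finding{}, false
	}
	if !webServers[ev.ProcessName] {
		return Finding{}, false
	}
	// path.Base covers "/bin/sh", "/usr/bin/bash" and a bare "sh" alike.
	if !shells[path.Base(ev.Pathname)] {
		return Finding{}, false
	}
	return Finding{
		SignatureID: "TRC-12",
		Signature:   "Illegitimate Shell",
		Command:     ev.ProcessName,
		Shell:       ev.Pathname,
	}, true
}

// ScanEvents runs the signature over an event stream and collects findings.
func ScanEvents(events []Event) []Finding {
	var out []Finding
	for _, ev := range events {
		if f, ok := IllegitimateShell(ev); ok {
			out = append(out, f)
		}
	}
	return out
}

// FormatFinding renders a finding in the layout tracee-rules uses.
func FormatFinding(f Finding) string {
	var b strings.Builder
	b.WriteString("*** Detection ***\n")
	fmt.Fprintf(&b, "Signature ID: %s\n", f.SignatureID)
	fmt.Fprintf(&b, "Signature: %s\n", f.Signature)
	fmt.Fprintf(&b, "Command: %s\n", f.Command)
	fmt.Fprintf(&b, "Shell: %s\n", f.Shell)
	return b.String()
}

func main() {
	// Constructed sample events, not a real tracee capture.
	events := []Event{
		{"execve", "bash", "/usr/bin/ls"},     // user shell running ls: benign
		{"execve", "apache", "/usr/bin/php"},  // web server running php: benign
		{"execve", "apache", "/bin/sh"},       // web server spawning a shell: TRC-12
		{"openat", "nginx", "/bin/bash"},      // not an exec event: ignored
		{"execve", "nginx", "/usr/bin/bash"},  // web server spawning a shell: TRC-12
	}
	for _, f := range ScanEvents(events) {
		fmt.Print(FormatFinding(f))
	}
}
```

The check is deliberately keyed on the exec'd pathname rather than on the command line, so `/bin/sh -c "id"` and an interactive `/bin/bash` are caught the same way; a real deployment would also want to tune the webServers list to the process names actually running on the host.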