Tracee docker container wrapper for simple usage
- [x] I'll create a PR to implement this feature (assign to yourself).
Feature description
Currently, in order for an end user to use tracee as a docker container image, they need to know about all peculiarities needed by tracee (bind mount from the host, environment variables needed to be set) in order to use it:
https://aquasecurity.github.io/tracee/v0.8.0/tracing/#using-tracee-ebpf
There should be a wrapper script that runs the docker tracee image with all needed steps, taking care of setting the needed docker command-line flags depending on the running environment.
Additional Information (feature drawings, files, logs, etc)
Example of things sorted out by this:
- bind mounting /etc/os-release into /etc/os-release-host
- existence of /proc/kconfig.gz or /boot/config-$(uname -r) (https://github.com/aquasecurity/tracee/issues/2011#issuecomment-1201159457)
- setting tracee features (parse args, caching size, sort events feature) in a simple way
- etc...
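The host checks listed in the request above can be expressed as a small shell function. This is an added example, not code from the Tracee project or from anyone in this thread. The image tag, the `--pid`/`--cgroupns`/`--privileged` flags, the `LIBBPFGO_*` variable names and the use of `/proc/config.gz` as the procfs kernel config path are assumptions to verify against the documentation for the Tracee version in use.

```shell
#!/bin/sh
# Added example, not Tracee project code. Assumptions: the image reference, the
# --pid/--cgroupns/--privileged flags and the LIBBPFGO_* variable names should be
# checked against the documentation for the Tracee version in use.

# tracee_docker_args ROOT KERNEL_RELEASE [IMAGE]
# Prints one `docker` argument per line. ROOT is the prefix that is probed
# ("" for the real host), so the logic can be run against a constructed tree.
tracee_docker_args() {
    tda_root=$1
    tda_krel=$2
    tda_image=${3:-aquasec/tracee:0.8.0}   # assumed tag

    printf '%s\n' run --rm --pid=host --cgroupns=host --privileged

    # Host OS identification: read-only bind mount plus the variable pointing at it.
    if [ -r "$tda_root/etc/os-release" ]; then
        printf '%s\n' -v /etc/os-release:/etc/os-release-host:ro \
            -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host
    else
        echo "warning: no /etc/os-release on host" >&2
    fi

    # Kernel configuration: prefer the procfs copy, else the file under /boot.
    if [ -r "$tda_root/proc/config.gz" ]; then
        : # assumed readable from inside the privileged container; no mount added
    elif [ -r "$tda_root/boot/config-$tda_krel" ]; then
        printf '%s\n' -v "/boot/config-$tda_krel:/boot/config-$tda_krel:ro" \
            -e "LIBBPFGO_KCONFIG_FILE=/boot/config-$tda_krel"
    else
        echo "warning: no kernel config found on host" >&2
    fi

    printf '%s\n' "$tda_image"
}

# Usage on a real host (arguments contain no whitespace, so word splitting is safe):
#   docker $(tracee_docker_args "" "$(uname -r)")
```

Every host path is mounted read-only, so the privileged container gains no write access to the files it only needs to inspect.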
Just noting that container enrichment setup is also relevant here.
I believe this was recently discussed and we ended up saying a wrapper was not the way to go.
True, but we still wanted to simplify the docker run command as much as possible. IDK if it's the same issue or a new one, but can we keep it in the current milestone?