// the find
aquasecurity/tracee
Linux Runtime Security and Forensics using eBPF
Tracee is Aqua Security's eBPF-based runtime security tool for Linux. It hooks into the kernel to emit structured events — syscalls, file ops, network activity, process execution — and ships built-in detection rules for suspicious behavior patterns. It's aimed at teams running containerized workloads on Kubernetes who want visibility without kernel module shenanigans.
The eBPF approach is the right call: no kernel modules, no patching, works on stock kernels back to 4.18. The event model is well-thought-out — they separate raw system events from derived security detections, so you can consume either layer. The Helm chart + gRPC API (traceectl) makes integration into existing observability pipelines straightforward rather than forcing you into their specific output format. The test infrastructure is genuinely serious: kernel matrix testing across distributions, integration tests, e2e tests with real event triggers — not just unit tests on mock interfaces.
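To make the two-layer event model concrete, here is an added Go example (written for this review, not code from the Tracee project) that consumes a newline-delimited JSON stream of raw kernel events and derives security detections from it with small rule functions, keeping both layers available to the caller. The `RawEvent` field names, the two rules, and the `SampleEvents` stream are all constructed for illustration and are not Tracee's real schema or built-in signatures.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// RawEvent is a simplified, hypothetical shape for one raw kernel event as a
// tracer might emit it in newline-delimited JSON. These field names are
// assumptions for this example, not Tracee's actual event schema.
type RawEvent struct {
	EventName   string            `json:"eventName"`
	ProcessName string            `json:"processName"`
	ProcessID   int               `json:"processId"`
	Args        map[string]string `json:"args"`
}

// Detection is the derived layer: one rule's verdict about one raw event.
type Detection struct {
	RuleID  string
	Summary string
	Source  RawEvent
}

// Rule maps a raw event to zero or one detection.
type Rule func(RawEvent) (Detection, bool)

// ExecFromTmp flags execution of a binary from a world-writable temp location.
func ExecFromTmp(e RawEvent) (Detection, bool) {
	if e.EventName != "execve" {
		return Detection{}, false
	}
	p := e.Args["pathname"]
	if strings.HasPrefix(p, "/tmp/") || strings.HasPrefix(p, "/dev/shm/") {
		return Detection{
			RuleID:  "EXEC_FROM_TMP",
			Summary: fmt.Sprintf("pid %d (%s) executed %s", e.ProcessID, e.ProcessName, p),
			Source:  e,
		}, true
	}
	return Detection{}, false
}

// ShadowWrite flags opens of /etc/shadow that request write access.
func ShadowWrite(e RawEvent) (Detection, bool) {
	if e.EventName != "openat" || e.Args["pathname"] != "/etc/shadow" {
		return Detection{}, false
	}
	flags := e.Args["flags"]
	if strings.Contains(flags, "O_WRONLY") || strings.Contains(flags, "O_RDWR") {
		return Detection{
			RuleID:  "SHADOW_WRITE",
			Summary: fmt.Sprintf("pid %d (%s) opened /etc/shadow for writing", e.ProcessID, e.ProcessName),
			Source:  e,
		}, true
	}
	return Detection{}, false
}

// Process parses an NDJSON stream and returns both layers: every raw event
// that parsed, and the detections derived from them. Malformed lines are
// skipped and counted so one bad record does not stall the pipeline.
func Process(ndjson string, rules []Rule) (raw []RawEvent, dets []Detection, malformed int) {
	sc := bufio.NewScanner(strings.NewReader(ndjson))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e RawEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			malformed++
			continue
		}
		raw = append(raw, e)
		for _, r := range rules {
			if d, ok := r(e); ok {
				dets = append(dets, d)
			}
		}
	}
	return raw, dets, malformed
}

// SampleEvents is a constructed stream, not captured tracer output: a benign
// exec, an exec from /tmp, a read-only open of /etc/shadow, a write open of
// /etc/shadow, and one malformed line.
const SampleEvents = `
{"eventName":"execve","processName":"bash","processId":1201,"args":{"pathname":"/usr/bin/ls"}}
{"eventName":"execve","processName":"bash","processId":1202,"args":{"pathname":"/tmp/.x/payload"}}
{"eventName":"openat","processName":"sshd","processId":900,"args":{"pathname":"/etc/shadow","flags":"O_RDONLY"}}
{"eventName":"openat","processName":"sh","processId":1203,"args":{"pathname":"/etc/shadow","flags":"O_WRONLY|O_TRUNC"}}
{not json}
`

func main() {
	raw, dets, bad := Process(SampleEvents, []Rule{ExecFromTmp, ShadowWrite})
	fmt.Printf("raw events: %d, malformed: %d\n", len(raw), bad)
	for _, d := range dets {
		fmt.Printf("[%s] %s\n", d.RuleID, d.Summary)
	}
}
```

The point of returning both slices is the same one the review credits Tracee with: a forensics consumer can archive every raw event for later reconstruction, while an alerting consumer subscribes only to the derived detections, and neither forces its format on the other.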
It requires --privileged in Docker, which cuts against the very threat model it is supposed to defend: if you're worried about container escapes, running a privileged daemon on every node is a real tradeoff to acknowledge. The multi-module Go layout (api/, common/, cmd/traceectl/ each have their own go.mod) creates dependency management friction that will bite you when you try to vendor or pin versions. Detection rule customization appears to require writing Go and recompiling rather than loading rules at runtime, which limits operational flexibility. At 4.5k stars for a project this mature and backed by Aqua, adoption seems narrower than the technical quality warrants — likely because the operational complexity (eBPF kernel compatibility, privileged access, event volume tuning) has a steep setup cliff.