Tracee-Rules is a rule engine that detects suspicious behavioral patterns in a stream of events. It is primarily built to turn the events collected by Tracee-eBPF into a runtime security solution.
There are three basic concepts in Tracee-Rules:
- Inputs - Event sources to be processed. Currently only Tracee-eBPF is a supported event source.
- Rules (a.k.a Signatures) - The particular behavioral pattern to detect in the input source. Signatures can be authored in Golang, or Rego (OPA).
- Outputs - How to communicate detections. Print to stdout, post to a webhook, or integrate with external systems.
Tracee-Rules has no requirements of its own, but to run it together with Tracee-eBPF make sure you meet the minimum requirements for running Tracee.
Getting Tracee-Rules:
Currently you need to build from source:

```sh
cd tracee-rules && make
```

This builds the executable, together with all built-in signatures, into the local dist directory.
Running with Tracee-eBPF:

```sh
sudo tracee-ebpf -o format:gob | tracee-rules --input-tracee file:stdin --input-tracee format:gob
```

This will:
- Start tracee-ebpf in the default tracing mode (see Tracee-eBPF's help for more info).
- Configure Tracee-eBPF to write events to stdout in gob format, and append a terminating event that signals the end of the stream.
- Start tracee-rules with all built-in rules enabled, reading that gob stream from stdin.
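To make the pipeline above concrete, here is an added, self-contained illustration of the same idea: a producer gob-encodes a stream of events followed by a terminating event, and a small engine decodes the stream and fans each event out to the signatures that asked for it. This is example code written for this page, not Tracee's own source; the `Event` and `Signature` types, the `__end__` terminator, and the `execFromTmp` rule (which flags execve of a binary under /tmp or /dev/shm) are all simplified assumptions, and the sample events are constructed.

```go
package main

import (
	"bytes"
	"encoding/gob"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Event is a deliberately simplified stand-in for a Tracee-eBPF event
// (an assumed shape for this example, not Tracee's real event type).
type Event struct {
	EventName   string
	ProcessName string
	Args        map[string]string
}

// Finding is what a signature reports when its pattern matches.
type Finding struct {
	SignatureID string
	Event       Event
}

// Signature is a minimal rule interface: which events it wants, and what
// to do with each one. Tracee-Rules' real interface is richer.
type Signature interface {
	ID() string
	SelectedEvents() []string
	OnEvent(e Event) (bool, error)
}

// execFromTmp flags execve events whose pathname is under /tmp or /dev/shm,
// a common pattern for dropped payloads (illustrative rule, not a built-in).
type execFromTmp struct{}

func (execFromTmp) ID() string               { return "EXAMPLE-1" }
func (execFromTmp) SelectedEvents() []string { return []string{"execve"} }
func (execFromTmp) OnEvent(e Event) (bool, error) {
	p := e.Args["pathname"]
	return strings.HasPrefix(p, "/tmp/") || strings.HasPrefix(p, "/dev/shm/"), nil
}

// terminator marks the end of the stream; anything after it is ignored.
const terminator = "__end__"

// Engine routes each decoded event to the signatures that selected its name.
type Engine struct {
	bySigs map[string][]Signature
}

func NewEngine(sigs ...Signature) *Engine {
	e := &Engine{bySigs: map[string][]Signature{}}
	for _, s := range sigs {
		for _, name := range s.SelectedEvents() {
			e.bySigs[name] = append(e.bySigs[name], s)
		}
	}
	return e
}

// Run decodes gob-encoded events from r until the terminating event or a
// clean EOF, and returns every finding the signatures produced.
func (e *Engine) Run(r io.Reader) ([]Finding, error) {
	dec := gob.NewDecoder(r)
	var findings []Finding
	for {
		var ev Event
		if err := dec.Decode(&ev); err != nil {
			if errors.Is(err, io.EOF) {
				return findings, nil
			}
			return findings, err
		}
		if ev.EventName == terminator {
			return findings, nil
		}
		for _, s := range e.bySigs[ev.EventName] {
			matched, err := s.OnEvent(ev)
			if err != nil {
				return findings, err
			}
			if matched {
				findings = append(findings, Finding{SignatureID: s.ID(), Event: ev})
			}
		}
	}
}

// EncodeStream produces what a producer would write to stdout: the events,
// then the terminating event.
func EncodeStream(events []Event) ([]byte, error) {
	var buf bytes.Buffer
	enc := gob.NewEncoder(&buf)
	for _, ev := range append(events, Event{EventName: terminator}) {
		if err := enc.Encode(ev); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// SampleEvents is a constructed stream: a benign exec, an exec from /tmp,
// and an unrelated openat that no signature selects.
func SampleEvents() []Event {
	return []Event{
		{EventName: "execve", ProcessName: "bash", Args: map[string]string{"pathname": "/usr/bin/ls"}},
		{EventName: "execve", ProcessName: "bash", Args: map[string]string{"pathname": "/tmp/.x/payload"}},
		{EventName: "openat", ProcessName: "cat", Args: map[string]string{"pathname": "/etc/passwd"}},
	}
}

func main() {
	data, err := EncodeStream(SampleEvents())
	if err != nil {
		panic(err)
	}
	findings, err := NewEngine(execFromTmp{}).Run(bytes.NewReader(data))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s executed %s\n", f.SignatureID, f.Event.ProcessName, f.Event.Args["pathname"])
	}
}
```

The terminator matters because a pipe closing early (tracee-ebpf crashing, or the reader being killed) also yields EOF; a producer that writes an explicit end-of-stream event lets the consumer distinguish a clean shutdown from a truncated stream, which is why the real tool appends one.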