TIL - Tracing Syscalls using Aquasec Tracee

Today I Learned Nov 12, 2022

To check all the syscalls made from a container, use the Tracee tool developed by Aqua Security.

The docker run command below traces all syscalls made from newly started containers.

docker run --name tracee --rm --privileged \
  -v /lib/modules/:/lib/modules/:ro \
  -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it \
  aquasec/tracee:0.4.0 --trace container=new

GitHub - aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF