TIL - Tracing Syscalls using Aquasec Tracee
To see every syscall made from a container, use Tracee, a tool developed by Aqua Security.
The docker run command below traces all syscalls made from new containers:
docker run --name tracee --rm --privileged \
-v /lib/modules/:/lib/modules/:ro \
-v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee -it \
aquasec/tracee:0.4.0 --trace container=new
GitHub - aquasecurity/tracee: Linux Runtime Security and Forensics using eBPF