7. Workload Considerations : Tracee


Tracee (built on eBPF) monitors system calls and kernel events.

- For each event it captures: (1) a precise timestamp, (2) uts_name, (3) UID, (4) command (COMM), (5) PID, (6) TID/host, (7) return code (RET), (8) event name, and (9) arguments.

- At least three volume mounts are needed: (1) /lib/modules, (2) /usr/src, (3) /tmp/tracee. Tracee provides in-depth tracing of a container or pod.


Tracee has multiple options. The important ones are:

list: lists the system calls and other events Tracee can trace.

trace: selects which events to trace, filtered by pid, uid, uts name, mntns, pidns, command (comm), system call, etc. Comparison operators can be used in the filter.

Examples:
  --trace pid=new                                              | only trace events from new processes
  --trace pid=510,1709                                         | only trace events from pid 510 or pid 1709
  --trace p=510 --trace p=1709                                 | only trace events from pid 510 or pid 1709 (same as above)
  --trace container=new                                        | only trace events from newly created containers
  --trace container                                            | only trace events from containers
  --trace c                                                    | only trace events from containers (same as above)
  --trace '!container'                                         | only trace events from the host
  --trace uid=0                                                | only trace events from uid 0
  --trace mntns=4026531840                                     | only trace events from mntns id 4026531840
  --trace pidns!=4026531836                                    | only trace events from pidns id not equal to 4026531836
  --trace 'uid>0'                                              | only trace events from uids greater than 0
  --trace 'pid>0' --trace 'pid<1000'                           | only trace events from pids between 0 and 1000
  --trace 'u>0' --trace u!=1000                                | only trace events from uids greater than 0 but not 1000
  --trace event=execve,open                                    | only trace execve and open events
  --trace set=fs                                               | trace all file-system related events
  --trace s=fs --trace e!=open,openat                          | trace all file-system related events, but not open(at)
  --trace uts!=ab356bc4dd554                                   | don't trace events from uts name ab356bc4dd554
  --trace comm=ls                                              | only trace events from ls command
  --trace close.fd=5                                           | only trace 'close' events that have 'fd' equal to 5
  --trace openat.pathname=/tmp*                                | only trace 'openat' events that have 'pathname' prefixed by "/tmp"
  --trace openat.pathname!=/tmp/1,/bin/ls                      | don't trace 'openat' events that have 'pathname' equal to /tmp/1 or /bin/ls
  --trace comm=bash --trace follow                             | trace all events that originated from bash or from one of the processes spawned by bash
  --trace container=new                                        | all the events from containers created after issuing this command
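To make the filter semantics above concrete (a repeated `=` on the same key ORs the values, every other constraint ANDs, `!container` means host-only, and an argument filter such as `openat.pathname=/tmp*` applies only to that event), here is an added example that is not part of the original post or of Tracee itself. It replays a handful of constructed JSON events, using the field names Tracee's `--output json` mode emits (`processId`, `userId`, `hostName`, `containerId`, `eventName`, `args`, ...), through a small evaluator of `--trace` expressions. The sample values, host names and container id are made up; stateful filters (`new`, `follow`, `set=`) are deliberately rejected because they need process-lifecycle state a post-hoc filter does not have.

```python
import json
import re

# Constructed sample events (not real captures). Field names follow Tracee's
# JSON output; every value, host name and container id here is invented.
SAMPLE_EVENTS = [json.loads(line) for line in """\
{"timestamp": 1625000001, "processName": "bash", "processId": 510, "userId": 0, "hostName": "ab356bc4dd554", "mountNamespace": 4026531840, "pidNamespace": 4026531836, "containerId": "", "eventName": "execve", "returnValue": 0, "args": [{"name": "pathname", "value": "/bin/ls"}]}
{"timestamp": 1625000002, "processName": "ls", "processId": 1709, "userId": 1000, "hostName": "ab356bc4dd554", "mountNamespace": 4026531840, "pidNamespace": 4026531836, "containerId": "", "eventName": "openat", "returnValue": 3, "args": [{"name": "dirfd", "value": -100}, {"name": "pathname", "value": "/tmp/1"}]}
{"timestamp": 1625000003, "processName": "nginx", "processId": 2200, "userId": 101, "hostName": "c0ffee", "mountNamespace": 4026532501, "pidNamespace": 4026532502, "containerId": "c0ffee1234", "eventName": "openat", "returnValue": 4, "args": [{"name": "dirfd", "value": -100}, {"name": "pathname", "value": "/etc/nginx/nginx.conf"}]}
{"timestamp": 1625000004, "processName": "sh", "processId": 2300, "userId": 0, "hostName": "c0ffee", "mountNamespace": 4026532501, "pidNamespace": 4026532502, "containerId": "c0ffee1234", "eventName": "close", "returnValue": 0, "args": [{"name": "fd", "value": 5}]}
""".splitlines()]

ALIASES = {"p": "pid", "u": "uid", "c": "container", "e": "event"}
FIELDS = {  # --trace key -> JSON field in the event
    "pid": "processId", "uid": "userId", "uts": "hostName", "comm": "processName",
    "mntns": "mountNamespace", "pidns": "pidNamespace", "event": "eventName",
    "container": "containerId",
}
FILTER_RE = re.compile(r"^(!?)([A-Za-z_.]+)(?:(!=|=|>|<)(.+))?$")


def parse_filter(expr):
    """Parse one --trace expression into (key, op, values).

    Bare 'container' / '!container' become op 'present' / 'absent'.
    'new', 'follow' and 'set=' need process-lifecycle state that a static
    evaluator over already-collected events does not have, so they are rejected.
    """
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"cannot parse --trace {expr!r}")
    neg, key, op, raw = m.groups()
    key = ALIASES.get(key, key)
    if op is None:
        if key != "container":
            raise ValueError(f"unsupported bare filter {expr!r}")
        return key, "absent" if neg else "present", []
    if neg:
        raise ValueError(f"'!' is only valid as '!container': {expr!r}")
    values = raw.split(",")
    if "new" in values or key == "set":
        raise ValueError(f"stateful filter not supported here: {expr!r}")
    if key not in FIELDS and "." not in key:
        raise ValueError(f"unknown filter key {key!r}")
    return key, op, values


def compile_filters(exprs):
    """Group expressions by key. Repeating '=' on one key unions the values
    ('--trace p=510 --trace p=1709' == 'pid=510,1709'); every other
    constraint, and every other key, is ANDed."""
    groups = {}
    for expr in exprs:
        key, op, values = parse_filter(expr)
        g = groups.setdefault(key, {"=": [], "!=": [], ">": [], "<": [], "container": None})
        if op in ("present", "absent"):
            g["container"] = op == "present"
        else:
            g[op].extend(values)
    return groups


def field_value(event, key):
    """Return (value, applicable). An argument filter such as 'openat.pathname'
    applies only to that event; events of other types are not traced at all."""
    if "." in key:
        name, arg = key.split(".", 1)
        if event["eventName"] != name:
            return None, False
        for a in event.get("args", []):
            if a["name"] == arg:
                return a["value"], True
        return None, False
    return event[FIELDS[key]], True


def value_matches(actual, pattern):
    """Exact match for numbers; a string pattern ending in '*' is a prefix match."""
    if isinstance(actual, int):
        return actual == int(pattern)
    if pattern.endswith("*"):
        return str(actual).startswith(pattern[:-1])
    return str(actual) == pattern


def event_matches(event, groups):
    for key, g in groups.items():
        if g["container"] is not None and bool(event.get("containerId")) != g["container"]:
            return False
        if not (g["="] or g["!="] or g[">"] or g["<"]):
            continue
        actual, applicable = field_value(event, key)
        if not applicable:
            return False
        if g["="] and not any(value_matches(actual, v) for v in g["="]):
            return False
        if any(value_matches(actual, v) for v in g["!="]):
            return False
        if any(actual <= int(v) for v in g[">"]) or any(actual >= int(v) for v in g["<"]):
            return False
    return True


def trace(events, exprs):
    """Return the events that the given --trace expressions would keep."""
    groups = compile_filters(exprs)
    return [e for e in events if event_matches(e, groups)]


def traced_pids(events, exprs):
    return [e["processId"] for e in trace(events, exprs)]


if __name__ == "__main__":
    for exprs in (["!container"], ["u>0", "u!=1000"], ["openat.pathname=/tmp*"]):
        print(exprs, "->", traced_pids(SAMPLE_EVENTS, exprs))
```

Feeding it the filters from the table shows, for instance, that `u>0` plus `u!=1000` keeps only the uid-101 nginx event, and that `openat.pathname!=/tmp/1,/bin/ls` still drops the `execve` and `close` events because an argument filter implies the event filter.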

capture: captures suspicious artifacts. One can specify (1) files written to a specific path, (2) files executed from a specific path, (3) memory regions with both write and execute (W+X) access.

Examples:
  --capture exec                                           | capture executed files into the default output directory
  --capture all --capture dir:/my/dir --capture clear-dir  | delete /my/dir/out and then capture all supported artifacts into it
  --capture write=/usr/bin/* --capture write=/etc/*        | capture files that were written into anywhere under /usr/bin/ or /etc/

output: selects the output format and output file path, and whether to include (1) the exec environment and (2) a stack trace.

Examples:
  --output json --output option:eot                        | output as json and add an EOT event
  --output gotemplate=/path/to/my.tmpl                     | output as the provided go template
  --output out-file:/my/out err-file:/my/err               | output to /my/out and errors to /my/err
