Deploy Tracee on a Kubernetes cluster to detect containers attempting privilege escalation or unexpected system calls.
Monitor a Linux server in real time for suspicious file access patterns or unusual process behavior.
Route Tracee security events into your existing monitoring stack like Prometheus or a SIEM.
Run Tracee during a security audit to observe exactly what system calls a process makes.
| aquasecurity/tracee | six-ddc/plow | nikolaydubina/go-recipes | |
|---|---|---|---|
| Stars | 4,482 | 4,482 | 4,485 |
| Language | Go | Go | Go |
| Setup difficulty | moderate | easy | easy |
| Complexity | 3/5 | 2/5 | 1/5 |
| Audience | ops devops | developer | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a Linux host with a compatible kernel version, Kubernetes deployment needs Helm and cluster admin permissions.
Tracee is a runtime security and observability tool for Linux. It monitors what happens on a running system in real time, recording details about process activity, system calls, file access, and network connections. Based on these observations, it can also detect patterns that indicate suspicious behavior, such as a process attempting privileged actions it would not normally take, or a container behaving unexpectedly. The tool operates using eBPF, a feature built into the Linux kernel that allows programs to attach monitoring logic to kernel events without changing or replacing kernel code. This gives Tracee access to detailed, low-level system information while keeping performance impact low. Events can range from simple records of system activity to higher-level security signals assembled from multiple observations over time. Running Tracee on a single machine requires a single Docker command and works on most common Linux distributions. For organizations running containerized infrastructure, a Helm chart is available for deploying it across a Kubernetes cluster as a DaemonSet, which places an instance on every node in the cluster. Logs produced by Tracee flow through standard Kubernetes logging and can be routed to existing monitoring and alerting systems. Tracee is developed and maintained by Aqua Security, a company focused on securing containerized applications, and is released as open source under a permissive license. The project has documentation, contribution guidelines, and community channels through GitHub Discussions and Slack. It is written in Go. Users with compatibility questions or hardware-specific concerns can consult the prerequisites page in the project documentation.
An open-source tool that monitors everything happening on a running Linux system in real time using eBPF, tracking processes, file access, and network connections, and automatically flags suspicious behavior.
Mainly Go. The stack also includes Go, eBPF, Linux.
Use and distribute freely for any purpose, including commercial, as long as you keep the copyright notice.
Setup difficulty is rated moderate, with roughly 5min to a first successful run.
Mainly ops devops.
This repo across BitVibe Labs
Verify against the repo before relying on details.