Tracee v0.4.0 released!

[itaysk]

Release: https://github.com/aquasecurity/tracee/releases/tag/v0.4.0

Notable changes:

• The entire CLI User Experience has been revised. We have unified most of the existing flags into few categorical flags for better usability. The new flags --output, --capture and --trace now each control their related options. For complete documentation see tracee --help and specifically tracee --output help, tracee --capture help and tracee --trace help.
• Many new "filters" were added. The new --trace flag tells Tracee what to trace, and by extension, what to filter out. Almost any field you see in Tracee's output can now be used for filtering.
• New trace modes added (now under --trace flag) to let you filter for container/non-container/specific namespaces in addition to the existing new processes and new containers modes.
• Another new trace mode, follow lets you follow traced processes to also trace their descendants.
• The default trace mode is now ALL processes rather than NEW processes. You can still ask Tracee to trace new processes using tracee --trace pid:new.
• Tracee can now run on ARM processors. We do not release ARM artifacts at the moment, but you can build Tracee yourself on an ARM machine.
• TRACEE_BPF_FILE environment variable now points to a file, not a directory as before. Also, the file it points to doesn't have to be named similar to Tracee's generated bpf.o file, it can have any name.
• Tracee can now show stack addresses associated with each event (thanks @pathtofile ).
• When processing Tracee's output with another tool, you can ask Tracee to send a special final event to signal end of transmission, using --output option:eot.
• When capturing written files, Tracee now adds an index file that maps which file was written under which name (thanks @jan0ski ).
• added support for new syscalls from recent kernel (thanks @mtcherni95 ).

Notable fixes:

• ptrace's request was incorrectly printed as number, and now prints the decoded textual values.
• fix issue with kernels earlier than 4.14.17.
• fixed an issue that prevented Tracee from being used as a go library.

Related videos:
https://youtu.be/ddkTX9vAHqE