Closed dorkamotorka closed 1 hour ago
Hi, not sure I understand the question. The docs site doesn't mention tracee-ebpf nor tracee-rules at all. It is all about using the tracee binary, which includes the functionality of both tracee-ebpf and tracee-rules. What is missing? https://aquasecurity.github.io/tracee/v0.22/docs/overview/
About the env var and build environment - we will remove all of this stuff once tracee-ebpf and tracee-rules will be fully removed from the repo
Oh I see, I've read the legacy version of the docs - sorry for that. Still, I'm fine with the tracee single binary, but is there a way to run it to output all events? I guess it's a feature that only events with signatures are logged, but what if I just want to observe the system as a whole, independent of whether there's a signature for it or not?
You can do that with tracee as well. The new tracee binary allows you to define which events you want, exactly the same way as with tracee-ebpf. The signatures now became "events" as well, so you can simply select the signatures you want to have combined with "low-level" events. The tracee binary also supports policies, for example: https://github.com/aquasecurity/tracee/blob/main/examples/policies/signature_events.yaml https://github.com/aquasecurity/tracee/blob/main/examples/policies/openat_data_pahtname.yaml
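As an added illustration of the point made in this reply (this is not a file from the tracee repository and not code posted by anyone in the thread), the policy below selects a "low-level" syscall event next to a signature event in one policy. The policy schema, the `apiVersion` string, the `defaultActions` key and the `data.pathname` filter syntax are assumptions based on the tracee policy format; check them against the two linked example files for the tracee version in use.

```yaml
# Added example, not from the tracee project: one policy that mixes a
# raw syscall event with a signature event. Field names are assumptions;
# compare with examples/policies/*.yaml in the tracee repository.
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  name: mixed-events-example
  annotations:
    description: log openat on /etc/passwd plus the anti_debugging signature
spec:
  scope:
    - global            # assumed: apply to the whole host, no workload filter
  defaultActions: [log] # assumed: emit matching events to the configured output
  rules:
    - event: openat     # low-level event, same selection as with tracee-ebpf
      filters:
        - data.pathname=/etc/passwd   # assumed filter key, see openat_data_pahtname.yaml
    - event: anti_debugging           # signature, now selectable like any other event
```

Dropping the `filters` block under `openat` would log every `openat` call on the system, which is the "observe the whole system" case asked about above; the signature rule can stay in the same policy or be left out entirely.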
Thank you 🙌
Through the commit I figured out that tracee ebpf only was deprecated.
Neither does
make -f builder/Makefile.tracee-container run-tracee-ebpf
nor running the container with the TRACEE_EBPF_ONLY=1 env variable. It just runs it with tracee-rules as well. Can someone update the documentation on how one can run tracee without tracee-rules?
Or demonstrate it here, and I can open a PR for that.