Description
About accounts on capesandbox.com
- Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- I am running the latest version
- I did read the README!
- I checked the documentation and found no answer
- I checked to make sure that this issue has not already been filed
- I'm reporting the issue to the correct repository (for multi-repository projects)
- I have read and checked all configs (with all optional parts)
Expected Behavior
I am expecting that Tracee works properly and is able to analyze the malware file.
Current Behavior
What is the current behavior?
The current behavior is that docker is able to start with tracee but eventually there is a repeat of:
[modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
No meaningful signatures or information is gained and the submission simply times out. This is not the case when strace is enabled by itself.
What I have made sure of:
I've enabled tracee properly, made sure to install it correctly in the Linux VM, and properly configured it in the auxiliary.conf and processing.conf. Strace is also enabled. I'm not sure why I'm not getting back any signatures or meaningful data.
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
- Submit a file intended for Linux guest
- Get a report back
- No data is gained and looks like no analysis of the malware
Failure Logs
Please include any relevant log snippets or files here:
2025-09-22 14:10:45,005 [root] DEBUG: Starting analyzer from: /cr8mee3r
2025-09-22 14:10:45,006 [root] DEBUG: Storing results at: /tmp/XFfABqotb
2025-09-22 14:10:45,013 [root] DEBUG: Importing auxiliary module "modules.auxiliary.filecollector"...
2025-09-22 14:10:45,096 [root] DEBUG: Importing auxiliary module "modules.auxiliary.human"...
2025-09-22 14:10:45,249 [root] DEBUG: Importing auxiliary module "modules.auxiliary.screenshots"...
2025-09-22 14:10:45,295 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-09-22 14:10:45,297 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2025-09-22 14:10:45,297 [lib.api.screenshot] INFO: Please upgrade Pillow to >= 5.4.1 for best performance
2025-09-22 14:10:45,349 [root] DEBUG: Importing auxiliary module "modules.auxiliary.sysmon"...
2025-09-22 14:10:45,351 [root] DEBUG: Importing auxiliary module "modules.auxiliary.tracee"...
2025-09-22 14:10:45,355 [modules.auxiliary.filecollector] INFO: FileCollector run started
2025-09-22 14:10:45,364 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir snap
2025-09-22 14:10:46,644 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir root
2025-09-22 14:10:46,692 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir s1p3_whz
2025-09-22 14:10:46,696 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir 6tsmu_9i
2025-09-22 14:10:46,700 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir mnt
2025-09-22 14:10:46,701 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir ahjr7_14
2025-09-22 14:10:46,704 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir media
2025-09-22 14:10:46,705 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir sbin.usr-is-merged
2025-09-22 14:10:46,705 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir cr8mee3r
2025-09-22 14:10:46,706 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir srv
2025-09-22 14:10:46,706 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir .Library
2025-09-22 14:10:46,707 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir boot
2025-09-22 14:10:46,709 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir d9w5qvow
2025-09-22 14:10:46,713 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir etc
2025-09-22 14:10:46,803 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir kpdzasrr
2025-09-22 14:10:46,807 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir home
2025-09-22 14:10:46,886 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lib.usr-is-merged
2025-09-22 14:10:46,886 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir sbin
2025-09-22 14:10:46,886 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir bin.usr-is-merged
2025-09-22 14:10:46,887 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir cdrom
2025-09-22 14:10:46,887 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir bin
2025-09-22 14:10:46,887 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir lost+found
2025-09-22 14:10:46,888 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir xcz3xob1
2025-09-22 14:10:46,892 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tkgyvp3u
2025-09-22 14:10:46,897 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir opt
2025-09-22 14:10:46,898 [modules.auxiliary.filecollector] INFO: FileCollector trying to watch dir tmp
2025-09-22 14:10:46,900 [modules.auxiliary.filecollector] INFO: FileCollector setup complete
2025-09-22 14:10:47,356 [root] DEBUG: Initialized auxiliary module "FileCollector"
2025-09-22 14:10:47,358 [root] DEBUG: Trying to start auxiliary module "FileCollector"...
2025-09-22 14:10:47,359 [root] DEBUG: Started auxiliary module "FileCollector"
2025-09-22 14:10:47,362 [modules.auxiliary.human] DEBUG: Human init complete
2025-09-22 14:10:47,364 [root] DEBUG: Initialized auxiliary module "Human"
2025-09-22 14:10:47,366 [root] DEBUG: Trying to start auxiliary module "Human"...
2025-09-22 14:10:47,366 [root] DEBUG: Started auxiliary module "Human"
2025-09-22 14:10:47,367 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-09-22 14:10:47,368 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2025-09-22 14:10:47,371 [asyncio] DEBUG: Using selector: EpollSelector
2025-09-22 14:10:47,374 [root] DEBUG: Started auxiliary module "Screenshots"
2025-09-22 14:10:47,374 [root] DEBUG: Initialized auxiliary module "Sysmon"
2025-09-22 14:10:47,376 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2025-09-22 14:10:47,378 [root] DEBUG: Started auxiliary module "Sysmon"
2025-09-22 14:10:47,380 [modules.auxiliary.tracee] INFO: docker start
2025-09-22 14:10:47,390 [modules.auxiliary.tracee] INFO: True
2025-09-22 14:10:47,392 [modules.auxiliary.tracee] INFO: Tracee
2025-09-22 14:10:47,395 [root] DEBUG: Initialized auxiliary module "Docker"
2025-09-22 14:10:47,398 [root] DEBUG: Trying to start auxiliary module "Docker"...
2025-09-22 14:10:47,514 [modules.auxiliary.tracee] DEBUG: Starting docker container
2025-09-22 14:10:47,515 [modules.auxiliary.tracee] DEBUG: sudo docker run --name tracee -d --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -v /cr8mee3r/tracee-artifacts/:/tmp/tracee/out/host -v /var/run:/var/run:ro -v /cr8mee3r/modules/auxiliary/tracee:/policy aquasec/tracee:latest --output json --output option:parse-arguments,exec-env,exec-hash --policy /policy/policy.yml --cache cache-type=mem --cache mem-cache-size=1024 --capture bpf --capture module
2025-09-22 14:10:48,152 [modules.auxiliary.tracee] DEBUG: Docker container started: 7ba9c5608d4a2868c0bc475b5f2ccca5cd25a335f44b68caa598f41f5bf9dd7f
2025-09-22 14:10:58,220 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:10:58,274 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:08,312 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:08,366 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:18,387 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:18,449 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:28,478 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:28,524 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:38,533 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:38,579 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:48,591 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:48,654 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:58,707 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:58,756 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:08,768 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:08,816 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:18,825 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:18,869 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:28,880 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:28,925 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:38,936 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:38,990 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:49,006 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:49,053 [modules.auxiliary.tracee] INFO:
2025-09-22 14:12:59,074 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:12:59,126 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:09,157 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:09,217 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:19,267 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:19,313 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:29,324 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:29,377 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:39,390 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:39,440 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:49,464 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:49,509 [modules.auxiliary.tracee] INFO:
2025-09-22 14:13:59,559 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:13:59,611 [modules.auxiliary.tracee] INFO:
2025-09-22 14:14:09,616 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:14:09,656 [modules.auxiliary.tracee] INFO:
2025-09-22 14:14:19,677 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:14:19,736 [modules.auxiliary.tracee] INFO:
2025-09-22 14:14:29,768 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:14:29,819 [modules.auxiliary.tracee] INFO:
2025-09-22 14:14:39,861 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:14:39,913 [modules.auxiliary.tracee] INFO:
2025-09-22 14:14:49,950 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:14:50,006 [modules.auxiliary.tracee] INFO:
2025-09-22 14:15:00,011 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:15:00,056 [modules.auxiliary.tracee] INFO:
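The following triage helper is an added example, not code from the CAPE project or from the issue author. It parses analyzer log lines of the shape shown above, counts health-check rounds whose following INFO line is empty (the pattern in the failure log), pulls the volume mounts out of the logged docker run command, and reports which host directory Tracee's output is mapped to so it can be inspected in the guest. The function names are assumptions; the sample lines are copied from the log above and trimmed.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One CAPE analyzer log line: "<timestamp> [<logger>] <LEVEL>: <message>".
# The message may be empty, which is exactly the case of interest here.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+): ?(?P<msg>.*)$"
)

TRACEE_LOGGER = "modules.auxiliary.tracee"
TRACEE_OUT_IN_CONTAINER = "/tmp/tracee/out/host"  # container path from the logged command


@dataclass
class TraceeTriage:
    container_id: Optional[str] = None
    docker_cmd: Optional[str] = None
    health_checks: int = 0
    empty_health_outputs: int = 0
    nonempty_health_outputs: List[str] = field(default_factory=list)


def triage_tracee_log(lines) -> TraceeTriage:
    """Walk the analyzer log and summarise what the tracee module reported."""
    t = TraceeTriage()
    expecting_output = False  # True right after a health-check line
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m or m["logger"] != TRACEE_LOGGER:
            continue
        msg = m["msg"]
        if msg.startswith("Docker container started: "):
            t.container_id = msg.split(": ", 1)[1]
        elif msg.startswith("sudo docker run"):
            t.docker_cmd = msg
        elif msg.startswith("tracee-health-check"):
            t.health_checks += 1
            expecting_output = True
        elif expecting_output:
            # The line after a health check carries the check's output.
            if msg == "":
                t.empty_health_outputs += 1
            else:
                t.nonempty_health_outputs.append(msg)
            expecting_output = False
    return t


def verdict(t: TraceeTriage) -> str:
    """Turn the summary into a one-line diagnosis."""
    if t.container_id is None:
        return "tracee container never reported as started"
    if t.health_checks == 0:
        return "container started but no health checks logged"
    if t.empty_health_outputs == t.health_checks:
        return "container running but every health check returned empty output"
    return "health checks returned output"


def volume_mounts(docker_cmd: str) -> List[Tuple[str, str, str]]:
    """Return (host_path, container_path, mode) for every -v in the command."""
    args = shlex.split(docker_cmd)
    mounts = []
    for i, a in enumerate(args[:-1]):
        if a == "-v":
            parts = args[i + 1].split(":")
            mode = parts[2] if len(parts) > 2 else "rw"  # docker default mode
            mounts.append((parts[0], parts[1], mode))
    return mounts


def tracee_output_dir(docker_cmd: str) -> Optional[str]:
    """Host directory the container's tracee output path is bound to, if any."""
    for host, container, _mode in volume_mounts(docker_cmd):
        if container == TRACEE_OUT_IN_CONTAINER:
            return host
    return None


# Constructed sample: lines copied from the failure log in this issue, trimmed.
SAMPLE_LOG = """\
2025-09-22 14:10:47,380 [modules.auxiliary.tracee] INFO: docker start
2025-09-22 14:10:47,514 [modules.auxiliary.tracee] DEBUG: Starting docker container
2025-09-22 14:10:47,515 [modules.auxiliary.tracee] DEBUG: sudo docker run --name tracee -d --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -v /cr8mee3r/tracee-artifacts/:/tmp/tracee/out/host -v /var/run:/var/run:ro -v /cr8mee3r/modules/auxiliary/tracee:/policy aquasec/tracee:latest --output json --policy /policy/policy.yml
2025-09-22 14:10:48,152 [modules.auxiliary.tracee] DEBUG: Docker container started: 7ba9c5608d4a2868c0bc475b5f2ccca5cd25a335f44b68caa598f41f5bf9dd7f
2025-09-22 14:10:58,220 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:10:58,274 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:08,312 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:08,366 [modules.auxiliary.tracee] INFO:
2025-09-22 14:11:18,387 [modules.auxiliary.tracee] INFO: tracee-health-check-1903ae
2025-09-22 14:11:18,449 [modules.auxiliary.tracee] INFO:
"""

if __name__ == "__main__":
    summary = triage_tracee_log(SAMPLE_LOG.splitlines())
    print(verdict(summary))
    print("tracee output on host:", tracee_output_dir(summary.docker_cmd))
```

Run against the log of a timed-out submission; if the verdict is "every health check returned empty output", the next place to look is the host directory the helper prints, since that is where the container writes its JSON output and an empty directory there narrows the problem to Tracee itself rather than to CAPE's processing of its results.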