feat: Add list-events flag for listing events #1071

simar7 · 2021-10-12T23:59:11Z

 ./dist/tracee-rules --list-events
security_socket_connect,dup,dup2,dup3,close,sched_process_exit,execve,security_socket_connect,ptrace,ptrace,security_file_open,process_vm_writev,security_sb_mount,magic_write,mem_prot_alert,security_bprm_check,security_bprm_check,security_file_open,init_module,security_kernel_read_file,security_file_open,execve,security_file_open

docker run --name tracee --rm --pid=host --privileged -v /tmp/tracee:/tmp/tracee -it tracee:latest 
+ TRACEE_EBPF_EXE=/tracee/tracee-ebpf
+ TRACEE_RULES_EXE=/tracee/tracee-rules
+ '['  '=' trace ]
+ /tracee/tracee-rules --list-events
+ EVENTS=security_socket_connect,dup,dup2,dup3,close,sched_process_exit,execve,security_socket_connect,ptrace,ptrace,security_file_open,process_vm_writev,security_sb_mount,magic_write,mem_prot_alert,security_bprm_check,security_bprm_check,security_file_open,init_module,security_kernel_read_file,security_file_open,execve,security_file_open
+ /tracee/tracee-ebpf '--output=format:gob' --security-alerts --trace 'event=security_socket_connect,dup,dup2,dup3,close,sched_process_exit,execve,security_socket_connect,ptrace,ptrace,security_file_open,process_vm_writev,security_sb_mount,magic_write,mem_prot_alert,security_bprm_check,security_bprm_check,security_file_open,init_module,security_kernel_read_file,security_file_open,execve,security_file_open'
+ /tracee/tracee-rules '--input-tracee=file:stdin' '--input-tracee=format:gob'
Loaded 14 signature(s): [TRC-1 TRC-13  TRC-2 TRC-3 TRC-11 TRC-9 TRC-4 TRC-5 TRC-12 TRC-8 TRC-6 TRC-10 TRC-7]

*** Detection ***
Time: 2021-10-13T05:13:46Z
Signature ID: TRC-8
Signature: K8S Service Account Token Use Detected
Data: map[]
Command: local-path-prov
Hostname: local-path-prov

Signed-off-by: Simar simar@linux.com

itaysk · 2021-10-13T00:09:13Z

Just noting that this doesn't address the linked issue.

simar7 · 2021-10-13T02:45:54Z

Just noting that this doesn't address the linked issue.

Could you explain why? Or what's missing from what's expected?

itaysk · 2021-10-13T13:55:24Z

the issue is about Tracee tracing just the events that the rules needed. this PR doesn't implement the requested feature, does it?

Signed-off-by: Simar <simar@linux.com>

simar7 · 2021-10-13T16:11:58Z

the issue is about Tracee tracing just the events that the rules needed. this PR doesn't implement the requested feature, does it?

I believe this was what you were thinking that was missing: e3a7171

This commit runs tracee-rules to gather the required events and then passes that output to tracee-ebpf to only trace relevant events.

simar7 requested review from itaysk and danielpacak October 12, 2021 23:59

simar7 self-assigned this Oct 12, 2021

feat: Add list-events flag for listing events

b5055b8

Signed-off-by: Simar <simar@linux.com>

simar7 force-pushed the list-events branch from 00cb61d to 077ae05 Compare October 13, 2021 16:09

feat: Use only relevant events to trace

e3a7171

Signed-off-by: Simar <simar@linux.com>

simar7 force-pushed the list-events branch from 077ae05 to e3a7171 Compare October 13, 2021 16:10

itaysk approved these changes Oct 13, 2021

View reviewed changes

simar7 merged commit 7a46f53 into aquasecurity:main Oct 13, 2021

itaysk mentioned this pull request Oct 13, 2021

trace only relevant events for available signatures #1045

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: Add list-events flag for listing events #1071

feat: Add list-events flag for listing events #1071

feat: Add list-events flag for listing events #1071

feat: Add list-events flag for listing events #1071

Conversation