wip6

cmd/tracee/cmd/analyze.go

@@ -96,8 +96,8 @@ var analyze = &cobra.Command{
 Tracee can be used to collect events and store it in a file. This file can be used as input to analyze.
 
 eg:
-tracee --filter event=ptrace --output=json:events.json
-tracee analyze --event=anti_debugging events.json`,
+tracee --event ptrace --output=json:events.json
+tracee analyze --event anti_debugging events.json`,
 	Run: func(cmd *cobra.Command, args []string) {
 		inputFile, err := os.Open(args[0])
 		if err != nil {

docs/docs/events/builtin/extra/hooked_syscalls.md

@@ -60,7 +60,9 @@ Detection of syscall hooking.
 The `hooked_syscalls` event could be used as part of a broader system integrity monitoring solution. For example, a security engineer could use it to raise alerts or run further investigations if unexpected syscall hooking activities are detected. This could aid in the early detection and mitigation of malware or rootkit infections.
 Example:
 
-`tracee -f e=hooked_syscalls -f hooked_syscalls.args.check_syscalls=<syscall>,<syscall>,...`
+```console
+tracee -e hooked_syscalls -e hooked_syscalls.args.check_syscalls=<syscall>,<syscall>,...`
+```
 
 ## Issues
 The `check_syscalls` argument is used as a parameter to specify the syscalls to be checked. This will change in the future to be an event parameter.

docs/docs/events/overview.md

@@ -116,13 +116,13 @@ net_packet_http_response | [default network_events] |
 Events can be part of a set, for example on the table above we can see a few sets like `default`, `network_events`, `syscalls`. 
 We can ask tracee to trace a full set, or sets, instead of passing event by event, for example:
 
-```
-tracee --scope set=syscalls
+```console
+tracee --event syscalls
 ```
 or 
 
-```
-tracee --scope set=syscalls,network_events
+```console
+tracee --event syscalls,network_events
 ```
 
 

docs/docs/filters/filtering.md

@@ -109,8 +109,8 @@ expected.
 1. **Event Sets** `(Operators: =, !=)`
 
     ```text
-    1) --scope set=fs
-    2) --scope set=lsm_hooks,network_events
+    1) --event fs
+    2) --event lsm_hooks,network_events
     ```
 
     !!! Note

pkg/cmd/flags/filter.go

@@ -64,21 +64,21 @@ Examples:
   --scope pidns!=4026531836                                    | only trace events from pidns id not equal to 4026531840
   --scope tree=476165                                          | only trace events that descend from the process with pid 476165
   --scope tree!=5023                                           | only trace events if they do not descend from the process with pid 5023
-  --scope tree=3213,5200 --scope tree!=3215                   | only trace events if they descend from 3213 or 5200, but not 3215
+  --scope tree=3213,5200 --scope tree!=3215                    | only trace events if they descend from 3213 or 5200, but not 3215
   --scope 'uid>0'                                              | only trace events from uids greater than 0
-  --scope 'pid>0' --scope 'pid<1000'                          | only trace events from pids between 0 and 1000
-  --scope 'u>0' --scope u!=1000                               | only trace events from uids greater than 0 but not 1000
+  --scope 'pid>0' --scope 'pid<1000'                           | only trace events from pids between 0 and 1000
+  --scope 'u>0' --scope u!=1000                                | only trace events from uids greater than 0 but not 1000
   --scope uts!=ab356bc4dd554                                   | don't trace events from uts name ab356bc4dd554
   --scope comm=ls                                              | only trace events from ls command
   --scope binary=/usr/bin/ls                                   | only trace events from /usr/bin/ls binary
   --scope binary=host:/usr/bin/ls                              | only trace events from /usr/bin/ls binary in the host mount namespace
   --scope binary=4026532448:/usr/bin/ls                        | only trace events from /usr/bin/ls binary in 4026532448 mount namespace
-  --scope comm=bash --scope follow                            | trace all events that originated from bash or from one of the processes spawned by bash
-  --event execve,open                                    | only trace execve and open events
-  --event 'open*'                                        | only trace events prefixed by "open"
-  --event '-open*,-dup*'                                  | don't trace events prefixed by "open" or "dup"
-  ??? --scope set=fs                                               | trace all file-system related events
-  ??? --scope s=fs --scope e!=open,openat                         | trace all file-system related events, but not open(at)
+  --scope comm=bash --scope follow                             | trace all events that originated from bash or from one of the processes spawned by bash
+  --event execve,open                                          | only trace execve and open events
+  --event 'open*'                                              | only trace events prefixed by "open"
+  --event '-open*,-dup*'                                       | don't trace events prefixed by "open" or "dup"
+  --event fs                                                   | trace all file-system related events
+  --event fs --event -open,-openat                             | trace all file-system related events, but not open(at)
   --event close.args.fd=5                                      | only trace 'close' events that have 'fd' equals 5
   --event openat.args.pathname='/tmp*'                         | only trace 'openat' events that have 'pathname' prefixed by /tmp
   --event openat.args.pathname='*shadow'                       | only trace 'openat' events that have 'pathname' suffixed by shadow

pkg/cmd/flags/policy.go

@@ -121,8 +121,7 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa
 		}
 	}
 
-	// todo: remove all occurances of "--scope"
-	// change all --scope event something to --scope something
+	// todo: change all --scope event something to --scope something
 
 	policies := policy.NewPolicies()
 	for policyIdx, policyScopeFilters := range policyScopeMap {

pkg/ebpf/c/common/filtering.h

@@ -95,7 +95,8 @@ statfunc u64 equality_filter_matches(u64 filter_out_scopes, void *filter_map, vo
 {
     // check compute_scopes() for initial info
     //
-    // e.g.: cmdline: -f 2:comm=who -f 3:comm=ping -f 4:comm!=who
+    // hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+    //   -s 2:comm=who -s 3:comm=ping -s 4:comm!=who
     //
     // filter_out_scopes = 0000 1000, since scope 4 has "not equal" for comm filter
     // filter_map        = comm_filter
@@ -146,7 +147,8 @@ statfunc u64 bool_filter_matches(u64 filter_out_scopes, bool val)
 {
     // check compute_scopes() for initial info
     //
-    // e.g.: cmdline: -f 5:container
+    // hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+    //   -s 5:container
     //
     // considering an event from a container
     //

pkg/ebpf/events_pipeline.go

@@ -332,8 +332,9 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 			// An event with a matched policy for global min/max range might not match all
 			// policies with UID and PID filters with different min/max ranges.
 			//
-			// e.g.: -f 59:comm=who -f '59:pid>100' -f '59:pid<1257738' \
-			//       -f 30:comm=who -f '30:pid>502000' -f '30:pid<505000'
+			// hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+			//   -s 59:comm=who -s '59:pid>100' -s '59:pid<1257738' \
+			//   -s 30:comm=who -s '30:pid>502000' -s '30:pid<505000'
 			//
 			// For kernel filtering, the flags from the example would compute:
 			//

pkg/ebpf/tracee.go

@@ -1649,7 +1649,7 @@ func (t *Tracee) triggerSyscallsIntegrityCheck(event trace.Event) error {
 		hookedSyscallsFilters := p.ArgFilter.GetEventFilters(events.HookedSyscalls)
 		if len(hookedSyscallsFilters) == 0 {
 			logger.Debugw("policy %d: no syscalls were provided to hooked_syscall event. "+
-				"using default configuration. please provide it via -f hooked_syscalls.args.check_syscalls=<syscall>,<syscall>", p.ID)
+				"using default configuration. please provide it via -s hooked_syscalls.args.check_syscalls=<syscall>,<syscall>", p.ID)
 			derive.SyscallsToCheck = events.DefaultSyscallsToCheck()
 		}
 

tests/e2e-inst-test.sh

@@ -92,7 +92,7 @@ for TEST in $TESTS; do
         --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \
         --signatures-dir $SIG_DIR \
         --scope comm=echo,mv,ls,tracee \
-        --scope set=signatures &
+        --event signatures &
 
     # wait tracee-ebpf to be started (30 sec most)
     times=0

tests/integration/event_filters_test.go

@@ -493,6 +493,40 @@ func Test_EventFilters(t *testing.T) {
 			useSyscaller: false,
 			test:         ExpectAllInOrder,
 		},
+		{
+			name: "comm: trace filesystem events from ls command",
+			policyFiles: []policyFileWithID{
+				{
+					id: 1,
+					policyFile: policy.PolicyFile{
+						Name:        "event_fs",
+						Description: "trace filesystem events from ls command",
+						Scope: []string{
+							"comm=ls",
+						},
+						DefaultActions: []string{"log"},
+						Rules: []policy.Rule{
+							{
+								Event:   "fs",
+								Filters: []string{},
+							},
+						},
+					},
+				},
+			},
+			cmdEvents: []cmdEvents{
+				newCmdEvents(
+					"ls",
+					1*time.Second,
+					[]trace.Event{
+						expectEvent(anyHost, "ls", cpu.CPUForTests, anyPID, 0, anyEventID, orPolNames("event_fs"), orPolIDs(1)),
+					},
+					[]string{"fs"},
+				),
+			},
+			useSyscaller: false,
+			test:         ExpectAllEqualTo,
+		},
 		{
 			name: "bin: event: trace only setns events from \"/usr/bin/dockerd\" binary",
 			policyFiles: []policyFileWithID{