From 1519a5fef0384b7bc8a4f538551f33191abcd06b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Geyslan=20Greg=C3=B3rio?= Date: Wed, 28 Jun 2023 14:07:05 -0300 Subject: [PATCH] wip6 --- cmd/tracee/cmd/analyze.go | 4 +-- .../events/builtin/extra/hooked_syscalls.md | 4 ++- docs/docs/events/overview.md | 8 ++--- docs/docs/filters/filtering.md | 4 +-- pkg/cmd/flags/filter.go | 18 +++++----- pkg/cmd/flags/policy.go | 3 +- pkg/ebpf/c/common/filtering.h | 6 ++-- pkg/ebpf/events_pipeline.go | 5 +-- pkg/ebpf/tracee.go | 2 +- tests/e2e-inst-test.sh | 2 +- tests/integration/event_filters_test.go | 34 +++++++++++++++++++ 11 files changed, 64 insertions(+), 26 deletions(-) diff --git a/cmd/tracee/cmd/analyze.go b/cmd/tracee/cmd/analyze.go index e5ae1020e5f1..c5e4a2a4fd05 100644 --- a/cmd/tracee/cmd/analyze.go +++ b/cmd/tracee/cmd/analyze.go @@ -96,8 +96,8 @@ var analyze = &cobra.Command{ Tracee can be used to collect events and store it in a file. This file can be used as input to analyze. eg: -tracee --filter event=ptrace --output=json:events.json -tracee analyze --event=anti_debugging events.json`, +tracee --event ptrace --output=json:events.json +tracee analyze --event anti_debugging events.json`, Run: func(cmd *cobra.Command, args []string) { inputFile, err := os.Open(args[0]) if err != nil { diff --git a/docs/docs/events/builtin/extra/hooked_syscalls.md b/docs/docs/events/builtin/extra/hooked_syscalls.md index 873daba5a28f..21d545424e27 100644 --- a/docs/docs/events/builtin/extra/hooked_syscalls.md +++ b/docs/docs/events/builtin/extra/hooked_syscalls.md 
@@ -60,7 +60,9 @@ Detection of syscall hooking. The `hooked_syscalls` event could be used as part of a broader system integrity monitoring solution. For example, a security engineer could use it to raise alerts or run further investigations if unexpected syscall hooking activities are detected. This could aid in the early detection and mitigation of malware or rootkit infections. Example: -`tracee -f e=hooked_syscalls -f hooked_syscalls.args.check_syscalls=,,...` +```console +tracee -e hooked_syscalls -e hooked_syscalls.args.check_syscalls=,,...` +``` ## Issues The `check_syscalls` argument is used as a parameter to specify the syscalls to be checked. This will change in the future to be an event parameter. diff --git a/docs/docs/events/overview.md b/docs/docs/events/overview.md index 6c9aaf6d8b5b..fbc717694962 100644 --- a/docs/docs/events/overview.md +++ b/docs/docs/events/overview.md @@ -116,13 +116,13 @@ net_packet_http_response | [default network_events] | Events can be part of a set, for example on the table above we can see a few sets like `default`, `network_events`, `syscalls`. We can ask tracee to trace a full set, or sets, instead of passing event by event, for example: -``` -tracee --scope set=syscalls +```console +tracee --event syscalls ``` or -``` -tracee --scope set=syscalls,network_events +```console +tracee --event syscalls,network_events ``` diff --git a/docs/docs/filters/filtering.md b/docs/docs/filters/filtering.md index 8ead020fbeae..23797ab7d6c1 100644 --- a/docs/docs/filters/filtering.md +++ b/docs/docs/filters/filtering.md @@ -109,8 +109,8 @@ expected. 1. **Event Sets** `(Operators: =, !=)` ```text - 1) --scope set=fs - 2) --scope set=lsm_hooks,network_events + 1) --event fs + 2) --event lsm_hooks,network_events ``` !!! Note diff --git a/pkg/cmd/flags/filter.go b/pkg/cmd/flags/filter.go index 9059ed60e40e..1240ed0d113c 100644 --- a/pkg/cmd/flags/filter.go +++ b/pkg/cmd/flags/filter.go 
@@ -64,21 +64,21 @@ Examples: --scope pidns!=4026531836 | only trace events from pidns id not equal to 4026531840 --scope tree=476165 | only trace events that descend from the process with pid 476165 --scope tree!=5023 | only trace events if they do not descend from the process with pid 5023 - --scope tree=3213,5200 --scope tree!=3215 | only trace events if they descend from 3213 or 5200, but not 3215 + --scope tree=3213,5200 --scope tree!=3215 | only trace events if they descend from 3213 or 5200, but not 3215 --scope 'uid>0' | only trace events from uids greater than 0 - --scope 'pid>0' --scope 'pid<1000' | only trace events from pids between 0 and 1000 - --scope 'u>0' --scope u!=1000 | only trace events from uids greater than 0 but not 1000 + --scope 'pid>0' --scope 'pid<1000' | only trace events from pids between 0 and 1000 + --scope 'u>0' --scope u!=1000 | only trace events from uids greater than 0 but not 1000 --scope uts!=ab356bc4dd554 | don't trace events from uts name ab356bc4dd554 --scope comm=ls | only trace events from ls command --scope binary=/usr/bin/ls | only trace events from /usr/bin/ls binary --scope binary=host:/usr/bin/ls | only trace events from /usr/bin/ls binary in the host mount namespace --scope binary=4026532448:/usr/bin/ls | only trace events from /usr/bin/ls binary in 4026532448 mount namespace - --scope comm=bash --scope follow | trace all events that originated from bash or from one of the processes spawned by bash - --event execve,open | only trace execve and open events - --event 'open*' | only trace events prefixed by "open" - --event '-open*,-dup*' | don't trace events prefixed by "open" or "dup" - ??? --scope set=fs | trace all file-system related events - ??? 
--scope s=fs --scope e!=open,openat | trace all file-system related events, but not open(at) + --scope comm=bash --scope follow | trace all events that originated from bash or from one of the processes spawned by bash + --event execve,open | only trace execve and open events + --event 'open*' | only trace events prefixed by "open" + --event '-open*,-dup*' | don't trace events prefixed by "open" or "dup" + --event fs | trace all file-system related events + --event fs --event -open,-openat | trace all file-system related events, but not open(at) --event close.args.fd=5 | only trace 'close' events that have 'fd' equals 5 --event openat.args.pathname='/tmp*' | only trace 'openat' events that have 'pathname' prefixed by /tmp --event openat.args.pathname='*shadow' | only trace 'openat' events that have 'pathname' suffixed by shadow diff --git a/pkg/cmd/flags/policy.go b/pkg/cmd/flags/policy.go index 15938a461e36..7da1036c6574 100644 --- a/pkg/cmd/flags/policy.go +++ b/pkg/cmd/flags/policy.go @@ -121,8 +121,7 @@ func CreatePolicies(policyScopeMap PolicyScopeMap, policyEventsMap PolicyEventMa } } - // todo: remove all occurances of "--scope" - // change all --scope event something to --scope something + // todo: change all --scope event something to --scope something policies := policy.NewPolicies() for policyIdx, policyScopeFilters := range policyScopeMap { diff --git a/pkg/ebpf/c/common/filtering.h b/pkg/ebpf/c/common/filtering.h index 817339b42965..277c55acc550 100644 --- a/pkg/ebpf/c/common/filtering.h +++ b/pkg/ebpf/c/common/filtering.h 
@@ -95,7 +95,8 @@ statfunc u64 equality_filter_matches(u64 filter_out_scopes, void *filter_map, vo
 {
 // check compute_scopes() for initial info
 //
- // e.g.: cmdline: -f 2:comm=who -f 3:comm=ping -f 4:comm!=who
+ // hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+ // -s 2:comm=who -s 3:comm=ping -s 4:comm!=who
 //
 // filter_out_scopes = 0000 1000, since scope 4 has "not equal" for comm filter
 // filter_map = comm_filter
@@ -146,7 +147,8 @@ statfunc u64 bool_filter_matches(u64 filter_out_scopes, bool val)
 {
 // check compute_scopes() for initial info
 //
- // e.g.: cmdline: -f 5:container
+ // hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+ // -s 5:container
 //
 // considering an event from a container
 //
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
index 9b8308a4242a..06095838d736 100644
--- a/pkg/ebpf/events_pipeline.go
+++ b/pkg/ebpf/events_pipeline.go
@@ -332,8 +332,9 @@ func (t *Tracee) matchPolicies(event *trace.Event) uint64 {
 // An event with a matched policy for global min/max range might not match all
 // policies with UID and PID filters with different min/max ranges.
 //
- // e.g.: -f 59:comm=who -f '59:pid>100' -f '59:pid<1257738' \
- // -f 30:comm=who -f '30:pid>502000' -f '30:pid<505000'
+ // hypothetical cmdline where the prefix numbers specify the scopes, e.g.:
+ // -s 59:comm=who -s '59:pid>100' -s '59:pid<1257738' \
+ // -s 30:comm=who -s '30:pid>502000' -s '30:pid<505000'
 //
 // For kernel filtering, the flags from the example would compute:
 //
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 9d5ce8867abc..9f5f1ffaad04 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -1649,7 +1649,7 @@ func (t *Tracee) triggerSyscallsIntegrityCheck(event trace.Event) error {
 hookedSyscallsFilters := p.ArgFilter.GetEventFilters(events.HookedSyscalls)
 if len(hookedSyscallsFilters) == 0 {
 logger.Debugw("policy %d: no syscalls were provided to hooked_syscall event. "+
- "using default configuration. please provide it via -f hooked_syscalls.args.check_syscalls=,", p.ID)
+ "using default configuration. please provide it via -s hooked_syscalls.args.check_syscalls=,", p.ID)
 derive.SyscallsToCheck = events.DefaultSyscallsToCheck()
 }
diff --git a/tests/e2e-inst-test.sh b/tests/e2e-inst-test.sh
index 2516ffd90098..2b949065a6d1 100755
--- a/tests/e2e-inst-test.sh
+++ b/tests/e2e-inst-test.sh
@@ -92,7 +92,7 @@ for TEST in $TESTS; do
 --log file:$SCRIPT_TMP_DIR/tracee-log-$$ \
 --signatures-dir $SIG_DIR \
 --scope comm=echo,mv,ls,tracee \
- --scope set=signatures &
+ --event signatures &
 # wait tracee-ebpf to be started (30 sec most)
 times=0
diff --git a/tests/integration/event_filters_test.go b/tests/integration/event_filters_test.go
index 87f17c887362..366a6a7db910 100644
--- a/tests/integration/event_filters_test.go
+++ b/tests/integration/event_filters_test.go
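Review bot: The rewritten log line tells the operator to pass the argument filter as `-s hooked_syscalls.args.check_syscalls=,`, which disagrees with the rest of this patch: the filter.go help lists argument filters under `--event` (`--event close.args.fd=5`), the hooked_syscalls.md hunk spells this very example as `-e hooked_syscalls.args.check_syscalls=,,...`, and `-s` reads as the scope short flag in the filtering.h comments. Unless the short-flag mapping differs from what that help text shows, the string should become `"using default configuration. please provide it via -e hooked_syscalls.args.check_syscalls=,", p.ID)`. The enclosing `logger.Debugw("policy %d: ...")` call also pairs a printf verb with a trailing `p.ID` argument; if Debugw follows the zap convention of message plus key/value pairs, `%d` is never substituted and `p.ID` becomes a dangling key — that predates this hunk but is cheap to fix while the string is touched, by moving the id into a pair such as `"policy", p.ID`. triggerSyscallsIntegrityCheck's body starts before and continues after the hunk.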
@@ -493,6 +493,40 @@ func Test_EventFilters(t *testing.T) {
 useSyscaller: false,
 test: ExpectAllInOrder,
 },
+ {
+ name: "comm: trace filesystem events from ls command",
+ policyFiles: []policyFileWithID{
+ {
+ id: 1,
+ policyFile: policy.PolicyFile{
+ Name: "event_fs",
+ Description: "trace filesystem events from ls command",
+ Scope: []string{
+ "comm=ls",
+ },
+ DefaultActions: []string{"log"},
+ Rules: []policy.Rule{
+ {
+ Event: "fs",
+ Filters: []string{},
+ },
+ },
+ },
+ },
+ },
+ cmdEvents: []cmdEvents{
+ newCmdEvents(
+ "ls",
+ 1*time.Second,
+ []trace.Event{
+ expectEvent(anyHost, "ls", cpu.CPUForTests, anyPID, 0, anyEventID, orPolNames("event_fs"), orPolIDs(1)),
+ },
+ []string{"fs"},
+ ),
+ },
+ useSyscaller: false,
+ test: ExpectAllEqualTo,
+ },
 {
 name: "bin: event: trace only setns events from \"/usr/bin/dockerd\" binary",
 policyFiles: []policyFileWithID{
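Review bot: The added expectation `expectEvent(anyHost, "ls", cpu.CPUForTests, anyPID, 0, anyEventID, orPolNames("event_fs"), orPolIDs(1))` pins comm, the fifth argument (presumably the uid) and the policy, but uses `anyEventID`, so under `ExpectAllEqualTo` the case only shows that whatever `ls` emitted was tagged with policy `event_fs` — it does not show that `Event: "fs"` was expanded to the file-system set rather than to nothing or to every event. Pinning one event that is certainly both in the set and produced by `ls`, or adding a second expectation with a concrete event id, would make the case actually exercise the set resolution this commit appears to introduce. The literal `0` in the uid position also presumes the suite runs as root; a short comment such as `// uid 0: the integration suite runs as root` would spare the next reader from guessing. `Filters: []string{}` can be omitted, since a nil slice behaves the same for `len`/`range`, unless the policy loader distinguishes nil from empty.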