8000 feat(events): create tracee_info event by rscampos · Pull Request #4166 · aquasecurity/tracee · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

feat(events): create tracee_info event #4166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 4, 2024
Merged

feat(events): create tracee_info event #4166

merged 1 commit into from
Jul 4, 2024

Conversation

rscampos
Copy link
Collaborator
@rscampos rscampos commented Jul 2, 2024
edited
Loading

fix: #4174

1. Explain what the PR does

5c02ebf feat(events): create tracee_info event

Create an event that export Tracee's data upon startup.

Co-authored-by: Alon Zivony <alon.zivony@aquasec.com>

2. Explain how to test it

3. Other comments

Credits to @AlonZivony, who did the work.

@rscampos rscampos requested a review from yanivagman July 2, 2024 17:47
yanivagman
yanivagman approved these changes Jul 3, 2024
View reviewed changes
Copy link
Collaborator
@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

yanivagman
yanivagman reviewed Jul 3, 2024
View reviewed changes
yanivagman
yanivagman reviewed Jul 3, 2024
View reviewed changes
docs/docs/events/builtin/extra/tracee_info.md Outdated
8000

## Arguments

* `boot_time`:`u64`[U] - the boot time of the system Tracee run in since epoch.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* `boot_time`:`u64`[U] - the boot time of the system Tracee run in since epoch.
* `boot_time`:`u64`[U] - the boot time of the system that Tracee is running on, relative to the Unix epoch.

@NDStrahilevitz
Copy link
Collaborator
NDStrahilevitz commented Jul 3, 2024
edited
Loading

@yanivagman @rscampos Doesn't this fit the datastore framework much more? Static data which should be accessible over time shouldn't be exposed as a transient event. As this data fits under the traceectl status future command, shouldn't this be statically held and exposed under a gRPC method? And a signature could access it through the datastore API.

@yanivagman
Copy link
Collaborator

@yanivagman @rscampos Doesn't this fit the datastore framework much more? Static data which should be accessible over time shouldn't be exposed as a transient event. As this data fits under the traceectl status future command, shouldn't this be statically held and exposed under a gRPC method? And a signature could access it through the datastore API.

The first reason for creating this event is to be used by the file source (aka "analyze mode"). Since we only expose events in the output file, I don't think data store would fit for this purpose

@NDStrahilevitz
Copy link
Collaborator

I think we should invest in a more robust way to convert datastores in general into sources for the analyze mode in this case, rather than adding directly as a pipeline event (although it could be a solution that datastores emit events).

An example for such a design could be that each datastore would implement a "commitlog" interface. So changes can only be done through commits, which the datastore needs to keep track of (if its designed to be used in analyze mode later - maybe some datastore authors in plugins will not have this intention). Then, we could set a flag that dumps the commit-log after tracee's run. Maybe we would have CommitDataStore which inherits DataStore, and only CommitDataStores can work in analyze mode.

geyslan
geyslan reviewed Jul 3, 2024
View reviewed changes
@rscampos @AlonZivony
feat(events): create tracee_info event
5c02ebf 
Create an event that export Tracee's data upon startup.

Co-authored-by: Alon Zivony <alon.zivony@aquasec.com>
@rscampos rscampos force-pushed the pr_4120_commit_1_event_tracee_info branch from b78524b to 5c02ebf Compare July 3, 2024 13:26
@yanivagman
Copy link
Collaborator

I think we should invest in a more robust way to convert datastores in general into sources for the analyze mode in this case, rather than adding directly as a pipeline event (although it could be a solution that datastores emit events).

An example for such a design could be that each datastore would implement a "commitlog" interface. So changes can only be done through commits, which the datastore needs to keep track of (if its designed to be used in analyze mode later - maybe some datastore authors in plugins will not have this intention). Then, we could set a flag that dumps the commit-log after tracee's run. Maybe we would have CommitDataStore which inherits DataStore, and only CommitDataStores can work in analyze mode.

I agree that we should invest in data stores and to keep its state for later analysis. This will require a careful design and implementation though. So for now, I think we can continue with the approach of having the "tracee_info" event, which can also signal the start of the event stream (thus it can be seen as an event on its own)

@rscampos rscampos merged commit f9f0e24 into aquasecurity:main Jul 4, 2024
32 checks passed
This was referenced Jul 4, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geyslan geyslan geyslan left review comments

@yanivagman yanivagman yanivagman approved these changes

Assignees

@rscampos rscampos

Labels
area/ebpf area/events kind/documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add tracee_info event
4 participants
@rscampos @NDStrahilevitz @yanivagman @geyslan
0