Feature/event context filter #2229

NDStrahilevitz · 2022-10-11T15:59:16Z

Initial Checklist

There is an issue describing the need for this PR.
Git log contains summary of the change.
Git log contains motivation and context of the change.
If part of an EPIC, PR git log contains EPIC number.
If part of an EPIC, PR was added to EPIC description.

Description (git log)

commit 617c4f9

    shouldProcessEvent: merge context filter
    
    1. Move the function to the event pipeline.
    2. Merge the context filter into the logic, short circuiting it before
    argument filtering.

commit cbe4c3c (BREAKING CHANGE @yanivagman)

    filter: parse args filter with .args

commit 9b02477

    filters: add event context filter
    
    The context filter takes filter expressions based on trace.Event
    non argument values.
    
    For example one can trace only for openat events if they originate in a
    the ls process with `-t openat.context.processName=ls`.

Fixes: #1830

Type of change

Bug fix (non-breaking change fixing an issue, preferable).
Quick fix (minor non-breaking change requiring no issue, use with care)
Code refactor (code improvement and/or code removal)
New feature (non-breaking change adding functionality).
Breaking change (cause existing functionality not to work as expected).

How Has This Been Tested?

Currently manually, unit tests should be added soon
Run tracee-ebpf -t e=openat -t openat.context.processName=ls
then run ls
This should be equivalent to
tracee-ebpf -t e=openat -t comm=ls
Further confirmation can be done using the case presented in the issue.
Another interesting usecase is with -t eventname.context.container
For example -t security_file_open.context.container then start a running container and notice no security_file_open events beforehands should be displayed.

Final Checklist:

Pick "Bug Fix" or "Feature", delete the other and mark appropriate checks.

I have made corresponding changes to the documentation.
My code follows the style guidelines (C and Go) of this project.
I have performed a self-review of my own code.
I have commented all functions/methods created explaining what they do.
I have commented my code, particularly in hard-to-understand areas.
My changes generate no new warnings.
I have added tests that prove my fix, or feature, is effective.
New and existing unit tests pass locally with my changes.
Any dependent changes have been merged and published before.

Git Log Checklist:

My commits logs have:

Subject starts with "subsystem|file: description".
Do not end the subject line with a period.
Limit the subject line to 50 characters.
Separate subject from body with a blank line.
Use the imperative mood in the subject line.
Wrap the body at 72 characters.
Use the body to explain what and why instead of how.

yanivagman

I love it!
Any info about how does it affects performance?

yanivagman · 2022-11-19T20:17:46Z

cmd/tracee-ebpf/flags/filter.go

+Event context fields can be accessed using 'event_name.context.field', this can be used to filter an event by its standard fields.
+Refer to the json field values in github.com/aquasecurity/tracee/blob/main/types/trace/trace.go and the standard filter fields for valid context fields.


It's not so clear what are the "standard fields".
I would also refer to the types/trace package instead of giving the full url (which might change) and be more specific about where to look - e.g. the Event struct.

Actually, refering (and updating) the docs would have been even better

I meant existing fields in the examples (except the arguments), so maybe that's what I should write here.
And yes I'll refer to the package and struct instead I understand your point on the URL.

I included a docs update as part of this PR, but only an example, so I'll double check where I can also write more about the filter itself (though i'm not sure we have this for other filters).

The context filter takes filter expressions based on trace.Event non argument values. For example one can trace only for openat events if they originate in a the ls process with `-t openat.context.processName=ls`.

1. Move the function to the event pipeline. 2. Merge the context filter into the logic, short circuiting it before argument filtering.

yanivagman

LGTM

NDStrahilevitz added this to the v0.9.0-rc1 milestone Oct 11, 2022

NDStrahilevitz force-pushed the feature/event_context_filter branch from 1768bb0 to b400a9c Compare October 11, 2022 16:23

NDStrahilevitz requested a review from yanivagman October 11, 2022 17:46

yanivagman modified the milestones: v0.9.0-rc1, v.0.10.0 Oct 26, 2022

NDStrahilevitz requested a review from rafaeldtinoco November 15, 2022 12:53

NDStrahilevitz added PR/needs-review labels Nov 15, 2022

NDStrahilevitz force-pushed the feature/event_context_filter branch 3 times, most recently from 0c8c668 to 9c69eb3 Compare November 17, 2022 14:01

yanivagman reviewed Nov 19, 2022

View reviewed changes

NDStrahilevitz added 4 commits November 22, 2022 16:02

filters: add event context filter

1a97c55

The context filter takes filter expressions based on trace.Event non argument values. For example one can trace only for openat events if they originate in a the ls process with `-t openat.context.processName=ls`.

filter: parse args filter with .args

9338d80

shouldProcessEvent: merge context filter

cd38c60

1. Move the function to the event pipeline. 2. Merge the context filter into the logic, short circuiting it before argument filtering.

docs: add section for context filter

2063aef

NDStrahilevitz force-pushed the feature/event_context_filter branch from 9c69eb3 to 2063aef Compare November 22, 2022 16:03

yanivagman approved these changes Nov 22, 2022

View reviewed changes

NDStrahilevitz merged commit c9b25de into aquasecurity:main Nov 22, 2022

NDStrahilevitz deleted the feature/event_context_filter branch November 22, 2022 20:47

yanivagman removed this from the v0.10.0 milestone Jan 2, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Feature/event context filter #2229

Feature/event context filter #2229

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

		Event context fields can be accessed using 'event_name.context.field', this can be used to filter an event by its standard fields.
		Refer to the json field values in github.com/aquasecurity/tracee/blob/main/types/trace/trace.go and the standard filter fields for valid context fields.

Feature/event context filter #2229

Feature/event context filter #2229

Uh oh!

Conversation

Initial Checklist

Description (git log)

Type of change

How Has This Been Tested?

Final Checklist:

Git Log Checklist:

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!