
Introduce evt trigger #4414

Open · geyslan wants to merge 2 commits into main

Conversation

@geyslan (Member) commented Dec 5, 2024

Close: #4412

1. Explain what the PR does

- 7d5668e chore: add events triggers (scripts)
- 2eed9e2 chore(cmd): introduce evt program

2eed9e2 chore(cmd): introduce evt program

Initially, the evt program is able to trigger events in the system by
the use of the `trigger` command.

2. Explain how to test it

- Start by getting the flags you should use:

  ```
  ./dist/evt trigger -b -e magic_write
  Tracee bypass flags: -s comm!=sh -s comm!=zsh -s comm!=evt -s comm!=magic_write.sh
  If running trigger from this shell, also use: -s tree=2937387
  ```

- Now, in another terminal, run tracee setting the desired event and adding the provided bypass flags:

  ```
  sudo ./dist/tracee -e magic_write -s comm!=sh -s comm!=zsh -s comm!=evt -s comm!=magic_write.sh -s tree=2937387
  ```

- In the initial shell, trigger magic_write with 2 ops and a sleep of 100ns between them:

  ```
  ./dist/evt trigger -e magic_write -o 2 -s 100ns
  Starting triggering 2 ops with 100ns sleep time at 11:08:03.755370282
  Finished triggering 2 ops at 11:08:03.757269405 after 1.899113ms
  ```

- The output of Tracee should be (if your env is not generating more noise than expected):

  ```
  09:59:49:791270  1000   fake-comm
         2995076 2995076 10               magic_write               pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
  09:59:49:791293  1000   fake-comm
         2995076 2995076 10               magic_write               pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
  09:59:49:792101  1000   fake-comm
         2995078 2995078 10               magic_write               pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277
  09:59:49:792120  1000   fake-comm
         2995078 2995078 10               magic_write               pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277
  ```

You can notice that it generated 4 magic_writes (which is ok: 2 ops * 2 expected); to understand it, see:

Explanation about the bypass and estimation:
https://github.com/aquasecurity/tracee/pull/4414/files#diff-1664c0263b4c71b676102bd64079e88b4c15b8bed815b5b76afac20b7121f100R151-R155

magic_write trigger estimation:
https://github.com/aquasecurity/tracee/pull/4414/files#diff-ae44cc6ba58bcc55063526ebf3fb632bf1f5ec14fba3051ea09ff2a5014605c3R5-R8


One can set evt to only start to trigger the event after receiving SIGUSR1:

```
./dist/evt trigger -e magic_write -o 2 -s 100ns -w & sleep 1 && kill -SIGUSR1 $(pgrep -x evt)
[1] 3002960
[trigger:3002960:magic_write] Waiting for start signal SIGUSR1
[trigger:3002960:magic_write] Starting triggering 2 ops with 100ns sleep time at 11:20:16.910878904
[trigger:3002960:magic_write] Finished triggering 2 ops at 11:20:16.912646863 after 1.767949ms
[1]  + done       ./dist/evt trigger -e magic_write -o 2 -s 100ns -w
```

The wait signal will time out after 1min.

3. Other comments

```
./dist/evt -h
evt is a simple testing tool that generates events to stress the system

Usage:
  evt [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  trigger     Trigger events to trigger

Flags:
  -h, --help   help for evt

Use "evt [command] --help" for more information about a command.
```

```
./dist/evt trigger -h
Trigger events to trigger

Usage:
  evt trigger [flags]

Aliases:
  trigger, t

Flags:
  -b, --bypass-flags                            Print tracee bypass flags
  -e, --event string     <name>...              Select event to trigger
  -h, --help             help for trigger
  -o, --ops int32        <number>...            Number of operations to perform (default 1)
  -s, --sleep duration   <duration>...          Sleep time between operations (default 10ns)
  -w, --wait-signal                             Wait for start signal (SIGUSR1)
```
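The test steps above rely on two things a reviewer would want to check mechanically: that the run does not start before the operator's SIGUSR1 arrives (with the one-minute timeout the description states), and that Tracee reported exactly `ops * 2` magic_write events, i.e. that the bypass flags filtered out all other noise. The following Go program is an added example and is not code from the Tracee repository or from this PR. It assumes Tracee's default text output places the event name in its own whitespace-separated column (as in the sample output above), takes the "2 events per op" estimation for magic_write from the PR description as an input parameter, and uses a constructed Tracee output sample (one line per event, plus one unrelated event line with comm `magic_write.sh` to show that the name match is exact).

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

// waitForStartOn blocks until a signal arrives on sigCh or timeout elapses.
// It returns true if the signal came in time. Keeping the channel separate
// from the OS wiring makes the logic testable without sending real signals.
func waitForStartOn(sigCh <-chan os.Signal, timeout time.Duration) bool {
	select {
	case <-sigCh:
		return true
	case <-time.After(timeout):
		return false
	}
}

// waitForStart wires waitForStartOn to a real SIGUSR1, the start signal the PR
// describes for `evt trigger -w`. The PR states a one-minute timeout; the
// caller passes it in here.
func waitForStart(timeout time.Duration) bool {
	sigCh := make(chan os.Signal, 1)
	signal.Notify(sigCh, syscall.SIGUSR1)
	defer signal.Stop(sigCh)
	return waitForStartOn(sigCh, timeout)
}

// expectedEvents applies the PR's estimation: each op of the event yields
// eventsPerOp events (2 for magic_write per the PR description; assumed here).
func expectedEvents(ops, eventsPerOp int) int {
	return ops * eventsPerOp
}

// countEvents counts output lines in which the event name is a whole
// whitespace-separated field. Field matching (not substring matching) keeps
// a comm such as "magic_write.sh" from being counted as a magic_write event.
func countEvents(traceeOutput, event string) int {
	n := 0
	sc := bufio.NewScanner(strings.NewReader(traceeOutput))
	for sc.Scan() {
		for _, field := range strings.Fields(sc.Text()) {
			if field == event {
				n++
				break
			}
		}
	}
	return n
}

// noiseCheck returns observed and expected counts and their difference.
// extra > 0 means processes the bypass flags did not exclude also hit the
// event; extra < 0 means some triggered ops were not reported.
func noiseCheck(traceeOutput, event string, ops, eventsPerOp int) (observed, expected, extra int) {
	observed = countEvents(traceeOutput, event)
	expected = expectedEvents(ops, eventsPerOp)
	return observed, expected, observed - expected
}

// sampleOutput is a constructed Tracee text output for the PR's run (2 ops,
// 4 magic_write events), plus one unrelated constructed line whose comm is
// "magic_write.sh" to show that it is not miscounted.
const sampleOutput = `09:59:49:791270  1000   fake-comm  2995076 2995076 10  magic_write  pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
09:59:49:791293  1000   fake-comm  2995076 2995076 10  magic_write  pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
09:59:49:792101  1000   fake-comm  2995078 2995078 10  magic_write  pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277
09:59:49:792120  1000   fake-comm  2995078 2995078 10  magic_write  pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277
09:59:49:792500  1000   magic_write.sh  2995079 2995079 0  sched_process_exec  cmdpath: /usr/bin/sh`

func main() {
	// With "-w" as the first argument, mirror `evt trigger -w`: wait up to one
	// minute for SIGUSR1 (kill -SIGUSR1 <pid>) before running the check.
	if len(os.Args) > 1 && os.Args[1] == "-w" {
		fmt.Println("Waiting for start signal SIGUSR1")
		if !waitForStart(time.Minute) {
			fmt.Println("timed out waiting for SIGUSR1")
			return
		}
	}
	observed, expected, extra := noiseCheck(sampleOutput, "magic_write", 2, 2)
	fmt.Printf("observed=%d expected=%d extra=%d\n", observed, expected, extra)
}
```

In a real run you would pipe Tracee's output into `noiseCheck` instead of the constructed sample; a non-zero `extra` is the signal that the bypass flags (or the `-s tree=<pid>` scope) need adjusting before the numbers can be trusted.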

@NDStrahilevitz (Collaborator) commented:

Just to note that at first I thought the PR referred to the uprobe triggering mechanism; we may want to rethink one of the names...
Anyway, promising tool.

@geyslan (Member, Author) commented Dec 9, 2024

The current idea is to have this new binary evt with two main commands: trigger and stress. The former would only run an underlying script related to a single Tracee event chosen. The latter would accept multiple events or policies to run Tracee first and in sequence the evt trigger itself for each event chosen.

How do you see the name conflicting with uname? What do you suggest then? I'm all ears.

@NDStrahilevitz (Collaborator) commented:

It's just that there is this package:
https://github.com/aquasecurity/tracee/tree/main/pkg/events/trigger
which conflicts in name. So we need to rename one of them imo, since we have the concept of "triggered events (through uprobes)" as a, rather underdeveloped, internal mechanism of tracee.

@geyslan (Member, Author) commented Jan 7, 2025

> It's just that there is this package: https://github.com/aquasecurity/tracee/tree/main/pkg/events/trigger which conflicts in name. So we need to rename one of them imo, since we have the concept of "triggered events (through uprobes)" as a, rather underdeveloped, internal mechanism of tracee.

I don't think they conflict with each other, perhaps in resemblance only, see:

- `pkg/events/trigger` - pkg
- `cmd/evt/cmd/trigger` - cmd

They're in different hierarchies. Anyway, we might change one or both in the future if it starts to confuse us. 👍🏼

@geyslan geyslan force-pushed the evt-trigger branch 4 times, most recently from 5bd63e3 to 892fcc6 Compare January 10, 2025 14:01
@geyslan geyslan marked this pull request as ready for review January 10, 2025 14:02
@geyslan (Member, Author) commented Jan 10, 2025

I'm going to provide documentation after reviews.
