feat: Add list-events flag for listing events (#1071)

* feat: Add list-events flag for listing events Signed-off-by: Simar <[email protected]> * feat: Use only relevant events to trace Signed-off-by: Simar <[email protected]>
aquasecurity · Oct 13, 2021 · 7a46f53 · 7a46f53
1 parent 4262182
commit 7a46f53
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 2 deletions.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -26,4 +26,5 @@ for arg in "$@"; do
 done
 
 # start, and pass all remaining flags to tracee-rules
-$TRACEE_EBPF_EXE --output=format:gob --security-alerts | $TRACEE_RULES_EXE --input-tracee=file:stdin --input-tracee=format:gob $@
+EVENTS=$($TRACEE_RULES_EXE --list-events)
+$TRACEE_EBPF_EXE --output=format:gob --security-alerts --trace event=$EVENTS | $TRACEE_RULES_EXE --input-tracee=file:stdin --input-tracee=format:gob $@
diff --git a/tracee-rules/main.go b/tracee-rules/main.go
@@ -73,6 +73,12 @@ func main() {
 				}
 				loadedSigIDs = append(loadedSigIDs, m.ID)
 			}
+
+			if c.Bool("list-events") {
+				listEvents(os.Stdout, sigs)
+				return nil
+			}
+
 			fmt.Printf("Loaded %d signature(s): %s\n", len(loadedSigIDs), loadedSigIDs)
 
 			if c.Bool("list") {
@@ -163,6 +169,10 @@ func main() {
 				Usage: "select which runtime target to use for evaluation of rego rules: rego, wasm",
 				Value: "rego",
 			},
+			&cli.BoolFlag{
+				Name:  "list-events",
+				Usage: "print a list of events that currently loaded signatures require",
+			},
 		},
 	}
 	err := app.Run(os.Args)
@@ -183,6 +193,17 @@ func listSigs(w io.Writer, sigs []types.Signature) error {
 	return nil
 }
 
+func listEvents(w io.Writer, sigs []types.Signature) {
+	var events []string
+	for _, sig := range sigs {
+		es, _ := sig.GetSelectedEvents()
+		for _, e := range es {
+			events = append(events, e.Name)
+		}
+	}
+	fmt.Fprintln(w, strings.Join(events, ","))
+}
+
 func sigHandler() chan bool {
 	sigs := make(chan os.Signal, 1)
 	done := make(chan bool, 1)

diff --git a/tracee-rules/main_test.go b/tracee-rules/main_test.go
@@ -51,3 +51,38 @@ FOO-1      foo signature                       1.2.3   foo signature helps with
 BAR-1      bar signature                       4.5.6   bar signature helps with bar
 `, buf.String())
 }
+
+func Test_listEvents(t *testing.T) {
+	fakeSigs := []fakeSignature{
+		{
+			getSelectedEvents: func() ([]types.SignatureEventSelector, error) {
+				return []types.SignatureEventSelector{
+					{
+						Source: "tracee",
+						Name:   "execve",
+						Origin: "foobar",
+					},
+					{
+						Source: "tracee",
+						Name:   "ptrace",
+						Origin: "bazfoo",
+					},
+				}, nil
+			},
+		},
+		{
+			getSelectedEvents: func() ([]types.SignatureEventSelector, error) {
+				return nil, errors.New("failed to list sigs")
+			},
+		},
+	}
+
+	var inputSigs []types.Signature
+	for _, fs := range fakeSigs {
+		inputSigs = append(inputSigs, fs)
+	}
+
+	buf := bytes.Buffer{}
+	listEvents(&buf, inputSigs)
+	assert.Equal(t, "execve,ptrace\n", buf.String())
+}
diff --git a/tracee-rules/output_test.go b/tracee-rules/output_test.go
@@ -20,7 +20,8 @@ import (
 
 type fakeSignature struct {
 	types.Signature
-	getMetadata func() (types.SignatureMetadata, error)
+	getMetadata       func() (types.SignatureMetadata, error)
+	getSelectedEvents func() ([]types.SignatureEventSelector, error)
 }
 
 func (f fakeSignature) GetMetadata() (types.SignatureMetadata, error) {
@@ -35,6 +36,25 @@ func (f fakeSignature) GetMetadata() (types.SignatureMetadata, error) {
 	}, nil
 }
 
+func (f fakeSignature) GetSelectedEvents() ([]types.SignatureEventSelector, error) {
+	if f.getSelectedEvents != nil {
+		return f.getSelectedEvents()
+	}
+
+	return []types.SignatureEventSelector{
+		{
+			Source: "tracee",
+			Name:   "execve",
+			Origin: "foobar",
+		},
+		{
+			Source: "tracee",
+			Name:   "ptrace",
+			Origin: "bazfoo",
+		},
+	}, nil
+}
+
 func Test_setupOutput(t *testing.T) {
 	var testCases = []struct {
 		name           string