feat(events): create tracee_info event

Create an event that export Tracee's data upon startup. Co-authored-by: Alon Zivony <[email protected]>
aquasecurity · Jul 4, 2024 · f9f0e24 · f9f0e24
1 parent 96ebc05
commit f9f0e24
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/docs/docs/events/builtin/extra/tracee_info.md b/docs/docs/events/builtin/extra/tracee_info.md
@@ -0,0 +1,27 @@
+# tracee_info
+
+## Intro
+
+tracee_info - An event that exports some relevant data of Tracee upon startup.
+
+## Description
+
+This event, created in user-mode during Tracee's initialization, is typically the first event emitted. It provides valuable metadata about Tracee's configuration and runtime environment, which can be helpful for event processing and troubleshooting.
+
+The event was created also with Tracee's File Source in mind, to provide information about how Tracee ran during the original capture.
+
+## Arguments
+
+* `boot_time`:`u64`[U] - the boot time of the system that Tracee is running on, relative to the Unix epoch.
+* `start_time`:`u64`[U] - the time the Tracee process started relative to system boot time.
+* `version`:`const char*`[U] - Tracee version.
+
+## Hooks
+
+## Example Use Case
+
+The event could be used to calculate the relative time of events since Tracee's start.
+
+## Related Events
+
+`init_namespaces`
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -1731,6 +1731,14 @@ func (t *Tracee) invokeInitEvents(out chan *trace.Event) {
 
 	// Initial namespace events
 
+	matchedPolicies = policiesMatch(t.eventsState[events.TraceeInfo])
+	if matchedPolicies > 0 {
+		traceeDataEvent := events.TraceeInfoEvent(t.bootTime, t.startTime)
+		setMatchedPolicies(&traceeDataEvent, matchedPolicies, t.policyManager)
+		out <- &traceeDataEvent
+		_ = t.stats.EventCount.Increment()
+	}
+
 	matchedPolicies = policiesMatch(t.eventsState[events.InitNamespaces])
 	if matchedPolicies > 0 {
 		systemInfoEvent := events.InitNamespacesEvent()

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -144,6 +144,7 @@ const (
 	SymbolsCollision
 	HiddenKernelModule
 	FtraceHook
+	TraceeInfo
 	MaxUserSpace
 )
 
@@ -11916,6 +11917,19 @@ var CoreEvents = map[ID]Definition{
 			{Type: "u32", Name: "uts"},
 		},
 	},
+	TraceeInfo: {
+		id:           TraceeInfo,
+		id32Bit:      Sys32Undefined,
+		name:         "tracee_info",
+		version:      NewVersion(1, 0, 0),
+		sets:         []string{},
+		dependencies: Dependencies{},
+		params: []trace.ArgMeta{
+			{Type: "u64", Name: "boot_time"},
+			{Type: "u64", Name: "start_time"},
+			{Type: "const char*", Name: "version"},
+		},
+	},
 	SocketDup: {
 		id:      SocketDup,
 		id32Bit: Sys32Undefined,

diff --git a/pkg/events/usermode.go b/pkg/events/usermode.go
@@ -26,6 +26,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/containers"
 	"github.com/aquasecurity/tracee/pkg/containers/runtime"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	traceeversion "github.com/aquasecurity/tracee/pkg/version"
 	"github.com/aquasecurity/tracee/types/trace"
 )
 
@@ -49,6 +50,28 @@ func InitNamespacesEvent() trace.Event {
 	return initNamespacesEvent
 }
 
+// TraceeInfoEvent exports data related to Tracee's initialization
+func TraceeInfoEvent(bootTime uint64, startTime uint64) trace.Event {
+	def := Core.GetDefinitionByID(TraceeInfo)
+	params := def.GetParams()
+	args := []trace.Argument{
+		{ArgMeta: params[0], Value: bootTime},
+		{ArgMeta: params[1], Value: startTime},
+		{ArgMeta: params[2], Value: traceeversion.GetVersion()},
+	}
+
+	traceeInfoEvent := trace.Event{
+		Timestamp:   int(time.Now().UnixNano()),
+		ProcessName: "tracee",
+		EventID:     int(def.GetID()),
+		EventName:   def.GetName(),
+		ArgsNum:     len(args),
+		Args:        args,
+	}
+
+	return traceeInfoEvent
+}
+
 // getInitNamespaceArguments fetches the namespaces of the init process and
 // parse them into event arguments.
 func getInitNamespaceArguments() []trace.Argument {