From f9f0e24af43f31d9f3ff4ba2578920d524d6fc52 Mon Sep 17 00:00:00 2001
From: Raphael Campos
Date: Sun, 17 Mar 2024 16:16:10 +0200
Subject: [PATCH] feat(events): create tracee_info event
Create an event that export Tracee's data upon startup.
Co-authored-by: Alon Zivony
---
 docs/docs/events/builtin/extra/tracee_info.md | 27 +++++++++++++++++++
 pkg/ebpf/tracee.go | 8 ++++++
 pkg/events/core.go | 14 ++++++++++
 pkg/events/usermode.go | 23 ++++++++++++++++
 4 files changed, 72 insertions(+)
 create mode 100644 docs/docs/events/builtin/extra/tracee_info.md
diff --git a/docs/docs/events/builtin/extra/tracee_info.md b/docs/docs/events/builtin/extra/tracee_info.md
new file mode 100644
index 000000000000..509ecef07ea9
--- /dev/null
+++ b/docs/docs/events/builtin/extra/tracee_info.md
@@ -0,0 +1,27 @@
+# tracee_info
+
+## Intro
+
+tracee_info - An event that exports some relevant data of Tracee upon startup.
+
+## Description
+
+This event, created in user-mode during Tracee's initialization, is typically the first event emitted. It provides valuable metadata about Tracee's configuration and runtime environment, which can be helpful for event processing and troubleshooting.
+
+The event was created also with Tracee's File Source in mind, to provide information about how Tracee ran during the original capture.
+
+## Arguments
+
+* `boot_time`:`u64`[U] - the boot time of the system that Tracee is running on, relative to the Unix epoch.
+* `start_time`:`u64`[U] - the time the Tracee process started relative to system boot time.
+* `version`:`const char*`[U] - Tracee version.
+
+## Hooks
+
+## Example Use Case
+
+The event could be used to calculate the relative time of events since Tracee's start.
+
+## Related Events
+
+`init_namespaces`
\ No newline at end of file
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
index 328e248f71fd..b0fea7c98b96 100644
--- a/pkg/ebpf/tracee.go
+++ b/pkg/ebpf/tracee.go
@@ -1731,6 +1731,14 @@ func (t *Tracee) invokeInitEvents(out chan *trace.Event) {
 // Initial namespace events
+ matchedPolicies = policiesMatch(t.eventsState[events.TraceeInfo])
+ if matchedPolicies > 0 {
+ traceeDataEvent := events.TraceeInfoEvent(t.bootTime, t.startTime)
+ setMatchedPolicies(&traceeDataEvent, matchedPolicies, t.policyManager)
+ out <- &traceeDataEvent
+ _ = t.stats.EventCount.Increment()
+ }
+
 matchedPolicies = policiesMatch(t.eventsState[events.InitNamespaces])
 if matchedPolicies > 0 {
 systemInfoEvent := events.InitNamespacesEvent()
diff --git a/pkg/events/core.go b/pkg/events/core.go
index 43fa4ab88c51..61244a167af1 100644
--- a/pkg/events/core.go
+++ b/pkg/events/core.go
@@ -144,6 +144,7 @@ const (
 SymbolsCollision
 HiddenKernelModule
 FtraceHook
+ TraceeInfo
 MaxUserSpace
 )
@@ -11916,6 +11917,19 @@ var CoreEvents = map[ID]Definition{
 {Type: "u32", Name: "uts"},
 },
 },
+ TraceeInfo: {
+ id: TraceeInfo,
+ id32Bit: Sys32Undefined,
+ name: "tracee_info",
+ version: NewVersion(1, 0, 0),
+ sets: []string{},
+ dependencies: Dependencies{},
+ params: []trace.ArgMeta{
+ {Type: "u64", Name: "boot_time"},
+ {Type: "u64", Name: "start_time"},
+ {Type: "const char*", Name: "version"},
+ },
+ },
 SocketDup: {
 id: SocketDup,
 id32Bit: Sys32Undefined,
diff --git a/pkg/events/usermode.go b/pkg/events/usermode.go
index 58ac17f7bf8d..fd1065021b38 100644
--- a/pkg/events/usermode.go
+++ b/pkg/events/usermode.go
@@ -26,6 +26,7 @@ import (
 "github.com/aquasecurity/tracee/pkg/containers"
 "github.com/aquasecurity/tracee/pkg/containers/runtime"
 "github.com/aquasecurity/tracee/pkg/logger"
+ traceeversion "github.com/aquasecurity/tracee/pkg/version"
 "github.com/aquasecurity/tracee/types/trace"
 )
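Review bot: The new tracee_info block is inserted directly under the existing `// Initial namespace events` comment, so that comment now describes the wrong code and the init_namespaces block below it is left without its heading. Give the added block its own comment, e.g. `// Tracee startup information event` above the `matchedPolicies = policiesMatch(t.eventsState[events.TraceeInfo])` line, and move `// Initial namespace events` down so it sits directly above the InitNamespaces lookup. The local `traceeDataEvent` would also read more consistently as `traceeInfoEvent`, matching both the event's name and the `systemInfoEvent` local that follows. invokeInitEvents begins before this hunk, so its earlier statements are not visible here.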
@@ -49,6 +50,28 @@ func InitNamespacesEvent() trace.Event {
 return initNamespacesEvent
 }
+// TraceeInfoEvent exports data related to Tracee's initialization
+func TraceeInfoEvent(bootTime uint64, startTime uint64) trace.Event {
+ def := Core.GetDefinitionByID(TraceeInfo)
+ params := def.GetParams()
+ args := []trace.Argument{
+ {ArgMeta: params[0], Value: bootTime},
+ {ArgMeta: params[1], Value: startTime},
+ {ArgMeta: params[2], Value: traceeversion.GetVersion()},
+ }
+
+ traceeInfoEvent := trace.Event{
+ Timestamp: int(time.Now().UnixNano()),
+ ProcessName: "tracee",
+ EventID: int(def.GetID()),
+ EventName: def.GetName(),
+ ArgsNum: len(args),
+ Args: args,
+ }
+
+ return traceeInfoEvent
+}
+
 // getInitNamespaceArguments fetches the namespaces of the init process and
 // parse them into event arguments.
 func getInitNamespaceArguments() []trace.Argument {
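Review bot: TraceeInfoEvent takes two positional uint64 parameters of the same type, and its one-line doc comment does not say what each is measured against, so a swapped call at the single call site in invokeInitEvents would yield a well-formed but wrong event that nothing would catch. The event documentation added in this same patch already states the reference points; carry them onto the function: `// TraceeInfoEvent builds the tracee_info event. bootTime is the system boot time relative to the Unix epoch and startTime is the Tracee process start time relative to system boot, both as held in Tracee.bootTime/startTime; version comes from traceeversion.GetVersion().` The args slice also relies on `params[0]`, `params[1]`, `params[2]` matching the order of the TraceeInfo definition in core.go, which is worth a short comment so that reordering the definition is not done without updating this function. TraceeInfoEvent lies entirely inside this hunk.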