Changing the default set of events

[yanivagman]

We got feedback from some users saying that today's default set is too noisy, and a suggestion for a new default set that we can use. I would like to get any other feedback about this new default set of events:

containers

container_create
container_remove

files

creat
chmod
fchmod
fchmodat
chown
fchown
lchown
fchownat
memfd_create
security_inode_unlink
security_sb_mount

network

security_socket_bind
security_socket_connect
security_socket_accept

code injection

process_vm_writev
process_vm_readv
ptrace

execution

sched_process_exec

process privileges

setuid
setgid
setpgid
setsid
setreuid
setregid
setresuid
setresgid
setfsuid
setfsgid
setns

kernel module

init_module
finit_module

In the future, we will add more user-friendly events to this set as described here: #1310

In addition to that, after we will complete the new "everything is an event" experience (#2355) we will also add some (or all?) of tracee rules to this default list

[itaysk]

personally I would try to keep the default to just the minimum valuable events, also keeping #1310 in mind and also assuming this doesn't affect signatures. just my opinion:

containers - I would keep just start (not sure what existing is)
files - maybe skip security_file_open
network - maybe omit low level interactions, for example keep just ip and dns (connect and dns response)
execution - sched_process_exec need to specify which output options by default

WDYT?

[yanivagman]

I think the above list is already quite minimal, and contains useful events.
We can start with that and modify if it will be too noisy or as we will add new user-friendly events.
I'm thinking about applying this new set for the next release, v0.11.0, WDYT?

[geyslan]

main merged (#2636, #2645) with these events as default:

creat                          [default syscalls fs fs_file_ops]
chmod                          [default syscalls fs fs_file_attr]
fchmod                         [default syscalls fs fs_file_attr]
chown                          [default syscalls fs fs_file_attr]
fchown                         [default syscalls fs fs_file_attr]
lchown                         [default syscalls fs fs_file_attr]
ptrace                         [default syscalls proc]
setuid                         [default syscalls proc proc_ids]
setgid                         [default syscalls proc proc_ids]
setpgid                        [default syscalls proc proc_ids]
setsid                         [default syscalls proc proc_ids]
setreuid                       [default syscalls proc proc_ids]
setregid                       [default syscalls proc proc_ids]
setresuid                      [default syscalls proc proc_ids]
setresgid                      [default syscalls proc proc_ids]
setfsuid                       [default syscalls proc proc_ids]
setfsgid                       [default syscalls proc proc_ids]
init_module                    [default syscalls system system_module]
fchownat                       [default syscalls fs fs_file_attr]
fchmodat                       [default syscalls fs fs_file_attr]
setns                          [default syscalls proc]
process_vm_readv               [default syscalls proc]
process_vm_writev              [default syscalls proc]
finit_module                   [default syscalls system system_module]
memfd_create                   [default syscalls fs fs_file_ops]
move_mount                     [default syscalls fs]
sched_process_exec             [default proc]
security_inode_unlink          [default lsm_hooks fs fs_file_ops]
security_socket_connect        [default lsm_hooks net net_sock]
security_socket_accept         [default lsm_hooks net net_sock]
security_socket_bind           [default lsm_hooks net net_sock]
security_sb_mount              [default lsm_hooks fs]
net_packet_icmp                [default network_events]
net_packet_icmpv6              [default network_events]
net_packet_dns_request         [default network_events]
net_packet_dns_response        [default network_events]
net_packet_http_request        [default network_events]
net_packet_http_response       [default network_events]

[NDStrahilevitz]

container_create and container_remove were reintroduced in #2647