aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

Changing the default set of events #2631

Closed rafaeldtinoco closed 1 year ago

rafaeldtinoco commented 1 year ago

Discussed in https://github.com/aquasecurity/tracee/discussions/2611

Originally posted by **yanivagman** January 22, 2023

We got feedback from some users saying that today's default set is too noisy, and a suggestion for a new default set that we can use. After discussion, these were defined as default:

`sudo ./dist/tracee --list | grep '\[default'`

```shell
creat [default syscalls fs fs_file_ops]
chmod [default syscalls fs fs_file_attr]
fchmod [default syscalls fs fs_file_attr]
chown [default syscalls fs fs_file_attr]
fchown [default syscalls fs fs_file_attr]
lchown [default syscalls fs fs_file_attr]
ptrace [default syscalls proc]
setuid [default syscalls proc proc_ids]
setgid [default syscalls proc proc_ids]
setpgid [default syscalls proc proc_ids]
setsid [default syscalls proc proc_ids]
setreuid [default syscalls proc proc_ids]
setregid [default syscalls proc proc_ids]
setresuid [default syscalls proc proc_ids]
setresgid [default syscalls proc proc_ids]
setfsuid [default syscalls proc proc_ids]
setfsgid [default syscalls proc proc_ids]
mount [default syscalls fs]
init_module [default syscalls system system_module]
fchownat [default syscalls fs fs_file_attr]
fchmodat [default syscalls fs fs_file_attr]
setns [default syscalls proc]
process_vm_readv [default syscalls proc]
process_vm_writev [default syscalls proc]
finit_module [default syscalls system system_module]
memfd_create [default syscalls fs fs_file_ops]
move_mount [default syscalls fs]
sched_process_exec [default proc]
security_inode_unlink [default lsm_hooks fs fs_file_ops]
security_socket_connect [default lsm_hooks net net_sock]
security_socket_accept [default lsm_hooks net net_sock]
security_socket_bind [default lsm_hooks net net_sock]
security_sb_mount [default lsm_hooks fs]
net_packet_icmp [default network_events]
net_packet_icmpv6 [default network_events]
net_packet_dns_request [default network_events]
net_packet_dns_response [default network_events]
net_packet_http_request [default network_events]
net_packet_http_response [default network_events]
```

In the future, we will add more user-friendly events to this set as described here: https://github.com/aquasecurity/tracee/issues/1310

In addition to that, after we complete the new "everything is an event" experience (https://github.com/aquasecurity/tracee/issues/2355), we will also add some (or all?) of the tracee rules to this default list.
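An operator who tunes Tracee's default set will want to know, after an upgrade, which events silently entered or left `default` and which sets (`fs`, `proc`, `net`, ...) a given default set covers. The script below is an added example, not code from the tracee project or from this issue: it parses the `name [set set ...]` line format quoted above (the real `tracee --list` output may carry extra columns, which the regex simply skips), lists the default events, groups them by set, and diffs two captured listings. Both sample listings are constructed here, and the "previous" one is hypothetical, not a real older Tracee default set.

```python
import re
from collections import defaultdict

# Constructed sample in the `name [sets]` format quoted in the issue. A few default
# events from the quoted list plus two non-default lines (read, write) added here
# so the filter has something to exclude.
CURRENT_LIST = """\
creat [default syscalls fs fs_file_ops]
chmod [default syscalls fs fs_file_attr]
setuid [default syscalls proc proc_ids]
ptrace [default syscalls proc]
init_module [default syscalls system system_module]
sched_process_exec [default proc]
security_socket_connect [default lsm_hooks net net_sock]
net_packet_dns_request [default network_events]
read [syscalls fs fs_read_write]
write [syscalls fs fs_read_write]
"""

# Hypothetical "previous" listing (constructed) in which read/write were default,
# used only to show how a default-set change shows up in the diff.
PREVIOUS_LIST = """\
creat [default syscalls fs fs_file_ops]
read [default syscalls fs fs_read_write]
write [default syscalls fs fs_read_write]
ptrace [default syscalls proc]
"""

# event name, whitespace, then the bracketed, space-separated set names
LINE_RE = re.compile(r"^(?P<name>\S+)\s+\[(?P<sets>[^\]]*)\]\s*$")


def parse_list(text):
    """Return {event_name: {set, ...}} for every line matching the quoted format."""
    events = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers or unexpected columns are ignored
        events[m.group("name")] = set(m.group("sets").split())
    return events


def default_events(events):
    """Sorted names of events tagged with the 'default' set."""
    return sorted(name for name, sets in events.items() if "default" in sets)


def by_set(events, only_default=True):
    """Group event names by each set they belong to ('default' itself is not a group)."""
    groups = defaultdict(list)
    for name, sets in events.items():
        if only_default and "default" not in sets:
            continue
        for tag in sets - {"default"}:
            groups[tag].append(name)
    return {tag: sorted(names) for tag, names in groups.items()}


def diff_defaults(previous, current):
    """(added, removed): default events that appeared in / vanished from `current`."""
    old, new = set(default_events(previous)), set(default_events(current))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    cur = parse_list(CURRENT_LIST)
    print("default events:", default_events(cur))
    for tag, names in sorted(by_set(cur).items()):
        print(f"  {tag}: {', '.join(names)}")
    added, removed = diff_defaults(parse_list(PREVIOUS_LIST), cur)
    print("entered default:", added)
    print("left default:", removed)
```

Against a live system, replace the constructed strings with the captured output of `tracee --list` from before and after an upgrade; the `removed` list is the one to review, since those events stop being collected unless they are requested explicitly.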
rafaeldtinoco commented 1 year ago

@geyslan mind taking a look at this one if you have time tomorrow? Thanks!

geyslan commented 1 year ago

List above updated.

NDStrahilevitz commented 1 year ago

Closed in #2636