[FEAT] Janitor Events Consumer Interface

Open NDStrahilevitz opened this issue 3 years ago • 2 comments

Prerequisites

  • [x] This issue is an EPIC issue (add label: EPIC).
  • [ ] This issue is an EPIC TASK (add issue to EPIC description).

Select one OR another:

  • [ ] I'll create a PR to implement this feature (assign to yourself).
  • [ ] Someone else should implement this (describe it well).

Feature description

Many features in tracee use the existing events and consume them as sources of info for later use in enrichment or configuration changes. Existing examples in the code currently are the Containers and ProcInfo structs. We should formalize this concept for future use in similar features, for example:

  1. Network interfaces being attached and detached responding to events
  2. Devices being added
  3. CPU and memory growth and reduction, tuning parameters
  4. Probes responding to events (for example new containers could make tcProbes attach to them)

In addition, we could add new event sources that track the OS to create these janitor events into the pipeline.

@rafaeldtinoco

Additional Information (feature drawings, files, logs, etc)

NDStrahilevitz, Jun 27 '22 12:06

@NDStrahilevitz I believe this case is not directly related to #1922, but if we decide to go with a side channel for janitor events, then it could be related.

rafaeldtinoco, Jul 06 '22 13:07

I think this was more for general system monitoring which doesn't come from eBPF. But most of it could come. For the moment #1931 can suffice so I'll mention it here.

NDStrahilevitz, Jul 06 '22 14:07

Closing in favor of #3086

yanivagman, May 28 '23 14:05