
Selecting event output fields

Open itaysk opened this issue 2 years ago • 4 comments

Users should be able to select which event fields are printed or not. The motivation is to minimize event size. This surfaced in https://github.com/aquasecurity/tracee/issues/2870#issuecomment-1468743262 and in https://github.com/aquasecurity/tracee/discussions/2640. We already allow conditional printing of some fields (stack traces, syscall, exec env) through output options. The same control should be available for all metadata and context fields in a consistent way.

itaysk avatar Mar 14 '23 20:03 itaysk

@yanivagman also suggested to automatically configure the "enrichment" of events based on selected context fields. For example, if I selected .context.kubernetes.pod then the k8s enrichment would be turned on, even if I didn't set its flag.

itaysk avatar Mar 16 '23 11:03 itaysk

Idea for implementation:

  1. Tracee will have a well defined default output, which will be exposed to the user in a clear way. This default output is actually a subset of the fields we have in the Event struct.
  2. Relative to this default output, the user can add or remove fields, considering the full Event definition is exposed to the user.
  3. Considering the fields the user chose to have in its output, tracee will automatically enable the relevant functionality. For example, if stack_trace was chosen, tracee will collect stack traces in bpf code, and if container image was selected, tracee will enable container enrichment.

Note: This will also allow us to remove the table-verbose printer

The same idea can be implemented for event arguments using the output flag and providing the event name and which arguments to add or remove.

yanivagman avatar Apr 02 '23 15:04 yanivagman

> @yanivagman also suggested to automatically configure the "enrichment" of events based on selected context fields. For example, if I selected .context.kubernetes.pod then the k8s enrichment would be turned on, even if I didn't set its flag.

> 3. Considering the fields the user chose to have in its output, tracee will automatically enable the relevant functionality. For example, if stack_trace was chosen, tracee will collect stack traces in bpf code, and if container image was selected, tracee will enable container enrichment.

Seems that this is not something that we will want to implement considering that Tracee now supports gRPC streams. Using streams, the user is able to choose fields of interest; however, not selecting a field in one stream shouldn't have an impact on another stream that might require it.

yanivagman avatar Sep 28 '23 08:09 yanivagman
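An added example (not Tracee's own code) of the "add or remove relative to a default output" idea from the proposal above, combined with the caveat in the reply about streams: functionality is derived as the union over all streams' selections, so deselecting a field in one stream never disables it for another. Field names, the default set and the feature map are constructed stand-ins, not Tracee's real schema.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DefaultFields is a constructed stand-in for the well-defined default output subset.
var DefaultFields = []string{"timestamp", "eventName", "processName", "pid", "context.container.id"}

// Requires maps an optional field to the functionality that must be enabled to
// populate it (constructed; mirrors the stack_trace / container image / k8s pod examples).
var Requires = map[string]string{
	"stack_trace":             "stack_trace_collection",
	"context.container.image": "container_enrichment",
	"context.kubernetes.pod":  "kubernetes_enrichment",
}

// ResolveFields applies a spec such as "+stack_trace,-pid" relative to DefaultFields
// and returns the resulting field set in sorted order.
func ResolveFields(spec string) ([]string, error) {
	set := map[string]bool{}
	for _, f := range DefaultFields {
		set[f] = true
	}
	for _, tok := range strings.Split(spec, ",") {
		tok = strings.TrimSpace(tok)
		if tok == "" {
			continue
		}
		switch tok[0] {
		case '+':
			set[tok[1:]] = true
		case '-':
			delete(set, tok[1:])
		default:
			return nil, fmt.Errorf("field %q must be prefixed with + or -", tok)
		}
	}
	return sortedKeys(set), nil
}

// RequiredFeatures returns the union of functionality needed by every stream's
// field set, so one stream's deselection cannot starve another stream.
func RequiredFeatures(streams ...[]string) []string {
	set := map[string]bool{}
	for _, fields := range streams {
		for _, f := range fields {
			if feat, ok := Requires[f]; ok {
				set[feat] = true
			}
		}
	}
	return sortedKeys(set)
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}
```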

One more note to make here - there are actually two separate problems to solve here:

  1. Selecting fields out of the event structure (e.g. context.k8s.pod)
  2. Selecting fields of a specific event (from the "data" section of the event structure)

While the first problem is general for all events (and so can be more easily solved by configuring the event fields as part of the stream configuration), the second problem is event specific.

yanivagman avatar Sep 28 '23 08:09 yanivagman