tracee icon indicating copy to clipboard operation
tracee copied to clipboard
verified publisher icon aquasecurity

Add higher level events

Open AsafEitani opened this issue 4 years ago • 3 comments

For a user using tracee as a monitoring or threat hunting tool to be able to understand the outputted events there is a need for a deep understanding of linux internals and syscalls. Because the events are a reflection of the actual syscalls and lsm hooks it's really hard for a user to understand the meaning behind them.

Adding a higher level events which will symbolize common actions performed on the system will enable monitoring, threat hunting and writing tracee-rules rules much easier. For example:

  • [ ] Processes:
    • [ ] Process creation (#2725)
    • [ ] Process termination (#2725)
    • [ ] Process creation failed
    • [x] SO load (#1631)
    • [ ] Thread creation (clone/fork)
  • [ ] Network connections:
    • [ ] accept
    • [ ] connect
    • [ ] DNS
  • [ ] Files:
    • [ ] File creation
    • [ ] File modification
    • [ ] File deletion (#2725)
  • [ ] IPC:
    • [ ] Pipe creation
    • [ ] Pipe connect
    • [ ] Signals
  • [ ] Kernel:
    • [ ] Kernel module loaded
    • [ ] Kernel module unloaded
  • [ ] Misc:
    • [ ] System login
    • [ ] Container create/run/stop

Those events can be part of a new set which will contain the events that are human (not linux experts) readable.

AsafEitani avatar Dec 27 '21 10:12 AsafEitani

#1105

yanivagman avatar Dec 27 '21 11:12 yanivagman

Pushing to v0.12.0 where we should at least merge #2186

yanivagman avatar Jan 27 '23 16:01 yanivagman

closely related: https://schema.ocsf.io/

itaysk avatar Jun 14 '23 10:06 itaysk