Proto commits in aquasecurity/tracee

These 73 commits are when the Protocol Buffers files have changed:

Commit:92a77ec
Author:Thales Paiva
Committer:Thales Paiva

feat(grpc): add GetDetectorsCatalog RPC Add a read-only gRPC endpoint that exposes detector catalog entries from Tracee event definitions. Consumers can sync detectors metadata without mutating shared caches, enabling a safe replacement for cache-enrichment workflows. The catalog includes events tagged with detectors, supports optional filtering by detector ID or event name, and sanitizes property values for protobuf transport. Also adds traceectl `detectors list` and `detectors describe` for manual validation and unit tests for the server handler.

Commit:8d5d46a
Author:Yaniv Agman
Committer:Yaniv Agman

feat(datastores): Add IP reputation store reference implementation Add reference implementation of WritableStore for IP reputation tracking. - Implement IPReputationStore with type-safe and generic methods - Support three conflict resolution policies (LastWriteWins, MaxSeverity, PriorityBased) - Source partitioning for multi-feed aggregation - Thread-safe operations with proper locking - Comprehensive test suite (15 tests, 78% coverage) - Type-safe methods: GetReputation, IsBlacklisted, WriteReputation, WriteBatch - Generic methods: WriteValue, WriteBatchValues, Delete, ClearSource, ListSources

The documentation is generated from this commit.

Commit:8145a24
Author:Yaniv Agman
Committer:Yaniv Agman

feat(datastores): Add WritableStore interface Add WritableStore interface for detectors/extensions to store custom data. - Add WritableStore interface (WriteValue, WriteBatchValues, Delete, ClearSource, ListSources) - Add RegisterWritableStore() to Registry - Define protobuf schemas for DataEntry and gRPC DataSourceService - Source isolation for data provenance tracking - Update Makefile for subdirectory protobuf generation - Ownership model: registrant controls store behavior - Fix test mocks to return valid health/metrics objects

Commit:3787226
Author:Geyslan Gregório
Committer:Geyslan Gregório

fix(api): align event definitions across proto and core Event Name Alignment: - Rename security_post_read_file to security_kernel_post_read_file to match the actual hook name - Rename security_inode_symlink_event_id to security_inode_symlink to align with naming conventions (remove redundant _event_id suffix) - Fix event name mismatches: __kernel_write, call_usermodehelper, net_packet_flow_base, and security_task_setrlimit Event Definition Alignment: - Add missing events: net_packet_raw, tracee_info - Remove undefined event: net_flow_end - Convert marker events (max_net_id, max_user_net_id) to reserved IDs - Reorder event IDs to maintain consistency Updates proto definitions and all references across core events, translation tables, and parsers.

Commit:4dd8619
Author:Yaniv Agman
Committer:Yaniv Agman

api: add dedicated pointer type to EventValue Add explicit pointer field (field 31) to EventValue protobuf oneof to distinguish pointers from regular uint64 values. - Update protobuf definition with pointer type - Convert trace.Pointer to EventValue_Pointer - Add reverse conversion for round-trip support - Regenerate protobuf Go code This enables type-safe pointer handling and proper hex formatting.

Commit:09cc7bd
Author:Yaniv Agman
Committer:Geyslan Gregório

feat(detectors): implement recursive DetectedFrom chain tracking Add parent field to DetectedFrom for complete detection provenance through multi-level chains. (cherry picked from commit d74a67bd5b0c77afb9a2767b7c5e0399cb059f78)

Commit:d74a67b
Author:Yaniv Agman
Committer:Yaniv Agman

feat(detectors): implement recursive DetectedFrom chain tracking Add parent field to DetectedFrom for complete detection provenance through multi-level chains.

Commit:76355ac
Author:Geyslan Gregório
Committer:Geyslan Gregório

feat(events): add extended events infrastructure Add parseArgsExtended() stub for non-extended builds that can be replaced in extended builds for custom event argument parsing. Use X-macros for tail call IDs in types.h to enable extension in extended builds. Export MaxTail constant via definition_dependencies_core.go for proper bounds checking. Reserve API event ID ranges for extended events (1500-1999, 3000-3999). Co-authored-by: Raphael Campos <raphaelcampos.rp@gmail.com>

Commit:f39337e
Author:Yaniv Agman
Committer:Yaniv Agman

api: rename Container.is_running to Container.started The field 'is_running' was semantically incorrect as it represents whether a container has started (executed its entrypoint), not whether it is currently running. A paused container has 'started' but is not 'running'. Changes: - Rename proto field: is_running → started - Update tracee.go to use Started field - Update tracee_test.go test cases - Add test coverage for Started field (both true/false cases) - Regenerate protobuf code This is a breaking API change but acceptable during active development.

Commit:7b9fd67
Author:Geyslan Gregório
Committer:Geyslan Gregório

refactor(metrics): consolidate BPF perf event stats API Changes: - Replace separate BPFPerfEventSubmitAttempts/Failures fields with unified BPFEventStats - Add BPFEventStats message containing id, name, internal flag, attempts, and failures - Optimize gRPC metrics collection to use single BPF map iteration instead of two eBPF Changes: - Create reusable update_event_stats() to deduplicate metrics code - Add metrics tracking to signal_perf_submit() for signal events - Move #ifdef METRICS guards inside update_event_stats() for cleaner code - Update cgroup_skb_submit() and events_perf_submit() to use new function Prometheus Integration: - Maintain existing Prometheus metrics structure (separate attempts/failures metrics) Code Organization: - Consolidate BPF map setup logic into initializeBPFEventsStatsMap() - Remove deprecated EventCount message and associated helper functions Performance: - Reduce BPF map iterations from 2 to 1 for gRPC metrics collection - Maintain on-demand metrics collection for both Prometheus and gRPC

Commit:3302734
Author:Yaniv Agman
Committer:Yaniv Agman

api: rename TriggeredBy to DetectedFrom Rename for better semantic clarity. 'DetectedFrom' more clearly indicates that this is the source event that led to a detection, better aligning with detection and signature terminology. This change renames the concept consistently across all layers: Protobuf changes: - Message TriggeredBy renamed to DetectedFrom - Event.triggered_by field renamed to detected_from Internal argument name changes: - Argument name 'triggeredBy' renamed to 'detectedFrom' everywhere - Updated in findings.go, event_data.go, printer.go, and all tests Go code changes: - getTriggerBy() function renamed to getDetectedFrom() - Variable names updated for consistency (sourceEvent, sourceEventArgs, etc.) - Updated all comments and test fixtures BREAKING CHANGE: TriggeredBy renamed to DetectedFrom in API and internal code. Any code creating or reading the 'triggeredBy' argument must update to 'detectedFrom'.

Commit:760c19b
Author:Yaniv Agman
Committer:Yaniv Agman

api: remove Threat field from EventDefinition EventDefinition describes the structure and schema of an event type, not whether it represents a threat. Event definitions should be neutral descriptors. Threat assessment belongs on Event instances (which already have an optional Threat field), not on the type definition itself. This change removes: - optional Threat threat field (was field 6) - import of threat.proto from definition.proto - getThreat() call in convertDefinitionToProto() The fields member has moved from field 7 to field 6. BREAKING CHANGE: EventDefinition.threat field removed

Commit:caebf46
Author:Yaniv Agman
Committer:Yaniv Agman

api: add event field schema to EventDefinition Add EventField message containing name and type fields, and include a repeated fields member in EventDefinition (field 7). This enables API consumers to dynamically discover the schema of events. The type field uses DecodeAs.String() to provide user-friendly type names (e.g., 'string', 'int32', '[]byte') rather than internal Go types, since these are the actual types users see in events. The convertDefinitionToProto() function now populates the fields array by converting from the internal events.Definition.GetFields(). This change is additive and maintains backward compatibility. Files modified: - api/v1beta1/definition.proto: Added EventField message - pkg/server/grpc/tracee.go: Updated conversion logic - go.mod: Added replace directive for local api module

Commit:3e47b0c
Author:Geyslan Gregório
Committer:Geyslan Gregório

fix(api): add missing event ids Rearranged event IDs in event.proto at the same order of their definitions. Removal of api replace (go.mod) will be done in a sequential PR.

Commit:41eca41
Author:Geyslan Gregório
Committer:Geyslan Gregório

Revert "feat(events): add open_file_ns and open_file_mount events" This partially reverts three commits: ** cd951841668323370ba8c52ddb08d267e469377c: * "feat(events): add open_file_ns and open_file_mount events" - vmlinux.h was preserved since the changes are improving the types. - filesystem.h and task.h were preserved since the change improves existent API. ** c11b5724061fad21d925cc0253001d14d9905084: * "chore(grpc): update translation table (#4668)" ** ecadc0c7c567c2aef61cc117761556a1017c03fb: * "chore(api): add missing event ids"

Commit:ff36c55
Author:Ofek Shaked
Committer:Nadav Strahilevitz

chore(api): add security_task_prctl event ID

Commit:ecadc0c
Author:Nadav Strahilevitz
Committer:Nadav Strahilevitz

chore(api): add missing event ids Missing events begin from commit 9356795.

Commit:0fbac6d
Author:Raphael Campos
Committer:Raphael Campos

chore: rename event to zeroed_inode The event hidden_inodes was renamed top zeroed_inode in order to be generic. According to this ref "https://www.kernel.org/doc/html/ latest/filesystems/ext4/directory.html", Unused directory entries are signified by inode = 0.

Commit:6968a8b
Author:Geyslan Gregório
Committer:Gregório G.

chore(api): add EventCounts to GetMetricsResponse commit: 1f796cb (main), cherry-pick

Commit:b95f206
Author:Yaniv Agman
Committer:Gregório G.

Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications. commit: 0757020 (main), cherry-pick

Commit:1f796cb
Author:Geyslan Gregório
Committer:Geyslan Gregório

chore(api): add EventCounts to GetMetricsResponse

Commit:0757020
Author:Yaniv Agman
Committer:Yaniv Agman

Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications.

Commit:704e6e2
Author:Ori Glassman
Committer:Raphael Campos

feat(ebpf): make process_execute_failed not rely on sys_enter/exit commit: 77d04ef (main), cherry-pick

Commit:77d04ef
Author:Ori Glassman
Committer:Gregório G.

feat(ebpf): make process_execute_failed not rely on sys_enter/exit

Commit:873f896
Author:Raphael Campos
Committer:Raphael Campos

chore(api): event definitions api renaming commit: 89d2d4f (main), cherry-pick

Commit:89d2d4f
Author:Raphael Campos
Committer:Raphael Campos

chore(api): event definitions api renaming

Commit:ab1c72f
Author:Raphael Campos
Committer:GitHub

feature: add enum EventId to event definition (#4085) (#4101) commit: a237ddf (main), cherry-pick

Commit:a237ddf
Author:Raphael Campos
Committer:GitHub

feature: add enum EventId to event definition (#4085)

Commit:d4b717c
Author:josedonizetti
Committer:Jose Donizetti

fix event definitions api

Commit:ea2c242
Author:josedonizetti
Committer:Jose Donizetti

grpc: add direction to packet metadata

Commit:07e087b
Author:Jose Donizetti
Committer:Jose Donizetti

chore: add protoc-gen-go-json for better json marshal

Commit:bac06dc
Author:Jose Donizetti
Committer:Jose Donizetti

feature: add dynamic struct to event_data

Commit:a631c31
Author:Jose Donizetti
Committer:Jose Donizetti

feature: add threat to event definition

Commit:cd6759e
Author:Jose Donizetti
Committer:Jose Donizetti

feature: add properties to threat

Commit:a486584
Author:Jose Donizetti
Committer:Jose Donizetti

feature: add name to threat

Commit:6d3c562
Author:Jose Donizetti
Committer:Jose Donizetti

refactor: extract threat.proto

Commit:f6f40e0
Author:Nadav Strahilevitz
Committer:Nadav Strahilevitz

chore(api): fix typo

Commit:ee6fba4
Author:Nadav Strahilevitz
Committer:Nadav Strahilevitz

feature(api): add data source grpc service

Commit:9d72a92
Author:Rafael David Tinoco
Committer:Rafael David Tinoco

chore(signatures): remove outdated and broken celsig support

Commit:e708f9a
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: use new api module commit: 2ada83fc9 (main), backport [backport] Types version updates together with the commit were removed.

Commit:2b31041
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: add api root dir commit: f3bc7d1e9 (main), cherry-pick

Commit:32c8307
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: parse arguments base on the value type commit: 7a240c442 (main), backport [backport] There was a types version update together with this commit that was removed in the release branch. The types version change should have their own commit (as the release branch might use a different types version).

Commit:2ea7a70
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: add missing types commit: 782fb4d72 (main), cherry-pick

Commit:242b36b
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: add path to executable (#3542) commit: f7e7a2026 (main), cherry-pick

Commit:4c506f7
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: add path to executable commit: 2eca675f4 (main), cherry-pick

Commit:2ada83f
Author:Jose Donizetti
Committer:Jose Donizetti

fix: use new api module

Commit:f3bc7d1
Author:Jose Donizetti
Committer:Jose Donizetti

fix: add api root dir

Commit:7a240c4
Author:Jose Donizetti
Committer:Jose Donizetti

fix: parse arguments base on the value type

Commit:782fb4d
Author:Jose Donizetti
Committer:Jose Donizetti

fix: add missing types

Commit:f7e7a20
Author:Jose Donizetti
Committer:GitHub

fix: add path to executable (#3542)

Commit:2eca675
Author:Jose Donizetti
Committer:Rafael David Tinoco

fix: add path to executable

Commit:8ef6335
Author:Jose Donizetti
Committer:Jose Donizetti

fix: fix tactic, and int32_array names

Commit:44ec77c
Author:Jose Donizetti
Committer:Jose Donizetti

fix: fix Threat proto

Commit:012f092
Author:Jose Donizetti
Committer:Jose Donizetti

fix: make types uniform with wrappers

Commit:d78233f
Author:Jose Donizetti
Committer:Jose Donizetti

fix: fix uint and string types

Commit:62b3f68
Author:Alon Zivony
Committer:Rafael David Tinoco

feat(types): add thread entity id to protobuf As it is now available, add the thread entity id to the protobuf.

Commit:cbb1159
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add event_data to event proto

Commit:eb2945f
Author:Jose Donizetti
Committer:Jose Donizetti

fix: stackaddress needs to have symbol name

Commit:0bdc73b
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add StreamEvents rpc

Commit:b9619f9
Author:Jose Donizetti
Committer:Jose Donizetti

feat: Add new event structure

Commit:bc6f603
Author:Jose Donizetti
Committer:Jose Donizetti

fix: remove params from event definition proto

Commit:76b28d0
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add enable/disable event rpc

Commit:693c973
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add version proto

Commit:b0a7b7e
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add GetEventDefinition rpc call

Commit:9ec273b
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add EventDefinition proto

Commit:bfc4451
Author:Jose Donizetti
Committer:Jose Donizetti

fix: log level should match zap log priority

Commit:7d4b8c2
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add diagnostic rpc

Commit:4182875
Author:Jose Donizetti
Committer:Jose Donizetti

fix(protobuf): tracee.proto go_package

Commit:7c72262
Author:Jose Donizetti
Committer:Jose Donizetti

feat: add tracee rpc service Adds tracee rpc service with a first endpoint to return tracee's version

Commit:6f4de28
Author:Nadav Strahilevitz
Committer:Nadav Strahilevitz

go.mod: bump types Bump includes Container and Kubernetes context seperation in `trace.Event`. Apply the change across the codebase.

Commit:7ef509a
Author:Jose Donizetti
Committer:GitHub

refactor: rules renamed to signatures (#2715)

Commit:b6af22a
Author:Rafael David Tinoco
Committer:Rafael David Tinoco

go-cel: adjust comments and add mode_t to wrapper

Commit:9cc0ad8
Author:Daniel Pacak
Committer:GitHub

tracee-rules: introduce CEL signatures (#1766) This patch introduces new type of Tracee-Rules signatures that can be written as Common Expression Language (CEL). This feature is enabled by placing CEL signature definition files (.cel, .yaml, .yml) in the the --rules-dir directory. Sample definition files can be found in the pkg/rules/celsig/testdata/rules/ directory. The following snippet shows how you define the Anti-Debugging signature using CEL: # pkg/rules/celsig/testdata/rules/anti_debugging_ptraceme.yml kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: "Severity": 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' You can use the following commands to compile Tracee and load CEL-2, CEL-5, and CEL-12 signatures from pkg/rules/celsig/testdata/rules/anti_debuggin_ptraceme.yml and pkg/rules/celsig/testdata/rules/signatures.yaml. vagrant up && vagrant ssh make cp -v pkg/rules/celsig/testdata/rules/*.y*ml dist/rules sudo ./dist/tracee-ebpf \ --output=format:gob \ --output=option:parse-arguments \ | ./dist/tracee-rules \ --input-tracee=file:stdin \ --input-tracee=format:gob Notice that CEL-2, CEL-5, and CEL-12 correspond to TRC-2, TRC-5, and TRC-12 signatures written as OPA Rego policies. With Helm installer you can define CEL signatures in Helm values.yaml as follows: # deploy/helm/tracee/values.yaml signatures: # config defines Common Expression Language (CEL) signatures that are loaded # by Tracee-Rules from the --rules-dir directory. If the config object is not # empty, the configuration file is automatically mounted at # /tracee/rules/signatures.yaml. config: kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: Severity: 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>