Proto commits in aquasecurity/tracee

These 58 commits are when the Protocol Buffers files have changed:

2025-03-24

chore(api): add security_task_prctl event ID

The documentation is generated from this commit.

2025-03-13

chore(api): add missing event ids Missing events begin from commit 9356795.

2025-02-28

chore: rename event to zeroed_inode The event hidden_inodes was renamed top zeroed_inode in order to be generic. According to this ref "https://www.kernel.org/doc/html/ latest/filesystems/ext4/directory.html", Unused directory entries are signified by inode = 0.

2024-12-09

chore(api): add EventCounts to GetMetricsResponse commit: 1f796cb (main), cherry-pick

2024-12-06

Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications. commit: 0757020 (main), cherry-pick

2024-12-03

chore(api): add EventCounts to GetMetricsResponse

2024-11-29

Refactor: Restructure event and rename context This commit introduces two key changes to the Tracee event structure: - Renames the `context` field to `workload` to provide a more specific and clear description of the execution environment. - Moves the `triggeredBy` field from the `data` section to the root of the event structure. This ensures the `data` section is strictly defined by the event-specific schema, improving consistency and clarity. These changes constitute a breaking change to the API. However, as `traceectl` is not yet merged, it is acceptable to introduce this breaking change now to avoid future complications.

2024-09-10

feat(ebpf): make process_execute_failed not rely on sys_enter/exit commit: 77d04ef (main), cherry-pick

2024-09-05

feat(ebpf): make process_execute_failed not rely on sys_enter/exit

2024-06-13

chore(api): event definitions api renaming commit: 89d2d4f (main), cherry-pick

chore(api): event definitions api renaming

2024-06-03

feature: add enum EventId to event definition (#4085) (#4101) commit: a237ddf (main), cherry-pick

2024-05-31

feature: add enum EventId to event definition (#4085)

2024-04-26

fix event definitions api

2024-02-19

grpc: add direction to packet metadata

2024-01-18

chore: add protoc-gen-go-json for better json marshal

2023-12-22

feature: add dynamic struct to event_data

2023-12-19

feature: add threat to event definition

feature: add properties to threat

feature: add name to threat

refactor: extract threat.proto

2023-12-13

chore(api): fix typo

feature(api): add data source grpc service

2023-10-30

chore(signatures): remove outdated and broken celsig support

2023-10-06

fix: use new api module commit: 2ada83fc9 (main), backport [backport] Types version updates together with the commit were removed.

fix: add api root dir commit: f3bc7d1e9 (main), cherry-pick

fix: parse arguments base on the value type commit: 7a240c442 (main), backport [backport] There was a types version update together with this commit that was removed in the release branch. The types version change should have their own commit (as the release branch might use a different types version).

fix: add missing types commit: 782fb4d72 (main), cherry-pick

fix: add path to executable (#3542) commit: f7e7a2026 (main), cherry-pick

fix: add path to executable commit: 2eca675f4 (main), cherry-pick

fix: use new api module

fix: add api root dir

fix: parse arguments base on the value type

fix: add missing types

2023-10-03

fix: add path to executable (#3542)

fix: add path to executable

2023-09-27

fix: fix tactic, and int32_array names

fix: fix Threat proto

fix: make types uniform with wrappers

fix: fix uint and string types

2023-09-26

feat(types): add thread entity id to protobuf As it is now available, add the thread entity id to the protobuf.

2023-09-25

feat: add event_data to event proto

2023-09-23

fix: stackaddress needs to have symbol name

2023-09-20

feat: add StreamEvents rpc

feat: Add new event structure

2023-09-19

fix: remove params from event definition proto

2023-09-18

feat: add enable/disable event rpc

2023-09-12

feat: add version proto

2023-09-07

feat: add EventDefinition proto

feat: add GetEventDefinition rpc call

2023-08-23

fix: log level should match zap log priority

2023-08-17

fix(protobuf): tracee.proto go_package

feat: add diagnostic rpc

2023-08-16

feat: add tracee rpc service Adds tracee rpc service with a first endpoint to return tracee's version

2023-03-27

go.mod: bump types Bump includes Container and Kubernetes context seperation in `trace.Event`. Apply the change across the codebase.

2023-02-20

refactor: rules renamed to signatures (#2715)

2022-07-14

go-cel: adjust comments and add mode_t to wrapper

2022-06-30

tracee-rules: introduce CEL signatures (#1766) This patch introduces new type of Tracee-Rules signatures that can be written as Common Expression Language (CEL). This feature is enabled by placing CEL signature definition files (.cel, .yaml, .yml) in the the --rules-dir directory. Sample definition files can be found in the pkg/rules/celsig/testdata/rules/ directory. The following snippet shows how you define the Anti-Debugging signature using CEL: # pkg/rules/celsig/testdata/rules/anti_debugging_ptraceme.yml kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: "Severity": 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' You can use the following commands to compile Tracee and load CEL-2, CEL-5, and CEL-12 signatures from pkg/rules/celsig/testdata/rules/anti_debuggin_ptraceme.yml and pkg/rules/celsig/testdata/rules/signatures.yaml. vagrant up && vagrant ssh make cp -v pkg/rules/celsig/testdata/rules/*.y*ml dist/rules sudo ./dist/tracee-ebpf \ --output=format:gob \ --output=option:parse-arguments \ | ./dist/tracee-rules \ --input-tracee=file:stdin \ --input-tracee=format:gob Notice that CEL-2, CEL-5, and CEL-12 correspond to TRC-2, TRC-5, and TRC-12 signatures written as OPA Rego policies. With Helm installer you can define CEL signatures in Helm values.yaml as follows: # deploy/helm/tracee/values.yaml signatures: # config defines Common Expression Language (CEL) signatures that are loaded # by Tracee-Rules from the --rules-dir directory. If the config object is not # empty, the configuration file is automatically mounted at # /tracee/rules/signatures.yaml. config: kind: SignaturesConfig apiVersion: tracee.aquasecurity.github.io/v1alpha1 signatures: - metadata: id: "CEL-2" version: "0.1.0" name: "Anti-Debugging" tags: - "linux" - "containers" properties: Severity: 3 "MITRE ATT&CK": "Defense Evasion: Execution Guardrails" eventSelectors: - source: tracee name: ptrace expression: |- input.eventName == 'ptrace' && input.stringArg('request') == 'PTRACE_TRACEME' Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>