
Introduce evt trigger #4414

Merged (2 commits) Apr 1, 2025

Conversation

@geyslan (Member) commented Dec 5, 2024

Close: #4412

1. Explain what the PR does

699b50c chore: add events triggers (scripts)
8db6814 chore(cmd): introduce evt program

8db6814 chore(cmd): introduce evt program

Initially, the evt program is able to trigger events in the system by
the use of the `trigger` command.

2. Explain how to test it

  • Start by getting the flags you should use:
./dist/evt trigger -b -e magic_write
Tracee bypass flags: -s comm!=sh -s comm!=zsh -s comm!=evt -s comm!=magic_write.sh
If running trigger from this shell, also use: -s tree=2937387
  • Now, in another terminal, run Tracee, setting the desired event and adding the provided bypass flags
sudo ./dist/tracee -e magic_write -s comm!=sh -s comm!=zsh -s comm!=evt -s comm!=magic_write.sh -s tree=2937387
  • In the initial shell, trigger magic_write with 2 ops and a 100ns sleep between them
./dist/evt trigger -e magic_write -o 2 -s 100ns
Starting triggering 2 ops with 100ns sleep time at 11:08:03.755370282
Finished triggering 2 ops at 11:08:03.757269405 after 1.899113ms
  • The output of Tracee should be (with your env not generating more noise than expected):
09:59:49:791270  1000   fake-comm
       2995076 2995076 10               magic_write               pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
09:59:49:791293  1000   fake-comm
       2995076 2995076 10               magic_write               pathname: /proc/2995076/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6907030
09:59:49:792101  1000   fake-comm
       2995078 2995078 10               magic_write               pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277
09:59:49:792120  1000   fake-comm
       2995078 2995078 10               magic_write               pathname: /proc/2995078/comm, bytes: [102 97 107 101 45 99 111 109 109 10], dev: 22, inode: 6911277

You can notice that it generated 4 magic_writes (which is OK: 2 ops * 2 expected); to understand it, see:

Explanation about the bypass and estimation:
https://github.com/aquasecurity/tracee/pull/4414/files#diff-1664c0263b4c71b676102bd64079e88b4c15b8bed815b5b76afac20b7121f100R151-R155

magic_write trigger estimation:
https://github.com/aquasecurity/tracee/pull/4414/files#diff-ae44cc6ba58bcc55063526ebf3fb632bf1f5ec14fba3051ea09ff2a5014605c3R5-R8


One can set evt to only start triggering the event after receiving SIGUSR1:

./dist/evt trigger -e magic_write -o 2 -s 100ns -w & sleep 1 && kill -SIGUSR1 $(pgrep -x evt)
[1] 3002960
[trigger:3002960:magic_write] Waiting for start signal SIGUSR1
[trigger:3002960:magic_write] Starting triggering 2 ops with 100ns sleep time at 11:20:16.910878904
[trigger:3002960:magic_write] Finished triggering 2 ops at 11:20:16.912646863 after 1.767949ms
[1]  + done       ./dist/evt trigger -e magic_write -o 2 -s 100ns -w

The wait for the signal will time out after 1 min.

3. Other comments

./dist/evt -h
evt is a simple testing tool that generates events to stress the system

Usage:
  evt [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  help        Help about any command
  trigger     Trigger events to trigger

Flags:
  -h, --help   help for evt

Use "evt [command] --help" for more information about a command.
./dist/evt trigger -h
Trigger events to trigger

Usage:
  evt trigger [flags]

Aliases:
  trigger, t

Flags:
  -b, --bypass-flags                            Print tracee bypass flags
  -e, --event string     <name>...              Select event to trigger
  -h, --help             help for trigger
  -o, --ops int32        <number>...            Number of operations to perform (default 1)
  -s, --sleep duration   <duration>...          Sleep time between operations (default 10ns)
  -w, --wait-signal                             Wait for start signal (SIGUSR1)
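The three behaviours the PR description walks through above (the `-b` bypass flags built from a comm list plus the shell's tree PID, the `-w` start gated on SIGUSR1 with a 1 min timeout, and the ops/sleep trigger loop) are shown below as an added Go example. This is not the PR's code and not Tracee's `cmd/evt` source; `BypassFlags`, `WaitForStart`, `Trigger` and `magicWriteOp` are assumed names. The comm list is the one `evt trigger -b` printed above, the Tracee flags `-s comm!=` and `-s tree=` are the scope filters used on the page, and the only real-system dependency is the write to `/proc/self/comm` in `main`, which is Linux-only.

```go
package main

import (
	"fmt"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"
)

// BypassFlags assembles the Tracee scope flags that keep the trigger's own
// process noise out of the trace, in the shape `evt trigger -b` prints above:
// one `-s comm!=<name>` per process name to exclude, plus `-s tree=<pid>` so
// that only the process tree rooted at the invoking shell is traced.
// A shellPID <= 0 omits the tree filter. (Assumed helper, not evt's code.)
func BypassFlags(excludeComms []string, shellPID int) string {
	flags := make([]string, 0, len(excludeComms)+1)
	for _, comm := range excludeComms {
		flags = append(flags, "-s comm!="+comm)
	}
	if shellPID > 0 {
		flags = append(flags, fmt.Sprintf("-s tree=%d", shellPID))
	}
	return strings.Join(flags, " ")
}

// WaitForStart blocks until a signal arrives on sigCh or timeout elapses.
// It returns true if the start signal was received and false on timeout,
// which is the failure mode the page describes for `-w` (1 min timeout).
func WaitForStart(sigCh <-chan os.Signal, timeout time.Duration) bool {
	timer := time.NewTimer(timeout)
	defer timer.Stop()
	select {
	case <-sigCh:
		return true
	case <-timer.C:
		return false
	}
}

// Trigger runs op `ops` times with `sleep` between consecutive operations and
// returns how many operations completed plus the elapsed wall time. It stops
// at the first failing op so a broken trigger is not silently counted.
func Trigger(ops int, sleep time.Duration, op func() error) (int, time.Duration, error) {
	start := time.Now()
	done := 0
	for i := 0; i < ops; i++ {
		if err := op(); err != nil {
			return done, time.Since(start), fmt.Errorf("op %d: %w", i+1, err)
		}
		done++
		if i < ops-1 {
			time.Sleep(sleep)
		}
	}
	return done, time.Since(start), nil
}

// magicWriteOp reproduces what the page's magic_write.sh does: it overwrites
// /proc/self/comm, a write Tracee reports as a magic_write event. Linux only.
func magicWriteOp() error {
	return os.WriteFile("/proc/self/comm", []byte("fake-comm\n"), 0)
}

func main() {
	// Same comm list as the `-b` output on the page; the tree PID is this
	// process's parent, i.e. the shell that launched it.
	fmt.Println("Tracee bypass flags:",
		BypassFlags([]string{"sh", "zsh", "evt", "magic_write.sh"}, os.Getppid()))

	sigCh := make(chan os.Signal, 1)
	signal.Notify(sigCh, syscall.SIGUSR1)
	defer signal.Stop(sigCh)

	fmt.Printf("Waiting for start signal SIGUSR1 (kill -SIGUSR1 %d)\n", os.Getpid())
	if !WaitForStart(sigCh, time.Minute) {
		fmt.Fprintln(os.Stderr, "timed out waiting for SIGUSR1")
		os.Exit(1)
	}

	n, elapsed, err := Trigger(2, 100*time.Nanosecond, magicWriteOp)
	if err != nil {
		fmt.Fprintln(os.Stderr, "trigger failed:", err)
		os.Exit(1)
	}
	fmt.Printf("Finished triggering %d ops after %s\n", n, elapsed)
}
```

Run it from a shell, start Tracee in another terminal with the printed bypass flags, then send SIGUSR1 to the PID it prints; Tracee should report the magic_write events from the `fake-comm` process, while the shell and the example binary itself stay filtered out by the `comm!=` scope flags.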

@NDStrahilevitz (Collaborator)

Just to note that at first I thought the PR referred to the uprobe triggering mechanism; we may want to rethink one of the names...
Anyway, promising tool.

@geyslan (Member Author) commented Dec 9, 2024

The current idea is to have this new binary evt with two main commands, trigger and stress. The former would only run an underlying script related to a single Tracee event chosen. The latter would accept multiple events or policies, run Tracee first and then, in sequence, the evt trigger itself for each event chosen.

How do you see the name conflicting with uname? What do you suggest then? I'm all ears.

@NDStrahilevitz (Collaborator)

It's just that there is this package:
https://github.com/aquasecurity/tracee/tree/main/pkg/events/trigger
Which conflicts in name. So we need to rename one of them, IMO, since we have the concept of "triggered events (through uprobes)" as a, rather underdeveloped, internal mechanism of tracee.

@geyslan (Member Author) commented Jan 7, 2025

It's just that there is this package: https://github.com/aquasecurity/tracee/tree/main/pkg/events/trigger Which conflicts in name. So we need to rename on of them imo since we have the concept of "triggered events (through uprobes)" as a, rather underdeveloped, internal mechanism of tracee.

I don't think they conflict with each other, perhaps in resemblance only, see:

pkg/events/trigger - pkg
cmd/evt/cmd/trigger - cmd

They're in different hierarchies. Anyway, we might change one or both in the future if it starts to confuse us. 👍🏼

@geyslan force-pushed the evt-trigger branch 4 times, most recently from 5bd63e3 to 892fcc6 on January 10, 2025 14:01
@geyslan geyslan marked this pull request as ready for review January 10, 2025 14:02

@geyslan geyslan requested a review from rscampos February 25, 2025 13:00
@geyslan force-pushed the evt-trigger branch 2 times, most recently from d89241c to b1ffb79 on March 31, 2025 15:36
@geyslan (Member Author) commented Mar 31, 2025

@NDStrahilevitz @rscampos I believe this is ready to merge if you guys don't have anything against it.

geyslan added 2 commits March 31, 2025 14:27
Initially, the evt program is able to trigger events in the system by
the use of the `trigger` command.
@NDStrahilevitz (Collaborator) left a comment

LGTM.
This is arch-specific though, I guess? Different arches (probably even different distros) could result in different event sets being output. This is particularly relevant for the common set, which you reuse across multiple events. Any plans or notes you have on that?

@geyslan (Member Author) commented Apr 1, 2025

This is arch specific though I guess? ... Any plans or notes you have on that?

Yes, it is. We have plans to make triggers run in containers, as we will likely abandon Tracee's tree scope and follow. Then, by pinning the container image versions, we'll certainly have the same set of events.

@geyslan (Member Author) commented Apr 1, 2025

/fast-forward

github-actions bot merged commit 699b50c into aquasecurity:main Apr 1, 2025
41 checks passed
@geyslan deleted the evt-trigger branch April 1, 2025 23:20