Description
### Tasks
- [ ] Implement `file-write` flag
- [ ] Implement `file-read` flag
- [ ] Implement `executable` flag
- [ ] Implement `kernel-modules` flag
- [ ] Implement `bpf-programs` flags
- [ ] Implement `memory-regions` flags
- [ ] Implement `dir` flags
- [ ] Update configuration file parsing to support the new capture section
- [ ] Document new flag design
- [ ] Test new flag design
The following design describes the CLI flags:
Capture (Deprecated)
```
--capture file-write.enabled=<true/false>
--capture file-write.filters=<filters> (multiple allowed)
--capture file-read.enabled=<true/false>
--capture file-read.filters=<filters> (multiple allowed)
--capture executable.enabled=<true/false>
--capture kernel-modules.enabled=<true/false>
--capture bpf-programs.enabled=<true/false>
--capture memory-regions.enabled=<true/false>
--capture network.enabled=<true/false>
--capture network.pcap=<split_mode>
--capture network.pcap-options=<options>
--capture network.pcap-snaplen=<snaplen>
--capture dir.path=<path> (default: /tmp/tracee)
--capture dir.clear=<true/false> (default: false)
```
The following design describes the `capture` section of the configuration file:
```yaml
capture:
  file-write:
    enabled: false   # Capture written files (default: false)
    filters: ""      # List of filters (can include multiple types)
  file-read:
    enabled: false   # Capture read files (default: false)
    filters: ""      # List of filters (can include multiple types)
  executable:        # Captured executed files
    enabled: false   # Enable capture of executed files (default: false)
  kernel-modules:
    enabled: false   # Capture loaded kernel modules (default: false)
  bpf-programs:
    enabled: false   # Capture loaded BPF programs (default: false)
  memory-regions:
    enabled: false   # Capture memory regions with changed protection (default: false)
  network:
    enabled: false         # Enable network capture (default: false)
    pcap: ""               # How pcap files are split (process, command, container) (default: none)
    pcap-options: "none"   # none or filtered (default: none)
    pcap-snaplen: "headers" # max, headers or size (default: headers)
  dir:
    clear: false     # Clear the captured artifacts output dir before starting
    path: ""         # Path where tracee will save produced artifacts
```
### Implementation Notes
- Multiple values: ensure the implementation correctly handles the flags marked "multiple allowed" above (the `file-write.filters` and `file-read.filters` flags), accumulating every occurrence instead of keeping only the last one.
- Regular expressions: implement proper parsing and handling of regular expressions in filter flags.
- Capture value validation: validate every capture value against its allowed set (`true`/`false` for the `enabled` and `dir.clear` switches; the listed split modes, options and snaplen values for the `network.pcap*` settings) and reject anything else with a clear error.
- Configuration merging: define how CLI flags and configuration file settings are merged, with CLI flags overriding the corresponding config file values.
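One way to realise these notes, as an added example that is not Tracee's own code: a small Go parser for the `--capture key=value` flag values (with the permitted enumerated values taken from the config comments above) and a merge step in which CLI values override the file's values. The key table, `ParseCaptureFlags` and `MergeCapture` are assumed names for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Keys from the flag design above; only the two ".filters" keys may be repeated.
var knownKeys = map[string]bool{
	"file-write.enabled": true, "file-write.filters": true, "file-read.enabled": true, "file-read.filters": true,
	"executable.enabled": true, "kernel-modules.enabled": true, "bpf-programs.enabled": true, "memory-regions.enabled": true,
	"network.enabled": true, "network.pcap": true, "network.pcap-options": true, "network.pcap-snaplen": true, "dir.path": true, "dir.clear": true,
}
// Permitted values for the enumerated network options, from the config comments above.
var enumValues = map[string]map[string]bool{
	"network.pcap":         {"process": true, "command": true, "container": true},
	"network.pcap-options": {"none": true, "filtered": true},
	"network.pcap-snaplen": {"max": true, "headers": true, "size": true},
}

// ParseCaptureFlags turns repeated "--capture key=value" values into a key -> values map, rejecting unknown keys, non-boolean switches, bad enum values and repeated single-valued keys.
func ParseCaptureFlags(args []string) (map[string][]string, error) {
	out := map[string][]string{}
	for _, a := range args {
		key, val, ok := strings.Cut(a, "=")
		if !ok || !knownKeys[key] {
			return nil, fmt.Errorf("bad capture flag %q", a)
		}
		if _, err := strconv.ParseBool(val); err != nil && (strings.HasSuffix(key, ".enabled") || key == "dir.clear") {
			return nil, fmt.Errorf("%s: want true/false, got %q", key, val)
		}
		if vals, isEnum := enumValues[key]; isEnum && !vals[val] {
			return nil, fmt.Errorf("%s: %q is not an allowed value", key, val)
		}
		if len(out[key]) > 0 && !strings.HasSuffix(key, ".filters") {
			return nil, fmt.Errorf("%s given more than once", key)
		}
		out[key] = append(out[key], val) // filters accumulate, everything else is set once
	}
	return out, nil
}

// MergeCapture overlays parsed CLI values on config-file values in place: a key set on the CLI replaces that key from the file entirely, filters included.
func MergeCapture(file, cli map[string][]string) map[string][]string {
	for k, v := range cli {
		file[k] = v
	}
	return file
}
```

Filter strings are kept verbatim here; compiling them as regular expressions (the second note) would be the next step on top of this parser.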