chore(docs): rename args to data

aquasecurity · May 27, 2024 · 61244d8 · 61244d8
1 parent 656eb97
commit 61244d8
Show file tree

Hide file tree

Showing 12 changed files with 34 additions and 32 deletions.
diff --git a/docs/docs/advanced/data-sources/builtin/process-tree.md b/docs/docs/advanced/data-sources/builtin/process-tree.md
@@ -10,7 +10,7 @@ To switch on the `Process Tree` feature, run the command:
 sudo tracee --output option:sort-events --output json --output option:parse-arguments --proctree source=both --events <event_type>
 ```
 
-The underlying structure is populated using the core `sched_process_fork`, `sched_process_exec`, and `sched_process_exit` events and their args. There's also an option to bootstrap the process tree through a secondary route using internal signal events.
+The underlying structure is populated using the core `sched_process_fork`, `sched_process_exec`, and `sched_process_exit` events and their data. There's also an option to bootstrap the process tree through a secondary route using internal signal events.
 
 > Introducing this secondary event source is strategic: it reduces interference with actively traced events, leading to more accurate and granular updates in the process tree.
 

diff --git a/docs/docs/events/builtin/extra/symbols_collision.md b/docs/docs/events/builtin/extra/symbols_collision.md
@@ -34,7 +34,7 @@ Also, used to maintain the cache used by the event for performance improvement.
 Could be used for example to catch collision between a shared object and `libc.so`, overwriting libc symbols:
 
 ```console
-./dist/tracee -e symbols_collision.args.loaded_path=/usr/lib/libc.so.6
+./dist/tracee -e symbols_collision.data.loaded_path=/usr/lib/libc.so.6
 ```
 
 Running this line will give a lot of spam symbols collision, for example collisions of `libc` with `libm`:
@@ -48,13 +48,13 @@ To reduce the spam collisions, we can configure the event to not print the colli
 1. Whitelist the collided symbols:
 
 ```console
-./dist/tracee -e symbols_collision.args.loaded_path=/usr/lib/libc.so.6 -e symbols_collision.args.symbols!=finitel,__signbitf,finite,frexpl,frexp,scalbn,__finite,copysignl,scalbnf,__signbitl,scalbnl,copysign,copysignf,ldexpf,modff,modf,ldexp,ldexpl,finitef,frexpf,__finitel,modfl,__finitef,__signbit
+./dist/tracee -e symbols_collision.data.loaded_path=/usr/lib/libc.so.6 -e symbols_collision.data.symbols!=finitel,__signbitf,finite,frexpl,frexp,scalbn,__finite,copysignl,scalbnf,__signbitl,scalbnl,copysign,copysignf,ldexpf,modff,modf,ldexp,ldexpl,finitef,frexpf,__finitel,modfl,__finitef,__signbit
 ```
 
 2. Whitelist the library `libm`:
 
 ```console
-./dist/tracee -e symbols_collision.args.loaded_path=/usr/lib/libc.so.6 -e symbols_collision.args.collision_path!=/usr/lib/libm.so.6
+./dist/tracee -e symbols_collision.data.loaded_path=/usr/lib/libc.so.6 -e symbols_collision.data.collision_path!=/usr/lib/libm.so.6
 ```
 
 The first approach is recommended when dealing with common symbols like 'setup_', 'finish_' etc. because it will reduce

diff --git a/docs/docs/events/builtin/extra/symbols_loaded.md b/docs/docs/events/builtin/extra/symbols_loaded.md
@@ -40,7 +40,7 @@ To catch SO which tries to override the `fopen` function of `libc`, we can use t
 the following way:
 
 ```console
-./dist/tracee -e symbols_loaded.args.symbols=fopen -e symbols_loaded.args.library_path!=libc
+./dist/tracee -e symbols_loaded.data.symbols=fopen -e symbols_loaded.data.library_path!=libc
 ```
 
 ## Issues

diff --git a/docs/docs/events/builtin/network/index.md b/docs/docs/events/builtin/network/index.md
@@ -28,7 +28,7 @@ activity in common protocols.
 Trace all TCP packets sent to port 80 anywhere, from any process:
 
 ```console
-tracee --output json --events net_packet_tcp.args.dst_port=80
+tracee --output json --events net_packet_tcp.data.dst_port=80
 ```
 
 ```json
@@ -41,7 +41,7 @@ tracee --output json --events net_packet_tcp.args.dst_port=80
 Trace all DNS packets received ONLY from Google DNS server '8.8.8.8':
 
 ```console
-tracee --output json --events net_packet_dns.args.src=8.8.8.8
+tracee --output json --events net_packet_dns.data.src=8.8.8.8
 
 ```
 

diff --git a/docs/docs/events/builtin/network/net_packet_ipv4.md b/docs/docs/events/builtin/network/net_packet_ipv4.md
@@ -49,7 +49,7 @@ fields`.
 Example:
 
 ``` console
-tracee --output json --events net_packet_ipv4 --events net_packet_ipv4.args.src=10.10.11.2
+tracee --output json --events net_packet_ipv4 --events net_packet_ipv4.data.src=10.10.11.2
 ```
 
 ```json

diff --git a/docs/docs/events/builtin/network/net_packet_tcp.md b/docs/docs/events/builtin/network/net_packet_tcp.md
@@ -62,7 +62,7 @@ for the default run"). As arguments for this event you will find: `src`, `dst`,
 Example:
 
 ```console
-tracee --output json --events net_packet_tcp --events net_packet_tcp.args.src=fd12:3456:789a::2
+tracee --output json --events net_packet_tcp --events net_packet_tcp.data.src=fd12:3456:789a::2
 ```
 
 ```json

diff --git a/docs/docs/events/builtin/network/net_packet_udp.md b/docs/docs/events/builtin/network/net_packet_udp.md
@@ -35,7 +35,7 @@ for the default run"). As arguments for this event you will find: `src`, `dst`,
 Example:
 
 ```console
-tracee --output json --events net_packet_udp --events net_packet_udp.args.src=fd12:3456:789a::2
+tracee --output json --events net_packet_udp --events net_packet_udp.data.src=fd12:3456:789a::2
 ```
 
 ```json

diff --git a/docs/docs/flags/events.1.md b/docs/docs/flags/events.1.md
@@ -2,7 +2,7 @@
 title: TRACEE-EVENTS
 section: 1
 header: Tracee Events Flag Manual
-date: 2023/10
+date: 2024/05
 ...
 
 ## NAME
@@ -11,7 +11,7 @@ tracee **\-\-events** - Select which events to trace
 
 ## SYNOPSIS
 
-tracee **\-\-events** [<event-name1(,[-]event-name2...)\> | <[-]event-name1(,set1...)\> | <set1(,[-]event-name1,[-]event-name2...)\> | <event1.args.arg-field[=|!=]value\> | <event1.retval[=|!=|<|\>|<=|\>=]value\> | <event1.scope.field[=|!=|<|\>|<=|\>=]value\> | <event.scope.container\>] ...
+tracee **\-\-events** [<event-name1(,[-]event-name2...)\> | <[-]event-name1(,set1...)\> | <set1(,[-]event-name1,[-]event-name2...)\> | <event1.data.data-field[=|!=]value\> | <event1.retval[=|!=|<|\>|<=|\>=]value\> | <event1.scope.field[=|!=|<|\>|<=|\>=]value\> | <event.scope.container\>] ...
 
 ## DESCRIPTION
 
@@ -21,7 +21,7 @@ The **\-\-events** flag allows you to select which events to trace by defining f
 
 - Event or set name: Select specific events using 'event-name1,event-name2...' or predefined event sets using 'event_set_name1,event_set_name2...'. To exclude events, prepend the event name with a dash '-': '-event-name'.
 
-- Event arguments: Filter events based on their arguments using 'event-name.args.event_arg'. The event argument expression follows the syntax of a string expression.
+- Event data: Filter events based on their data using 'event-name.data.event_data'. The event data expression follows the syntax of a string expression.
 
 - Event return value: Filter events based on their return value using 'event-name.retval'. The event return value expression follows the syntax of a numerical expression.
 
@@ -101,25 +101,25 @@ Available only for:
 - To trace only 'close' events that have 'fd' equal to 5, use the following flag:
 
   ```console
-  --events close.args.fd=5
+  --events close.data.fd=5
   ```
 
 - To trace only 'openat' events that have 'pathname' prefixed by '/tmp', use the following flag:
 
   ```console
-  --events openat.args.pathname='/tmp*'
+  --events openat.data.pathname='/tmp*'
   ```
 
 - To trace only 'openat' events that have 'pathname' suffixed by 'shadow', use the following flag:
 
   ```console
-  --events openat.args.pathname='*shadow'
+  --events openat.data.pathname='*shadow'
   ```
 
 - To exclude 'openat' events that have 'pathname' equal to '/tmp/1' or '/bin/ls', use the following flag:
 
   ```console
-  --events openat.args.pathname!=/tmp/1,/bin/ls
+  --events openat.data.pathname!=/tmp/1,/bin/ls
   ```
 
 - To trace only 'openat' events that have 'processName' equal to 'ls', use the following flag:

diff --git a/docs/docs/policies/index.md b/docs/docs/policies/index.md
@@ -20,10 +20,10 @@ spec:
 	  - event: dropped_executable
 	  - event: security_file_open
 	    filters:
-		- args.pathname=/tmp/*
+		- data.pathname=/tmp/*
 ```
 
-This policy applies to any workload (`global`) and will log the `dropped_executable`, and `security_file_open` events. An argument filter (`args.pathname`) is set on the `security_file_open` event to log only files which were opened from the `/tmp` directory.
+This policy applies to any workload (`global`) and will log the `dropped_executable`, and `security_file_open` events. A data filter (`data.pathname`) is set on the `security_file_open` event to log only files which were opened from the `/tmp` directory.
 
 !!! Note TODO
     Note that currently each event type can only be defined once in a policy

diff --git a/docs/docs/policies/rules.md b/docs/docs/policies/rules.md
@@ -256,10 +256,12 @@ spec:
 	rules:
 	    event: security_file_open
 	    filters:
-		- args.pathname=/tmp*
+		- data.pathname=/tmp*
 ```
 
-Arguments can be found on the respective event definition, in this case [security_file_open](https://github.com/aquasecurity/tracee/blob/main/pkg/events/events.goL5293-L529), or the user can test the event output in CLI before defining a policy, e.g:
+Data fields can be found on the respective event definition, in this case [security_file_open](https://github.com/aquasecurity/tracee/blob/656eb976fbb66aba54c5f306019258e436d4814a/pkg/events/core.go#L11502-L11533) - be aware of possible changes to the definition linked above, so always check the main branch.
+
+ Or the user can test the event output in CLI before defining a policy, e.g:
 
 ```console
 tracee -e security_file_open --output json

diff --git a/docs/docs/policies/usage/cli.md b/docs/docs/policies/usage/cli.md
@@ -151,7 +151,7 @@ spec:
     - event: openat
       filters:
         - comm=cat
-        - args.pathname=/tmp*
+        - data.pathname=/tmp*
     # trace all container creations and removals
     - event: container_create
     - event: container_remove

diff --git a/docs/man/events.1 b/docs/man/events.1
@@ -24,10 +24,10 @@ tracee \f[B]--events\f[R] - Select which events to trace
 tracee \f[B]--events\f[R] [<event-name1(,[-]event-name2\&...)> |
 <[-]event-name1(,set1\&...)> |
 <set1(,[-]event-name1,[-]event-name2\&...)> |
-<event1.args.arg-field[=|!=]value> |
+<event1.data.data-field[=|!=]value> |
 <event1.retval[=|!=|<|>|<=|>=]value> |
-<event1.scope.scope-field[=|!=|<|>|<=|>=]value> |
-<event.scope.container>] \&...
+<event1.scope.field[=|!=|<|>|<=|>=]value> | <event.scope.container>]
+\&...
 .SS DESCRIPTION
 .PP
 The \f[B]--events\f[R] flag allows you to select which events to trace
@@ -40,9 +40,9 @@ Event or set name: Select specific events using
 To exclude events, prepend the event name with a dash `-':
 `-event-name'.
 .IP \[bu] 2
-Event arguments: Filter events based on their arguments using
-`event-name.args.event_arg'.
-The event argument expression follows the syntax of a string expression.
+Event data: Filter events based on their data using
+`event-name.data.event_data'.
+The event data expression follows the syntax of a string expression.
 .IP \[bu] 2
 Event return value: Filter events based on their return value using
 `event-name.retval'.
@@ -158,7 +158,7 @@ following flag:
 .IP
 .nf
 \f[C]
---events close.args.fd=5
+--events close.data.fd=5
 \f[R]
 .fi
 .RE
@@ -169,7 +169,7 @@ use the following flag:
 .IP
 .nf
 \f[C]
---events openat.args.pathname=\[aq]/tmp*\[aq]
+--events openat.data.pathname=\[aq]/tmp*\[aq]
 \f[R]
 .fi
 .RE
@@ -180,7 +180,7 @@ use the following flag:
 .IP
 .nf
 \f[C]
---events openat.args.pathname=\[aq]*shadow\[aq]
+--events openat.data.pathname=\[aq]*shadow\[aq]
 \f[R]
 .fi
 .RE
@@ -191,7 +191,7 @@ To exclude `openat' events that have `pathname' equal to `/tmp/1' or
 .IP
 .nf
 \f[C]
---events openat.args.pathname!=/tmp/1,/bin/ls
+--events openat.data.pathname!=/tmp/1,/bin/ls
 \f[R]
 .fi
 .RE