Merge pull request #657 from aquasecurity/docs-small-fixes
Small fixes for documentation
grantseltzer committed Mar 31, 2021
2 parents 50a6940 + 1092871 commit 69b576e
Showing 17 changed files with 27 additions and 24 deletions.
2 changes: 1 addition & 1 deletion Readme.md
@@ -1,4 +1,4 @@
![Tracee Logo](images/tracee.png)
![Tracee Logo](docs/images/tracee.png)

[![GitHub release (latest by date)](https://img.shields.io/github/v/release/aquasecurity/tracee)](https://github.com/aquasecurity/tracee/releases)
[![Go Report Card](https://goreportcard.com/badge/github.com/aquasecurity/tracee)](https://goreportcard.com/report/github.com/aquasecurity/tracee)
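Review bot: the new logo path `docs/images/tracee.png` should be checked against what this PR actually moves: the only image changes named in the diff are the added `docs/images/tracee_logo_only.png` and the removed `images/tracee.png`, while the three "File renamed without changes" entries are unnamed. If `docs/images/tracee.png` is not one of those renames, the README image breaks. Keeping the README and `mkdocs.yml` both pointing into `docs/images/` is the right call, since the README resolves paths from the repository root and `mkdocs.yml` resolves them from `docs/`.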
File renamed without changes.
2 changes: 1 addition & 1 deletion docs/config.md
@@ -1,3 +1,3 @@
# Configuration Options

Rules are discovered from the local `rules` directory (unless changed by the `--rules-dir` flag). By default, all discovered rules will be loaded unless specific rules are selected using the `--rules` flag.
By default, rules are discovered from the `rules` directory next to the `tracee-rules` executable binary (you can specify a different location with the `--rules-dir` flag). By default, all discovered rules will be loaded unless specific rules are selected using the `--rules` flag.
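Review bot: the rewritten line opens two consecutive sentences with "By default"; drop the first one, e.g. "Rules are discovered from the `rules` directory next to the `tracee-rules` executable (you can specify a different location with the `--rules-dir` flag)." Also "executable binary" is redundant; either word alone reads better.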
2 changes: 1 addition & 1 deletion docs/faq.md
Expand Up @@ -2,4 +2,4 @@

## Secure tracing

When Tracee-eBPF reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provide "LSM" (Linux Security Module) based events, for example, the `bprm_check` event which can be reported by Tracee and cross-referenced with the reported regular syscall event.
When Tracee-eBPF reads information from user programs it is subject to a race condition where the user program might be able to change the arguments after Tracee has read them. For example, a program invoked `execve("/bin/ls", NULL, 0)`, Tracee picked that up and will report that, then the program changed the first argument from `/bin/ls` to `/bin/bash`, and this is what the kernel will execute. To mitigate this, Tracee also provides "LSM" (Linux Security Module) based events, for example, the `bprm_check` event which can be reported by Tracee and cross-referenced with the reported regular syscall event.
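Review bot: beyond the `provide` → `provides` fix, the paragraph would be clearer if it named what it describes: a time-of-check to time-of-use race on arguments that are read from user memory at syscall entry, which is exactly why the LSM-based `bprm_check` event is presented as the cross-check for what the kernel actually executes. Nit: the example `execve("/bin/ls", NULL, 0)` writes one null pointer as `NULL` and the other as `0`; use `NULL` for both.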
File renamed without changes
Binary file added docs/images/tracee_logo_only.png
6 changes: 3 additions & 3 deletions docs/index.md
Expand Up @@ -7,11 +7,11 @@

# Tracee: Runtime Security and Forensics using eBPF

Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns. It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a pre-defined set of behavioral patterns.
Tracee is a Runtime Security and forensics tool for Linux. It is using Linux eBPF technology to trace your system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns. It is delivered as a Docker image that monitors the OS and detects suspicious behavior based on a predefined set of behavioral patterns.

## Quickstart

Before you proceed, make sure you follow the [minimum requirements for running Tracee](https://aquasecurity.github.io/tracee/install/prerequisites.md).
Before you proceed, make sure you follow the [minimum requirements for running Tracee](install/prerequisites.md).

```bash
docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest
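Review bot: the context line above still reads "It is using Linux eBPF technology"; since this PR is polishing wording on this very page, "It uses Linux eBPF technology" belongs in the same change. Switching from absolute `https://aquasecurity.github.io/tracee/...` URLs to relative `install/prerequisites.md` links is the right direction, but note that the other pages touched in this PR use extensionless paths (`../headers`, `../ebpf-compilation`); pick one style, preferably the `.md` form, which mkdocs can validate.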
Expand All @@ -20,7 +20,7 @@ docker run --name tracee --rm --privileged -v /lib/modules/:/lib/modules/:ro -v
This will run Tracee with default settings and start reporting detections to standard output.
In order to simulate a suspicious behavior, you can run `strace ls` in another terminal, which will trigger the "Anti-Debugging" signature, which is loaded by default.

> Note: You may need to change the volume mounts for the kernel headers based on your setup. See [Linux Headers](https://aquasecurity.github.io/tracee/install/headers.md) section for more info.
> Note: You may need to change the volume mounts for the kernel headers based on your setup. See [Linux Headers](install/headers.md) section for more info.
## Trace

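Review bot: the note blockquote is immediately followed by `## Trace` with no blank line between them; add one so the quote is closed before the heading in every renderer. Minor: "See [Linux Headers](install/headers.md) section" → "See the [Linux Headers](install/headers.md) section".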
2 changes: 1 addition & 1 deletion docs/install/ebpf-compilation.md
@@ -1,4 +1,4 @@
# eBPF Program
# eBPF Compilation

Tracee is leveraging Linux's eBPF technology, which is kernel and version sensitive. Therefore, Tracee's eBPF component needs to be specifically compiled for your hosts.

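Review bot: with the title now "eBPF Compilation", the link text "Setup Options" that `docs/install/prerequisites.md` uses for this page elsewhere in this PR no longer matches and should be updated together with it. The context sentence "compiled for your hosts" would be clearer as "compiled for your host's kernel", given that the same sentence says eBPF is kernel-version sensitive.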
2 changes: 1 addition & 1 deletion docs/install/headers.md
Expand Up @@ -7,6 +7,6 @@ In order to compile the eBPF program, Tracee needs some of the Linux kernel head

Normally the files will be installed in `/lib/modules/${kernel_version}/build` which is where Tracee expects them. If you have the headers elsewhere, you can set the `KERN_HEADERS` environment variable with the correct location.

> Note that it's important that the kernel headers match the exact version of kernel you are running. To check the current kernel version, run the command `uname -r`. To install a specific kernel headers version append the version to the package name: `linux-headers-$(uname -r)`.
> Note that it's important that the kernel headers match the exact version of the kernel you are running. To check the current kernel version, run the command `uname -r`. To install a specific kernel headers version append the version to the package name: `linux-headers-$(uname -r)`.
> Note that more often than not the kernel headers files contains filesystem links to other files in other directories. Therefore, when passing the kernel headers to Tracee docker container, make sure all the necessary directories are mounted. This is why the quickstart example mounts `/usr/src` in addition to `/lib/modules`.
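Review bot: the untouched second note has two grammar slips in the same register as the fix above: "the kernel headers files contains filesystem links" → "the kernel header files contain symlinks", and "to Tracee docker container" → "to the Tracee Docker container". Also, `linux-headers-$(uname -r)` is the Debian/Ubuntu package name; on RPM-based distributions the equivalent is `kernel-devel`, so either say so or label the example as Debian/Ubuntu.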
10 changes: 5 additions & 5 deletions docs/install/prerequisites.md
@@ -1,19 +1,19 @@
# Prerequisites

- Linux kernel version >= 4.18
- Linux kernel headers available under conventional location (see [Linux Headers](#TODO) section for more info)
- libc, and the libraries: libelf, zlib
- Linux kernel headers available under conventional location (see [Linux Headers](../headers) section for more info)
- libc, and the libraries: libelf, zlib, libbpf
- GNU Make >= 4.3
- clang >= 9

Exceptions:

- Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are not required at runtime, but only for the one-time compilation of the eBPF program. See [Setup Options](TODO) for more info.
- When using Tracee's Docker image, all of the tooling is built into the image. The only requirement left is the kernel headers or the pre-built eBPF artifact. See [Setup Options](TODO) for more info.
- Tracee supports loading a pre-compiled eBPF file, in which case the kernel headers are not required at runtime, but only for the one-time compilation of the eBPF program. See [Setup Options](../ebpf-compilation) for more info.
- When using Tracee's Docker image, all of the tooling is built into the image. The only requirement left is the kernel headers or the pre-built eBPF artifact. See [Setup Options](../ebpf-compilation) for more info.

# Permissions

For using the eBPF Linux sub-system, Tracee needs to run with sufficient capabilities:
For using the eBPF Linux subsystem, Tracee needs to run with sufficient capabilities:
- `CAP_SYS_RESOURCE` (to manage eBPF maps limits)
- `CAP_BPF`+`CAP_TRACING` which are available on recent kernels (>=5.8), or `SYS_ADMIN` on older kernels (to load and attach the eBPF programs).

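Review bot: the capability list in the unchanged context lines needs correcting while this page is being touched: `CAP_TRACING` was never merged into mainline; kernel 5.8 added `CAP_BPF` and `CAP_PERFMON`, and tracing programs need the latter. The fallback should also be written `CAP_SYS_ADMIN`, not `SYS_ADMIN`, so readers grant exactly the named capability rather than something broader. On the changed lines: adding `libbpf` to the library list is correct; the `[Setup Options](../ebpf-compilation)` link text should follow that page's new title "eBPF Compilation"; and "under conventional location" → "under the conventional location".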
4 changes: 2 additions & 2 deletions docs/integrations.md
@@ -1,6 +1,6 @@
# Integrations

When a detection is made by any of the signatures, it will always be printed to stdout. You can customize the output format using gotemplate:
When a detection is made by any of the signatures, it will always be printed to stdout. You can customize the output format using a [go template](https://golang.org/pkg/text/template/):

```bash
tracee-rules --output-template /path/to/my.tmpl
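Review bot: "a [go template]" should be "a [Go template]" to match the capitalised "Go template" used a few lines further down in the same file. Linking to the `text/template` package documentation is a good addition.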
Expand All @@ -25,6 +25,6 @@ type Finding struct {
}
```

Additionally, the Go template can use utility functions from [Sprig ](http://masterminds.github.io/sprig/).
Additionally, the Go template can use utility functions from [Sprig](http://masterminds.github.io/sprig/).

For example templates, see [tracee/tracee-rules/templates](https://github.com/aquasecurity/tracee/tree/main/tracee-rules/templates).
2 changes: 1 addition & 1 deletion docs/rules-authoring.md
Expand Up @@ -7,7 +7,7 @@ Create a `.rego` file in the rules directory that has the following Rego Rules (

1. `__rego_metadoc__`: A *document* rule that defines the rule's metadata.
2. `tracee_selected_events`: A *set* rule that defines the event selectors.
3. `tracee_match`: A *boolean* or a *document* rule that defines the logic of the signature. If bool is "returned", a true evaluation will generate a Finding with no data if document is "returned", any non-empty evaluation will generate a Finding with the returned document as the Finding's "Data".
3. `tracee_match`: A *boolean* or a *document* rule that defines the logic of the signature. If bool is "returned", a true evaluation will generate a Finding with no data. If a document is "returned", any non-empty evaluation will generate a Finding with the returned document as the Finding's "Data".

See [tracee/tracee-rules/signatures/rego/examples](https://github.com/aquasecurity/tracee/tree/main/tracee-rules/signatures/rego/examples) for example Rego signatures.

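Review bot: splitting the run-on into two sentences fixes the meaning; for parallelism make the two conditions match as well: "If a boolean is returned, a true evaluation generates a Finding with no data. If a document is returned, any non-empty evaluation generates a Finding with the returned document as its Data." The scare quotes around "returned" can go, since Rego rules do produce values.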
8 changes: 5 additions & 3 deletions docs/rules-index.md
@@ -1,13 +1,15 @@
# Available Rules

To view the list of available rules, run Tracee with the `--list` flag.

We are currently working on creating a library of behavioral signature detections. Currently, the following are available:

Name | Description | Tags
--- | --- | --- |
| Name | Description | Tags
| --- | --- | --- |
Standard Input/Output Over Socket | Redirection of process's standard input/output to socket | "linux", "container"
Anti-Debugging | Process uses anti-debugging technique to block debugger | "linux", "container"
Code injection | Possible code injection into another process | "linux", "container"
Dynamic Code Loading | Writing to executable allocated memory region | "linux", "container"
Fileless Execution | Executing a precess from memory, without a file in the disk | "linux", "container"
Fileless Execution | Executing a process from memory, without a file in the disk | "linux", "container"
kernel module loading | Attempt to load a kernel module detection | "linux", "container"
LD_PRELOAD | Usage of LD_PRELOAD to allow hooks on process | "linux", "container"
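Review bot: adding leading pipes to the header and separator rows while leaving every data row without them is inconsistent; either add `|` to all rows or to none (the original form renders fine in Python-Markdown's tables extension). While here: the Name column mixes capitalisation ("kernel module loading", "Code injection" versus "Dynamic Code Loading"), "without a file in the disk" should be "without a file on disk", and the Tags column values are quoted strings that would read better as plain `linux, container`.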
2 changes: 1 addition & 1 deletion docs/tracee-ebpf/index.md
Expand Up @@ -6,7 +6,7 @@ In some cases, you might want to leverage Tracee's eBPF event collection capabil

## Getting Started

Before you proceed, make sure you follow the [minimum requirements for running Tracee](TODO).
Before you proceed, make sure you follow the [minimum requirements for running Tracee](../../install/prerequisites).

You can obtain Tracee-eBPF in any of the following ways:
1. Download from the [GitHub Releases](https://github.com/aquasecurity/tracee/releases) (`tracee.tar.gz`).
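Review bot: `../../install/prerequisites` climbs two levels from `docs/tracee-ebpf/index.md`, i.e. out of `docs/`; the sibling directory is reached with `../install/prerequisites` (or `../install/prerequisites.md`, matching the style used in `docs/index.md` in this PR, which lets mkdocs validate the target). It only appears to work because a browser clamps `..` at the site root.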
File renamed without changes.
Binary file removed images/tracee.png
9 changes: 5 additions & 4 deletions mkdocs.yml
Expand Up @@ -14,19 +14,20 @@ nav:
- Linux Headers: install/headers.md
- Integrations: integrations.md
- Configuration Options: config.md
- Rules Authoring: rules-authoring.md
- Rules Index: rules-index.md
- Authoring Rules: rules-authoring.md
- Available Rules: rules-index.md
- FAQ: faq.md
- Architecture: architecture.md
- Tracing:
- Getting Started: tracee-ebpf/index.md
- Output Options: tracee-ebpf/output.md
- Trace Options: tracee-ebpf/trace.md
- Trace Options: tracee-ebpf/trace-options.md
- Capturing Artifacts: tracee-ebpf/capture.md

theme:
name: material
language: 'en'
logo: images/tracee.png
logo: images/tracee_logo_only.png

markdown_extensions:
- pymdownx.highlight
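Review bot: `tracee-ebpf/trace-options.md` replaces `tracee-ebpf/trace.md` in the nav, but no file of that name appears by name in this diff; the three "File renamed without changes" entries are unnamed, so confirm one of them is that rename, otherwise mkdocs will fail to resolve the nav entry. The label changes ("Authoring Rules", "Available Rules") match the page headings, and the new `logo:` path matches the added `docs/images/tracee_logo_only.png`.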

0 comments on commit 69b576e