
tracee: add analyze cmd #3101

Merged (1 commit), Jun 27, 2023

Conversation

@josedonizetti josedonizetti (Contributor) commented May 13, 2023

1. Explain what the PR does

Fix #2736

Adds an analyze subcommand. The subcommand only accepts json as input, and only outputs json.

2. Explain how to test it

tracee --filter event=ptrace --output=json:events.json

tracee analyze events.json
tracee analyze --event=anti_debugging events.json
tracee analyze --event=dropped_executable events.json

3. Other comments

This is marked as EXPERIMENT, because the implementation will later change to support datasources. For now this is equivalent to tracee-rules.
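As an added illustration (not code from this PR or from the tracee project), this is what the test steps above exercise, done offline: the anti_debugging signature is replayed over the JSON events file that step 1 records, and matches are emitted as JSON. The event field names (processId, eventName, args with name/value) are assumptions modelled on tracee's JSON output; the match condition, a ptrace call whose request is PTRACE_TRACEME, is the self-check that the --event=anti_debugging run above is meant to surface.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the subset of a tracee JSON event this example reads. The field names are
// assumptions modelled on tracee's output, not the project's own types.
type Event struct {
	ProcessID int                      `json:"processId"`
	EventName string                   `json:"eventName"`
	Args      []map[string]interface{} `json:"args"` // name/value objects; values may be strings or numbers
}

// antiDebugging replays the anti_debugging check offline: ptrace(PTRACE_TRACEME) is a process
// asking to be traced by its own parent, the usual "is a debugger already attached?" probe.
func antiDebugging(e Event) (map[string]interface{}, bool) {
	for _, a := range e.Args {
		if e.EventName == "ptrace" && a["name"] == "request" && a["value"] == "PTRACE_TRACEME" {
			return map[string]interface{}{"signature": "anti_debugging", "pid": e.ProcessID}, true
		}
	}
	return nil, false
}

// Analyze walks newline-delimited JSON events (the shape of --output=json:events.json); a malformed line fails the run.
func Analyze(jsonl string) ([]map[string]interface{}, error) {
	var out []map[string]interface{}
	for i, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if f, ok := antiDebugging(e); ok {
			out = append(out, f)
		}
	}
	return out, nil
}

// Constructed sample, not a real capture: a TRACEME self-check that must match, then a debugger's PTRACE_ATTACH that must not.
const sampleEvents = `{"processId":4242,"eventName":"ptrace","args":[{"name":"request","value":"PTRACE_TRACEME"},{"name":"pid","value":0}]}
{"processId":4300,"eventName":"ptrace","args":[{"name":"request","value":"PTRACE_ATTACH"},{"name":"pid","value":4242}]}`
func main() {
	findings, err := Analyze(sampleEvents)
	b, _ := json.Marshal(findings)
	fmt.Println(string(b), err) // [{"pid":4242,"signature":"anti_debugging"}] <nil>
}
```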

@rafaeldtinoco rafaeldtinoco (Contributor) left a comment


LGTM.

NOTE: I think it's ok to have it already included as experimental in the v0.16.0 release as it's orthogonal to any other code and couldn't cause any harm.

@rafaeldtinoco rafaeldtinoco merged commit d9ec9bc into aquasecurity:main Jun 27, 2023
@NDStrahilevitz (Collaborator)

We should add a warning not to rely on data sources when running tracee analyze for now, just to cover that edge case until we resolve it.

@josedonizetti (Contributor, Author)

> We should add a warning not to rely on data sources when running tracee analyze for now, just to cover that edge case until we resolve it.

That makes sense, as it is marked as experimental I expected people to know it will not support everything, but the warning will also help. I'll add it today!

@josedonizetti josedonizetti deleted the add-analyze-cmd branch June 27, 2023 11:47
Successfully merging this pull request may close these issues.

tracee: add subcommand to analyze events in a file