Adding category for each event

[AsafEitani]

Adding a category could enable users to better understand the meaning of each syscall that's being logged by tracee.
It will also help analysts to produce easier queries and perform more advanced analysis (like get all the execve calls that weren't followed by a security_bprm_check)

Another issue that this might solve is delayed returned values from execve. at the moment tracee-ebf logs failed execve events twice:

1. When the syscall is called - with all of it's parameters and 0 returnValue
2. When the syscall returns - with empty args and a real returnValue

By adding categories we will be able to categorize those failure events to "Failed syscalls" category - thus enabling for cleaner queries over successful executions and querying for any failed execution will be as easy as filtering the category.

Categories could range from Execution to Connections and even Misc for syscalls that won't fit in any other category.

[yanivagman]

@AsafEitani Have you tried using the tracee sets?
Just list the events with --list to see the available sets, then start tracee with -t set=some_set.

Filtering failed events is also possible using tracee filters. Use --filter help for more info about this.

[AsafEitani]

@yanivagman Maybe we could leverage sets but I think we need to add a couple, for example security_bprm_check is not flagged as execution. Also the meaning of adding categorization is to add a field to each event with it's category (sorry that wasn't so clear from my initial issue)

By filtering I mainly ment in a later date via Splunk\elasticsearch. Adding that field would make it much easier.

[yanivagman]

You can have a look at the existing sets and suggest new ones.

About the filtering - I don't see something that we can take from here to tracee-ebpf, unless I misunderstood you.

For later use of the events, maybe a rule can be added to tracee-rules to locally add a tag?