
fix(ebpf): disable PrintSyscallTable as default #3562

Closed


geyslan
Member

@geyslan geyslan commented Oct 9, 2023

Close: #3397

1. Explain what the PR does

e91f15a chore: change logger levels to debug
286dff2 fix(ebpf): cancel dependencies of the canceled one
19381ad chore(flags): remove leftover
ab97d72 fix: disable syscall_hooking
2e200fd fix(ebpf): set events to be disabled by default

286dff2 fix(ebpf): cancel dependencies of the canceled one

Context: #3495
https://github.com/aquasecurity/tracee/actions/runs/6475371851/job/17582516454#step:5:42

19381ad chore(flags): remove leftover

After the changes of #3262, at this stage, policies.Map() length is
always greater than 0.

ab97d72 fix: disable syscall_hooking

This is a temporary fix to silence error messages from GKE kernel.

2e200fd fix(ebpf): set events to be disabled by default

EvtsToDisable is a hardcoded map of events (key: string) to be disabled
by default. It allows turning off events that may be causing unwanted
side effects or can't have their ID predicted (e.g. signature events).

If the user sets such an event on the policy, it will be removed from
the list of disabled events and the event will be enabled as usual.

2. Explain how to test it

When setting syscall_hooking, if the symbol AAAsys_call_table is not found, we see the error.

sudo ./dist/tracee -l debug -l filter:pkg=ebpf -s comm=who -e syscall_hooking
{"L":"ERROR","T":"2023-10-16T09:02:20.154-0300","M":"Event canceled because of missing kernel symbol dependency","missing symbols":["AAAsys_call_table"],"event":"print_syscall_table"}
{"L":"ERROR","T":"2023-10-16T09:02:20.154-0300","M":"Event canceled because it depends on an previously canceled event","event":"hooked_syscalls","dependency":"print_syscall_table"}
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
^C

Even with the symbol not found, if syscall_hooking is NOT required by the user, we don't receive the error any more, just a debug log about the disabling.

sudo ./dist/tracee -l debug -l filter:pkg=ebpf -s comm=who                   
{"L":"DEBUG","T":"2023-10-16T09:02:43.476-0300","M":"Event disabled","id":6028,"name":"syscall_hooking","origin":"ebpf:pkg/ebpf/tracee.go:284","calls":"New() < Runner.Run() < glob..func4() < (*Command).execute() < (*Command).ExecuteC() < (*Command).Execute() < Execute() < main()"}
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
^C

3. Other comments

@geyslan
Member Author

geyslan commented Oct 9, 2023

E2E 1173 is ✅.

@geyslan geyslan force-pushed the 3397-disable-print-syscall-table branch from a2e3e66 to 2a8a096 Compare October 16, 2023 12:28

@rafaeldtinoco
Contributor

It's the goimports-reviser. Updated locally, sending changes.

yep, Ori has already complained about this on his tests.

@geyslan
Member Author

geyslan commented Oct 16, 2023

> It's the goimports-reviser. Updated locally, sending changes.
>
> yep, Ori has already complained about this on his tests.

7595b29 solves it.

@rafaeldtinoco
Contributor

@geyslan mind opening a PR solving the imports issue by itself? That's because we can merge it before this PR is merged and solve other failing tests before anything.

@@ -130,6 +139,7 @@ func prepareEventsToTrace(eventFilter eventFilter, eventsNameToID map[string]eve
return nil, InvalidEventExcludeError(name)
}
isExcluded[id] = true
delete(eventsToDisable, name)
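Review bot: the `delete(eventsToDisable, name)` placed right after `isExcluded[id] = true` removes the event from the disable map on the exclude path, and the PR description presents that map as the hard-coded default-disabled set. If the same map instance is handed to prepareEventsToTrace for every policy, a policy that merely excludes a default-disabled event (e.g. syscall_hooking) leaves it enabled for every policy parsed afterwards, which is the opposite of the "removed only when the user sets it on the policy" behaviour the description promises. Suggest either giving each policy its own copy of the map before the filter loop, or deleting the name only on the include path and leaving the exclude path at `isExcluded[id] = true`, and stating the intended per-policy semantics in the function's doc comment.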
Contributor

What if the event in "eventsToDisable" is also used in another policy? You just removed it from the map that is going to be used by the prepareEventsToTrace when the other policy filters are parsed, no? The event could have been excluded in this policy, but maybe not the other? Am I missing something?

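The mechanism described in the PR body above (a default-disabled set such as EvtsToDisable, from which an event is removed once a policy explicitly sets it) and the shared-map concern raised in the review comment on the hunk, as an added example that is not tracee's code. It is a minimal Go model with constructed event names and IDs, a hypothetical Policy type and two hypothetical prepare functions: prepareShared mutates one map the way the hunk's delete does, preparePerPolicy works on a per-policy copy. TracesSyscallHooking runs a policy that excludes syscall_hooking followed by a policy with no filters and reports whether the second one ends up tracing the default-disabled event.

```go
package main

import "fmt"

// Added example for this PR thread, not tracee code. Event names, IDs,
// the Policy type and both prepare* functions are constructed to show
// how a default-disabled event set behaves across several policies.

type EventID int

// Constructed name->ID table standing in for eventsNameToID.
var eventsNameToID = map[string]EventID{
	"execve":              1,
	"print_syscall_table": 2,
	"hooked_syscalls":     3,
	"syscall_hooking":     4,
}

// Events that stay off unless a policy explicitly selects them (only the
// shape follows the PR description of EvtsToDisable; contents are constructed).
var EvtsToDisable = map[string]struct{}{
	"syscall_hooking": {},
}

// Policy mirrors the include/exclude split of the eventFilter in the hunk.
type Policy struct {
	Include []string // events the user set, e.g. "-e syscall_hooking"
	Exclude []string // events the user excluded, e.g. "-e -syscall_hooking"
}

// resolve turns a policy into the set of event IDs to trace, given the names
// still considered disabled for this policy. An empty include list means
// "every known event", a stand-in for tracee's default selection.
func resolve(p Policy, disabled map[string]struct{}) (map[EventID]bool, error) {
	excluded := map[string]bool{}
	for _, name := range p.Exclude {
		if _, ok := eventsNameToID[name]; !ok {
			return nil, fmt.Errorf("invalid event to exclude: %s", name)
		}
		excluded[name] = true
	}
	selected := p.Include
	if len(selected) == 0 {
		for name := range eventsNameToID {
			selected = append(selected, name)
		}
	}
	out := map[EventID]bool{}
	for _, name := range selected {
		id, ok := eventsNameToID[name]
		if !ok {
			return nil, fmt.Errorf("invalid event to trace: %s", name)
		}
		if _, off := disabled[name]; excluded[name] || off {
			continue
		}
		out[id] = true
	}
	return out, nil
}

// prepareShared applies the filters the way the hunk does: every name a policy
// mentions, an excluded one included, is deleted from the map passed in, and
// that same map is handed to every policy parsed afterwards.
func prepareShared(p Policy, shared map[string]struct{}) (map[EventID]bool, error) {
	for _, name := range p.Include {
		delete(shared, name)
	}
	for _, name := range p.Exclude {
		delete(shared, name) // same side effect as delete(eventsToDisable, name) in the hunk
	}
	return resolve(p, shared)
}

// preparePerPolicy never touches the defaults: each policy gets its own copy,
// and only an explicit include re-enables a default-disabled event.
func preparePerPolicy(p Policy, defaults map[string]struct{}) (map[EventID]bool, error) {
	local := make(map[string]struct{}, len(defaults))
	for name := range defaults {
		local[name] = struct{}{}
	}
	for _, name := range p.Include {
		delete(local, name)
	}
	return resolve(p, local)
}

// cloneDefaults gives each run a fresh copy of EvtsToDisable so the shared-map
// demonstration cannot leak between calls.
func cloneDefaults() map[string]struct{} {
	c := make(map[string]struct{}, len(EvtsToDisable))
	for name := range EvtsToDisable {
		c[name] = struct{}{}
	}
	return c
}

// TracesSyscallHooking parses policy one (excludes syscall_hooking) and then
// policy two (no filters) with the given prepare function and reports whether
// policy two ends up tracing the default-disabled event.
func TracesSyscallHooking(prepare func(Policy, map[string]struct{}) (map[EventID]bool, error)) (bool, error) {
	shared := cloneDefaults()
	p1 := Policy{Exclude: []string{"syscall_hooking"}}
	p2 := Policy{}
	if _, err := prepare(p1, shared); err != nil {
		return false, err
	}
	evts, err := prepare(p2, shared)
	if err != nil {
		return false, err
	}
	return evts[eventsNameToID["syscall_hooking"]], nil
}

func main() {
	leaked, _ := TracesSyscallHooking(prepareShared)
	kept, _ := TracesSyscallHooking(preparePerPolicy)
	fmt.Printf("shared map: policy 2 traces syscall_hooking = %v\n", leaked)  // true
	fmt.Printf("per-policy copy: policy 2 traces syscall_hooking = %v\n", kept) // false
}
```

With the shared map the exclusion in the first policy deletes syscall_hooking from the defaults, so the second, filter-less policy traces it; with a per-policy copy the second policy still sees it as disabled, while a policy that explicitly includes it gets it enabled as the PR description intends.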
Contributor

Discussed a bit offline with Geyslan. We agreed (and he already thought like that before) that the signature and the event should be disabled if the ksymbol isn't available, but using a debug log only (so it does not scare the end user).

Member Author

@geyslan geyslan Oct 26, 2023

Yep. From the start I didn't like this PR approach, it increases complexity just to silence an error that should be issued.

@rafaeldtinoco
Contributor

Please rebase on top of #3601 just to make sure we're good (since the event in question has changed). I'll be adding an INST test to that event as well.

@geyslan
Member Author

geyslan commented Oct 26, 2023

@geyslan geyslan closed this Oct 26, 2023
@geyslan geyslan mentioned this pull request Oct 26, 2023
@geyslan geyslan deleted the 3397-disable-print-syscall-table branch October 31, 2023 17:58
Successfully merging this pull request may close these issues.

Tracee errors/warns on gke