Fix ksymbols mem consumption 0.21

.github/actions/build-dependencies/action.yaml

@@ -8,7 +8,7 @@ runs:
       run: |
         sudo apt-get update
         sudo apt-get install -y bsdutils build-essential pkgconf
-        sudo apt-get install -y zlib1g-dev libelf-dev
+        sudo apt-get install -y zlib1g-dev libelf-dev libzstd-dev
         sudo apt-get install -y software-properties-common
       shell: bash
     - name: Install Golang

.github/workflows/pr.yaml

@@ -61,6 +61,7 @@ env:
     DNS
     HTTP
   INSTTESTS: >
+    PROCESS_EXECUTE_FAILED
     VFS_WRITE
     FILE_MODIFICATION
     HOOKED_SYSCALL

Makefile

@@ -56,6 +56,7 @@ CMD_CONTROLLER_GEN ?= controller-gen
 
 LIB_ELF ?= libelf
 LIB_ZLIB ?= zlib
+LIB_ZSTD ?= libzstd
 
 define pkg_config
 	$(CMD_PKGCONFIG) --libs $(1)
@@ -172,6 +173,7 @@ env:
 	@echo ---------------------------------------
 	@echo "LIB_ELF                  $(LIB_ELF)"
 	@echo "LIB_ZLIB                 $(LIB_ZLIB)"
+	@echo "LIB_ZSTD                 $(LIB_ZSTD)"
 	@echo ---------------------------------------
 	@echo "VERSION                  $(VERSION)"
 	@echo "LAST_GIT_TAG             $(LAST_GIT_TAG)"
@@ -316,7 +318,7 @@ $(OUTPUT_DIR)/btfhub:
 #
 
 LIBBPF_CFLAGS = "-fPIC"
-LIBBPF_LDLAGS =
+LIBBPF_LDFLAGS =
 LIBBPF_SRC = ./3rdparty/libbpf/src
 
 $(OUTPUT_DIR)/libbpf/libbpf.a: \
@@ -392,7 +394,10 @@ TRACEE_SRC_DIRS = ./cmd/ ./pkg/ ./signatures/
 TRACEE_SRC = $(shell find $(TRACEE_SRC_DIRS) -type f -name '*.go' ! -name '*_test.go')
 
 CUSTOM_CGO_CFLAGS = "-I$(abspath $(OUTPUT_DIR)/libbpf)"
-CUSTOM_CGO_LDFLAGS = "$(shell $(call pkg_config, $(LIB_ELF))) $(shell $(call pkg_config, $(LIB_ZLIB))) $(abspath $(OUTPUT_DIR)/libbpf/libbpf.a)"
+CUSTOM_CGO_LDFLAGS = "$(shell $(call pkg_config, $(LIB_ELF))) \
+	$(shell $(call pkg_config, $(LIB_ZLIB))) \
+	$(shell $(call pkg_config, $(LIB_ZSTD))) \
+	$(abspath $(OUTPUT_DIR)/libbpf/libbpf.a)"
 
 GO_ENV_EBPF =
 GO_ENV_EBPF += GOOS=linux
@@ -439,6 +444,7 @@ $(OUTPUT_DIR)/tracee: \
 	| .checkver_$(CMD_GO) \
 	.checklib_$(LIB_ELF) \
 	.checklib_$(LIB_ZLIB) \
+	.checklib_$(LIB_ZSTD) \
 	btfhub \
 	signatures
 #
@@ -472,6 +478,7 @@ $(OUTPUT_DIR)/tracee-ebpf: \
 	| .checkver_$(CMD_GO) \
 	.checklib_$(LIB_ELF) \
 	.checklib_$(LIB_ZLIB) \
+	.checklib_$(LIB_ZSTD) \
 	btfhub
 #
 	$(MAKE) $(OUTPUT_DIR)/btfhub
@@ -757,7 +764,7 @@ $(OUTPUT_DIR)/syscaller: \
 test-integration: \
 	.checkver_$(CMD_GO) \
 	$(OUTPUT_DIR)/syscaller \
-	tracee-ebpf
+	tracee
 #
 	@$(GO_ENV_EBPF) \
 	$(CMD_GO) test \

Vagrantfile

@@ -95,7 +95,7 @@ Vagrant.configure("2") do |config|
       ln -s "$path" "${path%-*}"
     done
 
-    apt-get install --yes zlib1g-dev libelf-dev
+    apt-get install --yes zlib1g-dev libelf-dev libzstd-dev
     apt-get install --yes protobuf-compiler
     apt-get install --yes linux-tools-"$(uname -r)" ||
       apt-get install --yes linux-tools-generic

builder/Dockerfile.alpine-tracee-container

@@ -18,7 +18,7 @@ USER root
 RUN apk --no-cache update && \
     apk --no-cache add coreutils && \
     apk --no-cache add sudo curl && \
-    apk --no-cache add libelf zlib && \
+    apk --no-cache add libelf zlib zstd && \
     apk --no-cache add libc6-compat
 
 # install OPA
@@ -47,6 +47,7 @@ RUN apk --no-cache update && \
     apk --no-cache add elfutils-dev && \
     apk --no-cache add libelf-static && \
     apk --no-cache add zlib-static && \
+    apk --no-cache add zstd-static && \
     rm -f /usr/bin/cc && \
     rm -f /usr/bin/clang && \
     rm -f /usr/bin/clang++ && \
@@ -85,12 +86,7 @@ RUN apk --no-cache update && \
 RUN cd /tmp && \
     git clone https://github.com/aquasecurity/btfhub.git && \
     cd ./btfhub && \
-    git submodule update --init --recursive 3rdparty/bpftool && \
-    cd ./3rdparty/bpftool && \
-    make -C src clean && \
-    make -C src all && \
-    cp ./src/bpftool /usr/sbin/bpftool && \
-    make -C src clean
+    ./3rdparty/bpftool.sh
 
 #
 # tracee-make

builder/Dockerfile.alpine-tracee-make

@@ -19,6 +19,7 @@ RUN apk --no-cache update && \
     apk --no-cache add elfutils-dev && \
     apk --no-cache add libelf-static && \
     apk --no-cache add zlib-static && \
+    apk --no-cache add zstd-static && \
     rm -f /usr/bin/cc && \
     rm -f /usr/bin/clang && \
     rm -f /usr/bin/clang++ && \
@@ -52,6 +53,13 @@ RUN apk --no-cache update && \
     ln -s /usr/lib/llvm14/bin/llvm-readelf /usr/bin/llvm-readelf && \
     ln -s /usr/lib/llvm14/bin/opt /usr/bin/opt
 
+# install bpftool from btfhub
+
+RUN cd /tmp && \
+    git clone https://github.com/aquasecurity/btfhub.git && \
+    cd ./btfhub && \
+    ./3rdparty/bpftool.sh
+
 # install OPA
 
 RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \

builder/Dockerfile.ubuntu-tracee-make

@@ -18,9 +18,17 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
     apt-get install -y linux-headers-generic && \
     apt-get install -y libelf-dev && \
     apt-get install -y zlib1g-dev && \
+    apt-get install -y libzstd-dev && \
     update-alternatives --install /usr/bin/clang clang /usr/bin/clang-12 130 --slave /usr/bin/clang++ clang++ /usr/bin/clang++-12 --slave /usr/bin/llc llc /usr/bin/llc-12 --slave /usr/bin/clang-format clang-format /usr/bin/clang-format-12 --slave /usr/bin/clangd clangd /usr/bin/clangd-12 && \
     update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 140 --slave /usr/bin/clang++ clang++ /usr/bin/clang++-14 --slave /usr/bin/llc llc /usr/bin/llc-14 --slave /usr/bin/clang-format clang-format /usr/bin/clang-format-14 --slave /usr/bin/clangd clangd /usr/bin/clangd-14
 
+# install bpftool from btfhub
+
+RUN cd /tmp && \
+    git clone https://github.com/aquasecurity/btfhub.git && \
+    cd ./btfhub && \
+    ./3rdparty/bpftool.sh
+
 # install OPA
 
 RUN altarch=$(uname -m | sed 's:x86_64:amd64:g' | sed 's:aarch64:arm64:g') && \

deploy/helm/tracee/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: tracee
 description: Linux Runtime Security and Forensics using eBPF
-home: https://aquasecurity.github.io/tracee/v0.21.0/
+home: https://aquasecurity.github.io/tracee/v0.20.0/
 sources:
   - https://github.com/aquasecurity/tracee
 
@@ -18,10 +18,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: "0.21.0"
+version: "0.20.0"
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.21.0"
+appVersion: "0.20.0"

deploy/helm/tracee/templates/tracee-config.yaml

@@ -6,9 +6,9 @@ metadata:
   labels:
     {{- include "tracee.labels" . | nindent 4 }}
 data:
-  {{- if .Values.traceeConfig }}
+  {{- if .Values.configFile }}
   config.yaml:
-    {{- toYaml .Values.traceeConfig | nindent 4 }}
+    {{- toYaml .Values.configFile | nindent 4 }}
   {{- else }}
   config.yaml: |-
     cache:

deploy/helm/tracee/values.yaml

@@ -57,7 +57,7 @@ affinity: {}
 webhook: ""
 
 # extraWebhookTemplates is a list of additional webhook templates that can be used by
-# the traceeConfig or config.output.webhook fields
+# the configFile or config.output.webhook fields
 # in the example below, the goTemplate content will be mounted as /tracee/templates/template1.tmpl
 extraWebhookTemplates: []
 # - name: "template1.tmpl"
@@ -74,8 +74,12 @@ extraWebhookTemplates: []
 #     }
 #   }
 
-traceeConfig: {}
+# The configFile field specifies the Tracee configuration file path and can be
+# changed directly via CLI command using --set-file configFile=myconfig.yaml
+configFile: {}
 
+# This config field holds default values for Tracee configuration and each field
+# can be changed individually via CLI command, using --set config.field=value
 config:
   blobPerfBufferSize: ""
   perfBufferSize: 1024
@@ -101,7 +105,7 @@ config:
       execHash: dev-inode
       sortEvents: false
     # uncomment config.output.webhook to enable a single webhook
-    # to configure multiple webhooks, use the traceeConfig field
+    # to configure multiple webhooks, use the configFile field
     # webhook:
     #   name: "webhook1"
     #   contentType: "application/json"

deploy/kubernetes/tracee/tracee.yaml

@@ -5,10 +5,10 @@ kind: ServiceAccount
 metadata:
   name: tracee
   labels:
-    helm.sh/chart: tracee-0.21.0
+    helm.sh/chart: tracee-0.20.0
     app.kubernetes.io/name: tracee
     app.kubernetes.io/instance: tracee
-    app.kubernetes.io/version: "0.21.0"
+    app.kubernetes.io/version: "0.20.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: tracee/templates/serviceaccount.yaml
@@ -17,10 +17,10 @@ kind: ServiceAccount
 metadata:
   name: tracee-operator
   labels:
-    helm.sh/chart: tracee-0.21.0
+    helm.sh/chart: tracee-0.20.0
     app.kubernetes.io/name: tracee
     app.kubernetes.io/instance: tracee
-    app.kubernetes.io/version: "0.21.0"
+    app.kubernetes.io/version: "0.20.0"
     app.kubernetes.io/managed-by: Helm
 ---
 # Source: tracee/templates/tracee-config.yaml
@@ -29,10 +29,10 @@ kind: ConfigMap
 metadata:
   name: tracee-config
   labels:
-    helm.sh/chart: tracee-0.21.0
+    helm.sh/chart: tracee-0.20.0
     app.kubernetes.io/name: tracee
     app.kubernetes.io/instance: tracee
-    app.kubernetes.io/version: "0.21.0"
+    app.kubernetes.io/version: "0.20.0"
     app.kubernetes.io/managed-by: Helm
 data:
   config.yaml: |-
@@ -118,10 +118,10 @@ kind: DaemonSet
 metadata:
   name: tracee
   labels:
-    helm.sh/chart: tracee-0.21.0
+    helm.sh/chart: tracee-0.20.0
     app.kubernetes.io/name: tracee
     app.kubernetes.io/instance: tracee
-    app.kubernetes.io/version: "0.21.0"
+    app.kubernetes.io/version: "0.20.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   selector:
@@ -140,7 +140,7 @@ spec:
         {}
       containers:
         - name: tracee
-          image: "docker.io/aquasec/tracee:0.21.0"
+          image: "docker.io/aquasec/tracee:0.20.0"
           imagePullPolicy: IfNotPresent
           command:
             - /tracee/tracee
@@ -218,10 +218,10 @@ kind: Deployment
 metadata:
   name: tracee-operator
   labels:
-    helm.sh/chart: tracee-0.21.0
+    helm.sh/chart: tracee-0.20.0
     app.kubernetes.io/name: tracee
     app.kubernetes.io/instance: tracee
-    app.kubernetes.io/version: "0.21.0"
+    app.kubernetes.io/version: "0.20.0"
     app.kubernetes.io/managed-by: Helm
 spec:
   replicas: 1
@@ -238,7 +238,7 @@ spec:
         {}
       containers:
       - name: tracee-operator
-        image: "docker.io/aquasec/tracee:0.21.0"
+        image: "docker.io/aquasec/tracee:0.20.0"
         imagePullPolicy: IfNotPresent
         command:
           - /tracee/tracee-operator

docs/contributing/building/building.md

@@ -14,10 +14,11 @@
 
     1. **clang** && **llvm** (12, 13 or 14)
     1. **golang** (1.21)
-    1. **libelf** and **libelf-dev**  
+    1. **libelf** and **libelf-dev**
        (or elfutils-libelf and elfutils-libelf-devel)
-    1. **zlib1g** and **zlib1g-dev**  
+    1. **zlib1g** and **zlib1g-dev**
        (or zlib and zlib-devel)
+    1. **libzstd-dev** for static build (libelf linkage)
     1. **clang-format-12** (specific version) for `fix-fmt`
 
     > You might take a look at the following files to understand how to have a

docs/docs/advanced/data-sources/builtin/process-tree.md

@@ -16,6 +16,13 @@ The underlying structure is populated using the core `sched_process_fork`, `sche
 
 The number of processes retained in the tree hinges on cache size. We have two separate caches at play: one for processes and another for threads. Both default to a size of 32K, supporting tracking for up to 32,768 processes and the same number of threads. It's worth noting that these are LRU caches: once full, they'll evict the least recently accessed entries to accommodate fresh ones.
 
+The process tree query the procfs upon initialization and during runtime to fill missing data:
+* During initialization, it runs over all procfs to fill all existing processes and threads
+* During runtime, it queries specific processes in the case of missing information caused by missing events. 
+
+> [!CAUTION]
+> The procfs query might increase the feature toll on CPU and memory. The runtime query might have a snowball effect on lost events, as it will reduce the system resources in the processes of filling missing information.
+
 ## Command Line Option
 
 ```bash
@@ -26,8 +33,9 @@ Example:
       events       | process tree is built from events.
       signals      | process tree is built from signals.
       both         | process tree is built from both events and signals.
-  --proctree process-cache=8192  | will cache up to 8192 processes in the tree (LRU cache).
-  --proctree thread-cache=4096   | will cache up to 4096 threads in the tree (LRU cache).
+  --proctree process-cache=8192   | will cache up to 8192 processes in the tree (LRU cache).
+  --proctree thread-cache=4096    | will cache up to 4096 threads in the tree (LRU cache).
+  --proctree disable-procfs-query | Will disable procfs quering during runtime
 
 Use comma OR use the flag multiple times to choose multiple options:
   --proctree source=A,process-cache=B,thread-cache=C

docs/docs/events/builtin/extra/process_execute_failed.md

@@ -28,13 +28,30 @@ while providing as much as possible the arguments as used by the kernel.
 #### Type
 kprobe
 #### Purpose
-Fetch the arguments of exec_binprm
+To retrieve the arguments of exec_binprm.
+Used for kernels older than 5.8.
 
 ### exec_binprm
 #### Type
 kretprobe
 #### Purpose
-Fetch the return value of exec_binprm
+To retrieve the return value of exec_binprm and generate the event.
+Used for kernels older than 5.8.
+
+### security_bprm_creds_for_exec
+#### Type
+kprobe
+#### Purpose
+To retrieve the arguments for the event.
+Relevant from kernel version 5.8 onwards, as the function was added in that kernel.
+
+### sys_enter
+#### Type
+tracepoint
+#### Purpose
+To obtain the return code of the execution, determining whether to generate the event.
+For a failed execution, an event will be generated using the information from the `security_bprm_creds_for_exec` hook.
+Relevant from kernel version 5.8 onwards, matching the `security_bprm_creds_for_exec` hook.
 
 ## Example Use Case
 
@@ -43,7 +60,8 @@ Fetch the return value of exec_binprm
 ```
 
 ## Issues
-Currently, only covers failed executions that are happening within exec_binprm. Other failures may occur at an earlier stage.
+The `exec_binprm` symbol is not available in some systems, potentially resulting in the failure to load the event in kernels older than 5.8.
+For kernels older than 5.8, the event only encompasses failed executions occurring within `exec_binprm`. Other failures may occur at an earlier stage. Newer versions do not account for failures before `security_bprm_creds_for_exec`, which precedes `exec_binprm`.
 
 ## Related Events
 execve,execveat,bprm_check,sched_process_exec

docs/docs/install/config/kubernetes.md

@@ -57,5 +57,5 @@ or to provide a complete config file:
 ```
  helm install tracee aqua/tracee \
         --namespace tracee --create-namespace \
-        --set-file traceeConfig=myconfig.yaml
+        --set-file configFile=myconfig.yaml
 ```