#!/usr/bin/python
# Authors:
# Yaniv Agman <yaniv@aquasec.com>
# arguments
import argparse
import sys
import re
from tracee.tracer import EventMonitor, syscalls, sysevents
examples = """examples:
./start.py -c
"""
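class EventsToTraceAction(argparse.Action):
    """argparse action that parses and validates ``-e/--events-to-trace``.

    The option value is one string; it is split on runs of non-word
    characters, so ``"open,read"`` and ``"open read"`` are both accepted
    (``_`` is a word character, so names such as ``cap_capable`` stay whole).
    Every name is then checked against the allow-lists ``syscalls`` and
    ``sysevents`` imported from ``tracee.tracer``; anything else aborts the
    parse through ``parser.error``.  The special name ``all`` expands to
    every known syscall and event.

    On success the validated list is stored on the namespace under
    ``self.dest`` (``events_to_trace``).
    """

    def __call__(self, parser, namespace, values, option_string=None):
        # Raw pattern: a bare '\W' escape in a normal string literal is a
        # SyntaxWarning on Python 3.12+ (and will eventually be an error).
        # Empty tokens from leading/trailing separators ("open,", ",read")
        # are dropped rather than reported as an invalid event named "".
        events = [e for e in re.split(r"\W+", values) if e]
        if not events:
            parser.error("No events given")
        # Allow-list check: only names the tracer knows (or "all") pass.
        unknown = [
            e for e in events
            if e != "all" and e not in syscalls and e not in sysevents
        ]
        if unknown:
            parser.error("Invalid event {0}".format(unknown[0]))
        if "all" in events:
            events = syscalls + sysevents
        setattr(namespace, self.dest, events)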
def parse_args(input_args):
    """Build the command-line parser and parse *input_args*.

    Args:
        input_args: argument list without the program name, i.e. what the
            entry point passes as ``sys.argv[1:]``.

    Returns:
        An ``argparse.Namespace`` with the attributes ``container``,
        ``buf_pages``, ``ebpf``, ``json``, ``list``, ``events_to_trace``,
        ``show_syscall`` and ``exec_env``.

    Raises:
        SystemExit: raised by argparse on an unknown option, a ``--buf-pages``
            value outside the allowed choices, or an event name rejected by
            ``EventsToTraceAction``.
    """
    parser = argparse.ArgumentParser(
        description="Trace container syscalls and events",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog=examples,
    )

    def switch(*names, **kwargs):
        # Boolean flag: False unless present on the command line.
        parser.add_argument(*names, action="store_true", **kwargs)

    # Argument order is kept as-is because it is the order shown in --help.
    switch("-c", "--container", help="only trace newly created containers")
    parser.add_argument(
        "-b", "--buf-pages",
        type=int,
        default=64,
        # 1 .. 1024 pages, powers of two only; argparse rejects anything else.
        choices=[2 ** i for i in range(11)],
        help="number of pages for perf buffer, defaults to %(default)s",
    )
    # Hidden flag (not listed in --help); what it does is decided by
    # EventMonitor, not here -- NOTE(review): presumably an eBPF debug
    # switch, confirm in tracee.tracer.
    switch("--ebpf", help=argparse.SUPPRESS)
    switch("-j", "--json", help="save events in json format")
    switch("-l", "--list", help="list events")
    parser.add_argument(
        "-e", "--events-to-trace",
        # argparse does not run the Action on a non-string default, so this
        # list reaches the namespace unvalidated -- fine, it is the full set.
        default=syscalls + sysevents,
        action=EventsToTraceAction,
        help="trace only the specified events and syscalls (default: trace all)",
    )
    switch("--show-syscall", help="show syscall name in kprobes")
    switch("--exec-env", help="show execve(at) environment variables in output")
    return parser.parse_args(input_args)
def main(argv=None):
    """Parse the command line and run the tracer until it returns.

    Args:
        argv: argument list without the program name; ``None`` means use
            ``sys.argv[1:]``.
    """
    args = parse_args(sys.argv[1:] if argv is None else argv)
    monitor = EventMonitor(args)
    # Load the BPF programs first, then block in the event loop.
    monitor.init_bpf()
    monitor.monitor_events()


if __name__ == '__main__':
    main()