chore(cmd): improve list of events output using definitions

- tabled event list output
- include --wide option for better readability
- use recent factored event definitions and event groups concept

cmd/tracee-ebpf/main.go

@@ -34,7 +34,7 @@ func main() {
 			flags.PrintAndExitIfHelp(c)
 
 			if c.Bool("list") {
-				cmd.PrintEventList(false) // list events
+				cmd.PrintEventList(false, false) // list events
 				return nil
 			}
 			initialize.SetLibbpfgoCallbacks()

cmd/tracee/cmd/list.go

@@ -6,7 +6,7 @@ import (
 	"github.com/open-policy-agent/opa/compile"
 	"github.com/spf13/cobra"
 
-	tcmd "github.com/aquasecurity/tracee/pkg/cmd"
+	"github.com/aquasecurity/tracee/pkg/cmd"
 	"github.com/aquasecurity/tracee/pkg/cmd/initialize"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/logger"
@@ -15,6 +15,12 @@ import (
 
 func init() {
 	rootCmd.AddCommand(listCmd)
+	listCmd.Flags().BoolP(
+		"wide",
+		"w",
+		false,
+		"no wrapping of output lines",
+	)
 	listCmd.Flags().StringArray(
 		"signatures-dir",
 		[]string{},
@@ -27,9 +33,9 @@ var listCmd = &cobra.Command{
 	Aliases: []string{"l"},
 	Short:   "List traceable events",
 	Long:    ``,
-	Run: func(cmd *cobra.Command, args []string) {
+	Run: func(c *cobra.Command, args []string) {
 		// Get signatures to update event list
-		sigsDir, err := cmd.Flags().GetStringArray("signatures-dir")
+		sigsDir, err := c.Flags().GetStringArray("signatures-dir")
 		if err != nil {
 			logger.Fatalw("Failed to get signatures-dir flag", "err", err)
 			os.Exit(1)
@@ -48,7 +54,10 @@ var listCmd = &cobra.Command{
 		}
 
 		initialize.CreateEventsFromSignatures(events.StartSignatureID, sigs)
-		tcmd.PrintEventList(true) // list events
+
+		includeSigs := true
+		wideOutput := c.Flags().Lookup("wide").Value.String() == "true"
+		cmd.PrintEventList(includeSigs, wideOutput) // list events
 	},
 	DisableFlagsInUseLine: true,
 }

go.mod

@@ -60,6 +60,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/mattn/go-runewidth v0.0.10 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
@@ -68,6 +69,7 @@ require (
 	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/philhofer/fwd v1.1.2 // indirect
 	github.com/pyroscope-io/dotnetdiag v1.2.1 // indirect
+	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/shirou/gopsutil v3.21.11+incompatible // indirect
 	github.com/spf13/afero v1.9.5 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
@@ -136,6 +138,7 @@ require (
 	github.com/moby/sys/signal v0.7.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/olekukonko/tablewriter v0.0.5
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
 	github.com/opencontainers/runc v1.1.7 // indirect

go.sum

@@ -298,6 +298,9 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/mattn/go-runewidth v0.0.10 h1:CoZ3S2P7pvtP45xOtBw+/mDL2z0RKI576gSkzRRpdGg=
+github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
@@ -331,6 +334,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
+github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
+github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo/v2 v2.9.1 h1:zie5Ly042PD3bsCvsSOPvRnFwyo3rKe64TJlD6nu0mk=
 github.com/onsi/gomega v1.27.4 h1:Z2AnStgsdSayCMDiCU42qIz+HLqEPcgiOCXjAU/w+8E=
 github.com/open-policy-agent/opa v0.52.0 h1:Rv3F+VCDqsufaiYy/3S9/Iuk0yfcREK4iZmWbNsKZjA=
@@ -370,6 +375,9 @@ github.com/pyroscope-io/pyroscope v0.37.2 h1:MOgLU/oO7VfV6jWqb0xoFH/YPSVbWD5pGsX
 github.com/pyroscope-io/pyroscope v0.37.2/go.mod h1:r4wq4ajJvN7g1OeXGyNvmwzBfQ+Tm5alYvmxqEQSTsc=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=

pkg/cmd/flags/filter.go

@@ -107,9 +107,9 @@ func prepareEventsToTrace(eventFilter eventFilter, eventsNameToID map[string]eve
 	isExcluded := make(map[events.ID]bool)
 
 	// build a map: k:set, v:eventID
-	for id, eventDefinition := range events.Core.GetDefinitions() {
+	for _, eventDefinition := range events.Core.GetDefinitions() {
 		for _, set := range eventDefinition.GetSets() {
-			setsToEvents[set] = append(setsToEvents[set], id)
+			setsToEvents[set] = append(setsToEvents[set], eventDefinition.GetID())
 		}
 	}
 

pkg/cmd/list.go

@@ -0,0 +1,92 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/olekukonko/tablewriter"
+
+	"github.com/aquasecurity/tracee/pkg/events"
+	"github.com/aquasecurity/tracee/types/trace"
+)
+
+func PrintEventList(includeSigs bool, wideOutput bool) {
+	// TODO: Create String() method in types trace.ArgMeta
+	paramsToString := func(params []trace.ArgMeta) string {
+		strSlice := []string{}
+		for _, p := range params {
+			strSlice = append(strSlice, p.Type+" "+p.Name)
+		}
+		return strings.Join(strSlice, ", ")
+	}
+
+	allDefinitions := events.Core.GetDefinitions()
+
+	// Use tablewriter to print events in a table
+	newTable := func() *tablewriter.Table {
+		table := tablewriter.NewWriter(os.Stdout)
+		table.SetHeader([]string{"Rule", "Sets", "Arguments"})
+		table.SetColMinWidth(0, 15)
+		table.SetColMinWidth(1, 15)
+		table.SetColMinWidth(2, 40)
+		table.SetAutoWrapText(!wideOutput)
+		table.SetRowLine(!wideOutput)
+		table.SetAutoFormatHeaders(true)
+		table.SetHeaderAlignment(tablewriter.ALIGN_LEFT)
+		table.SetAlignment(tablewriter.ALIGN_LEFT)
+		table.SetHeaderLine(true)
+		table.SetBorder(true)
+		return table
+	}
+
+	tableRender := func(table *tablewriter.Table, title string) *tablewriter.Table {
+		fmt.Printf("\n" + title + "\n\n")
+		table.Render()
+		return newTable()
+	}
+
+	getRow := func(evtDef events.Definition) []string {
+		return []string{
+			evtDef.GetName(),
+			strings.Join(evtDef.GetSets(), ", "),
+			paramsToString(evtDef.GetParams()),
+		}
+	}
+
+	fmt.Printf("Tracee supports the following events (use --wide for wider output):\n")
+	table := newTable()
+
+	// Signature Events
+	for _, evtDef := range allDefinitions {
+		if evtDef.IsSignature() {
+			table.AppendBulk([][]string{getRow(evtDef)})
+		}
+	}
+	table = tableRender(table, "Signature Events")
+
+	// Syscall Events
+	for _, evtDef := range allDefinitions {
+		if evtDef.IsSyscall() {
+			table.AppendBulk([][]string{getRow(evtDef)})
+		}
+	}
+	table = tableRender(table, "Syscall Events")
+
+	// Other Events
+	for _, evtDef := range allDefinitions {
+		if !evtDef.IsInternal() && !evtDef.IsSyscall() &&
+			!evtDef.IsSignature() && !evtDef.IsNetwork() {
+			table.AppendBulk([][]string{getRow(evtDef)})
+		}
+	}
+	table = tableRender(table, "Other Events")
+
+	// Network Events
+	for _, evtDef := range allDefinitions {
+		if evtDef.IsNetwork() {
+			table.AppendBulk([][]string{getRow(evtDef)})
+		}
+	}
+	tableRender(table, "Network Events")
+}

pkg/cmd/tracee.go

@@ -2,17 +2,14 @@ package cmd
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"strconv"
-	"strings"
 	"syscall"
 
 	"github.com/aquasecurity/tracee/pkg/cmd/printer"
 	"github.com/aquasecurity/tracee/pkg/config"
 	tracee "github.com/aquasecurity/tracee/pkg/ebpf"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
-	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/server"
 	"github.com/aquasecurity/tracee/pkg/utils"
@@ -104,84 +101,6 @@ func (r Runner) Run(ctx context.Context) error {
 	}
 }
 
-func PrintEventList(printRulesSet bool) {
-	padChar := " "
-	titleHeaderPadFirst := getPad(padChar, 24)
-	titleHeaderPadSecond := getPad(padChar, 36)
-
-	var b strings.Builder
-
-	if printRulesSet {
-		b.WriteString("Rules: " + titleHeaderPadFirst + "Sets:" + titleHeaderPadSecond + "Arguments:\n")
-		b.WriteString("_____  " + titleHeaderPadFirst + "____ " + titleHeaderPadSecond + "_________" + "\n\n")
-		printEventGroup(&b, events.StartSignatureID, events.MaxSignatureID)
-		b.WriteString("\n")
-	}
-
-	titleHeaderPadFirst = getPad(padChar, 17)
-	b.WriteString("System Calls: " + titleHeaderPadFirst + "Sets:" + titleHeaderPadSecond + "Arguments:\n")
-	b.WriteString("____________  " + titleHeaderPadFirst + "____ " + titleHeaderPadSecond + "_________" + "\n\n")
-	printEventGroup(&b, 0, events.MaxSyscallID)
-	b.WriteString("\n\nOther Events: " + titleHeaderPadFirst + "Sets:" + titleHeaderPadSecond + "Arguments:\n")
-	b.WriteString("____________  " + titleHeaderPadFirst + "____ " + titleHeaderPadSecond + "_________\n\n")
-	printEventGroup(&b, events.SysEnter, events.MaxCommonID)
-	printEventGroup(&b, events.InitNamespaces, events.MaxUserSpace)
-
-	titleHeaderPadFirst = getPad(padChar, 15)
-	b.WriteString("\n\nNetwork Events: " + titleHeaderPadFirst + "Sets:" + titleHeaderPadSecond + "Arguments:\n")
-	b.WriteString("______________  " + titleHeaderPadFirst + "____ " + titleHeaderPadSecond + "_________\n\n")
-	printEventGroup(&b, events.NetPacketIPv4, events.MaxUserNetID)
-	fmt.Println(b.String())
-}
-
-func printEventGroup(b *strings.Builder, firstEventID, lastEventID events.ID) {
-	for i := firstEventID; i < lastEventID; i++ {
-		if !events.Core.IsDefined(i) {
-			continue
-		}
-		eventDefinition := events.Core.GetDefinitionByID(i)
-		if eventDefinition.IsInternal() {
-			continue
-		}
-		if eventDefinition.GetSets() != nil {
-			eventSets := fmt.Sprintf(
-				"%-30s %-40s %s\n",
-				eventDefinition.GetName(),
-				fmt.Sprintf("%v", eventDefinition.GetSets()), getFormattedEventParams(i),
-			)
-			b.WriteString(eventSets)
-		} else {
-			b.WriteString(eventDefinition.GetName() + "\n")
-		}
-	}
-}
-
-func getFormattedEventParams(eventID events.ID) string {
-	if !events.Core.IsDefined(eventID) {
-		return "()"
-	}
-	var verboseEventParams string
-	verboseEventParams += "("
-	prefix := ""
-	for index, arg := range events.Core.GetDefinitionByID(eventID).GetParams() {
-		if index == 0 {
-			verboseEventParams += arg.Type + " " + arg.Name
-			prefix = ", "
-			continue
-		}
-		verboseEventParams += prefix + arg.Type + " " + arg.Name
-	}
-	verboseEventParams += ")"
-	return verboseEventParams
-}
-
-func getPad(padChar string, padLength int) (pad string) {
-	for i := 0; i < padLength; i++ {
-		pad += padChar
-	}
-	return pad
-}
-
 func GetContainerMode(cfg config.Config) config.ContainerMode {
 	containerMode := config.ContainerModeDisabled
 

pkg/ebpf/tracee.go

@@ -929,7 +929,8 @@ func (t *Tracee) validateKallsymsDependencies() {
 func (t *Tracee) populateBPFMaps() error {
 	// Initialize events parameter types map
 	eventsParams := make(map[events.ID][]bufferdecoder.ArgType)
-	for id, eventDefinition := range events.Core.GetDefinitions() {
+	for _, eventDefinition := range events.Core.GetDefinitions() {
+		id := eventDefinition.GetID()
 		params := eventDefinition.GetParams()
 		for _, param := range params {
 			eventsParams[id] = append(eventsParams[id], bufferdecoder.GetParamType(param.Type))

pkg/events/definition.go

@@ -85,3 +85,11 @@ func (d Definition) IsSignature() bool {
 
 	return false
 }
+
+func (d Definition) IsNetwork() bool {
+	if d.id >= NetPacketIPv4 && d.id <= MaxUserNetID {
+		return true
+	}
+
+	return false
+}

pkg/events/definition_dependencies.go

@@ -6,6 +6,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/ebpf/probes"
 )
 
+// Dependencies is a struct that holds all the dependencies of a given event definition.
 type Dependencies struct {
 	ids          []ID
 	kSymbols     []KSymbol