docs(filters): add restrictions when kernel data filter is used

- Add the restrictions applicable when the kernel-space data filter is available for an event field.
aquasecurity · Dec 13, 2024 · 03b6b4d · 03b6b4d
1 parent 97dd25f
commit 03b6b4d
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/docs/docs/flags/events.1.md b/docs/docs/flags/events.1.md
@@ -2,7 +2,7 @@
 title: TRACEE-EVENTS
 section: 1
 header: Tracee Events Flag Manual
-date: 2024/06
+date: 2024/12
 ...
 
 ## NAME
@@ -54,7 +54,12 @@ Available for:
 - return value
 - scope fields
 
-Strings can be compared as a prefix if ending with '\*', or as a suffix if starting with '\*'.
+Strings can be compared as a prefix if ending with '\*', or as a suffix if starting with '\*'.  If a string starts with '\*' and ends with '\*', it functions as a contains operator.
+
+For certain event fields filtered in kernel space, the user will receive a warning if:
+
+- String filters exceed 255 characters.
+- The contains operator is used. Only exact matches, prefix, and suffix comparisons are allowed.
 
 NOTE: Expressions containing '\*' token must be escaped!
 
@@ -116,6 +121,12 @@ Available only for:
   --events openat.data.pathname='*shadow'
   ```
 
+- To trace only 'openat' events that have 'pathname' contains the substring 'pass', use the following flag:
+
+  ```console
+  --events openat.data.pathname='*pass*'
+  ```
+
 - To exclude 'openat' events that have 'pathname' equal to '/tmp/1' or '/bin/ls', use the following flag:
 
   ```console

diff --git a/docs/man/events.1 b/docs/man/events.1
@@ -1,6 +1,6 @@
 .\" Automatically generated by Pandoc 3.2
 .\"
-.TH "TRACEE\-EVENTS" "1" "2024/06" "" "Tracee Events Flag Manual"
+.TH "TRACEE\-EVENTS" "1" "2024/12" "" "Tracee Events Flag Manual"
 .SS NAME
 tracee \f[B]\-\-events\f[R] \- Select which events to trace
 .SS SYNOPSIS
@@ -68,6 +68,16 @@ scope fields
 .PP
 Strings can be compared as a prefix if ending with `*', or as a suffix
 if starting with `*'.
+If a string starts with `*' and ends with `*', it functions as a
+contains operator.
+.PP
+For certain event fields filtered in kernel space, the user will receive
+a warning if:
+.IP \[bu] 2
+String filters exceed 255 characters.
+.IP \[bu] 2
+The contains operator is used.
+Only exact matches, prefix, and suffix comparisons are allowed.
 .PP
 NOTE: Expressions containing `*' token must be escaped!
 .SS EXCLUSION OPERATOR (PREPENDED)
@@ -147,6 +157,15 @@ use the following flag:
 .EE
 .RE
 .IP \[bu] 2
+To trace only `openat' events that have `pathname' contains the
+substring `pass', use the following flag:
+.RS 2
+.IP
+.EX
+\-\-events openat.data.pathname=\[aq]*pass*\[aq]
+.EE
+.RE
+.IP \[bu] 2
 To exclude `openat' events that have `pathname' equal to `/tmp/1' or
 `/bin/ls', use the following flag:
 .RS 2