aquasecurity · AlonZivony · Mar 17, 2024 · Mar 17, 2024 · Apr 1, 2024 · Mar 17, 2024
diff --git a/docs/docs/events/builtin/extra/init_tracee_data.md b/docs/docs/events/builtin/extra/init_tracee_data.md
@@ -0,0 +1,26 @@
+# init_tracee_data
+
+## Intro
+
+init_tracee_data - An event that exports some relevant data of Tracee upon startup.
+
+## Description
+
+This is an event create in user-mode upon Tracee's initialization. Hence, it should be one of the first events to be created by Tracee.
+The event is used to pass the user some internal data of Tracee that might have some significant for events analyze.
+The event was created also with the Analyze mode of Tracee in mind, to pass the Analyze mode some information regarding how Tracee ran during runtime.
+
+## Arguments
+
+* `boot_time`:`u64`[U] - the boot time of the system Tracee run in since epoch.
+* `start_time`:`u64`[U] - the time Tracee started since epoch.
+
+## Hooks
+
+## Example Use Case
+
+The event could be used to calculate the relative time of events since Tracee's start.
+
+## Related Events
+
+`init_namespaces`
diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -1507,6 +1507,14 @@ func (t *Tracee) invokeInitEvents(out chan *trace.Event) {
 
 	// Initial namespace events
 
+	matchedPolicies = policiesMatch(t.eventsState[events.InitTraceeData])
+	if matchedPolicies > 0 {
+		traceeDataEvent := events.InitTraceeDataEvent(t.bootTime, t.startTime)
+		setMatchedPolicies(&traceeDataEvent, matchedPolicies,  t.config.Policies)
+		out <- &traceeDataEvent
+		_ = t.stats.EventCount.Increment()
+	}
+
 	matchedPolicies = policiesMatch(t.eventsState[events.InitNamespaces])
 	if matchedPolicies > 0 {
 		systemInfoEvent := events.InitNamespacesEvent()

diff --git a/pkg/events/core.go b/pkg/events/core.go
@@ -142,6 +142,7 @@ const (
 	SymbolsCollision
 	HiddenKernelModule
 	FtraceHook
+	InitTraceeData
 	MaxUserSpace
 )
 
@@ -11907,6 +11908,18 @@ var CoreEvents = map[ID]Definition{
 			{Type: "u32", Name: "uts"},
 		},
 	},
+	InitTraceeData: {
+		id:           InitTraceeData,
+		id32Bit:      Sys32Undefined,
+		name:         "init_tracee_info",
+		version:      NewVersion(1, 0, 0),
+		sets:         []string{},
+		dependencies: Dependencies{},
+		params: []trace.ArgMeta{
+			{Type: "u64", Name: "boot_time"},
+			{Type: "u64", Name: "start_time"},
+		},
+	},
 	SocketDup: {
 		id:      SocketDup,
 		id32Bit: Sys32Undefined,

diff --git a/pkg/events/usermode.go b/pkg/events/usermode.go
@@ -49,6 +49,27 @@ func InitNamespacesEvent() trace.Event {
 	return initNamespacesEvent
 }
 
+// InitTraceeDataEvent exports data related to Tracee's initialization
+func InitTraceeDataEvent(bootTime uint64, startTime uint64) trace.Event {
+	def := Core.GetDefinitionByID(InitTraceeData)
+	params := def.GetParams()
+	args := []trace.Argument{
+		{ArgMeta: params[0], Value: bootTime},
+		{ArgMeta: params[1], Value: startTime},
+	}
+
+	initTraceeDataEvent := trace.Event{
+		Timestamp:   int(time.Now().UnixNano()),
+		ProcessName: "tracee-ebpf",
+		EventID:     int(def.GetID()),
+		EventName:   def.GetName(),
+		ArgsNum:     len(args),
+		Args:        args,
+	}
+
+	return initTraceeDataEvent
+}
+
 // getInitNamespaceArguments fetches the namespaces of the init process and
 // parse them into event arguments.
 func getInitNamespaceArguments() []trace.Argument {