flag(stores): new flag format

Author: josedonizetti

cmd/tracee/cmd/man.go

@@ -61,6 +61,7 @@ func init() {
 		scopeCmd,
 		serverCmd,
 		eventCmd,
+		storesCmd,
 	)
 }
 
@@ -177,6 +178,15 @@ var eventCmd = &cobra.Command{
 	},
 }
 
+var storesCmd = &cobra.Command{
+	Use:     "stores",
+	Aliases: []string{},
+	Short:   "Show manual page for the --stores flag",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runManForFlag("stores")
+	},
+}
+
 // runManForFlag runs man for the specified flag name
 func runManForFlag(flagName string) error {
 	// Read the embedded manual page

cmd/tracee/cmd/root.go

@@ -218,27 +218,14 @@ func initCmd() error {
 		return errfmt.WrapError(err)
 	}
 
-	// Process Tree flags
-
-	rootCmd.Flags().StringArrayP(
-		"proctree",
-		"t",
-		[]string{"source=none"},
-		"[source=[events|signals|both]...]\tControl process tree options",
-	)
-	err = viper.BindPFlag("proctree", rootCmd.Flags().Lookup("proctree"))
-	if err != nil {
-		return errfmt.WrapError(err)
-	}
-
-	// DNS Cache flags
+	// Stores flags
 
 	rootCmd.Flags().StringArray(
-		"dnscache",
-		[]string{"none"},
-		"\t\t\t\t\tEnable DNS Cache",
+		flags.StoresFlag,
+		[]string{},
+		"\t\t\t\t\tStores configurations",
 	)
-	err = viper.BindPFlag("dnscache", rootCmd.Flags().Lookup("dnscache"))
+	err = viper.BindPFlag(flags.StoresFlag, rootCmd.Flags().Lookup(flags.StoresFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

deploy/helm/tracee/templates/tracee-config.yaml

@@ -52,4 +52,34 @@ data:
     {{- if .Values.config.blobPerfBufferSize }}
     blob-perf-buffer-size: {{ .Values.config.blobPerfBufferSize}}
     {{- end }}
+    {{- if or .Values.config.stores.dns.enabled .Values.config.stores.dns.maxEntries .Values.config.stores.process.enabled .Values.config.stores.process.maxProcesses .Values.config.stores.process.maxThreads .Values.config.stores.process.source .Values.config.stores.process.useProcfs }}
+    stores:
+        {{- if or .Values.config.stores.dns.enabled .Values.config.stores.dns.maxEntries }}
+        dns:
+            {{- if .Values.config.stores.dns.enabled }}
+            enabled: {{ .Values.config.stores.dns.enabled }}
+            {{- end }}
+            {{- if .Values.config.stores.dns.maxEntries }}
+            max-entries: {{ .Values.config.stores.dns.maxEntries }}
+            {{- end }}
+        {{- end }}
+        {{- if or .Values.config.stores.process.enabled .Values.config.stores.process.maxProcesses .Values.config.stores.process.maxThreads .Values.config.stores.process.source .Values.config.stores.process.useProcfs }}
+        process:
+            {{- if .Values.config.stores.process.enabled }}
+            enabled: {{ .Values.config.stores.process.enabled }}
+            {{- end }}
+            {{- if .Values.config.stores.process.maxProcesses }}
+            max-processes: {{ .Values.config.stores.process.maxProcesses }}
+            {{- end }}
+            {{- if .Values.config.stores.process.maxThreads }}
+            max-threads: {{ .Values.config.stores.process.maxThreads }}
+            {{- end }}
+            {{- if .Values.config.stores.process.source }}
+            source: {{ .Values.config.stores.process.source }}
+            {{- end }}
+            {{- if .Values.config.stores.process.useProcfs }}
+            use-procfs: {{ .Values.config.stores.process.useProcfs }}
+            {{- end }}
+        {{- end }}
+    {{- end }}
   {{- end }}

deploy/helm/tracee/values.yaml

@@ -108,6 +108,16 @@ config:
     #   port: "8080"
     #   protocol: http
     #   timeout: 3s
+  stores:
+    dns:
+      enabled: ""
+      maxEntries: ""
+    process:
+      enabled: ""
+      maxProcesses: ""
+      maxThreads: ""
+      source: ""
+      useProcfs: ""
 
 defaultPolicy: true
 

docs/docs/advanced/data-sources/builtin/dns.md

@@ -8,24 +8,20 @@ These relations can be queried in signatures through a data source.
 To switch on the `DNS Cache` feature, run the command:
 
 ```bash
-sudo tracee --output option:sort-events --output json --output option:parse-arguments --dnscache enable --events <event_type>
+sudo tracee --output option:sort-events --output json --output option:parse-arguments --stores dns.enabled --events <event_type>
 ```
 
 The underlying structure is populated using the core [net_packet_dns](../../../events/builtin/man/network/net_packet_dns.md) event and its payload.
 
 ## Command Line Option
 
 ```bash
-$ tracee --dnscache help
-Select different options for the DNS cache.
-
 Example:
-  --dnscache enable  | enable with default values (see below).
-  --dnscache size=X  | will cache up to X dns query trees - further queries may be cached regardless (default: 5000).
+  --stores dns.enabled  | enable the DNS cache.
+  --stores dns.max-entries=X   | will cache up to X dns query trees - further queries may be cached regardless (default: 5000).
 
-Use comma OR use the flag multiple times to choose multiple options:
-  --dnscache size=A
-  --dnscache enable
+Use the flag multiple times to choose multiple options:
+  --stores dns.enabled --stores dns.max-entries=5000
 ```
 
 Consider for your usecase, how many query trees would you like to store? If you will frequently check only a few addresses, consider lowering the size.

docs/docs/advanced/data-sources/builtin/process-tree.md

@@ -7,7 +7,7 @@ The `Process Tree` feature offers a structured view of processes and threads act
 To switch on the `Process Tree` feature, run the command:
 
 ```bash
-sudo tracee --output option:sort-events --output json --output option:parse-arguments --proctree source=both --events <event_type>
+sudo tracee --output option:sort-events --output json --output option:parse-arguments --stores process.enabled --stores process.source=both --events <event_type>
 ```
 
 The underlying structure is populated using the core `sched_process_fork`, `sched_process_exec`, and `sched_process_exit` events and their data. There's also an option to bootstrap the process tree through a secondary route using internal signal events.
@@ -27,19 +27,18 @@ The process tree query the procfs upon initialization and during runtime to fill
 
 ```bash
 Example:
-  --proctree source=[none|events|signals|both]
-      none         | process tree is disabled (default).
+  --stores process.enabled        | enable the process tree.
+  --stores process.source=[none|events|signals|both]
+      none         | process tree source is disabled (default).
       events       | process tree is built from events.
       signals      | process tree is built from signals.
       both         | process tree is built from both events and signals.
-  --proctree process-cache=8192   | will cache up to 8192 processes in the tree (LRU cache).
-  --proctree thread-cache=16384   | will cache up to 16384 threads in the tree (LRU cache).
-  --proctree disable-procfs       | will disable procfs entirely.
-  --proctree disable-procfs-query | will disable procfs quering during runtime.
-
-Use comma OR use the flag multiple times to choose multiple options:
-  --proctree source=A,process-cache=B,thread-cache=C
-  --proctree process-cache=X --proctree thread-cache=Y
+  --stores process.max-processes=8192 | will cache up to 8192 processes in the tree (LRU cache).
+  --stores process.max-threads=16384  | will cache up to 16384 threads in the tree (LRU cache).
+  --stores process.use-procfs     | will enable procfs initialization and querying.
+
+Use the flag multiple times to choose multiple options:
+  --stores process.enabled --stores process.source=both --stores process.max-processes=8192
 ```
 
 ## Internal Data Organization

docs/docs/flags/stores.1.md

@@ -0,0 +1,94 @@
+---
+title: TRACEE-STORES
+section: 1
+header: Tracee Stores Flag Manual
+date: 2025/11
+...
+
+## NAME
+
+tracee **\-\-stores** - Configure data stores for DNS cache and process tree
+
+## SYNOPSIS
+
+tracee **\-\-stores** [dns.enabled|dns.max-entries=*size*|process.enabled|process.max-processes=*size*|process.max-threads=*size*|process.source=*source*|process.use-procfs] [**\-\-stores** ...]
+
+## DESCRIPTION
+
+The **\-\-stores** flag allows you to configure data stores for DNS cache and process tree functionality.
+
+### DNS Store Options
+
+- **dns.enabled**: Enable the DNS cache store. When enabled, Tracee will cache DNS query information for enrichment of network events.
+
+- **dns.max-entries**=*size*: Set the maximum number of DNS query trees to cache. Default is 5000. Further queries may be cached regardless once the limit is reached.
+
+### Process Store Options
+
+- **process.enabled**: Enable the process tree store. When enabled, Tracee will maintain a tree of processes and threads for enrichment of events.
+
+- **process.max-processes**=*size*: Set the maximum number of processes to cache in the process tree. Default is 10928. This is an LRU cache that will evict least recently accessed entries when full.
+
+- **process.max-threads**=*size*: Set the maximum number of threads to cache in the process tree. Default is 21856. This is an LRU cache that will evict least recently accessed entries when full.
+
+- **process.source**=*source*: Set the source for process tree enrichment. Valid values are:
+  - **none**: Process tree source is disabled (default).
+  - **events**: Process tree is built from events.
+  - **signals**: Process tree is built from signals.
+  - **both**: Process tree is built from both events and signals.
+
+- **process.use-procfs**: Enable procfs initialization and querying. When enabled, Tracee will:
+  - Scan procfs during initialization to fill all existing processes and threads.
+  - Query specific processes at runtime in case of missing information caused by missing events.
+
+  Note: The procfs query might increase the feature toll on CPU and memory. The runtime query might have a snowball effect on lost events, as it will reduce the system resources in the processes of filling missing information.
+
+## EXAMPLES
+
+1. Enable DNS cache:
+   ```console
+   --stores dns.enabled
+   ```
+
+2. Enable DNS cache with custom size:
+   ```console
+   --stores dns.enabled --stores dns.max-entries=10000
+   ```
+
+3. Enable process tree:
+   ```console
+   --stores process.enabled
+   ```
+
+4. Enable process tree with custom cache sizes:
+   ```console
+   --stores process.enabled --stores process.max-processes=8192 --stores process.max-threads=16384
+   ```
+
+5. Enable process tree with events source:
+   ```console
+   --stores process.enabled --stores process.source=events
+   ```
+
+6. Enable process tree with both events and signals sources:
+   ```console
+   --stores process.enabled --stores process.source=both
+   ```
+
+7. Enable process tree with procfs support:
+   ```console
+   --stores process.enabled --stores process.use-procfs
+   ```
+
+8. Combine DNS and process stores:
+   ```console
+   --stores dns.enabled --stores dns.max-entries=5000 --stores process.enabled --stores process.source=both --stores process.max-processes=8192
+   ```
+
+9. Complete configuration example:
+   ```console
+   --stores dns.enabled --stores dns.max-entries=5000 --stores process.enabled --stores process.max-processes=8192 --stores process.max-threads=16384 --stores process.source=both --stores process.use-procfs
+   ```
+
+Please refer to the [DNS data source documentation](../advanced/data-sources/builtin/dns.md) and [Process Tree data source documentation](../advanced/data-sources/builtin/process-tree.md) for more information.
+

docs/docs/install/config/index.md

@@ -50,17 +50,21 @@ A complete config file with all available options can be found [here](https://gi
     pyroscope: true
   ```
 
-### Process Tree
+### Stores (Process Tree and DNS Cache)
 
-- **`--proctree` (`-t`)**: Controls process tree options.
+- **`--stores`**: Controls process tree and DNS cache options.
 
 
-  __NOTE__: You can view more in the [Process Tree section](../../advanced/data-sources/builtin/process-tree.md).
+  __NOTE__: You can view more in the [Process Tree section](../../advanced/data-sources/builtin/process-tree.md) and [DNS Cache section](../../advanced/data-sources/builtin/dns.md).
 
   YAML:
   ```yaml
-  proctree:
-    - process
+  stores:
+    process:
+      enabled: true
+      source: both
+    dns:
+      enabled: true
   ```
 
 ### Install Path
@@ -109,17 +113,6 @@ A complete config file with all available options can be found [here](https://gi
         socket: /var/run/docker.sock
   ```
 
-### DNS Cache
-
-- **`--dnscache`**: Enables DNS caching in Tracee.
-
-  __NOTE__: You can view more in the [DNS Cache section](../../advanced/data-sources/builtin/dns.md). 
-
-  YAML:
-  ```yaml
-  dnscache: enable
-  ```
-
 ### Capabilities
 
 - **`--capabilities` (`-C`)**: Define specific capabilities for Tracee to run with. This allows you to either bypass, add, or drop certain capabilities based on your security and operational needs.

docs/docs/policies/usage/cli.md

@@ -67,11 +67,14 @@ signatures-dir: ""
 
 capabilities:
     bypass: false
-proctree:
-    source: both
-    cache:
-        process: 8192
-        thread: 8192
+stores:
+    process:
+        enabled: true
+        source: both
+        max-processes: 8192
+        max-threads: 8192
+    dns:
+        enabled: false
 
 # logging