flag(stores): new flag format

cmd/tracee/cmd/man.go

@@ -61,6 +61,7 @@
 		scopeCmd,
 		serverCmd,
 		eventCmd,
+		storesCmd,
 	)
 }
 
@@ -177,6 +178,15 @@
 	},
 }
 
+var storesCmd = &cobra.Command{
+	Use:     "stores",
+	Aliases: []string{},
+	Short:   "Show manual page for the --stores flag",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		return runManForFlag("stores")
+	},
+}
+
 // runManForFlag runs man for the specified flag name
 func runManForFlag(flagName string) error {
 	// Read the embedded manual page

cmd/tracee/cmd/root.go

@@ -218,27 +218,14 @@
 		return errfmt.WrapError(err)
 	}
 
-	// Process Tree flags
-
-	rootCmd.Flags().StringArrayP(
-		"proctree",
-		"t",
-		[]string{"source=none"},
-		"[source=[events|signals|both]...]\tControl process tree options",
-	)
-	err = viper.BindPFlag("proctree", rootCmd.Flags().Lookup("proctree"))
-	if err != nil {
-		return errfmt.WrapError(err)
-	}
-
-	// DNS Cache flags
+	// Stores flags
 
 	rootCmd.Flags().StringArray(
-		"dnscache",
-		[]string{"none"},
-		"\t\t\t\t\tEnable DNS Cache",
+		flags.StoresFlag,
+		[]string{},
+		"\t\t\t\t\tStores configurations",
 	)
-	err = viper.BindPFlag("dnscache", rootCmd.Flags().Lookup("dnscache"))
+	err = viper.BindPFlag(flags.StoresFlag, rootCmd.Flags().Lookup(flags.StoresFlag))
 	if err != nil {
 		return errfmt.WrapError(err)
 	}

deploy/helm/tracee/templates/tracee-config.yaml

@@ -52,4 +52,34 @@ data:
     {{- if .Values.config.blobPerfBufferSize }}
     blob-perf-buffer-size: {{ .Values.config.blobPerfBufferSize}}
     {{- end }}
+    {{- if or .Values.config.stores.dns.enabled .Values.config.stores.dns.maxEntries .Values.config.stores.process.enabled .Values.config.stores.process.maxProcesses .Values.config.stores.process.maxThreads .Values.config.stores.process.source .Values.config.stores.process.useProcfs }}
+    stores:
+        {{- if or .Values.config.stores.dns.enabled .Values.config.stores.dns.maxEntries }}
+        dns:
+            {{- if .Values.config.stores.dns.enabled }}
+            enabled: {{ .Values.config.stores.dns.enabled }}
+            {{- end }}
+            {{- if .Values.config.stores.dns.maxEntries }}
+            max-entries: {{ .Values.config.stores.dns.maxEntries }}
+            {{- end }}
+        {{- end }}
+        {{- if or .Values.config.stores.process.enabled .Values.config.stores.process.maxProcesses .Values.config.stores.process.maxThreads .Values.config.stores.process.source .Values.config.stores.process.useProcfs }}
+        process:
+            {{- if .Values.config.stores.process.enabled }}
+            enabled: {{ .Values.config.stores.process.enabled }}
+            {{- end }}
+            {{- if .Values.config.stores.process.maxProcesses }}
+            max-processes: {{ .Values.config.stores.process.maxProcesses }}
+            {{- end }}
+            {{- if .Values.config.stores.process.maxThreads }}
+            max-threads: {{ .Values.config.stores.process.maxThreads }}
+            {{- end }}
+            {{- if .Values.config.stores.process.source }}
+            source: {{ .Values.config.stores.process.source }}
+            {{- end }}
+            {{- if .Values.config.stores.process.useProcfs }}
+            use-procfs: {{ .Values.config.stores.process.useProcfs }}
+            {{- end }}
+        {{- end }}
+    {{- end }}
   {{- end }}

deploy/helm/tracee/values.yaml

@@ -108,6 +108,16 @@ config:
     #   port: "8080"
     #   protocol: http
     #   timeout: 3s
+  stores:
+    dns:
+      enabled: ""
+      maxEntries: ""
+    process:
+      enabled: ""
+      maxProcesses: ""
+      maxThreads: ""
+      source: ""
+      useProcfs: ""
 
 defaultPolicy: true
 

docs/docs/advanced/data-sources/builtin/dns.md

@@ -8,24 +8,21 @@ These relations can be queried in signatures through a data source.
 To switch on the `DNS Cache` feature, run the command:
 
 ```bash
-sudo tracee --output option:sort-events --output json --output option:parse-arguments --dnscache enable --events <event_type>
+sudo tracee --output option:sort-events --output json --output option:parse-arguments --stores dns --events <event_type>
 ```
 
 The underlying structure is populated using the core [net_packet_dns](../../../events/builtin/man/network/net_packet_dns.md) event and its payload.
 
 ## Command Line Option
 
 ```bash
-$ tracee --dnscache help
-Select different options for the DNS cache.
-
 Example:
-  --dnscache enable  | enable with default values (see below).
-  --dnscache size=X  | will cache up to X dns query trees - further queries may be cached regardless (default: 5000).
+  --stores dns                    | enable the DNS cache with default settings.
+  --stores dns.max-entries=X      | enable the DNS cache and cache up to X dns query trees - further queries may be cached regardless (default: 5000).
+                                   | Note: dns.max-entries automatically enables DNS, so --stores dns is not needed.
 
-Use comma OR use the flag multiple times to choose multiple options:
-  --dnscache size=A
-  --dnscache enable
+Use the flag multiple times to choose multiple options:
+  --stores dns.max-entries=5000   | This automatically enables DNS, no need for --stores dns
 ```
 
 Consider for your usecase, how many query trees would you like to store? If you will frequently check only a few addresses, consider lowering the size.

docs/docs/advanced/data-sources/builtin/process-tree.md

@@ -7,9 +7,11 @@ The `Process Tree` feature offers a structured view of processes and threads act
 To switch on the `Process Tree` feature, run the command:
 
 ```bash
-sudo tracee --output option:sort-events --output json --output option:parse-arguments --proctree source=both --events <event_type>
+sudo tracee --output option:sort-events --output json --output option:parse-arguments --stores process.source=both --events <event_type>
 ```
 
+Note: `process.source` automatically enables process, so `--stores process` is not needed.
+
 The underlying structure is populated using the core `sched_process_fork`, `sched_process_exec`, and `sched_process_exit` events and their data. There's also an option to bootstrap the process tree through a secondary route using internal signal events.
 
 > Introducing this secondary event source is strategic: it reduces interference with actively traced events, leading to more accurate and granular updates in the process tree.
@@ -27,19 +29,24 @@ The process tree query the procfs upon initialization and during runtime to fill
 
 ```bash
 Example:
-  --proctree source=[none|events|signals|both]
-      none         | process tree is disabled (default).
+  --stores process                 | enable the process tree with default settings.
+  --stores process.source=[signals|events|both]
+                                   | enable the process tree and set the source.
+                                   | Note: process.source automatically enables process, so --stores process is not needed.
+                                   | If no source is specified, the default is 'signals'.
+      signals      | process tree is built from signals (default).
       events       | process tree is built from events.
-      signals      | process tree is built from signals.
       both         | process tree is built from both events and signals.
-  --proctree process-cache=8192   | will cache up to 8192 processes in the tree (LRU cache).
-  --proctree thread-cache=16384   | will cache up to 16384 threads in the tree (LRU cache).
-  --proctree disable-procfs       | will disable procfs entirely.
-  --proctree disable-procfs-query | will disable procfs quering during runtime.
-
-Use comma OR use the flag multiple times to choose multiple options:
-  --proctree source=A,process-cache=B,thread-cache=C
-  --proctree process-cache=X --proctree thread-cache=Y
+  --stores process.max-processes=8192 | enable the process tree and cache up to 8192 processes (LRU cache).
+                                      | Note: process.max-processes automatically enables process, so --stores process is not needed.
+  --stores process.max-threads=16384  | enable the process tree and cache up to 16384 threads (LRU cache).
+                                      | Note: process.max-threads automatically enables process, so --stores process is not needed.
+  --stores process.use-procfs     | enable the process tree and enable procfs initialization and querying.
+                                   | Note: process.use-procfs automatically enables process, so --stores process is not needed.
+
+Use the flag multiple times to choose multiple options:
+  --stores process.source=both --stores process.max-processes=8192
+  | This automatically enables process, no need for --stores process
 ```
 
 ## Internal Data Organization

docs/docs/flags/stores.1.md

@@ -0,0 +1,109 @@
+---
+title: TRACEE-STORES
+section: 1
+header: Tracee Stores Flag Manual
+date: 2025/12
+...
+
+## NAME
+
+tracee **\-\-stores** - Configure data stores for DNS cache and process tree
+
+## SYNOPSIS
+
+tracee **\-\-stores** [dns|dns.max-entries=*size*|process|process.max-processes=*size*|process.max-threads=*size*|process.source=*source*|process.use-procfs] [**\-\-stores** ...]
+
+## DESCRIPTION
+
+The **\-\-stores** flag allows you to configure data stores for DNS cache and process tree functionality.
+
+### DNS Store Options
+
+- **dns**: Enable the DNS cache store with default settings. When enabled, Tracee will cache DNS query information for enrichment of network events.
+
+- **dns.max-entries**=*size*: Enable the DNS cache store and set the maximum number of DNS query trees to cache. Default is 5000. Further queries may be cached regardless once the limit is reached. **Note**: Using this option automatically enables DNS, so you don't need to also specify `--stores dns`.
+
+### Process Store Options
+
+- **process**: Enable the process tree store with default settings. When enabled, Tracee will maintain a tree of processes and threads for enrichment of events.
+
+- **process.max-processes**=*size*: Enable the process tree store and set the maximum number of processes to cache in the process tree. Default is 10928. This is an LRU cache that will evict least recently accessed entries when full. **Note**: Using this option automatically enables process, so you don't need to also specify `--stores process`.
+
+- **process.max-threads**=*size*: Enable the process tree store and set the maximum number of threads to cache in the process tree. Default is 21856. This is an LRU cache that will evict least recently accessed entries when full. **Note**: Using this option automatically enables process, so you don't need to also specify `--stores process`.
+
+- **process.source**=*source*: Enable the process tree store and set the source for process tree enrichment. Valid values are:
+  - **signals**: Process tree is built from signals (default).
+  - **events**: Process tree is built from events.
+  - **both**: Process tree is built from both events and signals.
+
+  **Note**: Using this option automatically enables process, so you don't need to also specify `--stores process`. If no source is specified, the default is `signals`.
+
+- **process.use-procfs**: Enable the process tree store and enable procfs initialization and querying. When enabled, Tracee will:
+  - Scan procfs during initialization to fill all existing processes and threads.
+  - Query specific processes at runtime in case of missing information caused by missing events.
+
+  **Note**: Using this option automatically enables process, so you don't need to also specify `--stores process`. The procfs query might increase the feature toll on CPU and memory. The runtime query might have a snowball effect on lost events, as it will reduce the system resources in the processes of filling missing information.
+
+## EXAMPLES
+
+1. Enable DNS cache:
+   ```console
+   --stores dns
+   ```
+
+2. Enable DNS cache with custom size:
+   ```console
+   --stores dns.max-entries=10000
+   ```
+
+   Note: `dns.max-entries` automatically enables DNS, so `--stores dns` is not needed.
+
+3. Enable process tree:
+   ```console
+   --stores process
+   ```
+
+4. Enable process tree with custom cache sizes:
+   ```console
+   --stores process.max-processes=8192 --stores process.max-threads=16384
+   ```
+
+   Note: `process.max-processes` and `process.max-threads` automatically enable process, so `--stores process` is not needed.
+
+5. Enable process tree with events source:
+   ```console
+   --stores process.source=events
+   ```
+
+   Note: `process.source` automatically enables process, so `--stores process` is not needed.
+
+6. Enable process tree with both events and signals sources:
+   ```console
+   --stores process.source=both
+   ```
+
+   Note: `process.source` automatically enables process, so `--stores process` is not needed.
+
+7. Enable process tree with procfs support:
+   ```console
+   --stores process.use-procfs
+   ```
+
+   Note: `process.use-procfs` automatically enables process, so `--stores process` is not needed.
+
+8. Combine DNS and process stores:
+   ```console
+   --stores dns.max-entries=5000 --stores process.source=both --stores process.max-processes=8192
+   ```
+
+   Note: Since `dns.max-entries` and `process.source` automatically enable their respective stores, you don't need `--stores dns` or `--stores process`.
+
+9. Complete configuration example:
+   ```console
+   --stores dns.max-entries=5000 --stores process.max-processes=8192 --stores process.max-threads=16384 --stores process.source=both --stores process.use-procfs
+   ```
+
+   Note: All process options automatically enable process, and `dns.max-entries` automatically enables DNS, so you don't need `--stores dns` or `--stores process`.
+
+Please refer to the [DNS data source documentation](../advanced/data-sources/builtin/dns.md) and [Process Tree data source documentation](../advanced/data-sources/builtin/process-tree.md) for more information.
+

docs/docs/install/config/index.md

@@ -50,17 +50,21 @@ A complete config file with all available options can be found [here](https://gi
     pyroscope: true
   ```
 
-### Process Tree
+### Stores (Process Tree and DNS Cache)
 
-- **`--proctree` (`-t`)**: Controls process tree options.
+- **`--stores`**: Controls process tree and DNS cache options.
 
 
-  __NOTE__: You can view more in the [Process Tree section](../../advanced/data-sources/builtin/process-tree.md).
+  __NOTE__: You can view more in the [Process Tree section](../../advanced/data-sources/builtin/process-tree.md) and [DNS Cache section](../../advanced/data-sources/builtin/dns.md).
 
   YAML:
   ```yaml
-  proctree:
-    - process
+  stores:
+    process:
+      enabled: true
+      source: both
+    dns:
+      enabled: true
   ```
 
 ### Install Path
@@ -109,17 +113,6 @@ A complete config file with all available options can be found [here](https://gi
         socket: /var/run/docker.sock
   ```
 
-### DNS Cache
-
-- **`--dnscache`**: Enables DNS caching in Tracee.
-
-  __NOTE__: You can view more in the [DNS Cache section](../../advanced/data-sources/builtin/dns.md). 
-
-  YAML:
-  ```yaml
-  dnscache: enable
-  ```
-
 ### Capabilities
 
 - **`--capabilities` (`-C`)**: Define specific capabilities for Tracee to run with. This allows you to either bypass, add, or drop certain capabilities based on your security and operational needs.

docs/docs/policies/usage/cli.md

@@ -67,11 +67,14 @@ signatures-dir: ""
 
 capabilities:
     bypass: false
-proctree:
-    source: both
-    cache:
-        process: 8192
-        thread: 8192
+stores:
+    process:
+        enabled: true
+        source: both
+        max-processes: 8192
+        max-threads: 8192
+    dns:
+        enabled: false
 
 # logging