aquasecurity · geyslan · Jan 16, 2025 · Sep 3, 2024 · Aug 14, 2024 · Sep 10, 2024
diff --git a/builder/entrypoint.sh b/builder/entrypoint.sh
@@ -35,7 +35,6 @@ run_tracee() {
         --capabilities drop=$CAPABILITIES_DROP \
         --output=json \
         --output=option:parse-arguments \
-        --output=option:relative-time \
         --events signatures,container_create,container_remove
     fi
 

diff --git a/deploy/helm/tracee/templates/tracee-config.yaml b/deploy/helm/tracee/templates/tracee-config.yaml
@@ -36,7 +36,6 @@ data:
             parse-arguments: {{ .Values.config.output.options.parseArguments }}
             stack-addresses: {{ .Values.config.output.options.stackAddresses }}
             exec-env: {{ .Values.config.output.options.execEnv }}
-            relative-time: {{ .Values.config.output.options.relativeTime }}
             exec-hash: {{ .Values.config.output.options.execHash }}
             sort-events: {{ .Values.config.output.options.sortEvents }}
         {{- with .Values.config.output.webhook }}

diff --git a/deploy/helm/tracee/values.yaml b/deploy/helm/tracee/values.yaml
@@ -101,7 +101,6 @@ config:
       parseArguments: true
       stackAddresses: false
       execEnv: false
-      relativeTime: true
       execHash: dev-inode
       sortEvents: false
     # uncomment config.output.webhook to enable a single webhook

diff --git a/deploy/kubernetes/tracee/tracee.yaml b/deploy/kubernetes/tracee/tracee.yaml
@@ -55,7 +55,6 @@ data:
             parse-arguments: true
             stack-addresses: false
             exec-env: false
-            relative-time: true
             exec-hash: dev-inode
             sort-events: false
 ---

diff --git a/docs/docs/flags/output.1.md b/docs/docs/flags/output.1.md
@@ -11,7 +11,7 @@ tracee **\-\-output** - Control how and where output is printed
 
 ## SYNOPSIS
 
-tracee **\-\-output** <format[:file,...]\> | gotemplate=template[:file,...] | forward:url | webhook:url | option:{stack-addresses,exec-env,relative-time,exec-hash[={inode,dev-inode,digest-inode}],parse-arguments,parse-arguments-fds,sort-events} ...
+tracee **\-\-output** <format[:file,...]\> | gotemplate=template[:file,...] | forward:url | webhook:url | option:{stack-addresses,exec-env,exec-hash[={inode,dev-inode,digest-inode}],parse-arguments,parse-arguments-fds,sort-events} ...
 
 
 ## DESCRIPTION
@@ -40,11 +40,10 @@ Webhook options:
 
 Other options:
 
-- **option:{stack-addresses,exec-env,relative-time,exec-hash,parse-arguments,sort-events}**: Augment output according to the given options. The default is none. Multiple options can be specified, separated by commas.
+- **option:{stack-addresses,exec-env,exec-hash,parse-arguments,sort-events}**: Augment output according to the given options. The default is none. Multiple options can be specified, separated by commas.
 
   - **stack-addresses**: Include stack memory addresses for each event.
   - **exec-env**: When tracing execve/execveat, show the environment variables that were used for execution.
-  - **relative-time**: Use relative timestamp instead of wall timestamp for events.
   - **exec-hash**: When tracing some file related events, show the file hash (sha256).
     - Affected events: *sched_process_exec*, *shared_object_loaded*
     - **inode** option recalculates the file hash if the inode's creation time (ctime) differs, which can occur in different namespaces even for identical inode. This option is performant, but not recommended and should only be used if container enrichment can't be enabled for digest-inode, and if performance is preferred over correctness.

diff --git a/docs/docs/install/config/index.md b/docs/docs/install/config/index.md
@@ -129,7 +129,6 @@ output:
         none: false
         stack-addresses: true
         exec-env: false
-        relative-time: true
         exec-hash: dev-inode
         parse-arguments: true
         sort-events: false

diff --git a/docs/docs/outputs/output-options.md b/docs/docs/outputs/output-options.md
@@ -51,17 +51,7 @@ Available options:
             exec-hash: dev-inode
     ```
 
-5. **relative-time**
-
-    The `relative-time` output option enables relative timestamp instead of wall timestamp for events.
-
-    ```
-    output:
-        options:
-            relative-time: true
-    ```
-
-6. **sort-events**
+5. **sort-events**
 
     This makes it possible to sort the events as they happened. Especially in systems where Tracee tracks lots of events, it can happen that they are received unordered. More information is provided in the [deep-dive](../deep-dive/ordering-events.md) section of the documentation.
 

diff --git a/docs/docs/policies/usage/cli.md b/docs/docs/policies/usage/cli.md
@@ -91,7 +91,6 @@ output:
         none: false
         stack-addresses: false
         exec-env: true
-        relative-time: true
         exec-hash: dev-inode
         parse-arguments: true
         parse-arguments-fds: true

diff --git a/docs/man/output.1 b/docs/man/output.1
@@ -7,7 +7,7 @@ tracee \f[B]\-\-output\f[R] \- Control how and where output is printed
 tracee \f[B]\-\-output\f[R] <format[:file,\&...]> |
 gotemplate=template[:file,\&...]
 | forward:url | webhook:url |
-option:{stack\-addresses,exec\-env,relative\-time,exec\-hash[={inode,dev\-inode,digest\-inode}],parse\-arguments,parse\-arguments\-fds,sort\-events}
+option:{stack\-addresses,exec\-env,exec\-hash[={inode,dev\-inode,digest\-inode}],parse\-arguments,parse\-arguments\-fds,sort\-events}
 \&...
 .SS DESCRIPTION
 The \f[B]\-\-output\f[R] flag allows you to control how and where the
@@ -49,7 +49,7 @@ webhook URL.
 .PP
 Other options:
 .IP \[bu] 2
-\f[B]option:{stack\-addresses,exec\-env,relative\-time,exec\-hash,parse\-arguments,sort\-events}\f[R]:
+\f[B]option:{stack\-addresses,exec\-env,exec\-hash,parse\-arguments,sort\-events}\f[R]:
 Augment output according to the given options.
 The default is none.
 Multiple options can be specified, separated by commas.
@@ -61,9 +61,6 @@ event.
 \f[B]exec\-env\f[R]: When tracing execve/execveat, show the environment
 variables that were used for execution.
 .IP \[bu] 2
-\f[B]relative\-time\f[R]: Use relative timestamp instead of wall
-timestamp for events.
-.IP \[bu] 2
 \f[B]exec\-hash\f[R]: When tracing some file related events, show the
 file hash (sha256).
 .RS 2

diff --git a/examples/config/global_config.yaml b/examples/config/global_config.yaml
@@ -121,7 +121,6 @@ output:
     #     none: false
     #     stack-addresses: true
     #     exec-env: false
-    #     relative-time: true
     #     exec-hash: dev-inode
     #     parse-arguments: true
     #     sort-events: false

diff --git a/pkg/cmd/cobra/config.go b/pkg/cmd/cobra/config.go
@@ -395,9 +395,6 @@ func (c *OutputConfig) flags() []string {
 	if c.Options.ExecEnv {
 		flags = append(flags, "option:exec-env")
 	}
-	if c.Options.RelativeTime {
-		flags = append(flags, "option:relative-time")
-	}
 	if c.Options.ExecHash != "" {
 		flags = append(flags, fmt.Sprintf("option:exec-hash=%s", c.Options.ExecHash))
 	}
@@ -478,7 +475,6 @@ type OutputOptsConfig struct {
 	None              bool   `mapstructure:"none"`
 	StackAddresses    bool   `mapstructure:"stack-addresses"`
 	ExecEnv           bool   `mapstructure:"exec-env"`
-	RelativeTime      bool   `mapstructure:"relative-time"`
 	ExecHash          string `mapstructure:"exec-hash"`
 	ParseArguments    bool   `mapstructure:"parse-arguments"`
 	ParseArgumentsFDs bool   `mapstructure:"parse-arguments-fds"`

diff --git a/pkg/cmd/cobra/config_test.go b/pkg/cmd/cobra/config_test.go
@@ -281,7 +281,6 @@ output:
     - none
     - option:stack-addresses
     - option:exec-env
-    - option:relative-time
     - option:exec-hash=dev-inode
     - option:parse-arguments
     - option:parse-arguments-fds
@@ -295,7 +294,6 @@ output:
 				"none",
 				"option:stack-addresses",
 				"option:exec-env",
-				"option:relative-time",
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
@@ -313,7 +311,6 @@ output:
         none: false
         stack-addresses: true
         exec-env: true
-        relative-time: true
         exec-hash: dev-inode
         parse-arguments: true
         parse-arguments-fds: true
@@ -367,7 +364,6 @@ output:
 			expectedFlags: []string{
 				"option:stack-addresses",
 				"option:exec-env",
-				"option:relative-time",
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
@@ -983,7 +979,6 @@ func TestOutputConfigFlags(t *testing.T) {
 					None:              true,
 					StackAddresses:    true,
 					ExecEnv:           true,
-					RelativeTime:      true,
 					ExecHash:          "dev-inode",
 					ParseArguments:    true,
 					ParseArgumentsFDs: true,
@@ -994,7 +989,6 @@ func TestOutputConfigFlags(t *testing.T) {
 				"none",
 				"option:stack-addresses",
 				"option:exec-env",
-				"option:relative-time",
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",

diff --git a/pkg/cmd/flags/output.go b/pkg/cmd/flags/output.go
@@ -101,8 +101,6 @@ func setOption(cfg *config.OutputConfig, option string, newBinary bool) error {
 		cfg.StackAddresses = true
 	case "exec-env":
 		cfg.ExecEnv = true
-	case "relative-time":
-		cfg.RelativeTime = true
 	case "parse-arguments":
 		cfg.ParseArguments = true
 	case "parse-arguments-fds":
@@ -175,10 +173,9 @@ func getPrinterConfigs(printerMap map[string]string, traceeConfig *config.Output
 		}
 
 		printerConfigs = append(printerConfigs, config.PrinterConfig{
-			Kind:       printerKind,
-			OutPath:    outPath,
-			OutFile:    outFile,
-			RelativeTS: traceeConfig.RelativeTime,
+			Kind:    printerKind,
+			OutPath: outPath,
+			OutFile: outFile,
 		})
 	}
 

diff --git a/pkg/cmd/flags/output_test.go b/pkg/cmd/flags/output_test.go
@@ -282,18 +282,6 @@ func TestPrepareOutput(t *testing.T) {
 				},
 			},
 		},
-		{
-			testName:    "option relative-time",
-			outputSlice: []string{"json", "option:relative-time"},
-			expectedOutput: PrepareOutputResult{
-				PrinterConfigs: []config.PrinterConfig{
-					{Kind: "json", OutPath: "stdout", RelativeTS: true},
-				},
-				TraceeConfig: &config.OutputConfig{
-					RelativeTime: true,
-				},
-			},
-		},
 		{
 			testName:    "option exec-hash",
 			outputSlice: []string{"option:exec-hash"},
@@ -374,20 +362,18 @@ func TestPrepareOutput(t *testing.T) {
 				"json",
 				"option:stack-addresses",
 				"option:exec-env",
-				"option:relative-time",
 				"option:exec-hash=dev-inode",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
 				"option:sort-events",
 			},
 			expectedOutput: PrepareOutputResult{
 				PrinterConfigs: []config.PrinterConfig{
-					{Kind: "json", OutPath: "stdout", RelativeTS: true},
+					{Kind: "json", OutPath: "stdout"},
 				},
 				TraceeConfig: &config.OutputConfig{
 					StackAddresses:    true,
 					ExecEnv:           true,
-					RelativeTime:      true,
 					CalcHashes:        config.CalcHashesDevInode,
 					ParseArguments:    true,
 					ParseArgumentsFDs: true,
@@ -437,7 +423,6 @@ func assertPrinterConfigs(t *testing.T, expected []config.PrinterConfig, actual
 
 		assert.Equal(t, expectedPrinter.Kind, p.Kind)
 		assert.Equal(t, expectedPrinter.OutPath, p.OutPath)
-		assert.Equal(t, expectedPrinter.RelativeTS, p.RelativeTS)
 		assert.Equal(t, expectedPrinter.ContainerMode, p.ContainerMode)
 	}
 }
diff --git a/pkg/cmd/flags/tracee_ebpf_output.go b/pkg/cmd/flags/tracee_ebpf_output.go
@@ -17,11 +17,10 @@ Possible options:
 [format:]gotemplate=/path/to/template              output events formatted using a given gotemplate file
 out-file:/path/to/file                             write the output to a specified file. create/trim the file if exists (default: stdout)
 none                                               ignore stream of events output, usually used with --capture
-option:{stack-addresses,exec-env,relative-time,exec-hash,parse-arguments,sort-events}
+option:{stack-addresses,exec-env,exec-hash,parse-arguments,sort-events}
                                                    augment output according to given options (default: none)
   stack-addresses                                  include stack memory addresses for each event
   exec-env                                         when tracing execve/execveat, show the environment variables that were used for execution
-  relative-time                                    use relative timestamp instead of wall timestamp for events
   exec-hash                                        when tracing sched_process_exec, show the file hash(sha256) and ctime
   parse-arguments                                  do not show raw machine-readable values for event arguments, instead parse into human readable strings
   parse-arguments-fds                              enable parse-arguments and enrich fd with its file path translation. This can cause pipeline slowdowns.
@@ -81,9 +80,8 @@ func TraceeEbpfPrepareOutput(outputSlice []string, newBinary bool) (PrepareOutpu
 
 	if outPath == "" {
 		stdoutConfig := config.PrinterConfig{
-			Kind:       printerKind,
-			OutFile:    os.Stdout,
-			RelativeTS: traceeConfig.RelativeTime,
+			Kind:    printerKind,
+			OutFile: os.Stdout,
 		}
 
 		printerConfigs = append(printerConfigs, stdoutConfig)
@@ -94,10 +92,9 @@ func TraceeEbpfPrepareOutput(outputSlice []string, newBinary bool) (PrepareOutpu
 		}
 
 		printerConfig := config.PrinterConfig{
-			Kind:       printerKind,
-			OutPath:    outPath,
-			OutFile:    file,
-			RelativeTS: traceeConfig.RelativeTime,
+			Kind:    printerKind,
+			OutPath: outPath,
+			OutFile: file,
 		}
 
 		printerConfigs = append(printerConfigs, printerConfig)

diff --git a/pkg/cmd/flags/tracee_ebpf_output_test.go b/pkg/cmd/flags/tracee_ebpf_output_test.go
@@ -77,15 +77,6 @@ func TestPrepareTraceeEbpfOutput(t *testing.T) {
 				},
 			},
 		},
-		{
-			testName:    "option relative-time",
-			outputSlice: []string{"json", "option:relative-time"},
-			expectedOutput: PrepareOutputResult{
-				TraceeConfig: &config.OutputConfig{
-					RelativeTime: true,
-				},
-			},
-		},
 		{
 			testName:    "option exec-hash=inode",
 			outputSlice: []string{"option:exec-hash=inode"},
@@ -131,7 +122,6 @@ func TestPrepareTraceeEbpfOutput(t *testing.T) {
 				"json",
 				"option:stack-addresses",
 				"option:exec-env",
-				"option:relative-time",
 				"option:exec-hash=none",
 				"option:parse-arguments",
 				"option:parse-arguments-fds",
@@ -141,7 +131,6 @@ func TestPrepareTraceeEbpfOutput(t *testing.T) {
 				TraceeConfig: &config.OutputConfig{
 					StackAddresses:    true,
 					ExecEnv:           true,
-					RelativeTime:      true,
 					CalcHashes:        config.CalcHashesNone,
 					ParseArguments:    true,
 					ParseArgumentsFDs: true,

diff --git a/pkg/cmd/printer/printer.go b/pkg/cmd/printer/printer.go
@@ -52,14 +52,12 @@ func New(cfg config.PrinterConfig) (EventPrinter, error) {
 			out:           cfg.OutFile,
 			verbose:       false,
 			containerMode: cfg.ContainerMode,
-			relativeTS:    cfg.RelativeTS,
 		}
 	case kind == "table-verbose":
 		res = &tableEventPrinter{
 			out:           cfg.OutFile,
 			verbose:       true,
 			containerMode: cfg.ContainerMode,
-			relativeTS:    cfg.RelativeTS,
 		}
 	case kind == "json":
 		res = &jsonEventPrinter{

diff --git a/pkg/cmd/printer/printer_test.go b/pkg/cmd/printer/printer_test.go
@@ -50,16 +50,6 @@ func TestTraceeEbpfPrepareOutputPrinterConfig(t *testing.T) {
 			},
 			expectedError: nil,
 		},
-		{
-			testName:    "option relative timestamp",
-			outputSlice: []string{"option:relative-time"},
-			expectedPrinter: config.PrinterConfig{
-				Kind:       "table",
-				OutFile:    os.Stdout,
-				RelativeTS: true,
-			},
-			expectedError: nil,
-		},
 	}
 	for _, testcase := range testCases {
 		testcase := testcase

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -166,7 +166,6 @@ func (c CalcHashesOption) String() string {
 type OutputConfig struct {
 	StackAddresses bool
 	ExecEnv        bool
-	RelativeTime   bool
 	CalcHashes     CalcHashesOption
 
 	ParseArguments    bool
@@ -187,5 +186,4 @@ type PrinterConfig struct {
 	OutPath       string
 	OutFile       io.WriteCloser
 	ContainerMode ContainerMode
-	RelativeTS    bool
 }
diff --git a/pkg/ebpf/capture.go b/pkg/ebpf/capture.go
@@ -12,6 +12,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/bufferdecoder"
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/logger"
+	"github.com/aquasecurity/tracee/pkg/time"
 	"github.com/aquasecurity/tracee/pkg/utils"
 )
 
@@ -109,7 +110,7 @@ func (t *Tracee) handleFileCaptures(ctx context.Context) {
 					continue
 				}
 				// note: size of buffer will determine maximum extracted file size! (as writes from kernel are immediate)
-				mprotectMeta.Ts = uint64(t.timeNormalizer.NormalizeTime(int(mprotectMeta.Ts)))
+				mprotectMeta.Ts = time.BootToEpochNS(uint64(mprotectMeta.Ts))
 				filename = fmt.Sprintf("bin.pid-%d.ts-%d", mprotectMeta.Pid, mprotectMeta.Ts)
 			} else if meta.BinType == bufferdecoder.SendKernelModule {
 				err = metaBuffDecoder.DecodeKernelModuleMeta(&kernelModuleMeta)