rule

package
v0.0.40 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 13, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

README

ID Rule Description Tags Priority Application profile Parameters
R0001 Unexpected process launched Detecting exec calls that are not whitelisted by application profile [exec whitelisted] 10 true false
R0002 Unexpected file access Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags [open whitelisted] 5 true [ignoreMounts: bool ignorePrefixes: string[]]
R0003 Unexpected system call Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once. [syscall whitelisted] 5 true false
R0004 Unexpected capability used Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container. [capabilities whitelisted] 8 true false
R0005 Unexpected domain request Detecting unexpected domain requests that are not whitelisted by application profile. [dns whitelisted] 5 true false
R0006 Unexpected service account token access Detecting unexpected service account token access that are not whitelisted by application profile. [token malicious whitelisted] 8 true false
R0007 Kubernetes Client Executed Detecting exececution of kubernetes client [exec malicious whitelisted] 10 false false
R1000 Exec from malicious source Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self [exec signature] 10 false false
R1001 Exec Binary Not In Base Image Detecting exec calls of binaries that are not included in the base image [exec malicious binary base image] 10 false false
R1002 Kernel Module Load Detecting Kernel Module Load. [syscall kernel module load] 10 false false
R1003 Malicious SSH Connection Detecting ssh connection to disallowed port [ssh connection port malicious] 8 false false
R1004 Exec from mount Detecting exec calls from mounted paths. [exec mount] 5 false false
R1006 Unshare System Call usage Detecting Unshare System Call usage. [syscall escape unshare] 8 false false
R1007 Crypto Miners Detecting Crypto Miners. [network crypto miners malicious dns] 8 false false

Documentation

Index

Constants

View Source 
const (
	R0001ID                                = "R0001"
	R0001UnexpectedProcessLaunchedRuleName = "Unexpected process launched"
)
View Source 
const (
	R0002ID                           = "R0002"
	R0002UnexpectedFileAccessRuleName = "Unexpected file access"
)
View Source 
const (
	R0003ID                           = "R0003"
	R0003UnexpectedSystemCallRuleName = "Unexpected system call"
)
View Source 
const (
	R0004ID                               = "R0004"
	R0004UnexpectedCapabilityUsedRuleName = "Unexpected capability used"
)
View Source 
const (
	R0005ID                              = "R0005"
	R0005UnexpectedDomainRequestRuleName = "Unexpected domain request"
)
View Source 
const (
	R0006ID                                          = "R0006"
	R0006UnexpectedServiceAccountTokenAccessRuleName = "Unexpected Service Account Token Access"
)
View Source 
const (
	R0007ID                               = "R0007"
	R0007KubernetesClientExecutedRuleName = "Kubernetes Client Executed"
)
View Source 
const (
	R1000ID                              = "R1000"
	R1000ExecFromMaliciousSourceRuleName = "Exec from malicious source"
)
View Source 
const (
	R1001ID                               = "R1001"
	R1001ExecBinaryNotInBaseImageRuleName = "Exec Binary Not In Base Image"
)
View Source 
const (
	R1002ID                       = "R1002"
	R1002LoadKernelModuleRuleName = "Kernel Module Load"
)
View Source 
const (
	R1003ID                             = "R1003"
	R1003MaliciousSSHConnectionRuleName = "Malicious SSH Connection"
	MaxTimeDiffInSeconds                = 2
)
View Source 
const (
	R1004ID                    = "R1004"
	R1004ExecFromMountRuleName = "Exec from mount"
)
View Source 
const (
	R1006ID                     = "R1006"
	R1006UnshareSyscallRuleName = "Unshare System Call usage"
)
View Source 
const (
	R1007ID                   = "R1007"
	R1007CryptoMinersRuleName = "Crypto Miner detected"
)
View Source 
const (
	RulePriorityNone        = 0
	RulePriorityLow         = 1
	RulePriorityMed         = 5
	RulePriorityHigh        = 8
	RulePriorityCritical    = 10
	RulePrioritySystemIssue = 1000
)

Variables

View Source 
var CommonlyUsedCryptoMinersDomains = []string{}/* 105 elements not displayed */
View Source 
var CommonlyUsedCryptoMinersPorts = []uint16{
	3333,
	45700,
}
View Source 
var KubernetesClients = []string{
	"kubectl",
	"kubeadm",
	"kubelet",
	"kube-proxy",
	"kube-apiserver",
	"kube-controller-manager",
	"kube-scheduler",
	"crictl",
	"docker",
	"containerd",
	"runc",
	"ctr",
	"containerd-shim",
	"containerd-shim-runc-v2",
	"containerd-shim-runc-v1",
	"containerd-shim-runc-v0",
	"containerd-shim-runc",
}
View Source 
var R0001UnexpectedProcessLaunchedRuleDescriptor = RuleDesciptor{
	ID:          R0001ID,
	Name:        R0001UnexpectedProcessLaunchedRuleName,
	Description: "Detecting exec calls that are not whitelisted by application profile",
	Tags:        []string{"exec", "whitelisted"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0001UnexpectedProcessLaunched()
	},
}
View Source 
var R0002UnexpectedFileAccessRuleDescriptor = RuleDesciptor{
	ID:          R0002ID,
	Name:        R0002UnexpectedFileAccessRuleName,
	Description: "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags",
	Tags:        []string{"open", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.OpenEventType},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0002UnexpectedFileAccess()
	},
}
View Source 
var R0003UnexpectedSystemCallRuleDescriptor = RuleDesciptor{
	ID:          R0003ID,
	Name:        R0003UnexpectedSystemCallRuleName,
	Description: "Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once.",
	Tags:        []string{"syscall", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes: []tracing.EventType{
			tracing.SyscallEventType,
		},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0003UnexpectedSystemCall()
	},
}
View Source 
var R0004UnexpectedCapabilityUsedRuleDescriptor = RuleDesciptor{
	ID:          R0004ID,
	Name:        R0004UnexpectedCapabilityUsedRuleName,
	Description: "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.",
	Tags:        []string{"capabilities", "whitelisted"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.CapabilitiesEventType},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0004UnexpectedCapabilityUsed()
	},
}
View Source 
var R0005UnexpectedDomainRequestRuleDescriptor = RuleDesciptor{
	ID:          R0005ID,
	Name:        R0005UnexpectedDomainRequestRuleName,
	Description: "Detecting unexpected domain requests that are not whitelisted by application profile.",
	Tags:        []string{"dns", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.DnsEventType},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0005UnexpectedDomainRequest()
	},
}
View Source 
var R0006UnexpectedServiceAccountTokenAccessRuleDescriptor = RuleDesciptor{
	ID:          R0006ID,
	Name:        R0006UnexpectedServiceAccountTokenAccessRuleName,
	Description: "Detecting unexpected access to service account token.",
	Tags:        []string{"token", "malicious", "whitelisted"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes: []tracing.EventType{
			tracing.OpenEventType,
		},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0006UnexpectedServiceAccountTokenAccess()
	},
}
View Source 
var R0007KubernetesClientExecutedDescriptor = RuleDesciptor{
	ID:          R0007ID,
	Name:        R0007KubernetesClientExecutedRuleName,
	Description: "Detecting exececution of kubernetes client",
	Priority:    RulePriorityCritical,
	Tags:        []string{"exec", "malicious", "whitelisted"},
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType, tracing.NetworkEventType},
		NeedApplicationProfile: true,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR0007KubernetesClientExecuted()
	},
}
View Source 
var R1000ExecFromMaliciousSourceDescriptor = RuleDesciptor{
	ID:          R1000ID,
	Name:        R1000ExecFromMaliciousSourceRuleName,
	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self",
	Priority:    RulePriorityCritical,
	Tags:        []string{"exec", "signature"},
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1000ExecFromMaliciousSource()
	},
}
View Source 
var R1001ExecBinaryNotInBaseImageRuleDescriptor = RuleDesciptor{
	ID:          R1001ID,
	Name:        R1001ExecBinaryNotInBaseImageRuleName,
	Description: "Detecting exec calls of binaries that are not included in the base image",
	Tags:        []string{"exec", "malicious", "binary", "base image"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1001ExecBinaryNotInBaseImage()
	},
}
View Source 
var R1002LoadKernelModuleRuleDescriptor = RuleDesciptor{
	ID:          R1002ID,
	Name:        R1002LoadKernelModuleRuleName,
	Description: "Detecting Kernel Module Load.",
	Tags:        []string{"syscall", "kernel", "module", "load"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes: []tracing.EventType{
			tracing.SyscallEventType,
		},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1002LoadKernelModule()
	},
}
View Source 
var R1003MaliciousSSHConnectionRuleDescriptor = RuleDesciptor{
	ID:          R1003ID,
	Name:        R1003MaliciousSSHConnectionRuleName,
	Description: "Detecting ssh connection to disallowed port",
	Tags:        []string{"ssh", "connection", "port", "malicious"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.OpenEventType, tracing.NetworkEventType},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1003MaliciousSSHConnection()
	},
}
View Source 
var R1004ExecFromMountRuleDescriptor = RuleDesciptor{
	ID:          R1004ID,
	Name:        R1004ExecFromMountRuleName,
	Description: "Detecting exec calls from mounted paths.",
	Tags:        []string{"exec", "mount"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1004ExecFromMount()
	},
}
View Source 
var R1006UnshareSyscallRuleDescriptor = RuleDesciptor{
	ID:          R1006ID,
	Name:        R1006UnshareSyscallRuleName,
	Description: "Detecting Unshare System Call usage, which can be used to escape container.",
	Tags:        []string{"syscall", "escape", "unshare"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes: []tracing.EventType{
			tracing.SyscallEventType,
		},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1006UnshareSyscall()
	},
}
View Source 
var R1007CryptoMinersRuleDescriptor = RuleDesciptor{
	ID:          R1007ID,
	Name:        R1007CryptoMinersRuleName,
	Description: "Detecting Crypto Miners by port, domain and randomx event.",
	Tags:        []string{"network", "crypto", "miners", "malicious", "dns"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes: []tracing.EventType{
			tracing.NetworkEventType,
			tracing.DnsEventType,
			tracing.RandomXEventType,
		},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		return CreateRuleR1007CryptoMiners()
	},
}
View Source 
var SSHRelatedFiles = []string{
	"ssh_config",
	"sshd_config",
	"ssh_known_hosts",
	"ssh_known_hosts2",
	"ssh_config.d",
	"sshd_config.d",
	".ssh",
	"authorized_keys",
	"authorized_keys2",
	"known_hosts",
	"known_hosts2",
	"id_rsa",
	"id_rsa.pub",
	"id_dsa",
	"id_dsa.pub",
	"id_ecdsa",
	"id_ecdsa.pub",
	"id_ed25519",
	"id_ed25519.pub",
	"id_xmss",
	"id_xmss.pub",
}
View Source 
var ServiceAccountTokenPathsPrefixs = []string{
	"/run/secrets/kubernetes.io/serviceaccount",
	"/var/run/secrets/kubernetes.io/serviceaccount",
}

ServiceAccountTokenPathsPrefixs is a list because of symlinks.

Functions

func IsExecBinaryInUpperLayer 

func IsExecBinaryInUpperLayer(execEvent *tracing.ExecveEvent) bool

func IsSSHConfigFile added in v0.0.3 

func IsSSHConfigFile(path string) bool

Types

type BaseRule added in v0.0.3 

type BaseRule struct {
	// contains filtered or unexported fields
}

func (*BaseRule) GetParameters added in v0.0.3 

func (rule *BaseRule) GetParameters() map[string]interface{}

func (*BaseRule) SetParameters added in v0.0.3 

func (rule *BaseRule) SetParameters(parameters map[string]interface{})

type EngineAccess added in v0.0.3 

type EngineAccess interface {
	GetPodSpec(podName, namespace, containerID string) (*corev1.PodSpec, error)
	GetApiServerIpAddress() (string, error)
}

type EngineAccessMock added in v0.0.3 

type EngineAccessMock struct {
}

func (*EngineAccessMock) GetApiServerIpAddress added in v0.0.5 

func (e *EngineAccessMock) GetApiServerIpAddress() (string, error)

func (*EngineAccessMock) GetPodSpec added in v0.0.3 

func (e *EngineAccessMock) GetPodSpec(podName, namespace, containerID string) (*corev1.PodSpec, error)

type MockAppProfileAccess 

type MockAppProfileAccess struct {
	Execs           []collector.ExecCalls
	OpenCalls       []collector.OpenCalls
	Syscalls        []string
	Capabilities    []collector.CapabilitiesCalls
	NetworkActivity collector.NetworkActivity
	Dns             []collector.DnsCalls
}

func (*MockAppProfileAccess) GetCapabilities 

func (m *MockAppProfileAccess) GetCapabilities() (*[]collector.CapabilitiesCalls, error)

func (*MockAppProfileAccess) GetDNS 

func (m *MockAppProfileAccess) GetDNS() (*[]collector.DnsCalls, error)

func (*MockAppProfileAccess) GetExecList 

func (m *MockAppProfileAccess) GetExecList() (*[]collector.ExecCalls, error)

func (*MockAppProfileAccess) GetName added in v0.0.3 

func (m *MockAppProfileAccess) GetName() string

func (*MockAppProfileAccess) GetNamespace added in v0.0.3 

func (m *MockAppProfileAccess) GetNamespace() string

func (*MockAppProfileAccess) GetNetworkActivity 

func (m *MockAppProfileAccess) GetNetworkActivity() (*collector.NetworkActivity, error)

func (*MockAppProfileAccess) GetOpenList 

func (m *MockAppProfileAccess) GetOpenList() (*[]collector.OpenCalls, error)

func (*MockAppProfileAccess) GetSystemCalls 

func (m *MockAppProfileAccess) GetSystemCalls() ([]string, error)

type R0001UnexpectedProcessLaunched added in v0.0.3 

type R0001UnexpectedProcessLaunched struct {
	BaseRule
}

func CreateRuleR0001UnexpectedProcessLaunched added in v0.0.3 

func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched

func (*R0001UnexpectedProcessLaunched) DeleteRule added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunched) DeleteRule()

func (*R0001UnexpectedProcessLaunched) Name added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunched) Name() string

func (*R0001UnexpectedProcessLaunched) ProcessEvent added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0001UnexpectedProcessLaunched) Requirements added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunched) Requirements() RuleRequirements

type R0001UnexpectedProcessLaunchedFailure added in v0.0.3 

type R0001UnexpectedProcessLaunchedFailure struct {
	RuleName         string
	Err              string
	RulePriority     int
	FixSuggestionMsg string
	FailureEvent     *tracing.ExecveEvent
}

func (*R0001UnexpectedProcessLaunchedFailure) Error added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunchedFailure) Error() string

func (*R0001UnexpectedProcessLaunchedFailure) Event added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunchedFailure) Event() tracing.GeneralEvent

func (*R0001UnexpectedProcessLaunchedFailure) FixSuggestion added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunchedFailure) FixSuggestion() string

func (*R0001UnexpectedProcessLaunchedFailure) Name added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunchedFailure) Name() string

func (*R0001UnexpectedProcessLaunchedFailure) Priority added in v0.0.3 

func (rule *R0001UnexpectedProcessLaunchedFailure) Priority() int

type R0002UnexpectedFileAccess 

type R0002UnexpectedFileAccess struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0002UnexpectedFileAccess 

func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess

func (*R0002UnexpectedFileAccess) DeleteRule 

func (rule *R0002UnexpectedFileAccess) DeleteRule()

func (*R0002UnexpectedFileAccess) Name 

func (rule *R0002UnexpectedFileAccess) Name() string

func (*R0002UnexpectedFileAccess) ProcessEvent 

func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0002UnexpectedFileAccess) Requirements 

func (rule *R0002UnexpectedFileAccess) Requirements() RuleRequirements

func (*R0002UnexpectedFileAccess) SetParameters added in v0.0.3 

func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})

type R0002UnexpectedFileAccessFailure 

type R0002UnexpectedFileAccessFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.OpenEvent
}

func (*R0002UnexpectedFileAccessFailure) Error 

func (rule *R0002UnexpectedFileAccessFailure) Error() string

func (*R0002UnexpectedFileAccessFailure) Event 

func (rule *R0002UnexpectedFileAccessFailure) Event() tracing.GeneralEvent

func (*R0002UnexpectedFileAccessFailure) FixSuggestion added in v0.0.3 

func (rule *R0002UnexpectedFileAccessFailure) FixSuggestion() string

func (*R0002UnexpectedFileAccessFailure) Name 

func (rule *R0002UnexpectedFileAccessFailure) Name() string

func (*R0002UnexpectedFileAccessFailure) Priority 

func (rule *R0002UnexpectedFileAccessFailure) Priority() int

type R0003UnexpectedSystemCall 

type R0003UnexpectedSystemCall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0003UnexpectedSystemCall 

func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall

func (*R0003UnexpectedSystemCall) DeleteRule 

func (rule *R0003UnexpectedSystemCall) DeleteRule()

func (*R0003UnexpectedSystemCall) Name 

func (rule *R0003UnexpectedSystemCall) Name() string

func (*R0003UnexpectedSystemCall) ProcessEvent 

func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0003UnexpectedSystemCall) Requirements 

func (rule *R0003UnexpectedSystemCall) Requirements() RuleRequirements

type R0003UnexpectedSystemCallFailure 

type R0003UnexpectedSystemCallFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.SyscallEvent
}

func (*R0003UnexpectedSystemCallFailure) Error 

func (rule *R0003UnexpectedSystemCallFailure) Error() string

func (*R0003UnexpectedSystemCallFailure) Event 

func (rule *R0003UnexpectedSystemCallFailure) Event() tracing.GeneralEvent

func (*R0003UnexpectedSystemCallFailure) FixSuggestion added in v0.0.3 

func (rule *R0003UnexpectedSystemCallFailure) FixSuggestion() string

func (*R0003UnexpectedSystemCallFailure) Name 

func (rule *R0003UnexpectedSystemCallFailure) Name() string

func (*R0003UnexpectedSystemCallFailure) Priority 

func (rule *R0003UnexpectedSystemCallFailure) Priority() int

type R0004UnexpectedCapabilityUsed 

type R0004UnexpectedCapabilityUsed struct {
	BaseRule
}

func CreateRuleR0004UnexpectedCapabilityUsed 

func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed

func (*R0004UnexpectedCapabilityUsed) DeleteRule 

func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()

func (*R0004UnexpectedCapabilityUsed) Name 

func (rule *R0004UnexpectedCapabilityUsed) Name() string

func (*R0004UnexpectedCapabilityUsed) ProcessEvent 

func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0004UnexpectedCapabilityUsed) Requirements 

func (rule *R0004UnexpectedCapabilityUsed) Requirements() RuleRequirements

type R0004UnexpectedCapabilityUsedFailure 

type R0004UnexpectedCapabilityUsedFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.CapabilitiesEvent
}

func (*R0004UnexpectedCapabilityUsedFailure) Error 

func (rule *R0004UnexpectedCapabilityUsedFailure) Error() string

func (*R0004UnexpectedCapabilityUsedFailure) Event 

func (rule *R0004UnexpectedCapabilityUsedFailure) Event() tracing.GeneralEvent

func (*R0004UnexpectedCapabilityUsedFailure) FixSuggestion added in v0.0.3 

func (rule *R0004UnexpectedCapabilityUsedFailure) FixSuggestion() string

func (*R0004UnexpectedCapabilityUsedFailure) Name 

func (rule *R0004UnexpectedCapabilityUsedFailure) Name() string

func (*R0004UnexpectedCapabilityUsedFailure) Priority 

func (rule *R0004UnexpectedCapabilityUsedFailure) Priority() int

type R0005UnexpectedDomainRequest 

type R0005UnexpectedDomainRequest struct {
	BaseRule
}

func CreateRuleR0005UnexpectedDomainRequest 

func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest

func (*R0005UnexpectedDomainRequest) DeleteRule 

func (rule *R0005UnexpectedDomainRequest) DeleteRule()

func (*R0005UnexpectedDomainRequest) Name 

func (rule *R0005UnexpectedDomainRequest) Name() string

func (*R0005UnexpectedDomainRequest) ProcessEvent 

func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0005UnexpectedDomainRequest) Requirements 

func (rule *R0005UnexpectedDomainRequest) Requirements() RuleRequirements

type R0005UnexpectedDomainRequestFailure 

type R0005UnexpectedDomainRequestFailure struct {
	RuleName         string
	RulePriority     int
	FixSuggestionMsg string
	Err              string
	FailureEvent     *tracing.DnsEvent
}

func (*R0005UnexpectedDomainRequestFailure) Error 

func (rule *R0005UnexpectedDomainRequestFailure) Error() string

func (*R0005UnexpectedDomainRequestFailure) Event 

func (rule *R0005UnexpectedDomainRequestFailure) Event() tracing.GeneralEvent

func (*R0005UnexpectedDomainRequestFailure) FixSuggestion added in v0.0.3 

func (rule *R0005UnexpectedDomainRequestFailure) FixSuggestion() string

func (*R0005UnexpectedDomainRequestFailure) Name 

func (rule *R0005UnexpectedDomainRequestFailure) Name() string

func (*R0005UnexpectedDomainRequestFailure) Priority 

func (rule *R0005UnexpectedDomainRequestFailure) Priority() int

type R0006UnexpectedServiceAccountTokenAccess added in v0.0.6 

type R0006UnexpectedServiceAccountTokenAccess struct {
	BaseRule
}

func CreateRuleR0006UnexpectedServiceAccountTokenAccess added in v0.0.6 

func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess

func (*R0006UnexpectedServiceAccountTokenAccess) DeleteRule added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()

func (*R0006UnexpectedServiceAccountTokenAccess) Name added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string

func (*R0006UnexpectedServiceAccountTokenAccess) ProcessEvent added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0006UnexpectedServiceAccountTokenAccess) Requirements added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() RuleRequirements

type R0006UnexpectedServiceAccountTokenAccessFailure added in v0.0.6 

type R0006UnexpectedServiceAccountTokenAccessFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.OpenEvent
}

func (*R0006UnexpectedServiceAccountTokenAccessFailure) Error added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Error() string

func (*R0006UnexpectedServiceAccountTokenAccessFailure) Event added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Event() tracing.GeneralEvent

func (*R0006UnexpectedServiceAccountTokenAccessFailure) FixSuggestion added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) FixSuggestion() string

func (*R0006UnexpectedServiceAccountTokenAccessFailure) Name added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Name() string

func (*R0006UnexpectedServiceAccountTokenAccessFailure) Priority added in v0.0.6 

func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Priority() int

type R0007KubernetesClientExecuted added in v0.0.9 

type R0007KubernetesClientExecuted struct {
	BaseRule
}

func CreateRuleR0007KubernetesClientExecuted added in v0.0.9 

func CreateRuleR0007KubernetesClientExecuted() *R0007KubernetesClientExecuted

func (*R0007KubernetesClientExecuted) DeleteRule added in v0.0.9 

func (rule *R0007KubernetesClientExecuted) DeleteRule()

func (*R0007KubernetesClientExecuted) Name added in v0.0.9 

func (rule *R0007KubernetesClientExecuted) Name() string

func (*R0007KubernetesClientExecuted) ProcessEvent added in v0.0.9 

func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R0007KubernetesClientExecuted) Requirements added in v0.0.9 

func (rule *R0007KubernetesClientExecuted) Requirements() RuleRequirements

type R0007KubernetesClientExecutedFailure added in v0.0.9 

type R0007KubernetesClientExecutedFailure struct {
	RuleName         string
	RulePriority     int
	FixSuggestionMsg string
	Err              string
	FailureEvent     *tracing.GeneralEvent
}

func (*R0007KubernetesClientExecutedFailure) Error added in v0.0.9 

func (rule *R0007KubernetesClientExecutedFailure) Error() string

func (*R0007KubernetesClientExecutedFailure) Event added in v0.0.9 

func (rule *R0007KubernetesClientExecutedFailure) Event() tracing.GeneralEvent

func (*R0007KubernetesClientExecutedFailure) FixSuggestion added in v0.0.9 

func (rule *R0007KubernetesClientExecutedFailure) FixSuggestion() string

func (*R0007KubernetesClientExecutedFailure) Name added in v0.0.9 

func (rule *R0007KubernetesClientExecutedFailure) Name() string

func (*R0007KubernetesClientExecutedFailure) Priority added in v0.0.9 

func (rule *R0007KubernetesClientExecutedFailure) Priority() int

type R1000ExecFromMaliciousSource 

type R1000ExecFromMaliciousSource struct {
	BaseRule
}

func CreateRuleR1000ExecFromMaliciousSource 

func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource

func (*R1000ExecFromMaliciousSource) DeleteRule 

func (rule *R1000ExecFromMaliciousSource) DeleteRule()

func (*R1000ExecFromMaliciousSource) Name 

func (rule *R1000ExecFromMaliciousSource) Name() string

func (*R1000ExecFromMaliciousSource) ProcessEvent 

func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1000ExecFromMaliciousSource) Requirements 

func (rule *R1000ExecFromMaliciousSource) Requirements() RuleRequirements

type R1000ExecFromMaliciousSourceFailure added in v0.0.3 

type R1000ExecFromMaliciousSourceFailure struct {
	RuleName         string
	RulePriority     int
	FixSuggestionMsg string
	Err              string
	FailureEvent     *tracing.ExecveEvent
}

func (*R1000ExecFromMaliciousSourceFailure) Error added in v0.0.3 

func (rule *R1000ExecFromMaliciousSourceFailure) Error() string

func (*R1000ExecFromMaliciousSourceFailure) Event added in v0.0.3 

func (rule *R1000ExecFromMaliciousSourceFailure) Event() tracing.GeneralEvent

func (*R1000ExecFromMaliciousSourceFailure) FixSuggestion added in v0.0.3 

func (rule *R1000ExecFromMaliciousSourceFailure) FixSuggestion() string

func (*R1000ExecFromMaliciousSourceFailure) Name added in v0.0.3 

func (rule *R1000ExecFromMaliciousSourceFailure) Name() string

func (*R1000ExecFromMaliciousSourceFailure) Priority added in v0.0.3 

func (rule *R1000ExecFromMaliciousSourceFailure) Priority() int

type R1001ExecBinaryNotInBaseImage added in v0.0.3 

type R1001ExecBinaryNotInBaseImage struct {
	BaseRule
}

func CreateRuleR1001ExecBinaryNotInBaseImage added in v0.0.3 

func CreateRuleR1001ExecBinaryNotInBaseImage() *R1001ExecBinaryNotInBaseImage

func (*R1001ExecBinaryNotInBaseImage) DeleteRule added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()

func (*R1001ExecBinaryNotInBaseImage) Name added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImage) Name() string

func (*R1001ExecBinaryNotInBaseImage) ProcessEvent added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1001ExecBinaryNotInBaseImage) Requirements added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImage) Requirements() RuleRequirements

type R1001ExecBinaryNotInBaseImageFailure added in v0.0.3 

type R1001ExecBinaryNotInBaseImageFailure struct {
	RuleName         string
	Err              string
	FixSuggestionMsg string
	RulePriority     int
	FailureEvent     *tracing.ExecveEvent
}

func (*R1001ExecBinaryNotInBaseImageFailure) Error added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImageFailure) Error() string

func (*R1001ExecBinaryNotInBaseImageFailure) Event added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImageFailure) Event() tracing.GeneralEvent

func (*R1001ExecBinaryNotInBaseImageFailure) FixSuggestion added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImageFailure) FixSuggestion() string

func (*R1001ExecBinaryNotInBaseImageFailure) Name added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImageFailure) Name() string

func (*R1001ExecBinaryNotInBaseImageFailure) Priority added in v0.0.3 

func (rule *R1001ExecBinaryNotInBaseImageFailure) Priority() int

type R1002LoadKernelModule added in v0.0.3 

type R1002LoadKernelModule struct {
	BaseRule
}

func CreateRuleR1002LoadKernelModule added in v0.0.3 

func CreateRuleR1002LoadKernelModule() *R1002LoadKernelModule

func (*R1002LoadKernelModule) DeleteRule added in v0.0.3 

func (rule *R1002LoadKernelModule) DeleteRule()

func (*R1002LoadKernelModule) Name added in v0.0.3 

func (rule *R1002LoadKernelModule) Name() string

func (*R1002LoadKernelModule) ProcessEvent added in v0.0.3 

func (rule *R1002LoadKernelModule) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1002LoadKernelModule) Requirements added in v0.0.3 

func (rule *R1002LoadKernelModule) Requirements() RuleRequirements

type R1002LoadKernelModuleFailure added in v0.0.3 

type R1002LoadKernelModuleFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.SyscallEvent
}

func (*R1002LoadKernelModuleFailure) Error added in v0.0.3 

func (rule *R1002LoadKernelModuleFailure) Error() string

func (*R1002LoadKernelModuleFailure) Event added in v0.0.3 

func (rule *R1002LoadKernelModuleFailure) Event() tracing.GeneralEvent

func (*R1002LoadKernelModuleFailure) FixSuggestion added in v0.0.3 

func (rule *R1002LoadKernelModuleFailure) FixSuggestion() string

func (*R1002LoadKernelModuleFailure) Name added in v0.0.3 

func (rule *R1002LoadKernelModuleFailure) Name() string

func (*R1002LoadKernelModuleFailure) Priority added in v0.0.3 

func (rule *R1002LoadKernelModuleFailure) Priority() int

type R1003MaliciousSSHConnection added in v0.0.3 

type R1003MaliciousSSHConnection struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1003MaliciousSSHConnection added in v0.0.3 

func CreateRuleR1003MaliciousSSHConnection() *R1003MaliciousSSHConnection

func (*R1003MaliciousSSHConnection) DeleteRule added in v0.0.3 

func (rule *R1003MaliciousSSHConnection) DeleteRule()

func (*R1003MaliciousSSHConnection) Name added in v0.0.3 

func (rule *R1003MaliciousSSHConnection) Name() string

func (*R1003MaliciousSSHConnection) ProcessEvent added in v0.0.3 

func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1003MaliciousSSHConnection) Requirements added in v0.0.3 

func (rule *R1003MaliciousSSHConnection) Requirements() RuleRequirements

func (*R1003MaliciousSSHConnection) SetParameters added in v0.0.3 

func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})

type R1003MaliciousSSHConnectionFailure added in v0.0.3 

type R1003MaliciousSSHConnectionFailure struct {
	RuleName         string
	Err              string
	FixSuggestionMsg string
	RulePriority     int
	FailureEvent     *tracing.NetworkEvent
}

func (*R1003MaliciousSSHConnectionFailure) Error added in v0.0.3 

func (rule *R1003MaliciousSSHConnectionFailure) Error() string

func (*R1003MaliciousSSHConnectionFailure) Event added in v0.0.3 

func (rule *R1003MaliciousSSHConnectionFailure) Event() tracing.GeneralEvent

func (*R1003MaliciousSSHConnectionFailure) FixSuggestion added in v0.0.3 

func (rule *R1003MaliciousSSHConnectionFailure) FixSuggestion() string

func (*R1003MaliciousSSHConnectionFailure) Name added in v0.0.3 

func (rule *R1003MaliciousSSHConnectionFailure) Name() string

func (*R1003MaliciousSSHConnectionFailure) Priority added in v0.0.3 

func (rule *R1003MaliciousSSHConnectionFailure) Priority() int

type R1004ExecFromMount added in v0.0.3 

type R1004ExecFromMount struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1004ExecFromMount added in v0.0.3 

func CreateRuleR1004ExecFromMount() *R1004ExecFromMount

func (*R1004ExecFromMount) DeleteRule added in v0.0.3 

func (rule *R1004ExecFromMount) DeleteRule()

func (*R1004ExecFromMount) Name added in v0.0.3 

func (rule *R1004ExecFromMount) Name() string

func (*R1004ExecFromMount) ProcessEvent added in v0.0.3 

func (rule *R1004ExecFromMount) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1004ExecFromMount) Requirements added in v0.0.3 

func (rule *R1004ExecFromMount) Requirements() RuleRequirements

type R1004ExecFromMountFailure added in v0.0.3 

type R1004ExecFromMountFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.ExecveEvent
}

func (*R1004ExecFromMountFailure) Error added in v0.0.3 

func (rule *R1004ExecFromMountFailure) Error() string

func (*R1004ExecFromMountFailure) Event added in v0.0.3 

func (rule *R1004ExecFromMountFailure) Event() tracing.GeneralEvent

func (*R1004ExecFromMountFailure) FixSuggestion added in v0.0.3 

func (rule *R1004ExecFromMountFailure) FixSuggestion() string

func (*R1004ExecFromMountFailure) Name added in v0.0.3 

func (rule *R1004ExecFromMountFailure) Name() string

func (*R1004ExecFromMountFailure) Priority added in v0.0.3 

func (rule *R1004ExecFromMountFailure) Priority() int

type R1006UnshareSyscall added in v0.0.6 

type R1006UnshareSyscall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1006UnshareSyscall added in v0.0.6 

func CreateRuleR1006UnshareSyscall() *R1006UnshareSyscall

func (*R1006UnshareSyscall) DeleteRule added in v0.0.6 

func (rule *R1006UnshareSyscall) DeleteRule()

func (*R1006UnshareSyscall) Name added in v0.0.6 

func (rule *R1006UnshareSyscall) Name() string

func (*R1006UnshareSyscall) ProcessEvent added in v0.0.6 

func (rule *R1006UnshareSyscall) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1006UnshareSyscall) Requirements added in v0.0.6 

func (rule *R1006UnshareSyscall) Requirements() RuleRequirements

type R1006UnshareSyscallFailure added in v0.0.6 

type R1006UnshareSyscallFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.SyscallEvent
}

func (*R1006UnshareSyscallFailure) Error added in v0.0.6 

func (rule *R1006UnshareSyscallFailure) Error() string

func (*R1006UnshareSyscallFailure) Event added in v0.0.6 

func (rule *R1006UnshareSyscallFailure) Event() tracing.GeneralEvent

func (*R1006UnshareSyscallFailure) FixSuggestion added in v0.0.6 

func (rule *R1006UnshareSyscallFailure) FixSuggestion() string

func (*R1006UnshareSyscallFailure) Name added in v0.0.6 

func (rule *R1006UnshareSyscallFailure) Name() string

func (*R1006UnshareSyscallFailure) Priority added in v0.0.6 

func (rule *R1006UnshareSyscallFailure) Priority() int

type R1007CryptoMiners added in v0.0.6 

type R1007CryptoMiners struct {
	BaseRule
}

func CreateRuleR1007CryptoMiners added in v0.0.6 

func CreateRuleR1007CryptoMiners() *R1007CryptoMiners

func (*R1007CryptoMiners) DeleteRule added in v0.0.6 

func (rule *R1007CryptoMiners) DeleteRule()

func (*R1007CryptoMiners) Name added in v0.0.6 

func (rule *R1007CryptoMiners) Name() string

func (*R1007CryptoMiners) ProcessEvent added in v0.0.6 

func (rule *R1007CryptoMiners) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

func (*R1007CryptoMiners) Requirements added in v0.0.6 

func (rule *R1007CryptoMiners) Requirements() RuleRequirements

type R1007CryptoMinersFailure added in v0.0.6 

type R1007CryptoMinersFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.GeneralEvent
}

func (*R1007CryptoMinersFailure) Error added in v0.0.6 

func (rule *R1007CryptoMinersFailure) Error() string

func (*R1007CryptoMinersFailure) Event added in v0.0.6 

func (rule *R1007CryptoMinersFailure) Event() tracing.GeneralEvent

func (*R1007CryptoMinersFailure) FixSuggestion added in v0.0.6 

func (rule *R1007CryptoMinersFailure) FixSuggestion() string

func (*R1007CryptoMinersFailure) Name added in v0.0.6 

func (rule *R1007CryptoMinersFailure) Name() string

func (*R1007CryptoMinersFailure) Priority added in v0.0.6 

func (rule *R1007CryptoMinersFailure) Priority() int

type Rule 

type Rule interface {
	// Delete a rule instance.
	DeleteRule()

	// Rule Name.
	Name() string

	// Needed events for the rule.
	ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure

	// Rule requirements.
	Requirements() RuleRequirements

	// Set rule parameters.
	SetParameters(parameters map[string]interface{})

	// Get rule parameters.
	GetParameters() map[string]interface{}
}

func CreateRuleByID 

func CreateRuleByID(id string) Rule

func CreateRuleByName 

func CreateRuleByName(name string) Rule

func CreateRulesByNames 

func CreateRulesByNames(names []string) []Rule

func CreateRulesByTags 

func CreateRulesByTags(tags []string) []Rule

type RuleDesciptor 

type RuleDesciptor struct {
	// Rule ID
	ID string
	// Rule Name.
	Name string
	// Rule Description.
	Description string
	// Priority.
	Priority int
	// Tags
	Tags []string
	// Rule requirements.
	Requirements RuleRequirements
	// Create a rule function.
	RuleCreationFunc func() Rule
}

func GetAllRuleDescriptors 

func GetAllRuleDescriptors() []RuleDesciptor

func (*RuleDesciptor) HasTags 

func (r *RuleDesciptor) HasTags(tags []string) bool

type RuleFailure 

type RuleFailure interface {
	// Rule Name.
	Name() string
	// Priority.
	Priority() int
	// Error interface.
	Error() string
	// Fix suggestion.
	FixSuggestion() string
	// Generic event
	Event() tracing.GeneralEvent
}

type RuleRequirements 

type RuleRequirements struct {
	// Needed events for the rule.
	EventTypes []tracing.EventType

	// Need application profile.
	NeedApplicationProfile bool
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.