Documentation
Index
- func NewAIO(modules map[string]string, opts ...Option) (detect.Signature, error)
- func NewRegoSignature(target string, partialEval bool, regoCodes ...string) (detect.Signature, error)
- type Mapper
- type Option
- type Options
- type RegoSignature
- func (sig *RegoSignature) Close()
- func (sig *RegoSignature) GetMetadata() (detect.SignatureMetadata, error)
- func (sig *RegoSignature) GetSelectedEvents() ([]detect.SignatureEventSelector, error)
- func (sig *RegoSignature) Init(cb detect.SignatureHandler) error
- func (sig *RegoSignature) OnEvent(event protocol.Event) error
- func (sig *RegoSignature) OnSignal(signal detect.Signal) error
Functions
Types
type Mapper
func (Mapper) ToSelectedEventsAll
func (m Mapper) ToSelectedEventsAll() (map[string][]detect.SignatureEventSelector, error)
func (Mapper) ToSignatureMetadataAll
func (m Mapper) ToSignatureMetadataAll() (map[string]detect.SignatureMetadata, error)
type Options
type Options struct {
	// OPATarget optionally specifies which OPA target engine to use for
	// evaluation. By default, the `rego` engine is used.
	OPATarget string

	// OPAPartial optionally specifies whether to use OPA partial evaluation
	// or not. By default, partial evaluation is disabled.
	//
	// NOTE: On average partial evaluation performs better by leveraging
	// OPA rules indexing. However, for some rules we noticed that enabling partial
	// evaluation significantly degraded performance.
	//
	// https://blog.openpolicyagent.org/partial-evaluation-162750eaf422
	OPAPartial bool
}
Options holds various Option items that can be passed to the NewAIO constructor.
type RegoSignature
type RegoSignature struct {
// contains filtered or unexported fields
}
RegoSignature is an abstract signature that is implemented in Rego. Each struct instance is associated with a Rego file, and the Rego file declares the following rules:
- __rego_metadoc__: a *document* rule that defines the rule's metadata (see GetMetadata())
- tracee_selected_events: a *set* rule that defines the event selectors (see GetSelectedEvents())
- tracee_match: a *boolean* or a *document* rule that defines the logic of the signature (see OnEvent())
func (*RegoSignature) Close
func (sig *RegoSignature) Close()
func (*RegoSignature) GetMetadata
func (sig *RegoSignature) GetMetadata() (detect.SignatureMetadata, error)
GetMetadata implements the Signature interface by evaluating the Rego policy's __rego_metadoc__ rule. This is a *document* rule that defines the rule's metadata, based on the WIP Rego convention for describing policy metadata: https://hackmd.io/@ZtQnh19kS26YiNlJLqKJnw/H1gAv5nBw
func (*RegoSignature) GetSelectedEvents
func (sig *RegoSignature) GetSelectedEvents() ([]detect.SignatureEventSelector, error)
GetSelectedEvents implements the Signature interface by evaluating the Rego policy's tracee_selected_events rule. This is a *set* rule that defines the rule's SelectedEvents.
func (*RegoSignature) Init
func (sig *RegoSignature) Init(cb detect.SignatureHandler) error
Init implements the Signature interface by resetting internal state.
func (*RegoSignature) OnEvent
func (sig *RegoSignature) OnEvent(event protocol.Event) error
OnEvent implements the Signature interface by evaluating the Rego policy's tracee_match rule. This is a *boolean* or a *document* rule that defines the logic of the signature:
- If a bool is "returned", a true evaluation will generate a Finding with no data.
- If a document is "returned", any non-empty evaluation will generate a Finding with the document as the Finding's "Data".
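A Rego file declaring the three rules that RegoSignature expects, using the document form of tracee_match described for OnEvent. This is an added example, not code from this package or the Tracee repository; the package name, the metadata keys and values, the selector fields, and the event input fields (`eventName`, `args[].name`, `args[].value`) are assumptions about what the engine passes in.

```rego
# Added example (not from the Tracee repository). Package name, metadata
# keys and values, selector fields and the input fields used below are
# assumptions. Written in pre-1.0 Rego syntax (no `if`/`contains`).
package tracee.EXAMPLE_1

# Document rule: the signature's metadata, evaluated by GetMetadata().
__rego_metadoc__ := {
	"id": "EXAMPLE-1",
	"version": "0.1.0",
	"name": "PTRACE_TRACEME observed",
	"description": "A process asked to be traced, a common anti-debugging check",
	"tags": ["linux", "example"],
	"properties": {"Severity": 1},
}

# Set rule: one member per event the signature subscribes to,
# evaluated by GetSelectedEvents().
tracee_selected_events[selector] {
	selector := event_selectors[_]
}

event_selectors := [{"source": "tracee", "name": "ptrace"}]

# Document form of tracee_match, evaluated by OnEvent() for every event.
# When the body holds, `res` is non-empty and becomes the Finding's "Data".
# When the body fails, the rule is undefined and no Finding is generated.
tracee_match = res {
	input.eventName == "ptrace"
	arg := input.args[_]
	arg.name == "request"
	arg.value == "PTRACE_TRACEME"
	res := {"request": arg.value}
}

# Boolean form of the same logic (use one form or the other, not both):
# a true evaluation generates a Finding with no data.
#
# tracee_match {
# 	input.eventName == "ptrace"
# 	arg := input.args[_]
# 	arg.name == "request"
# 	arg.value == "PTRACE_TRACEME"
# }
```

Prefer the document form when responders need the triggering values in the Finding, since the boolean form reports only that the rule matched.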