README

Rules

Rule list

ID Rule Description Tags Priority Application profile
R0001 Exec Whitelisted Detecting exec calls that are not whitelisted by application profile [exec whitelisted] 7 true
R0002 Unexpected file access Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags [open whitelisted] 5 true
R0003 Unexpected system call Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once. [syscall whitelisted] 7 true
R0004 Unexpected capability used Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container. [capabilities whitelisted] 8 true
R0005 Unexpected domain request Detecting unexpected domain requests that are not whitelisted by application profile. [dns whitelisted] 6 true
R0006 Exec Binary Not In Base Image Detecting exec calls of binaries that are not included in the base image [exec malicious binary base image] 7 false
R0007 Kernel Module Load Detecting Kernel Module Load. [syscall kernel module load] 7 false
R1000 Exec from malicious source Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self [exec signature] 9 false

Documentation

Index

Constants

// R0001ID is the identifier of rule R0001 (exec call not in the application
// profile's whitelist); it is what CreateRuleByID matches on.
const R0001ID = "R0001"

// R0001ExecWhitelistedRuleName is the display name of rule R0001; it is what
// CreateRuleByName matches on.
const R0001ExecWhitelistedRuleName = "Exec Whitelisted"
// R0002ID is the identifier of rule R0002 (file access not in the application
// profile's whitelist; keyed by path plus open flags).
const R0002ID = "R0002"

// R0002UnexpectedFileAccessRuleName is the display name of rule R0002.
const R0002UnexpectedFileAccessRuleName = "Unexpected file access"
// R0003ID is the identifier of rule R0003 (system call not in the application
// profile's whitelist).
const R0003ID = "R0003"

// R0003UnexpectedSystemCallRuleName is the display name of rule R0003.
const R0003UnexpectedSystemCallRuleName = "Unexpected system call"
// R0004ID is the identifier of rule R0004 (Linux capability used that is not
// in the application profile's whitelist).
const R0004ID = "R0004"

// R0004UnexpectedCapabilityUsedRuleName is the display name of rule R0004.
const R0004UnexpectedCapabilityUsedRuleName = "Unexpected capability used"
// R0005ID is the identifier of rule R0005 (DNS request for a domain not in the
// application profile's whitelist).
const R0005ID = "R0005"

// R0005UnexpectedDomainRequestRuleName is the display name of rule R0005.
const R0005UnexpectedDomainRequestRuleName = "Unexpected domain request"
// R0006ID is the identifier of rule R0006 (exec of a binary that is not part
// of the container's base image). This rule needs no application profile.
const R0006ID = "R0006"

// R0006ExecBinaryNotInBaseImageRuleName is the display name of rule R0006.
const R0006ExecBinaryNotInBaseImageRuleName = "Exec Binary Not In Base Image"
// R0007ID is the identifier of rule R0007 (kernel module load observed via a
// syscall event). This rule needs no application profile.
const R0007ID = "R0007"

// R0007LoadKernelModuleRuleName is the display name of rule R0007.
const R0007LoadKernelModuleRuleName = "Kernel Module Load"
// R1000ID is the identifier of rule R1000, a signature rule (no application
// profile needed) for exec calls originating from paths such as /dev/shm,
// /run, /var/run and /proc/self.
const R1000ID = "R1000"

// R1000ExecFromMaliciousSourceRuleName is the display name of rule R1000.
const R1000ExecFromMaliciousSourceRuleName = "Exec from malicious source"
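// Rule priority scale, as returned by RuleFailure.Priority(). Higher is more
// severe; RulePrioritySystemIssue is far above the workload scale and marks
// engine/system faults rather than suspicious workload behaviour.
//
// Note that the descriptors in this package currently set Priority with
// literal integers (5-9) rather than these names, so the two scales should
// be kept in sync by hand when either changes.
const (
	RulePriorityNone        = 0
	RulePriorityLow         = 1
	RulePriorityMed         = 5
	RulePriorityHigh        = 8
	RulePriorityCritical    = 10
	RulePrioritySystemIssue = 1000
)

// RulePriorityCrical is the misspelled original name of RulePriorityCritical,
// kept so existing callers keep compiling.
//
// Deprecated: use RulePriorityCritical.
const RulePriorityCrical = RulePriorityCritical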

Variables

// R0001ExecWhitelistedRuleDescriptor registers rule R0001: an exec call that is
// not in the application profile's whitelist. It consumes execve events only and
// cannot be evaluated without an application profile.
var R0001ExecWhitelistedRuleDescriptor = RuleDesciptor{
	ID:   R0001ID,
	Name: R0001ExecWhitelistedRuleName,
	Tags: []string{"exec", "whitelisted"},
	// Literal priority; not one of the RulePriority* constants.
	Priority:    7,
	Description: "Detecting exec calls that are not whitelisted by application profile",
	Requirements: RuleRequirements{
		NeedApplicationProfile: true,
		EventTypes: []tracing.EventType{
			tracing.ExecveEventType,
		},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0001ExecWhitelisted() },
}
// R0002UnexpectedFileAccessRuleDescriptor registers rule R0002: a file open whose
// path/flags combination is not in the application profile's whitelist. It
// consumes open events only and requires an application profile.
var R0002UnexpectedFileAccessRuleDescriptor = RuleDesciptor{
	ID:   R0002ID,
	Name: R0002UnexpectedFileAccessRuleName,
	Tags: []string{"open", "whitelisted"},
	// Literal priority; equals RulePriorityMed but is not written as such.
	Priority:    5,
	Description: "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags",
	Requirements: RuleRequirements{
		NeedApplicationProfile: true,
		EventTypes: []tracing.EventType{
			tracing.OpenEventType,
		},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0002UnexpectedFileAccess() },
}
// R0003UnexpectedSystemCallRuleDescriptor registers rule R0003: a system call
// that is not in the application profile's whitelist. Per the description each
// unexpected syscall is alerted only once — presumably tracked in the
// unexported fields of R0003UnexpectedSystemCall, so repeats after the first
// alert are silent for the life of that rule instance (confirm against the
// implementation).
var R0003UnexpectedSystemCallRuleDescriptor = RuleDesciptor{
	ID:   R0003ID,
	Name: R0003UnexpectedSystemCallRuleName,
	Tags: []string{"syscall", "whitelisted"},
	// Literal priority; not one of the RulePriority* constants.
	Priority:    7,
	Description: "Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once.",
	Requirements: RuleRequirements{
		NeedApplicationProfile: true,
		EventTypes:             []tracing.EventType{tracing.SyscallEventType},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0003UnexpectedSystemCall() },
}
// R0004UnexpectedCapabilityUsedRuleDescriptor registers rule R0004: use of a
// Linux capability that is not in the application profile's whitelist. The
// description states the capability is identified in the context of a syscall
// and alerted once per container, so later uses of the same capability in that
// container do not re-alert.
var R0004UnexpectedCapabilityUsedRuleDescriptor = RuleDesciptor{
	ID:   R0004ID,
	Name: R0004UnexpectedCapabilityUsedRuleName,
	Tags: []string{"capabilities", "whitelisted"},
	// Literal priority; equals RulePriorityHigh but is not written as such.
	Priority:    8,
	Description: "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.",
	Requirements: RuleRequirements{
		NeedApplicationProfile: true,
		EventTypes: []tracing.EventType{
			tracing.CapabilitiesEventType,
		},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0004UnexpectedCapabilityUsed() },
}
// R0005UnexpectedDomainRequestRuleDescriptor registers rule R0005: a DNS query
// for a domain that is not in the application profile's whitelist. It consumes
// DNS events only and requires an application profile.
var R0005UnexpectedDomainRequestRuleDescriptor = RuleDesciptor{
	ID:   R0005ID,
	Name: R0005UnexpectedDomainRequestRuleName,
	Tags: []string{"dns", "whitelisted"},
	// Literal priority; not one of the RulePriority* constants.
	Priority:    6,
	Description: "Detecting unexpected domain requests that are not whitelisted by application profile.",
	Requirements: RuleRequirements{
		NeedApplicationProfile: true,
		EventTypes: []tracing.EventType{
			tracing.DnsEventType,
		},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0005UnexpectedDomainRequest() },
}
// R0006ExecBinaryNotInBaseImageRuleDescriptor registers rule R0006: an exec of
// a binary that is not part of the base image. It needs no application profile
// because the check is against the image rather than learned behaviour —
// presumably via IsExecBinaryInUpperLayer exported by this package (its body
// is not shown here).
var R0006ExecBinaryNotInBaseImageRuleDescriptor = RuleDesciptor{
	ID:   R0006ID,
	Name: R0006ExecBinaryNotInBaseImageRuleName,
	Tags: []string{"exec", "malicious", "binary", "base image"},
	// Literal priority; not one of the RulePriority* constants.
	Priority:    7,
	Description: "Detecting exec calls of binaries that are not included in the base image",
	Requirements: RuleRequirements{
		NeedApplicationProfile: false,
		EventTypes: []tracing.EventType{
			tracing.ExecveEventType,
		},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0006ExecBinaryNotInBaseImage() },
}
// R0007LoadKernelModuleRuleDescriptor registers rule R0007: a kernel module
// load observed through syscall events. No application profile is needed; a
// module load from inside a workload is treated as noteworthy on its own.
var R0007LoadKernelModuleRuleDescriptor = RuleDesciptor{
	ID:   R0007ID,
	Name: R0007LoadKernelModuleRuleName,
	Tags: []string{"syscall", "kernel", "module", "load"},
	// Literal priority; not one of the RulePriority* constants.
	Priority:    7,
	Description: "Detecting Kernel Module Load.",
	Requirements: RuleRequirements{
		NeedApplicationProfile: false,
		EventTypes:             []tracing.EventType{tracing.SyscallEventType},
	},
	RuleCreationFunc: func() Rule { return CreateRuleR0007LoadKernelModule() },
}
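// R1000ExecFromMaliciousSourceDescriptor registers rule R1000, a signature rule
// for exec calls whose binary lives in a location such as /dev/shm, /run,
// /var/run or /proc/self. It consumes execve events and needs no application
// profile, so it stays active even before a profile has been learned.
//
// The variable name lacks the "RuleDescriptor" suffix used by the other
// descriptors; it is kept as-is because it is part of the exported API.
var R1000ExecFromMaliciousSourceDescriptor = RuleDesciptor{
	ID:          R1000ID,
	Name:        R1000ExecFromMaliciousSourceRuleName,
	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self",
	// Literal priority; not one of the RulePriority* constants.
	Priority: 9,
	Tags:     []string{"exec", "signature"},
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	RuleCreationFunc: func() Rule {
		// Must construct R1000 itself. The previous creation func returned
		// CreateRuleR0001ExecWhitelisted(), so every R1000 instance obtained
		// through this descriptor (CreateRuleByID/ByName/ByTags) was actually
		// the exec-whitelist rule: the malicious-source signature never ran,
		// and a profile-dependent rule was created under a descriptor that
		// declares NeedApplicationProfile: false.
		return CreateRuleR1000ExecFromMaliciousSource()
	},
}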

Functions

func IsExecBinaryInUpperLayer

func IsExecBinaryInUpperLayer(execEvent *tracing.ExecveEvent) bool

Types

type MockAppProfileAccess

// MockAppProfileAccess is an in-memory stand-in for an application profile,
// presumably used by tests as the appProfileAccess argument of ProcessEvent
// (it carries the same kinds of whitelists the R000x rules check against).
// Its getters return the fields below as-is; note they are not all shaped
// alike (GetExecList/GetOpenList/GetDNS return pointers to slices, the rest
// return slices), so callers must nil-check the pointer variants.
type MockAppProfileAccess struct {
	Execs        []collector.ExecCalls        // whitelisted exec calls (R0001)
	OpenCalls    []collector.OpenCalls        // whitelisted path+flags opens (R0002)
	Syscalls     []string                     // whitelisted syscall names (R0003)
	Capabilities []collector.CapabilitiesCalls // whitelisted capabilities (R0004)
	Dns          []collector.DnsCalls         // whitelisted domains (R0005)
}

func (*MockAppProfileAccess) GetCapabilities

func (m *MockAppProfileAccess) GetCapabilities() ([]collector.CapabilitiesCalls, error)

func (*MockAppProfileAccess) GetDNS

func (m *MockAppProfileAccess) GetDNS() (*[]collector.DnsCalls, error)

func (*MockAppProfileAccess) GetExecList

func (m *MockAppProfileAccess) GetExecList() (*[]collector.ExecCalls, error)

func (*MockAppProfileAccess) GetNetworkActivity

func (m *MockAppProfileAccess) GetNetworkActivity() (*collector.NetworkActivity, error)

func (*MockAppProfileAccess) GetOpenList

func (m *MockAppProfileAccess) GetOpenList() (*[]collector.OpenCalls, error)

func (*MockAppProfileAccess) GetSystemCalls

func (m *MockAppProfileAccess) GetSystemCalls() ([]string, error)

type R0001ExecFromMaliciousSourceFailure

// R0001ExecFromMaliciousSourceFailure is a RuleFailure carrying the execve
// event that matched the "exec from malicious source" signature.
//
// NOTE(review): despite the R0001 prefix, the "exec from malicious source" rule
// is R1000 (see R1000ID) and the listing has no R1000-named failure type, so
// this is presumably R1000's failure type. The mismatch is confusing for anyone
// filtering alerts by type name; renaming is an API break, so confirm the
// intent and plan the rename for a breaking release.
type R0001ExecFromMaliciousSourceFailure struct {
	RuleName     string
	RulePriority int
	Err          string               // human-readable reason; presumably what Error() returns
	FailureEvent *tracing.ExecveEvent // the offending exec; presumably what Event() surfaces
}

func (*R0001ExecFromMaliciousSourceFailure) Error

func (*R0001ExecFromMaliciousSourceFailure) Event

func (*R0001ExecFromMaliciousSourceFailure) Name

func (*R0001ExecFromMaliciousSourceFailure) Priority

func (rule *R0001ExecFromMaliciousSourceFailure) Priority() int

type R0001ExecWhitelisted

// R0001ExecWhitelisted implements Rule for R0001 (exec not in the application
// profile whitelist). It holds no state, so one instance can serve many events;
// construct it with CreateRuleR0001ExecWhitelisted.
type R0001ExecWhitelisted struct {
}

func CreateRuleR0001ExecWhitelisted

func CreateRuleR0001ExecWhitelisted() *R0001ExecWhitelisted

func (*R0001ExecWhitelisted) DeleteRule

func (rule *R0001ExecWhitelisted) DeleteRule()

func (*R0001ExecWhitelisted) Name

func (rule *R0001ExecWhitelisted) Name() string

func (*R0001ExecWhitelisted) ProcessEvent

func (rule *R0001ExecWhitelisted) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0001ExecWhitelisted) Requirements

func (rule *R0001ExecWhitelisted) Requirements() RuleRequirements

type R0001ExecWhitelistedFailure

// R0001ExecWhitelistedFailure is the RuleFailure produced by R0001. Field order
// differs from the other *Failure types (Err before RulePriority); harmless, but
// worth normalising if the structs are ever compared or generated.
type R0001ExecWhitelistedFailure struct {
	RuleName     string
	Err          string               // human-readable reason; presumably what Error() returns
	RulePriority int
	FailureEvent *tracing.ExecveEvent // the exec that was not whitelisted
}

func (*R0001ExecWhitelistedFailure) Error

func (rule *R0001ExecWhitelistedFailure) Error() string

func (*R0001ExecWhitelistedFailure) Event

func (*R0001ExecWhitelistedFailure) Name

func (rule *R0001ExecWhitelistedFailure) Name() string

func (*R0001ExecWhitelistedFailure) Priority

func (rule *R0001ExecWhitelistedFailure) Priority() int

type R0002UnexpectedFileAccess

// R0002UnexpectedFileAccess implements Rule for R0002 (file open whose
// path/flags pair is not in the application profile whitelist). Stateless;
// construct it with CreateRuleR0002UnexpectedFileAccess.
type R0002UnexpectedFileAccess struct {
}

func CreateRuleR0002UnexpectedFileAccess

func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess

func (*R0002UnexpectedFileAccess) DeleteRule

func (rule *R0002UnexpectedFileAccess) DeleteRule()

func (*R0002UnexpectedFileAccess) Name

func (rule *R0002UnexpectedFileAccess) Name() string

func (*R0002UnexpectedFileAccess) ProcessEvent

func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0002UnexpectedFileAccess) Requirements

func (rule *R0002UnexpectedFileAccess) Requirements() RuleRequirements

type R0002UnexpectedFileAccessFailure

// R0002UnexpectedFileAccessFailure is the RuleFailure produced by R0002. The
// attached OpenEvent lets the consumer see which path and flags were outside
// the profile.
type R0002UnexpectedFileAccessFailure struct {
	RuleName     string
	RulePriority int
	Err          string             // human-readable reason; presumably what Error() returns
	FailureEvent *tracing.OpenEvent // the open that was not whitelisted
}

func (*R0002UnexpectedFileAccessFailure) Error

func (*R0002UnexpectedFileAccessFailure) Event

func (*R0002UnexpectedFileAccessFailure) Name

func (*R0002UnexpectedFileAccessFailure) Priority

func (rule *R0002UnexpectedFileAccessFailure) Priority() int

type R0003UnexpectedSystemCall

// R0003UnexpectedSystemCall implements Rule for R0003 (syscall not in the
// application profile whitelist). Unlike the other R000x rules it carries
// unexported state — presumably the set of syscalls already alerted, since the
// descriptor promises each unexpected syscall is reported only once. That state
// is per instance, so a fresh instance re-alerts; confirm DeleteRule clears it.
type R0003UnexpectedSystemCall struct {
	// contains filtered or unexported fields
}

func CreateRuleR0003UnexpectedSystemCall

func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall

func (*R0003UnexpectedSystemCall) DeleteRule

func (rule *R0003UnexpectedSystemCall) DeleteRule()

func (*R0003UnexpectedSystemCall) Name

func (rule *R0003UnexpectedSystemCall) Name() string

func (*R0003UnexpectedSystemCall) ProcessEvent

func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0003UnexpectedSystemCall) Requirements

func (rule *R0003UnexpectedSystemCall) Requirements() RuleRequirements

type R0003UnexpectedSystemCallFailure

// R0003UnexpectedSystemCallFailure is the RuleFailure produced by R0003. Because
// R0003 de-duplicates, at most one of these is expected per unexpected syscall
// per rule instance.
type R0003UnexpectedSystemCallFailure struct {
	RuleName     string
	RulePriority int
	Err          string                // human-readable reason; presumably what Error() returns
	FailureEvent *tracing.SyscallEvent // the syscall that was not whitelisted
}

func (*R0003UnexpectedSystemCallFailure) Error

func (*R0003UnexpectedSystemCallFailure) Event

func (*R0003UnexpectedSystemCallFailure) Name

func (*R0003UnexpectedSystemCallFailure) Priority

func (rule *R0003UnexpectedSystemCallFailure) Priority() int

type R0004UnexpectedCapabilityUsed

// R0004UnexpectedCapabilityUsed implements Rule for R0004 (capability used that
// is not in the application profile whitelist). The struct has no fields, yet
// the descriptor says alerts are raised once per container — so the
// de-duplication state must live elsewhere (the event source or the caller);
// confirm before relying on "once per container" for alert volume.
type R0004UnexpectedCapabilityUsed struct {
}

func CreateRuleR0004UnexpectedCapabilityUsed

func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed

func (*R0004UnexpectedCapabilityUsed) DeleteRule

func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()

func (*R0004UnexpectedCapabilityUsed) Name

func (*R0004UnexpectedCapabilityUsed) ProcessEvent

func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0004UnexpectedCapabilityUsed) Requirements

func (rule *R0004UnexpectedCapabilityUsed) Requirements() RuleRequirements

type R0004UnexpectedCapabilityUsedFailure

// R0004UnexpectedCapabilityUsedFailure is the RuleFailure produced by R0004.
type R0004UnexpectedCapabilityUsedFailure struct {
	RuleName     string
	RulePriority int
	Err          string                     // human-readable reason; presumably what Error() returns
	FailureEvent *tracing.CapabilitiesEvent // the capability use (with its syscall context) that was not whitelisted
}

func (*R0004UnexpectedCapabilityUsedFailure) Error

func (*R0004UnexpectedCapabilityUsedFailure) Event

func (*R0004UnexpectedCapabilityUsedFailure) Name

func (*R0004UnexpectedCapabilityUsedFailure) Priority

func (rule *R0004UnexpectedCapabilityUsedFailure) Priority() int

type R0005UnexpectedDomainRequest

// R0005UnexpectedDomainRequest implements Rule for R0005 (DNS query for a domain
// not in the application profile whitelist). Stateless; construct it with
// CreateRuleR0005UnexpectedDomainRequest.
type R0005UnexpectedDomainRequest struct {
}

func CreateRuleR0005UnexpectedDomainRequest

func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest

func (*R0005UnexpectedDomainRequest) DeleteRule

func (rule *R0005UnexpectedDomainRequest) DeleteRule()

func (*R0005UnexpectedDomainRequest) Name

func (rule *R0005UnexpectedDomainRequest) Name() string

func (*R0005UnexpectedDomainRequest) ProcessEvent

func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0005UnexpectedDomainRequest) Requirements

func (rule *R0005UnexpectedDomainRequest) Requirements() RuleRequirements

type R0005UnexpectedDomainRequestFailure

// R0005UnexpectedDomainRequestFailure is the RuleFailure produced by R0005.
type R0005UnexpectedDomainRequestFailure struct {
	RuleName     string
	RulePriority int
	Err          string            // human-readable reason; presumably what Error() returns
	FailureEvent *tracing.DnsEvent // the DNS request that was not whitelisted
}

func (*R0005UnexpectedDomainRequestFailure) Error

func (*R0005UnexpectedDomainRequestFailure) Event

func (*R0005UnexpectedDomainRequestFailure) Name

func (*R0005UnexpectedDomainRequestFailure) Priority

func (rule *R0005UnexpectedDomainRequestFailure) Priority() int

type R0006ExecBinaryNotInBaseImage

// R0006ExecBinaryNotInBaseImage implements Rule for R0006 (exec of a binary that
// is not in the base image). It does not need an application profile; the check
// is presumably IsExecBinaryInUpperLayer, exported by this package. Stateless;
// construct it with CreateRuleR0006ExecBinaryNotInBaseImage.
type R0006ExecBinaryNotInBaseImage struct {
}

func CreateRuleR0006ExecBinaryNotInBaseImage

func CreateRuleR0006ExecBinaryNotInBaseImage() *R0006ExecBinaryNotInBaseImage

func (*R0006ExecBinaryNotInBaseImage) DeleteRule

func (rule *R0006ExecBinaryNotInBaseImage) DeleteRule()

func (*R0006ExecBinaryNotInBaseImage) Name

func (*R0006ExecBinaryNotInBaseImage) ProcessEvent

func (rule *R0006ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0006ExecBinaryNotInBaseImage) Requirements

func (rule *R0006ExecBinaryNotInBaseImage) Requirements() RuleRequirements

type R0006ExecBinaryNotInBaseImageFailure

// R0006ExecBinaryNotInBaseImageFailure is the RuleFailure produced by R0006.
// Field order matches R0001ExecWhitelistedFailure rather than the other
// *Failure types (Err before RulePriority).
type R0006ExecBinaryNotInBaseImageFailure struct {
	RuleName     string
	Err          string               // human-readable reason; presumably what Error() returns
	RulePriority int
	FailureEvent *tracing.ExecveEvent // the exec of the non-image binary
}

func (*R0006ExecBinaryNotInBaseImageFailure) Error

func (*R0006ExecBinaryNotInBaseImageFailure) Event

func (*R0006ExecBinaryNotInBaseImageFailure) Name

func (*R0006ExecBinaryNotInBaseImageFailure) Priority

func (rule *R0006ExecBinaryNotInBaseImageFailure) Priority() int

type R0007LoadKernelModule

// R0007LoadKernelModule implements Rule for R0007 (kernel module load seen via
// syscall events). It needs no application profile. Stateless; construct it
// with CreateRuleR0007LoadKernelModule.
type R0007LoadKernelModule struct {
}

func CreateRuleR0007LoadKernelModule

func CreateRuleR0007LoadKernelModule() *R0007LoadKernelModule

func (*R0007LoadKernelModule) DeleteRule

func (rule *R0007LoadKernelModule) DeleteRule()

func (*R0007LoadKernelModule) Name

func (rule *R0007LoadKernelModule) Name() string

func (*R0007LoadKernelModule) ProcessEvent

func (rule *R0007LoadKernelModule) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R0007LoadKernelModule) Requirements

func (rule *R0007LoadKernelModule) Requirements() RuleRequirements

type R0007LoadKernelModuleFailure

// R0007LoadKernelModuleFailure is the RuleFailure produced by R0007.
type R0007LoadKernelModuleFailure struct {
	RuleName     string
	RulePriority int
	Err          string                // human-readable reason; returned by Error()
	FailureEvent *tracing.SyscallEvent // the module-load syscall
}

func (*R0007LoadKernelModuleFailure) Error

func (rule *R0007LoadKernelModuleFailure) Error() string

func (*R0007LoadKernelModuleFailure) Event

func (*R0007LoadKernelModuleFailure) Name

func (rule *R0007LoadKernelModuleFailure) Name() string

func (*R0007LoadKernelModuleFailure) Priority

func (rule *R0007LoadKernelModuleFailure) Priority() int

type R1000ExecFromMaliciousSource

// R1000ExecFromMaliciousSource implements Rule for R1000 (exec from a location
// such as /dev/shm, /run, /var/run or /proc/self). It is a signature rule and
// needs no application profile. Stateless; construct it with
// CreateRuleR1000ExecFromMaliciousSource — and make sure that is what
// R1000ExecFromMaliciousSourceDescriptor.RuleCreationFunc calls, otherwise the
// rule is registered but never evaluated.
type R1000ExecFromMaliciousSource struct {
}

func CreateRuleR1000ExecFromMaliciousSource

func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource

func (*R1000ExecFromMaliciousSource) DeleteRule

func (rule *R1000ExecFromMaliciousSource) DeleteRule()

func (*R1000ExecFromMaliciousSource) Name

func (rule *R1000ExecFromMaliciousSource) Name() string

func (*R1000ExecFromMaliciousSource) ProcessEvent

func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

func (*R1000ExecFromMaliciousSource) Requirements

func (rule *R1000ExecFromMaliciousSource) Requirements() RuleRequirements

type Rule

// Rule is a single detection rule instance. Instances are presumably obtained
// through a RuleDesciptor's RuleCreationFunc (CreateRuleByID/ByName/ByTags)
// and then fed events of the types listed in Requirements().EventTypes.
type Rule interface {
	// DeleteRule disposes of the instance (presumably releasing per-instance
	// state such as R0003's de-duplication set; bodies are not shown here).
	// The rule must not be used afterwards.
	DeleteRule()

	// Name returns the rule's display name (one of the *RuleName constants).
	Name() string

	// ProcessEvent evaluates one event. eventType declares the concrete type
	// held in event; because event is an untyped interface{}, implementations
	// must check eventType (or use a checked type assertion) before using it,
	// and must not rely on the caller having filtered by Requirements().
	// appProfileAccess may only be depended on when
	// Requirements().NeedApplicationProfile is true. A non-nil result is a
	// finding; presumably nil means "no finding" — confirm against the
	// implementations.
	//
	// NOTE(review): RuleFailure is an interface, so an implementation that
	// returns a typed nil pointer (e.g. a nil *R0001ExecWhitelistedFailure)
	// yields a non-nil RuleFailure to the caller and would raise a spurious
	// alert; return a literal nil for the no-finding case.
	ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess) RuleFailure

	// Requirements reports the event types the rule consumes and whether it
	// needs an application profile.
	Requirements() RuleRequirements
}

func CreateRuleByID

func CreateRuleByID(id string) Rule

func CreateRuleByName

func CreateRuleByName(name string) Rule

func CreateRulesByNames

func CreateRulesByNames(names []string) []Rule

func CreateRulesByTags

func CreateRulesByTags(tags []string) []Rule

type RuleDesciptor

// RuleDesciptor (sic — the misspelling is part of the exported API) is the
// static registration record for one rule: identity, metadata, what it needs,
// and how to instantiate it. GetAllRuleDescriptors returns every descriptor in
// this package, and HasTags supports tag-based selection.
type RuleDesciptor struct {
	// Rule ID, e.g. "R0001"; the key used by CreateRuleByID.
	ID string
	// Rule Name; the key used by CreateRuleByName.
	Name string
	// Rule Description, as shown in the README rule table.
	Description string
	// Priority. Descriptors in this package use literal integers (5-9) rather
	// than the RulePriority* constants.
	Priority int
	// Tags, e.g. "exec", "whitelisted", "signature"; matched by HasTags.
	Tags []string
	// Rule requirements: consumed event types and whether an application
	// profile is needed. Must agree with what the created Rule reports from
	// its own Requirements() method.
	Requirements RuleRequirements
	// Create a rule function. It must return an instance of THIS descriptor's
	// rule; a mismatch silently substitutes a different rule's logic.
	RuleCreationFunc func() Rule
}

func GetAllRuleDescriptors

func GetAllRuleDescriptors() []RuleDesciptor

func (*RuleDesciptor) HasTags

func (r *RuleDesciptor) HasTags(tags []string) bool

type RuleFailure

// RuleFailure is a finding produced by Rule.ProcessEvent. Every *Failure type
// in this package implements it and also carries the concrete offending event.
type RuleFailure interface {
	// Rule Name that produced the finding.
	Name() string
	// Priority on the RulePriority* scale (descriptors use literal values).
	Priority() int
	// Error interface: a human-readable reason, so a RuleFailure can be
	// passed where an error is expected.
	Error() string
	// Generic event: the triggering event in its type-erased form, for
	// consumers that do not want to switch on the concrete *Failure type.
	Event() tracing.GeneralEvent
}

type RuleRequirements

// RuleRequirements states what a rule needs in order to run. It appears both
// on the static RuleDesciptor and on the live Rule (Requirements()).
type RuleRequirements struct {
	// Needed events for the rule. Events of other types should not be passed
	// to ProcessEvent.
	EventTypes []tracing.EventType

	// Need application profile. True for the R0001-R0005 whitelist rules,
	// false for the signature rules R0006, R0007 and R1000.
	//
	// NOTE(review): what the engine does for a profile-requiring rule when no
	// profile exists yet (skip the rule, or alert) is not visible in this
	// package; a fail-open skip leaves a detection gap during profile
	// learning, so confirm the caller's policy.
	NeedApplicationProfile bool
}
