Documentation ¶
Index ¶
- Constants
- Variables
- func IsExecBinaryInUpperLayer(execEvent *tracing.ExecveEvent) bool
- func IsSSHConfigFile(path string) bool
- type BaseRule
- type EngineAccess
- type EngineAccessMock
- type MockAppProfileAccess
- func (m *MockAppProfileAccess) GetCapabilities() (*[]collector.CapabilitiesCalls, error)
- func (m *MockAppProfileAccess) GetDNS() (*[]collector.DnsCalls, error)
- func (m *MockAppProfileAccess) GetExecList() (*[]collector.ExecCalls, error)
- func (m *MockAppProfileAccess) GetName() string
- func (m *MockAppProfileAccess) GetNamespace() string
- func (m *MockAppProfileAccess) GetNetworkActivity() (*collector.NetworkActivity, error)
- func (m *MockAppProfileAccess) GetOpenList() (*[]collector.OpenCalls, error)
- func (m *MockAppProfileAccess) GetSystemCalls() ([]string, error)
- type R0001UnexpectedProcessLaunched
- func (rule *R0001UnexpectedProcessLaunched) DeleteRule()
- func (rule *R0001UnexpectedProcessLaunched) Name() string
- func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0001UnexpectedProcessLaunched) Requirements() RuleRequirements
- type R0001UnexpectedProcessLaunchedFailure
- func (rule *R0001UnexpectedProcessLaunchedFailure) Error() string
- func (rule *R0001UnexpectedProcessLaunchedFailure) Event() tracing.GeneralEvent
- func (rule *R0001UnexpectedProcessLaunchedFailure) FixSuggestion() string
- func (rule *R0001UnexpectedProcessLaunchedFailure) Name() string
- func (rule *R0001UnexpectedProcessLaunchedFailure) Priority() int
- type R0002UnexpectedFileAccess
- func (rule *R0002UnexpectedFileAccess) DeleteRule()
- func (rule *R0002UnexpectedFileAccess) Name() string
- func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0002UnexpectedFileAccess) Requirements() RuleRequirements
- func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})
- type R0002UnexpectedFileAccessFailure
- func (rule *R0002UnexpectedFileAccessFailure) Error() string
- func (rule *R0002UnexpectedFileAccessFailure) Event() tracing.GeneralEvent
- func (rule *R0002UnexpectedFileAccessFailure) FixSuggestion() string
- func (rule *R0002UnexpectedFileAccessFailure) Name() string
- func (rule *R0002UnexpectedFileAccessFailure) Priority() int
- type R0003UnexpectedSystemCall
- type R0003UnexpectedSystemCallFailure
- func (rule *R0003UnexpectedSystemCallFailure) Error() string
- func (rule *R0003UnexpectedSystemCallFailure) Event() tracing.GeneralEvent
- func (rule *R0003UnexpectedSystemCallFailure) FixSuggestion() string
- func (rule *R0003UnexpectedSystemCallFailure) Name() string
- func (rule *R0003UnexpectedSystemCallFailure) Priority() int
- type R0004UnexpectedCapabilityUsed
- func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()
- func (rule *R0004UnexpectedCapabilityUsed) Name() string
- func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0004UnexpectedCapabilityUsed) Requirements() RuleRequirements
- type R0004UnexpectedCapabilityUsedFailure
- func (rule *R0004UnexpectedCapabilityUsedFailure) Error() string
- func (rule *R0004UnexpectedCapabilityUsedFailure) Event() tracing.GeneralEvent
- func (rule *R0004UnexpectedCapabilityUsedFailure) FixSuggestion() string
- func (rule *R0004UnexpectedCapabilityUsedFailure) Name() string
- func (rule *R0004UnexpectedCapabilityUsedFailure) Priority() int
- type R0005UnexpectedDomainRequest
- func (rule *R0005UnexpectedDomainRequest) DeleteRule()
- func (rule *R0005UnexpectedDomainRequest) Name() string
- func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0005UnexpectedDomainRequest) Requirements() RuleRequirements
- type R0005UnexpectedDomainRequestFailure
- func (rule *R0005UnexpectedDomainRequestFailure) Error() string
- func (rule *R0005UnexpectedDomainRequestFailure) Event() tracing.GeneralEvent
- func (rule *R0005UnexpectedDomainRequestFailure) FixSuggestion() string
- func (rule *R0005UnexpectedDomainRequestFailure) Name() string
- func (rule *R0005UnexpectedDomainRequestFailure) Priority() int
- type R0006UnexpectedServiceAccountTokenAccess
- func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()
- func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string
- func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() RuleRequirements
- type R0006UnexpectedServiceAccountTokenAccessFailure
- func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Error() string
- func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Event() tracing.GeneralEvent
- func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) FixSuggestion() string
- func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Name() string
- func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Priority() int
- type R0007KubernetesClientExecuted
- func (rule *R0007KubernetesClientExecuted) DeleteRule()
- func (rule *R0007KubernetesClientExecuted) Name() string
- func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R0007KubernetesClientExecuted) Requirements() RuleRequirements
- type R0007KubernetesClientExecutedFailure
- func (rule *R0007KubernetesClientExecutedFailure) Error() string
- func (rule *R0007KubernetesClientExecutedFailure) Event() tracing.GeneralEvent
- func (rule *R0007KubernetesClientExecutedFailure) FixSuggestion() string
- func (rule *R0007KubernetesClientExecutedFailure) Name() string
- func (rule *R0007KubernetesClientExecutedFailure) Priority() int
- type R1000ExecFromMaliciousSource
- func (rule *R1000ExecFromMaliciousSource) DeleteRule()
- func (rule *R1000ExecFromMaliciousSource) Name() string
- func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R1000ExecFromMaliciousSource) Requirements() RuleRequirements
- type R1000ExecFromMaliciousSourceFailure
- func (rule *R1000ExecFromMaliciousSourceFailure) Error() string
- func (rule *R1000ExecFromMaliciousSourceFailure) Event() tracing.GeneralEvent
- func (rule *R1000ExecFromMaliciousSourceFailure) FixSuggestion() string
- func (rule *R1000ExecFromMaliciousSourceFailure) Name() string
- func (rule *R1000ExecFromMaliciousSourceFailure) Priority() int
- type R1001ExecBinaryNotInBaseImage
- func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()
- func (rule *R1001ExecBinaryNotInBaseImage) Name() string
- func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R1001ExecBinaryNotInBaseImage) Requirements() RuleRequirements
- type R1001ExecBinaryNotInBaseImageFailure
- func (rule *R1001ExecBinaryNotInBaseImageFailure) Error() string
- func (rule *R1001ExecBinaryNotInBaseImageFailure) Event() tracing.GeneralEvent
- func (rule *R1001ExecBinaryNotInBaseImageFailure) FixSuggestion() string
- func (rule *R1001ExecBinaryNotInBaseImageFailure) Name() string
- func (rule *R1001ExecBinaryNotInBaseImageFailure) Priority() int
- type R1002LoadKernelModule
- type R1002LoadKernelModuleFailure
- func (rule *R1002LoadKernelModuleFailure) Error() string
- func (rule *R1002LoadKernelModuleFailure) Event() tracing.GeneralEvent
- func (rule *R1002LoadKernelModuleFailure) FixSuggestion() string
- func (rule *R1002LoadKernelModuleFailure) Name() string
- func (rule *R1002LoadKernelModuleFailure) Priority() int
- type R1003MaliciousSSHConnection
- func (rule *R1003MaliciousSSHConnection) DeleteRule()
- func (rule *R1003MaliciousSSHConnection) Name() string
- func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType tracing.EventType, event interface{}, ...) RuleFailure
- func (rule *R1003MaliciousSSHConnection) Requirements() RuleRequirements
- func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})
- type R1003MaliciousSSHConnectionFailure
- func (rule *R1003MaliciousSSHConnectionFailure) Error() string
- func (rule *R1003MaliciousSSHConnectionFailure) Event() tracing.GeneralEvent
- func (rule *R1003MaliciousSSHConnectionFailure) FixSuggestion() string
- func (rule *R1003MaliciousSSHConnectionFailure) Name() string
- func (rule *R1003MaliciousSSHConnectionFailure) Priority() int
- type R1004ExecFromMount
- type R1004ExecFromMountFailure
- type R1006UnshareSyscall
- type R1006UnshareSyscallFailure
- type R1007CryptoMiners
- type R1007CryptoMinersFailure
- type Rule
- type RuleDesciptor
- type RuleFailure
- type RuleRequirements
Constants ¶
// Identifier and display name of rule R0001 ("Unexpected process launched").
// The ID is what the descriptor (R0001UnexpectedProcessLaunchedRuleDescriptor)
// and alerts are keyed on, so it must stay stable across releases.
const (
	R0001ID                                = "R0001"
	R0001UnexpectedProcessLaunchedRuleName = "Unexpected process launched"
)
// Identifier and display name of rule R0002 ("Unexpected file access").
const (
	R0002ID                         = "R0002"
	R0002UnexpectedFileAccessRuleName = "Unexpected file access"
)
// Identifier and display name of rule R0003 ("Unexpected system call").
const (
	R0003ID                         = "R0003"
	R0003UnexpectedSystemCallRuleName = "Unexpected system call"
)
// Identifier and display name of rule R0004 ("Unexpected capability used").
const (
	R0004ID                             = "R0004"
	R0004UnexpectedCapabilityUsedRuleName = "Unexpected capability used"
)
// Identifier and display name of rule R0005 ("Unexpected domain request").
const (
	R0005ID                            = "R0005"
	R0005UnexpectedDomainRequestRuleName = "Unexpected domain request"
)
// Identifier and display name of rule R0006 ("Unexpected Service Account Token
// Access"). The token is the pod's credential to the API server, so this rule
// is one of the more security-relevant ones in the set.
const (
	R0006ID                                        = "R0006"
	R0006UnexpectedServiceAccountTokenAccessRuleName = "Unexpected Service Account Token Access"
)
// Identifier and display name of rule R0007 ("Kubernetes Client Executed").
const (
	R0007ID                             = "R0007"
	R0007KubernetesClientExecutedRuleName = "Kubernetes Client Executed"
)
// Identifier and display name of rule R1000 ("Exec from malicious source").
// R1xxx rules are signature-style: they do not need an application profile.
const (
	R1000ID                            = "R1000"
	R1000ExecFromMaliciousSourceRuleName = "Exec from malicious source"
)
// Identifier and display name of rule R1001 ("Exec Binary Not In Base Image").
const (
	R1001ID                             = "R1001"
	R1001ExecBinaryNotInBaseImageRuleName = "Exec Binary Not In Base Image"
)
// Identifier and display name of rule R1002 ("Kernel Module Load").
const (
	R1002ID                     = "R1002"
	R1002LoadKernelModuleRuleName = "Kernel Module Load"
)
// Identifier and display name of rule R1003 ("Malicious SSH Connection").
//
// MaxTimeDiffInSeconds is an untyped integer, not a time.Duration. The rule
// consumes both open and network events (see its descriptor), so this is
// presumably the window within which an SSH-related file open and an outbound
// connection are correlated — confirm in ProcessEvent. A fixed 2 s window is a
// tunable trade-off between missed correlations on a loaded node and false
// pairings of unrelated events.
const (
	R1003ID                           = "R1003"
	R1003MaliciousSSHConnectionRuleName = "Malicious SSH Connection"
	MaxTimeDiffInSeconds              = 2
)
// Identifier and display name of rule R1004 ("Exec from mount").
const (
	R1004ID                  = "R1004"
	R1004ExecFromMountRuleName = "Exec from mount"
)
// Identifier of rule R1006 (unshare syscall). Unlike the other rules, the
// display-name constant (R1006UnshareSyscallRuleName, referenced by the R1006
// descriptor) is not part of this block in the rendered listing — confirm
// where it is declared.
const (
	R1006ID = "R1006"
)
// Identifier and display name of rule R1007 ("Crypto Miner detected").
const (
	R1007ID                  = "R1007"
	R1007CryptoMinersRuleName = "Crypto Miner detected"
)
// Alert priorities carried by RuleFailure.Priority(). Higher means more severe.
// None..Critical form a 0-10 severity band; RulePrioritySystemIssue (1000) is
// deliberately far outside that band — by its name it presumably flags a
// problem in the engine itself rather than a finding about the workload, so
// consumers that bucket on the 0-10 scale must treat it separately.
const (
	RulePriorityNone        = 0
	RulePriorityLow         = 1
	RulePriorityMed         = 5
	RulePriorityHigh        = 8
	RulePriorityCritical    = 10
	RulePrioritySystemIssue = 1000
)
Variables ¶
// CommonlyUsedCryptoMinersDomains is the domain denylist consulted by rule
// R1007 (its descriptor consumes DNS events). The 105 entries are elided by
// the documentation renderer, so the actual list must be read from the source.
// NOTE(review): a static domain list is a point-in-time signature — pool
// operators rotate domains, and a miner configured with a raw IP or a private
// proxy never triggers the DNS path at all; treat a match as a strong signal
// but absence of a match as no evidence.
var CommonlyUsedCryptoMinersDomains = []string{}/* 105 elements not displayed */
// CommonlyUsedCryptoMinersPorts lists destination ports that rule R1007 treats
// as indicative of mining-pool traffic (3333 is the conventional Stratum
// port). NOTE(review): a destination-port match on its own is a weak
// indicator — the list is short, pools accept arbitrary ports, and 3333 is
// also used by ordinary services — so alerts on this signal alone should be
// corroborated by the domain list or other evidence before being acted on.
var CommonlyUsedCryptoMinersPorts = []uint16{3333, 45700}
// KubernetesClients is the set of binary names that rule R0007 treats as a
// Kubernetes client when one is exec'd inside a workload. Despite the name it
// mixes three groups: user-facing clients (kubectl, kubeadm), control-plane
// and node components (kubelet, kube-proxy, kube-apiserver, ...), and
// container-runtime tooling (crictl, docker, containerd, runc, ctr and the
// containerd shims) — none of which belong in an ordinary application pod.
//
// NOTE(review): these are bare names, so matching is presumably done on the
// executed binary's name rather than its content (confirm in R0007's
// ProcessEvent). A copied or renamed kubectl will not match; conversely an
// unrelated binary that happens to share a name will. Treat this as a
// low-cost tripwire, not an authoritative control.
var KubernetesClients = []string{
	// Clients and cluster bootstrap tooling.
	"kubectl",
	"kubeadm",
	// Node and control-plane components.
	"kubelet",
	"kube-proxy",
	"kube-apiserver",
	"kube-controller-manager",
	"kube-scheduler",
	// Container runtime CLIs and daemons.
	"crictl",
	"docker",
	"containerd",
	"runc",
	"ctr",
	// containerd shims, in the order they were historically introduced.
	"containerd-shim",
	"containerd-shim-runc-v2",
	"containerd-shim-runc-v1",
	"containerd-shim-runc-v0",
	"containerd-shim-runc",
}
// R0001UnexpectedProcessLaunchedRuleDescriptor registers rule R0001: an execve
// whose binary is not in the workload's recorded application profile. It is
// rated Critical and needs a profile (NeedApplicationProfile), so its value
// depends entirely on the profile having been captured during representative,
// uncompromised operation — anything learned from an already-compromised
// workload is whitelisted too.
var R0001UnexpectedProcessLaunchedRuleDescriptor = RuleDesciptor{
	ID:          R0001ID,
	Name:        R0001UnexpectedProcessLaunchedRuleName,
	Description: "Detecting exec calls that are not whitelisted by application profile",
	Tags:        []string{"exec", "whitelisted"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0001UnexpectedProcessLaunched()
	},
}
// R0002UnexpectedFileAccessRuleDescriptor registers rule R0002: an open() that
// the application profile did not record. Per the description the profile key
// is path plus open flags, so a profiled read of a file does not whitelist a
// later write to the same path. It is only Medium priority; the specific case
// of the service-account token is escalated separately by R0006.
var R0002UnexpectedFileAccessRuleDescriptor = RuleDesciptor{
	ID:          R0002ID,
	Name:        R0002UnexpectedFileAccessRuleName,
	Description: "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags",
	Tags:        []string{"open", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.OpenEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0002UnexpectedFileAccess()
	},
}
// R0003UnexpectedSystemCallRuleDescriptor registers rule R0003: a syscall that
// is absent from the application profile. Per the description each distinct
// unexpected syscall is reported once only, so a second alert for the same
// syscall should not be expected — responders must not read silence after
// the first alert as the activity having stopped.
var R0003UnexpectedSystemCallRuleDescriptor = RuleDesciptor{
	ID:          R0003ID,
	Name:        R0003UnexpectedSystemCallRuleName,
	Description: "Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once.",
	Tags:        []string{"syscall", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.SyscallEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0003UnexpectedSystemCall()
	},
}
// R0004UnexpectedCapabilityUsedRuleDescriptor registers rule R0004: use of a
// Linux capability that the application profile did not record. The
// description states the capability is attributed to the syscall that used it
// and is alerted only once per container, so repeat use after the first alert
// is silent by design.
var R0004UnexpectedCapabilityUsedRuleDescriptor = RuleDesciptor{
	ID:          R0004ID,
	Name:        R0004UnexpectedCapabilityUsedRuleName,
	Description: "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.",
	Tags:        []string{"capabilities", "whitelisted"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.CapabilitiesEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0004UnexpectedCapabilityUsed()
	},
}
// R0005UnexpectedDomainRequestRuleDescriptor registers rule R0005: a DNS query
// for a name the application profile did not record. By construction it only
// consumes DNS events, so connections made to a literal IP address (or resolved
// by a mechanism the tracer does not see) produce nothing here.
var R0005UnexpectedDomainRequestRuleDescriptor = RuleDesciptor{
	ID:          R0005ID,
	Name:        R0005UnexpectedDomainRequestRuleName,
	Description: "Detecting unexpected domain requests that are not whitelisted by application profile.",
	Tags:        []string{"dns", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.DnsEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0005UnexpectedDomainRequest()
	},
}
// R0006UnexpectedServiceAccountTokenAccessRuleDescriptor registers rule R0006:
// an open() of the pod's service-account token (the paths in
// ServiceAccountTokenPathsPrefixs). The token is the pod's credential to the
// API server, hence High priority. It is tagged "whitelisted" and requires an
// application profile, so token reads that were recorded in the profile are
// presumably tolerated — confirm in ProcessEvent before relying on this rule to
// catch every token read.
var R0006UnexpectedServiceAccountTokenAccessRuleDescriptor = RuleDesciptor{
	ID:          R0006ID,
	Name:        R0006UnexpectedServiceAccountTokenAccessRuleName,
	Description: "Detecting unexpected access to service account token.",
	Tags:        []string{"token", "malicious", "whitelisted"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.OpenEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0006UnexpectedServiceAccountTokenAccess()
	},
}
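// R0007KubernetesClientExecutedDescriptor registers rule R0007: execution of
// one of the binaries in KubernetesClients from inside a workload. It consumes
// both execve and network events and requires a profile; the network half is
// presumably used to tie the exec to API-server traffic (EngineAccess exposes
// GetApiServerIpAddress) — confirm in ProcessEvent.
//
// NOTE(review): KubernetesClients is a list of bare binary names, so a renamed
// or embedded client will not be caught by this rule; see that variable.
//
// Fix: the user-facing Description previously read "exececution"; alert text
// is what responders see, so the misspelling is corrected here.
var R0007KubernetesClientExecutedDescriptor = RuleDesciptor{
	ID:          R0007ID,
	Name:        R0007KubernetesClientExecutedRuleName,
	Description: "Detecting execution of kubernetes client",
	Priority:    RulePriorityCritical,
	Tags:        []string{"exec", "malicious", "whitelisted"},
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType, tracing.NetworkEventType},
		NeedApplicationProfile: true,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR0007KubernetesClientExecuted()
	},
}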
// R1000ExecFromMaliciousSourceDescriptor registers rule R1000, a pure
// signature (no profile needed, tag "signature"): an execve whose binary lives
// under a location listed in the description. Those locations are writable at
// runtime and not part of the image — /dev/shm and /run are typically tmpfs,
// and /proc/self (e.g. /proc/self/fd/N) is how memory-backed files get
// executed — so a binary there was dropped or staged after the container
// started. Note /var/run is commonly a symlink to /run; the description lists
// both, presumably so either spelling of the path is caught.
var R1000ExecFromMaliciousSourceDescriptor = RuleDesciptor{
	ID:          R1000ID,
	Name:        R1000ExecFromMaliciousSourceRuleName,
	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self",
	Priority:    RulePriorityCritical,
	Tags:        []string{"exec", "signature"},
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1000ExecFromMaliciousSource()
	},
}
// R1001ExecBinaryNotInBaseImageRuleDescriptor registers rule R1001: an execve
// of a binary that is not part of the container image, i.e. one written into
// the container after it started. No profile is needed. The check is
// presumably IsExecBinaryInUpperLayer (exported by this package), which by its
// name relies on the layered root filesystem distinguishing image layers from
// the writable upper layer — confirm how it behaves on non-overlay storage.
var R1001ExecBinaryNotInBaseImageRuleDescriptor = RuleDesciptor{
	ID:          R1001ID,
	Name:        R1001ExecBinaryNotInBaseImageRuleName,
	Description: "Detecting exec calls of binaries that are not included in the base image",
	Tags:        []string{"exec", "malicious", "binary", "base image"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1001ExecBinaryNotInBaseImage()
	},
}
// R1002LoadKernelModuleRuleDescriptor registers rule R1002: a kernel module
// load observed through the syscall event stream (presumably init_module /
// finit_module — confirm in the rule). Loading a module from a workload implies
// CAP_SYS_MODULE and gives ring-0 code execution on the node, hence Critical
// and no profile requirement.
var R1002LoadKernelModuleRuleDescriptor = RuleDesciptor{
	ID:          R1002ID,
	Name:        R1002LoadKernelModuleRuleName,
	Description: "Detecting Kernel Module Load.",
	Tags:        []string{"syscall", "kernel", "module", "load"},
	Priority:    RulePriorityCritical,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.SyscallEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1002LoadKernelModule()
	},
}
// R1003MaliciousSSHConnectionRuleDescriptor registers rule R1003: an SSH
// connection to a port that is not allowed. It consumes both open and network
// events, so the detection presumably pairs an open of an SSH-related file
// (SSHRelatedFiles / IsSSHConfigFile) with an outbound connection inside
// MaxTimeDiffInSeconds — confirm in ProcessEvent. The rule exposes
// SetParameters, so the allowed ports are presumably configurable rather than
// hard-coded. No application profile is required.
var R1003MaliciousSSHConnectionRuleDescriptor = RuleDesciptor{
	ID:          R1003ID,
	Name:        R1003MaliciousSSHConnectionRuleName,
	Description: "Detecting ssh connection to disallowed port",
	Tags:        []string{"ssh", "connection", "port", "malicious"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.OpenEventType, tracing.NetworkEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1003MaliciousSSHConnection()
	},
}
// R1004ExecFromMountRuleDescriptor registers rule R1004: an execve of a binary
// located under a volume mounted into the container. Mounted paths are by
// definition not part of the image and are often writable (hostPath, emptyDir,
// shared PVCs), which makes them a common staging area; the rule is only
// Medium because legitimate workloads do run tooling from mounts.
var R1004ExecFromMountRuleDescriptor = RuleDesciptor{
	ID:          R1004ID,
	Name:        R1004ExecFromMountRuleName,
	Description: "Detecting exec calls from mounted paths.",
	Tags:        []string{"exec", "mount"},
	Priority:    RulePriorityMed,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.ExecveEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1004ExecFromMount()
	},
}
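// NOTE(review): this declaration was garbled in the rendered listing — the
// "var ... = RuleDesciptor{ ID:" prefix had been displaced to the end of the
// line. The variable name below follows the sibling pattern
// (R1004ExecFromMountRuleDescriptor, R1007CryptoMinersRuleDescriptor) and must
// be confirmed against the source; R1006UnshareSyscallRuleName is referenced
// here but is not in the R1006 const block shown above either.
//
// Registers rule R1006: use of the unshare syscall, which creates new
// namespaces and is a common first step in container-escape and privilege
// escalation chains. No profile is required.
var R1006UnshareSyscallRuleDescriptor = RuleDesciptor{
	ID:          R1006ID,
	Name:        R1006UnshareSyscallRuleName,
	Description: "Detecting Unshare System Call usage, which can be used to escape container.",
	Tags:        []string{"syscall", "escape", "unshare"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.SyscallEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1006UnshareSyscall()
	},
}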
// R1007CryptoMinersRuleDescriptor registers rule R1007: crypto-mining
// indicators matched against CommonlyUsedCryptoMinersPorts (network events)
// and CommonlyUsedCryptoMinersDomains (DNS events). No profile is required.
//
// NOTE(review): the description also mentions a "randomx event", but the
// Requirements list only network and DNS event types, so nothing here
// subscribes to an event that would carry a RandomX signal — either the
// description is ahead of the implementation or that signal arrives by
// another route; confirm.
var R1007CryptoMinersRuleDescriptor = RuleDesciptor{
	ID:          R1007ID,
	Name:        R1007CryptoMinersRuleName,
	Description: "Detecting Crypto Miners by port, domain and randomx event.",
	Tags:        []string{"network", "crypto", "miners", "malicious", "dns"},
	Priority:    RulePriorityHigh,
	Requirements: RuleRequirements{
		EventTypes:             []tracing.EventType{tracing.NetworkEventType, tracing.DnsEventType},
		NeedApplicationProfile: false,
	},
	// Factory the engine calls to obtain an instance of the rule.
	RuleCreationFunc: func() Rule {
		return CreateRuleR1007CryptoMiners()
	},
}
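// SSHRelatedFiles lists the final path components that identify SSH
// configuration, trust and key material; IsSSHConfigFile and rule R1003 use it
// to recognise an SSH-related file open. Entries are bare names, so matching
// is presumably on the last path element — confirm in IsSSHConfigFile.
//
// Fix: the hardware-backed key files OpenSSH writes by default for
// `ssh-keygen -t ecdsa-sk` / `-t ed25519-sk` (id_ecdsa_sk, id_ed25519_sk and
// their .pub halves) were missing, so a client using a FIDO-backed identity
// was never correlated. Every original entry is retained.
var SSHRelatedFiles = []string{
	// Client and daemon configuration.
	"ssh_config",
	"sshd_config",
	"ssh_config.d",
	"sshd_config.d",
	// System-wide and per-user trust stores.
	"ssh_known_hosts",
	"ssh_known_hosts2",
	".ssh",
	"authorized_keys",
	"authorized_keys2",
	"known_hosts",
	"known_hosts2",
	// Default identity files, private and public.
	"id_rsa",
	"id_rsa.pub",
	"id_dsa",
	"id_dsa.pub",
	"id_ecdsa",
	"id_ecdsa.pub",
	"id_ecdsa_sk",
	"id_ecdsa_sk.pub",
	"id_ed25519",
	"id_ed25519.pub",
	"id_ed25519_sk",
	"id_ed25519_sk.pub",
	"id_xmss",
	"id_xmss.pub",
}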
// ServiceAccountTokenPathsPrefixs holds the directory prefixes under which the
// kubelet projects a pod's service-account token; rule R0006 matches opened
// paths against them. Both spellings are listed because /var/run is commonly a
// symlink to /run, so the same file can be opened through either.
//
// NOTE(review): prefix matching only works if the tracer reports canonical
// absolute paths — an open through a relative path, a hard link, or another
// symlink would not match (confirm how OpenEvent paths are produced). It also
// only covers the default mount location; a pod that disables automount and
// projects the token to a custom path is not covered by this list.
var ServiceAccountTokenPathsPrefixs = []string{
	"/run/secrets/kubernetes.io/serviceaccount",
	"/var/run/secrets/kubernetes.io/serviceaccount",
}
ServiceAccountTokenPathsPrefixs is a list rather than a single prefix because of symlinks: /var/run is commonly a symlink to /run, so the same token file can be opened through either path and both must be recognised. Prefix matching presumes the tracer reports canonical absolute paths and covers only the default token mount location.
Functions ¶
func IsExecBinaryInUpperLayer ¶
func IsExecBinaryInUpperLayer(execEvent *tracing.ExecveEvent) bool
IsExecBinaryInUpperLayer reports whether the binary executed by execEvent resides in the container's writable upper layer rather than in the image's read-only layers — that is, it was added or modified after the container started. This is presumably the check behind rule R1001 ("Exec Binary Not In Base Image"). The "upper layer" wording suggests an overlay-style layered root filesystem is assumed; confirm how the function behaves with other storage drivers.
func IsSSHConfigFile ¶ added in v0.0.3
func IsSSHConfigFile(path string) bool
IsSSHConfigFile reports whether path refers to one of the SSH-related files or directories enumerated in SSHRelatedFiles (the signature is taken from the index above). Since that list holds bare names, the comparison is presumably against the path's final component — confirm against the source.
Types ¶
type BaseRule ¶ added in v0.0.3
type BaseRule struct {
// contains filtered or unexported fields
}
func (*BaseRule) GetParameters ¶ added in v0.0.3
func (*BaseRule) SetParameters ¶ added in v0.0.3
type EngineAccess ¶ added in v0.0.3
type EngineAccessMock ¶ added in v0.0.3
// EngineAccessMock is a stateless test double for EngineAccess; its
// GetApiServerIpAddress and GetPodSpec methods presumably return canned values.
// It is exported from the non-test package, so it is compiled into the
// production binary — keep it free of real cluster access or credentials.
type EngineAccessMock struct{}
func (*EngineAccessMock) GetApiServerIpAddress ¶ added in v0.0.5
func (e *EngineAccessMock) GetApiServerIpAddress() (string, error)
func (*EngineAccessMock) GetPodSpec ¶ added in v0.0.3
func (e *EngineAccessMock) GetPodSpec(podName, namespace, containerID string) (*corev1.PodSpec, error)
type MockAppProfileAccess ¶
// MockAppProfileAccess is an in-memory application profile for tests. Each
// exported field backs the Get* accessor of the same kind (Execs → GetExecList,
// OpenCalls → GetOpenList, and so on). Like EngineAccessMock it lives in the
// non-test package and therefore ships with the binary.
type MockAppProfileAccess struct {
	Execs           []collector.ExecCalls
	OpenCalls       []collector.OpenCalls
	Syscalls        []string
	Capabilities    []collector.CapabilitiesCalls
	NetworkActivity collector.NetworkActivity
	Dns             []collector.DnsCalls
}
func (*MockAppProfileAccess) GetCapabilities ¶
func (m *MockAppProfileAccess) GetCapabilities() (*[]collector.CapabilitiesCalls, error)
func (*MockAppProfileAccess) GetDNS ¶
func (m *MockAppProfileAccess) GetDNS() (*[]collector.DnsCalls, error)
func (*MockAppProfileAccess) GetExecList ¶
func (m *MockAppProfileAccess) GetExecList() (*[]collector.ExecCalls, error)
func (*MockAppProfileAccess) GetName ¶ added in v0.0.3
func (m *MockAppProfileAccess) GetName() string
func (*MockAppProfileAccess) GetNamespace ¶ added in v0.0.3
func (m *MockAppProfileAccess) GetNamespace() string
func (*MockAppProfileAccess) GetNetworkActivity ¶
func (m *MockAppProfileAccess) GetNetworkActivity() (*collector.NetworkActivity, error)
func (*MockAppProfileAccess) GetOpenList ¶
func (m *MockAppProfileAccess) GetOpenList() (*[]collector.OpenCalls, error)
func (*MockAppProfileAccess) GetSystemCalls ¶
func (m *MockAppProfileAccess) GetSystemCalls() ([]string, error)
type R0001UnexpectedProcessLaunched ¶ added in v0.0.3
// R0001UnexpectedProcessLaunched implements the "Unexpected process launched"
// rule: it compares execve events against the application profile. It carries
// no state of its own beyond the embedded BaseRule (parameter storage).
type R0001UnexpectedProcessLaunched struct{ BaseRule }
func CreateRuleR0001UnexpectedProcessLaunched ¶ added in v0.0.3
func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched
func (*R0001UnexpectedProcessLaunched) DeleteRule ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunched) DeleteRule()
func (*R0001UnexpectedProcessLaunched) Name ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunched) Name() string
func (*R0001UnexpectedProcessLaunched) ProcessEvent ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0001UnexpectedProcessLaunched) Requirements ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunched) Requirements() RuleRequirements
type R0001UnexpectedProcessLaunchedFailure ¶ added in v0.0.3
// R0001UnexpectedProcessLaunchedFailure is the alert produced by rule R0001.
// The fields back the RuleFailure accessors (Name, Error, Priority,
// FixSuggestion, Event); FailureEvent is the execve that triggered the alert.
type R0001UnexpectedProcessLaunchedFailure struct {
	RuleName         string
	Err              string
	RulePriority     int
	FixSuggestionMsg string
	FailureEvent     *tracing.ExecveEvent
}
func (*R0001UnexpectedProcessLaunchedFailure) Error ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunchedFailure) Error() string
func (*R0001UnexpectedProcessLaunchedFailure) Event ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunchedFailure) Event() tracing.GeneralEvent
func (*R0001UnexpectedProcessLaunchedFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunchedFailure) FixSuggestion() string
func (*R0001UnexpectedProcessLaunchedFailure) Name ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunchedFailure) Name() string
func (*R0001UnexpectedProcessLaunchedFailure) Priority ¶ added in v0.0.3
func (rule *R0001UnexpectedProcessLaunchedFailure) Priority() int
type R0002UnexpectedFileAccess ¶
// R0002UnexpectedFileAccess implements the "Unexpected file access" rule. The
// unexported state elided by the documentation renderer presumably holds what
// SetParameters stores — confirm in the source.
type R0002UnexpectedFileAccess struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0002UnexpectedFileAccess ¶
func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess
func (*R0002UnexpectedFileAccess) DeleteRule ¶
func (rule *R0002UnexpectedFileAccess) DeleteRule()
func (*R0002UnexpectedFileAccess) Name ¶
func (rule *R0002UnexpectedFileAccess) Name() string
func (*R0002UnexpectedFileAccess) ProcessEvent ¶
func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0002UnexpectedFileAccess) Requirements ¶
func (rule *R0002UnexpectedFileAccess) Requirements() RuleRequirements
func (*R0002UnexpectedFileAccess) SetParameters ¶ added in v0.0.3
func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})
type R0002UnexpectedFileAccessFailure ¶
// R0002UnexpectedFileAccessFailure is the alert produced by rule R0002.
// FailureEvent is the open() that was not whitelisted by the profile.
type R0002UnexpectedFileAccessFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.OpenEvent
}
func (*R0002UnexpectedFileAccessFailure) Error ¶
func (rule *R0002UnexpectedFileAccessFailure) Error() string
func (*R0002UnexpectedFileAccessFailure) Event ¶
func (rule *R0002UnexpectedFileAccessFailure) Event() tracing.GeneralEvent
func (*R0002UnexpectedFileAccessFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R0002UnexpectedFileAccessFailure) FixSuggestion() string
func (*R0002UnexpectedFileAccessFailure) Name ¶
func (rule *R0002UnexpectedFileAccessFailure) Name() string
func (*R0002UnexpectedFileAccessFailure) Priority ¶
func (rule *R0002UnexpectedFileAccessFailure) Priority() int
type R0003UnexpectedSystemCall ¶
// R0003UnexpectedSystemCall implements the "Unexpected system call" rule. Its
// descriptor says each unexpected syscall is alerted only once, so the
// unexported state elided here presumably tracks what has already been
// reported — confirm in the source.
type R0003UnexpectedSystemCall struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0003UnexpectedSystemCall ¶
func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall
func (*R0003UnexpectedSystemCall) DeleteRule ¶
func (rule *R0003UnexpectedSystemCall) DeleteRule()
func (*R0003UnexpectedSystemCall) Name ¶
func (rule *R0003UnexpectedSystemCall) Name() string
func (*R0003UnexpectedSystemCall) ProcessEvent ¶
func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0003UnexpectedSystemCall) Requirements ¶
func (rule *R0003UnexpectedSystemCall) Requirements() RuleRequirements
type R0003UnexpectedSystemCallFailure ¶
// R0003UnexpectedSystemCallFailure is the alert produced by rule R0003.
// FailureEvent is the syscall event that was absent from the profile.
type R0003UnexpectedSystemCallFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.SyscallEvent
}
func (*R0003UnexpectedSystemCallFailure) Error ¶
func (rule *R0003UnexpectedSystemCallFailure) Error() string
func (*R0003UnexpectedSystemCallFailure) Event ¶
func (rule *R0003UnexpectedSystemCallFailure) Event() tracing.GeneralEvent
func (*R0003UnexpectedSystemCallFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R0003UnexpectedSystemCallFailure) FixSuggestion() string
func (*R0003UnexpectedSystemCallFailure) Name ¶
func (rule *R0003UnexpectedSystemCallFailure) Name() string
func (*R0003UnexpectedSystemCallFailure) Priority ¶
func (rule *R0003UnexpectedSystemCallFailure) Priority() int
type R0004UnexpectedCapabilityUsed ¶
// R0004UnexpectedCapabilityUsed implements the "Unexpected capability used"
// rule over capability events; it has no state beyond the embedded BaseRule.
type R0004UnexpectedCapabilityUsed struct{ BaseRule }
func CreateRuleR0004UnexpectedCapabilityUsed ¶
func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed
func (*R0004UnexpectedCapabilityUsed) DeleteRule ¶
func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()
func (*R0004UnexpectedCapabilityUsed) Name ¶
func (rule *R0004UnexpectedCapabilityUsed) Name() string
func (*R0004UnexpectedCapabilityUsed) ProcessEvent ¶
func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0004UnexpectedCapabilityUsed) Requirements ¶
func (rule *R0004UnexpectedCapabilityUsed) Requirements() RuleRequirements
type R0004UnexpectedCapabilityUsedFailure ¶
// R0004UnexpectedCapabilityUsedFailure is the alert produced by rule R0004.
// FailureEvent is the capability-use event that was absent from the profile.
type R0004UnexpectedCapabilityUsedFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.CapabilitiesEvent
}
func (*R0004UnexpectedCapabilityUsedFailure) Error ¶
func (rule *R0004UnexpectedCapabilityUsedFailure) Error() string
func (*R0004UnexpectedCapabilityUsedFailure) Event ¶
func (rule *R0004UnexpectedCapabilityUsedFailure) Event() tracing.GeneralEvent
func (*R0004UnexpectedCapabilityUsedFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R0004UnexpectedCapabilityUsedFailure) FixSuggestion() string
func (*R0004UnexpectedCapabilityUsedFailure) Name ¶
func (rule *R0004UnexpectedCapabilityUsedFailure) Name() string
func (*R0004UnexpectedCapabilityUsedFailure) Priority ¶
func (rule *R0004UnexpectedCapabilityUsedFailure) Priority() int
type R0005UnexpectedDomainRequest ¶
// R0005UnexpectedDomainRequest implements the "Unexpected domain request" rule
// over DNS events; it has no state beyond the embedded BaseRule.
type R0005UnexpectedDomainRequest struct{ BaseRule }
func CreateRuleR0005UnexpectedDomainRequest ¶
func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest
func (*R0005UnexpectedDomainRequest) DeleteRule ¶
func (rule *R0005UnexpectedDomainRequest) DeleteRule()
func (*R0005UnexpectedDomainRequest) Name ¶
func (rule *R0005UnexpectedDomainRequest) Name() string
func (*R0005UnexpectedDomainRequest) ProcessEvent ¶
func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0005UnexpectedDomainRequest) Requirements ¶
func (rule *R0005UnexpectedDomainRequest) Requirements() RuleRequirements
type R0005UnexpectedDomainRequestFailure ¶
// R0005UnexpectedDomainRequestFailure is the alert produced by rule R0005.
// FailureEvent is the DNS query that was absent from the profile.
type R0005UnexpectedDomainRequestFailure struct {
	RuleName         string
	RulePriority     int
	FixSuggestionMsg string
	Err              string
	FailureEvent     *tracing.DnsEvent
}
func (*R0005UnexpectedDomainRequestFailure) Error ¶
func (rule *R0005UnexpectedDomainRequestFailure) Error() string
func (*R0005UnexpectedDomainRequestFailure) Event ¶
func (rule *R0005UnexpectedDomainRequestFailure) Event() tracing.GeneralEvent
func (*R0005UnexpectedDomainRequestFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R0005UnexpectedDomainRequestFailure) FixSuggestion() string
func (*R0005UnexpectedDomainRequestFailure) Name ¶
func (rule *R0005UnexpectedDomainRequestFailure) Name() string
func (*R0005UnexpectedDomainRequestFailure) Priority ¶
func (rule *R0005UnexpectedDomainRequestFailure) Priority() int
type R0006UnexpectedServiceAccountTokenAccess ¶ added in v0.0.6
// R0006UnexpectedServiceAccountTokenAccess implements the "Unexpected Service
// Account Token Access" rule: open() events whose path falls under
// ServiceAccountTokenPathsPrefixs. No state beyond the embedded BaseRule.
type R0006UnexpectedServiceAccountTokenAccess struct{ BaseRule }
func CreateRuleR0006UnexpectedServiceAccountTokenAccess ¶ added in v0.0.6
func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess
func (*R0006UnexpectedServiceAccountTokenAccess) DeleteRule ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()
func (*R0006UnexpectedServiceAccountTokenAccess) Name ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string
func (*R0006UnexpectedServiceAccountTokenAccess) ProcessEvent ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0006UnexpectedServiceAccountTokenAccess) Requirements ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() RuleRequirements
type R0006UnexpectedServiceAccountTokenAccessFailure ¶ added in v0.0.6
// R0006UnexpectedServiceAccountTokenAccessFailure is the alert produced by rule
// R0006. FailureEvent is the open() of the service-account token; because the
// token is a live credential, responders should treat the opening process as
// a candidate for token theft and consider rotating the account.
type R0006UnexpectedServiceAccountTokenAccessFailure struct {
	RuleName         string
	RulePriority     int
	Err              string
	FixSuggestionMsg string
	FailureEvent     *tracing.OpenEvent
}
func (*R0006UnexpectedServiceAccountTokenAccessFailure) Error ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Error() string
func (*R0006UnexpectedServiceAccountTokenAccessFailure) Event ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Event() tracing.GeneralEvent
func (*R0006UnexpectedServiceAccountTokenAccessFailure) FixSuggestion ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) FixSuggestion() string
func (*R0006UnexpectedServiceAccountTokenAccessFailure) Name ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Name() string
func (*R0006UnexpectedServiceAccountTokenAccessFailure) Priority ¶ added in v0.0.6
func (rule *R0006UnexpectedServiceAccountTokenAccessFailure) Priority() int
type R0007KubernetesClientExecuted ¶ added in v0.0.9
// R0007KubernetesClientExecuted implements the "Kubernetes Client Executed"
// rule over execve and network events (see KubernetesClients for the matched
// binary names). No state beyond the embedded BaseRule.
type R0007KubernetesClientExecuted struct{ BaseRule }
func CreateRuleR0007KubernetesClientExecuted ¶ added in v0.0.9
func CreateRuleR0007KubernetesClientExecuted() *R0007KubernetesClientExecuted
func (*R0007KubernetesClientExecuted) DeleteRule ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecuted) DeleteRule()
func (*R0007KubernetesClientExecuted) Name ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecuted) Name() string
func (*R0007KubernetesClientExecuted) ProcessEvent ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R0007KubernetesClientExecuted) Requirements ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecuted) Requirements() RuleRequirements
type R0007KubernetesClientExecutedFailure ¶ added in v0.0.9
type R0007KubernetesClientExecutedFailure struct { RuleName string RulePriority int FixSuggestionMsg string Err string FailureEvent *tracing.GeneralEvent }
func (*R0007KubernetesClientExecutedFailure) Error ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecutedFailure) Error() string
func (*R0007KubernetesClientExecutedFailure) Event ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecutedFailure) Event() tracing.GeneralEvent
func (*R0007KubernetesClientExecutedFailure) FixSuggestion ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecutedFailure) FixSuggestion() string
func (*R0007KubernetesClientExecutedFailure) Name ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecutedFailure) Name() string
func (*R0007KubernetesClientExecutedFailure) Priority ¶ added in v0.0.9
func (rule *R0007KubernetesClientExecutedFailure) Priority() int
type R1000ExecFromMaliciousSource ¶
type R1000ExecFromMaliciousSource struct {
BaseRule
}
func CreateRuleR1000ExecFromMaliciousSource ¶
func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource
func (*R1000ExecFromMaliciousSource) DeleteRule ¶
func (rule *R1000ExecFromMaliciousSource) DeleteRule()
func (*R1000ExecFromMaliciousSource) Name ¶
func (rule *R1000ExecFromMaliciousSource) Name() string
func (*R1000ExecFromMaliciousSource) ProcessEvent ¶
func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1000ExecFromMaliciousSource) Requirements ¶
func (rule *R1000ExecFromMaliciousSource) Requirements() RuleRequirements
type R1000ExecFromMaliciousSourceFailure ¶ added in v0.0.3
type R1000ExecFromMaliciousSourceFailure struct { RuleName string RulePriority int FixSuggestionMsg string Err string FailureEvent *tracing.ExecveEvent }
func (*R1000ExecFromMaliciousSourceFailure) Error ¶ added in v0.0.3
func (rule *R1000ExecFromMaliciousSourceFailure) Error() string
func (*R1000ExecFromMaliciousSourceFailure) Event ¶ added in v0.0.3
func (rule *R1000ExecFromMaliciousSourceFailure) Event() tracing.GeneralEvent
func (*R1000ExecFromMaliciousSourceFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R1000ExecFromMaliciousSourceFailure) FixSuggestion() string
func (*R1000ExecFromMaliciousSourceFailure) Name ¶ added in v0.0.3
func (rule *R1000ExecFromMaliciousSourceFailure) Name() string
func (*R1000ExecFromMaliciousSourceFailure) Priority ¶ added in v0.0.3
func (rule *R1000ExecFromMaliciousSourceFailure) Priority() int
type R1001ExecBinaryNotInBaseImage ¶ added in v0.0.3
type R1001ExecBinaryNotInBaseImage struct {
BaseRule
}
func CreateRuleR1001ExecBinaryNotInBaseImage ¶ added in v0.0.3
func CreateRuleR1001ExecBinaryNotInBaseImage() *R1001ExecBinaryNotInBaseImage
func (*R1001ExecBinaryNotInBaseImage) DeleteRule ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()
func (*R1001ExecBinaryNotInBaseImage) Name ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImage) Name() string
func (*R1001ExecBinaryNotInBaseImage) ProcessEvent ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1001ExecBinaryNotInBaseImage) Requirements ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImage) Requirements() RuleRequirements
type R1001ExecBinaryNotInBaseImageFailure ¶ added in v0.0.3
type R1001ExecBinaryNotInBaseImageFailure struct { RuleName string Err string FixSuggestionMsg string RulePriority int FailureEvent *tracing.ExecveEvent }
func (*R1001ExecBinaryNotInBaseImageFailure) Error ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImageFailure) Error() string
func (*R1001ExecBinaryNotInBaseImageFailure) Event ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImageFailure) Event() tracing.GeneralEvent
func (*R1001ExecBinaryNotInBaseImageFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImageFailure) FixSuggestion() string
func (*R1001ExecBinaryNotInBaseImageFailure) Name ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImageFailure) Name() string
func (*R1001ExecBinaryNotInBaseImageFailure) Priority ¶ added in v0.0.3
func (rule *R1001ExecBinaryNotInBaseImageFailure) Priority() int
type R1002LoadKernelModule ¶ added in v0.0.3
type R1002LoadKernelModule struct {
BaseRule
}
func CreateRuleR1002LoadKernelModule ¶ added in v0.0.3
func CreateRuleR1002LoadKernelModule() *R1002LoadKernelModule
func (*R1002LoadKernelModule) DeleteRule ¶ added in v0.0.3
func (rule *R1002LoadKernelModule) DeleteRule()
func (*R1002LoadKernelModule) Name ¶ added in v0.0.3
func (rule *R1002LoadKernelModule) Name() string
func (*R1002LoadKernelModule) ProcessEvent ¶ added in v0.0.3
func (rule *R1002LoadKernelModule) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1002LoadKernelModule) Requirements ¶ added in v0.0.3
func (rule *R1002LoadKernelModule) Requirements() RuleRequirements
type R1002LoadKernelModuleFailure ¶ added in v0.0.3
type R1002LoadKernelModuleFailure struct { RuleName string RulePriority int Err string FixSuggestionMsg string FailureEvent *tracing.SyscallEvent }
func (*R1002LoadKernelModuleFailure) Error ¶ added in v0.0.3
func (rule *R1002LoadKernelModuleFailure) Error() string
func (*R1002LoadKernelModuleFailure) Event ¶ added in v0.0.3
func (rule *R1002LoadKernelModuleFailure) Event() tracing.GeneralEvent
func (*R1002LoadKernelModuleFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R1002LoadKernelModuleFailure) FixSuggestion() string
func (*R1002LoadKernelModuleFailure) Name ¶ added in v0.0.3
func (rule *R1002LoadKernelModuleFailure) Name() string
func (*R1002LoadKernelModuleFailure) Priority ¶ added in v0.0.3
func (rule *R1002LoadKernelModuleFailure) Priority() int
type R1003MaliciousSSHConnection ¶ added in v0.0.3
type R1003MaliciousSSHConnection struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1003MaliciousSSHConnection ¶ added in v0.0.3
func CreateRuleR1003MaliciousSSHConnection() *R1003MaliciousSSHConnection
func (*R1003MaliciousSSHConnection) DeleteRule ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnection) DeleteRule()
func (*R1003MaliciousSSHConnection) Name ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnection) Name() string
func (*R1003MaliciousSSHConnection) ProcessEvent ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1003MaliciousSSHConnection) Requirements ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnection) Requirements() RuleRequirements
func (*R1003MaliciousSSHConnection) SetParameters ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})
type R1003MaliciousSSHConnectionFailure ¶ added in v0.0.3
type R1003MaliciousSSHConnectionFailure struct { RuleName string Err string FixSuggestionMsg string RulePriority int FailureEvent *tracing.NetworkEvent }
func (*R1003MaliciousSSHConnectionFailure) Error ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnectionFailure) Error() string
func (*R1003MaliciousSSHConnectionFailure) Event ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnectionFailure) Event() tracing.GeneralEvent
func (*R1003MaliciousSSHConnectionFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnectionFailure) FixSuggestion() string
func (*R1003MaliciousSSHConnectionFailure) Name ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnectionFailure) Name() string
func (*R1003MaliciousSSHConnectionFailure) Priority ¶ added in v0.0.3
func (rule *R1003MaliciousSSHConnectionFailure) Priority() int
type R1004ExecFromMount ¶ added in v0.0.3
type R1004ExecFromMount struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1004ExecFromMount ¶ added in v0.0.3
func CreateRuleR1004ExecFromMount() *R1004ExecFromMount
func (*R1004ExecFromMount) DeleteRule ¶ added in v0.0.3
func (rule *R1004ExecFromMount) DeleteRule()
func (*R1004ExecFromMount) Name ¶ added in v0.0.3
func (rule *R1004ExecFromMount) Name() string
func (*R1004ExecFromMount) ProcessEvent ¶ added in v0.0.3
func (rule *R1004ExecFromMount) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1004ExecFromMount) Requirements ¶ added in v0.0.3
func (rule *R1004ExecFromMount) Requirements() RuleRequirements
type R1004ExecFromMountFailure ¶ added in v0.0.3
type R1004ExecFromMountFailure struct { RuleName string RulePriority int Err string FixSuggestionMsg string FailureEvent *tracing.ExecveEvent }
func (*R1004ExecFromMountFailure) Error ¶ added in v0.0.3
func (rule *R1004ExecFromMountFailure) Error() string
func (*R1004ExecFromMountFailure) Event ¶ added in v0.0.3
func (rule *R1004ExecFromMountFailure) Event() tracing.GeneralEvent
func (*R1004ExecFromMountFailure) FixSuggestion ¶ added in v0.0.3
func (rule *R1004ExecFromMountFailure) FixSuggestion() string
func (*R1004ExecFromMountFailure) Name ¶ added in v0.0.3
func (rule *R1004ExecFromMountFailure) Name() string
func (*R1004ExecFromMountFailure) Priority ¶ added in v0.0.3
func (rule *R1004ExecFromMountFailure) Priority() int
type R1006UnshareSyscall ¶ added in v0.0.6
type R1006UnshareSyscall struct { // contains filtered or unexported fields }
func CreateRuleR1006UnshareSyscall ¶ added in v0.0.6
func CreateRuleR1006UnshareSyscall() *R1006UnshareSyscall
func (*R1006UnshareSyscall) DeleteRule ¶ added in v0.0.6
func (rule *R1006UnshareSyscall) DeleteRule()
func (*R1006UnshareSyscall) Name ¶ added in v0.0.6
func (rule *R1006UnshareSyscall) Name() string
func (*R1006UnshareSyscall) ProcessEvent ¶ added in v0.0.6
func (rule *R1006UnshareSyscall) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1006UnshareSyscall) Requirements ¶ added in v0.0.6
func (rule *R1006UnshareSyscall) Requirements() RuleRequirements
type R1006UnshareSyscallFailure ¶ added in v0.0.6
type R1006UnshareSyscallFailure struct {}
func (*R1006UnshareSyscallFailure) Error ¶ added in v0.0.6
func (rule *R1006UnshareSyscallFailure) Error() string
func (*R1006UnshareSyscallFailure) Event ¶ added in v0.0.6
func (rule *R1006UnshareSyscallFailure) Event() tracing.GeneralEvent
func (*R1006UnshareSyscallFailure) FixSuggestion ¶ added in v0.0.6
func (rule *R1006UnshareSyscallFailure) FixSuggestion() string
func (*R1006UnshareSyscallFailure) Name ¶ added in v0.0.6
func (rule *R1006UnshareSyscallFailure) Name() string
func (*R1006UnshareSyscallFailure) Priority ¶ added in v0.0.6
func (rule *R1006UnshareSyscallFailure) Priority() int
type R1007CryptoMiners ¶ added in v0.0.6
type R1007CryptoMiners struct {
BaseRule
}
func CreateRuleR1007CryptoMiners ¶ added in v0.0.6
func CreateRuleR1007CryptoMiners() *R1007CryptoMiners
func (*R1007CryptoMiners) DeleteRule ¶ added in v0.0.6
func (rule *R1007CryptoMiners) DeleteRule()
func (*R1007CryptoMiners) Name ¶ added in v0.0.6
func (rule *R1007CryptoMiners) Name() string
func (*R1007CryptoMiners) ProcessEvent ¶ added in v0.0.6
func (rule *R1007CryptoMiners) ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure
func (*R1007CryptoMiners) Requirements ¶ added in v0.0.6
func (rule *R1007CryptoMiners) Requirements() RuleRequirements
type R1007CryptoMinersFailure ¶ added in v0.0.6
type R1007CryptoMinersFailure struct { RuleName string RulePriority int Err string FixSuggestionMsg string FailureEvent *tracing.GeneralEvent }
func (*R1007CryptoMinersFailure) Error ¶ added in v0.0.6
func (rule *R1007CryptoMinersFailure) Error() string
func (*R1007CryptoMinersFailure) Event ¶ added in v0.0.6
func (rule *R1007CryptoMinersFailure) Event() tracing.GeneralEvent
func (*R1007CryptoMinersFailure) FixSuggestion ¶ added in v0.0.6
func (rule *R1007CryptoMinersFailure) FixSuggestion() string
func (*R1007CryptoMinersFailure) Name ¶ added in v0.0.6
func (rule *R1007CryptoMinersFailure) Name() string
func (*R1007CryptoMinersFailure) Priority ¶ added in v0.0.6
func (rule *R1007CryptoMinersFailure) Priority() int
type Rule ¶
type Rule interface { // Delete a rule instance. DeleteRule() // Rule Name. Name() string // Needed events for the rule. ProcessEvent(eventType tracing.EventType, event interface{}, appProfileAccess approfilecache.SingleApplicationProfileAccess, engineAccess EngineAccess) RuleFailure // Rule requirements. Requirements() RuleRequirements // Set rule parameters. SetParameters(parameters map[string]interface{}) // Get rule parameters. GetParameters() map[string]interface{} }
func CreateRuleByID ¶
func CreateRuleByName ¶
func CreateRulesByNames ¶
func CreateRulesByTags ¶
type RuleDesciptor ¶
type RuleDesciptor struct { // Rule ID ID string // Rule Name. Name string // Rule Description. Description string // Priority. Priority int // Tags Tags []string // Rule requirements. Requirements RuleRequirements // Create a rule function. RuleCreationFunc func() Rule }
func GetAllRuleDescriptors ¶
func GetAllRuleDescriptors() []RuleDesciptor
func (*RuleDesciptor) HasTags ¶
func (r *RuleDesciptor) HasTags(tags []string) bool
type RuleFailure ¶
type RuleRequirements ¶
Source Files ¶
- factory.go
- mock.go
- r0001_unexpected_process_launched.go
- r0002_unexpected_file_access.go
- r0003_unexpected_system_call.go
- r0004_unexpected_capability_used.go
- r0005_unexpected_domain_request.go
- r0006_unexpected_service_account_token_access.go
- r0007_kubernetes_client_executed.go
- r1000_exec_from_malicious_source.go
- r1001_exec_binary_not_in_base_image.go
- r1002_load_kernel_module.go
- r1003_malicious_ssh_connection.go
- r1004_exec_from_mount.go
- r1006_unshare_system_call.go
- r1007_crypto_miners.go
- rule.go
- types.go