Documentation ¶
Index ¶
- Constants
- Variables
- func IsSSHConfigFile(path string) bool
- type BaseRule
- type GenericRuleFailure
- func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert
- func (rule *GenericRuleFailure) GetRuleAlert() apitypes.RuleAlert
- func (rule *GenericRuleFailure) GetRuleId() string
- func (rule *GenericRuleFailure) GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails
- func (rule *GenericRuleFailure) GetRuntimeProcessDetails() apitypes.ProcessTree
- func (rule *GenericRuleFailure) GetTriggerEvent() igtypes.Event
- func (rule *GenericRuleFailure) SetBaseRuntimeAlert(baseRuntimeAlert apitypes.BaseRuntimeAlert)
- func (rule *GenericRuleFailure) SetRuleAlert(ruleAlert apitypes.RuleAlert)
- func (rule *GenericRuleFailure) SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails)
- func (rule *GenericRuleFailure) SetRuntimeProcessDetails(runtimeProcessDetails apitypes.ProcessTree)
- func (rule *GenericRuleFailure) SetTriggerEvent(triggerEvent igtypes.Event)
- func (rule *GenericRuleFailure) SetWorkloadDetails(workloadDetails string)
- type R0001UnexpectedProcessLaunched
- func (rule *R0001UnexpectedProcessLaunched) ID() string
- func (rule *R0001UnexpectedProcessLaunched) Name() string
- func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event interface{}, ...) ruleengine.RuleFailure
- func (rule *R0001UnexpectedProcessLaunched) Requirements() ruleengine.RuleSpec
- func (rule *R0001UnexpectedProcessLaunched) SetParameters(params map[string]interface{})
- type R0002UnexpectedFileAccess
- func (rule *R0002UnexpectedFileAccess) DeleteRule()
- func (rule *R0002UnexpectedFileAccess) ID() string
- func (rule *R0002UnexpectedFileAccess) Name() string
- func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0002UnexpectedFileAccess) Requirements() ruleengine.RuleSpec
- func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})
- type R0003UnexpectedSystemCall
- func (rule *R0003UnexpectedSystemCall) DeleteRule()
- func (rule *R0003UnexpectedSystemCall) ID() string
- func (rule *R0003UnexpectedSystemCall) Name() string
- func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0003UnexpectedSystemCall) Requirements() ruleengine.RuleSpec
- type R0004UnexpectedCapabilityUsed
- func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()
- func (rule *R0004UnexpectedCapabilityUsed) ID() string
- func (rule *R0004UnexpectedCapabilityUsed) Name() string
- func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0004UnexpectedCapabilityUsed) Requirements() ruleengine.RuleSpec
- type R0005UnexpectedDomainRequest
- func (rule *R0005UnexpectedDomainRequest) DeleteRule()
- func (rule *R0005UnexpectedDomainRequest) ID() string
- func (rule *R0005UnexpectedDomainRequest) Name() string
- func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0005UnexpectedDomainRequest) Requirements() ruleengine.RuleSpec
- type R0006UnexpectedServiceAccountTokenAccess
- func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()
- func (rule *R0006UnexpectedServiceAccountTokenAccess) ID() string
- func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string
- func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() ruleengine.RuleSpec
- type R0007KubernetesClientExecuted
- func (rule *R0007KubernetesClientExecuted) DeleteRule()
- func (rule *R0007KubernetesClientExecuted) ID() string
- func (rule *R0007KubernetesClientExecuted) Name() string
- func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0007KubernetesClientExecuted) Requirements() ruleengine.RuleSpec
- type R0008ReadEnvironmentVariablesProcFS
- func (rule *R0008ReadEnvironmentVariablesProcFS) DeleteRule()
- func (rule *R0008ReadEnvironmentVariablesProcFS) ID() string
- func (rule *R0008ReadEnvironmentVariablesProcFS) Name() string
- func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0008ReadEnvironmentVariablesProcFS) Requirements() ruleengine.RuleSpec
- type R0009EbpfProgramLoad
- func (rule *R0009EbpfProgramLoad) DeleteRule()
- func (rule *R0009EbpfProgramLoad) ID() string
- func (rule *R0009EbpfProgramLoad) Name() string
- func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0009EbpfProgramLoad) Requirements() ruleengine.RuleSpec
- type R0010UnexpectedSensitiveFileAccess
- func (rule *R0010UnexpectedSensitiveFileAccess) DeleteRule()
- func (rule *R0010UnexpectedSensitiveFileAccess) ID() string
- func (rule *R0010UnexpectedSensitiveFileAccess) Name() string
- func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R0010UnexpectedSensitiveFileAccess) Requirements() ruleengine.RuleSpec
- func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{})
- type R1000ExecFromMaliciousSource
- func (rule *R1000ExecFromMaliciousSource) ID() string
- func (rule *R1000ExecFromMaliciousSource) Name() string
- func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1000ExecFromMaliciousSource) Requirements() ruleengine.RuleSpec
- type R1001ExecBinaryNotInBaseImage
- func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()
- func (rule *R1001ExecBinaryNotInBaseImage) ID() string
- func (rule *R1001ExecBinaryNotInBaseImage) Name() string
- func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventType, event interface{}, ...) ruleengine.RuleFailure
- func (rule *R1001ExecBinaryNotInBaseImage) Requirements() ruleengine.RuleSpec
- type R1002LoadKernelModule
- func (rule *R1002LoadKernelModule) DeleteRule()
- func (rule *R1002LoadKernelModule) ID() string
- func (rule *R1002LoadKernelModule) Name() string
- func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1002LoadKernelModule) Requirements() ruleengine.RuleSpec
- type R1003MaliciousSSHConnection
- func (rule *R1003MaliciousSSHConnection) DeleteRule()
- func (rule *R1003MaliciousSSHConnection) ID() string
- func (rule *R1003MaliciousSSHConnection) Name() string
- func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType, event interface{}, ...) ruleengine.RuleFailure
- func (rule *R1003MaliciousSSHConnection) Requirements() ruleengine.RuleSpec
- func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})
- type R1004ExecFromMount
- func (rule *R1004ExecFromMount) DeleteRule()
- func (rule *R1004ExecFromMount) ID() string
- func (rule *R1004ExecFromMount) Name() string
- func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1004ExecFromMount) Requirements() ruleengine.RuleSpec
- type R1005FilelessExecution
- func (rule *R1005FilelessExecution) DeleteRule()
- func (rule *R1005FilelessExecution) ID() string
- func (rule *R1005FilelessExecution) Name() string
- func (rule *R1005FilelessExecution) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1005FilelessExecution) Requirements() ruleengine.RuleSpec
- type R1006UnshareSyscall
- func (rule *R1006UnshareSyscall) DeleteRule()
- func (rule *R1006UnshareSyscall) ID() string
- func (rule *R1006UnshareSyscall) Name() string
- func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1006UnshareSyscall) Requirements() ruleengine.RuleSpec
- type R1007XMRCryptoMining
- func (rule *R1007XMRCryptoMining) DeleteRule()
- func (rule *R1007XMRCryptoMining) ID() string
- func (rule *R1007XMRCryptoMining) Name() string
- func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1007XMRCryptoMining) Requirements() ruleengine.RuleSpec
- type R1008CryptoMiningDomainCommunication
- func (rule *R1008CryptoMiningDomainCommunication) DeleteRule()
- func (rule *R1008CryptoMiningDomainCommunication) ID() string
- func (rule *R1008CryptoMiningDomainCommunication) Name() string
- func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1008CryptoMiningDomainCommunication) Requirements() ruleengine.RuleSpec
- type R1009CryptoMiningRelatedPort
- func (rule *R1009CryptoMiningRelatedPort) DeleteRule()
- func (rule *R1009CryptoMiningRelatedPort) ID() string
- func (rule *R1009CryptoMiningRelatedPort) Name() string
- func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1009CryptoMiningRelatedPort) Requirements() ruleengine.RuleSpec
- type R1010SymlinkCreatedOverSensitiveFile
- func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule()
- func (rule *R1010SymlinkCreatedOverSensitiveFile) ID() string
- func (rule *R1010SymlinkCreatedOverSensitiveFile) Name() string
- func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1010SymlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec
- func (rule *R1010SymlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})
- type R1011LdPreloadHook
- func (rule *R1011LdPreloadHook) DeleteRule()
- func (rule *R1011LdPreloadHook) ID() string
- func (rule *R1011LdPreloadHook) Name() string
- func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event interface{}, ...) ruleengine.RuleFailure
- func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec
- type R1012HardlinkCreatedOverSensitiveFile
- func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule()
- func (rule *R1012HardlinkCreatedOverSensitiveFile) ID() string
- func (rule *R1012HardlinkCreatedOverSensitiveFile) Name() string
- func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
- func (rule *R1012HardlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec
- func (rule *R1012HardlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})
- type RuleCreatorImpl
- func (r *RuleCreatorImpl) CreateRuleByID(id string) ruleengine.RuleEvaluator
- func (r *RuleCreatorImpl) CreateRuleByName(name string) ruleengine.RuleEvaluator
- func (r *RuleCreatorImpl) CreateRulesByTags(tags []string) []ruleengine.RuleEvaluator
- func (r *RuleCreatorImpl) GetAllRuleDescriptors() []RuleDescriptor
- type RuleDescriptor
- type RuleObjectCacheMock
- func (r *RuleObjectCacheMock) ApplicationProfileCache() objectcache.ApplicationProfileCache
- func (r *RuleObjectCacheMock) GetApiServerIpAddress() string
- func (r *RuleObjectCacheMock) GetApplicationProfile(string) *v1beta1.ApplicationProfile
- func (r *RuleObjectCacheMock) GetNetworkNeighborhood(string) *v1beta1.NetworkNeighborhood
- func (r *RuleObjectCacheMock) GetPodSpec(_, _ string) *corev1.PodSpec
- func (r *RuleObjectCacheMock) GetPodStatus(_, _ string) *corev1.PodStatus
- func (r *RuleObjectCacheMock) GetPods() []*corev1.Pod
- func (r *RuleObjectCacheMock) K8sObjectCache() objectcache.K8sObjectCache
- func (r *RuleObjectCacheMock) NetworkNeighborhoodCache() objectcache.NetworkNeighborhoodCache
- func (r *RuleObjectCacheMock) SetApplicationProfile(profile *v1beta1.ApplicationProfile)
- func (r *RuleObjectCacheMock) SetNetworkNeighborhood(nn *v1beta1.NetworkNeighborhood)
- func (r *RuleObjectCacheMock) SetPodSpec(podSpec *corev1.PodSpec)
- func (r *RuleObjectCacheMock) SetPodStatus(podStatus *corev1.PodStatus)
- type RuleRequirements
Constants ¶
View Source
const ( R0001ID = "R0001" R0001Name = "Unexpected process launched" )
View Source
const ( R0002ID = "R0002" R0002Name = "Unexpected file access" )
View Source
const ( R0003ID = "R0003" R0003Name = "Unexpected system call" )
View Source
const ( R0004ID = "R0004" R0004Name = "Unexpected capability used" )
View Source
const ( R0005ID = "R0005" R0005Name = "Unexpected domain request" )
View Source
const ( R0006ID = "R0006" R0006Name = "Unexpected Service Account Token Access" )
View Source
const ( R0007ID = "R0007" R0007Name = "Kubernetes Client Executed" )
View Source
const ( R0008ID = "R0008" R0008Name = "Read Environment Variables from procfs" )
View Source
const ( R0009ID = "R0009" R0009Name = "eBPF Program Load" )
View Source
const ( R0010ID = "R0010" R0010Name = "Unexpected Sensitive File Access" )
View Source
const ( R1000ID = "R1000" R1000Name = "Exec from malicious source" )
View Source
const ( R1001ID = "R1001" R1001Name = "Exec Binary Not In Base Image" )
View Source
const ( R1002ID = "R1002" R1002Name = "Kernel Module Load" )
View Source
const ( R1003ID = "R1003" R1003Name = "Malicious SSH Connection" MaxTimeDiffInSeconds = 2 )
View Source
const ( R1004ID = "R1004" R1004Name = "Exec from mount" )
View Source
const ( R1005ID = "R1005" R1005Name = "Fileless Execution" )
View Source
const ( R1006ID = "R1006" R1006Name = "Unshare System Call usage" )
View Source
const ( R1007ID = "R1007" R1007Name = "XMR Crypto Mining Detection" )
View Source
const ( R1008ID = "R1008" R1008Name = "Crypto Mining Domain Communication" )
View Source
const ( R1009ID = "R1009" R1009Name = "Crypto Mining Related Port Communication" )
View Source
const ( R1010ID = "R1010" R1010Name = "Symlink Created Over Sensitive File" )
View Source
const ( R1011ID = "R1011" R1011Name = "LD_PRELOAD Hook" LD_PRELOAD_FILE = "/etc/ld.so.preload" JAVA_COMM = "java" )
View Source
const ( R1012ID = "R1012" R1012Name = "Hardlink Created Over Sensitive File" )
View Source
const ( RulePriorityNone = 0 RulePriorityLow = 1 RulePriorityMed = 5 RulePriorityHigh = 8 RulePriorityCritical = 10 RulePrioritySystemIssue = 1000 )
Variables ¶
View Source
var ( ContainerNotFound = errors.New("container not found") ProfileNotFound = errors.New("application profile not found") )
View Source
var CommonlyUsedCryptoMinersPorts = []uint16{
3333,
45700,
}
View Source
var LD_PRELOAD_ENV_VARS = []string{"LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH"}
View Source
var R0001UnexpectedProcessLaunchedRuleDescriptor = RuleDescriptor{ ID: R0001ID, Name: R0001Name, Description: "Detecting exec calls that are not whitelisted by application profile", Tags: []string{"exec", "whitelisted"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.ExecveEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0001UnexpectedProcessLaunched() }, }
View Source
var R0002UnexpectedFileAccessRuleDescriptor = RuleDescriptor{ ID: R0002ID, Name: R0002Name, Description: "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags", Tags: []string{"open", "whitelisted"}, Priority: RulePriorityLow, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.OpenEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0002UnexpectedFileAccess() }, }
View Source
var R0003UnexpectedSystemCallRuleDescriptor = RuleDescriptor{ ID: R0003ID, Name: R0003Name, Description: "Detecting unexpected system calls that are not whitelisted by application profile.", Tags: []string{"syscall", "whitelisted"}, Priority: RulePriorityLow, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.SyscallEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0003UnexpectedSystemCall() }, }
View Source
var R0004UnexpectedCapabilityUsedRuleDescriptor = RuleDescriptor{ ID: R0004ID, Name: R0004Name, Description: "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.", Tags: []string{"capabilities", "whitelisted"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.CapabilitiesEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0004UnexpectedCapabilityUsed() }, }
View Source
var R0005UnexpectedDomainRequestRuleDescriptor = RuleDescriptor{ ID: R0005ID, Name: R0005Name, Description: "Detecting unexpected domain requests that are not whitelisted by application profile.", Tags: []string{"dns", "whitelisted"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.DnsEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0005UnexpectedDomainRequest() }, }
View Source
var R0006UnexpectedServiceAccountTokenAccessRuleDescriptor = RuleDescriptor{ ID: R0006ID, Name: R0006Name, Description: "Detecting unexpected access to service account token.", Tags: []string{"token", "malicious", "whitelisted"}, Priority: RulePriorityHigh, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.OpenEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0006UnexpectedServiceAccountTokenAccess() }, }
View Source
var R0007KubernetesClientExecutedDescriptor = RuleDescriptor{ ID: R0007ID, Name: R0007Name, Description: "Detecting exececution of kubernetes client", Priority: RulePriorityHigh, Tags: []string{"exec", "malicious", "whitelisted"}, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.ExecveEventType, utils.NetworkEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0007KubernetesClientExecuted() }, }
View Source
var R0008ReadEnvironmentVariablesProcFSRuleDescriptor = RuleDescriptor{ ID: R0008ID, Name: R0008Name, Description: "Detecting reading environment variables from procfs.", Tags: []string{"env", "malicious", "whitelisted"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.OpenEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0008ReadEnvironmentVariablesProcFS() }, }
View Source
var R0009EbpfProgramLoadRuleDescriptor = RuleDescriptor{ ID: R0009ID, Name: R0009Name, Description: "Detecting eBPF program load.", Tags: []string{"syscall", "ebpf"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.SyscallEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0009EbpfProgramLoad() }, }
View Source
var R0010UnexpectedSensitiveFileAccessRuleDescriptor = RuleDescriptor{ ID: R0010ID, Name: R0010Name, Description: "Detecting access to sensitive files.", Tags: []string{"files", "malicious", "whitelisted"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.OpenEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0010UnexpectedSensitiveFileAccess() }, }
View Source
var R1000ExecFromMaliciousSourceDescriptor = RuleDescriptor{ ID: R1000ID, Name: R1000Name, Description: "Detecting exec calls that are from malicious source like: /dev/shm, /proc/self", Priority: RulePriorityMed, Tags: []string{"exec", "signature"}, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.ExecveEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1000ExecFromMaliciousSource() }, }
View Source
var R1001ExecBinaryNotInBaseImageRuleDescriptor = RuleDescriptor{ ID: R1001ID, Name: R1001Name, Description: "Detecting exec calls of binaries that are not included in the base image", Tags: []string{"exec", "malicious", "binary", "base image"}, Priority: RulePriorityHigh, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.ExecveEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1001ExecBinaryNotInBaseImage() }, }
View Source
var R1002LoadKernelModuleRuleDescriptor = RuleDescriptor{ ID: R1002ID, Name: R1002Name, Description: "Detecting Kernel Module Load.", Tags: []string{"syscall", "kernel", "module", "load"}, Priority: RulePriorityCritical, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.SyscallEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1002LoadKernelModule() }, }
View Source
var R1003MaliciousSSHConnectionRuleDescriptor = RuleDescriptor{ ID: R1003ID, Name: R1003Name, Description: "Detecting ssh connection to disallowed port", Tags: []string{"ssh", "connection", "port", "malicious"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.OpenEventType, utils.NetworkEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1003MaliciousSSHConnection() }, }
View Source
var R1004ExecFromMountRuleDescriptor = RuleDescriptor{ ID: R1004ID, Name: R1004Name, Description: "Detecting exec calls from mounted paths.", Tags: []string{"exec", "mount"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{utils.ExecveEventType}, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1004ExecFromMount() }, }
View Source
var R1005FilelessExecutionRuleDescriptor = RuleDescriptor{ ID: R1005ID, Name: R1005Name, Description: "Detecting Fileless Execution", Tags: []string{"fileless", "execution"}, Priority: RulePriorityHigh, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.ExecveEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1005FilelessExecution() }, }
View Source
R1006ID, Name: R1006Name, Description: "Detecting Unshare System Call usage, which can be used to escape container.", Tags: []string{"syscall", "escape", "unshare"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.SyscallEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1006UnshareSyscall() }, }ID:
View Source
var R1007XMRCryptoMiningRuleDescriptor = RuleDescriptor{ ID: R1007ID, Name: R1007Name, Description: "Detecting XMR Crypto Miners by randomx algorithm usage.", Tags: []string{"crypto", "miners", "malicious"}, Priority: RulePriorityCritical, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.RandomXEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1007XMRCryptoMining() }, }
View Source
var R1008CryptoMiningDomainCommunicationRuleDescriptor = RuleDescriptor{ ID: R1008ID, Name: R1008Name, Description: "Detecting Crypto miners communication by domain", Tags: []string{"network", "crypto", "miners", "malicious", "dns"}, Priority: RulePriorityCritical, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.DnsEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1008CryptoMiningDomainCommunication() }, }
View Source
var R1009CryptoMiningRelatedPortRuleDescriptor = RuleDescriptor{ ID: R1009ID, Name: R1009Name, Description: "Detecting Crypto Miners by suspicious port usage.", Tags: []string{"network", "crypto", "miners", "malicious"}, Priority: RulePriorityLow, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.NetworkEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1009CryptoMiningRelatedPort() }, }
View Source
var R1010SymlinkCreatedOverSensitiveFileRuleDescriptor = RuleDescriptor{ ID: R1010ID, Name: R1010Name, Description: "Detecting symlink creation over sensitive files.", Tags: []string{"files", "malicious"}, Priority: RulePriorityHigh, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.SymlinkEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1010SymlinkCreatedOverSensitiveFile() }, }
View Source
var R1011LdPreloadHookRuleDescriptor = RuleDescriptor{ ID: R1011ID, Name: R1011Name, Description: "Detecting ld_preload hook techniques.", Tags: []string{"exec", "malicious"}, Priority: RulePriorityMed, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.ExecveEventType, utils.OpenEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1011LdPreloadHook() }, }
View Source
var R1012HardlinkCreatedOverSensitiveFileRuleDescriptor = RuleDescriptor{ ID: R1012ID, Name: R1012Name, Description: "Detecting hardlink creation over sensitive files.", Tags: []string{"files", "malicious"}, Priority: RulePriorityHigh, Requirements: &RuleRequirements{ EventTypes: []utils.EventType{ utils.HardlinkEventType, }, }, RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1012HardlinkCreatedOverSensitiveFile() }, }
View Source
var SSHRelatedFiles = []string{
"ssh_config",
"sshd_config",
"ssh_known_hosts",
"ssh_known_hosts2",
"ssh_config.d",
"sshd_config.d",
".ssh",
"authorized_keys",
"authorized_keys2",
"known_hosts",
"known_hosts2",
"id_rsa",
"id_rsa.pub",
"id_dsa",
"id_dsa.pub",
"id_ecdsa",
"id_ecdsa.pub",
"id_ed25519",
"id_ed25519.pub",
"id_xmss",
"id_xmss.pub",
}
View Source
var SensitiveFiles = []string{
"/etc/shadow",
"/etc/passwd",
"/etc/sudoers",
"/etc/ssh/sshd_config",
"/etc/ssh/ssh_config",
"/etc/pam.d",
"/etc/group",
}
SensitiveFiles is a list of sensitive files that should not be accessed by the application unexpectedly.
Functions ¶
func IsSSHConfigFile ¶
Types ¶
type BaseRule ¶
type BaseRule struct {
// contains filtered or unexported fields
}
func (*BaseRule) GetParameters ¶
func (*BaseRule) SetParameters ¶
type GenericRuleFailure ¶
type GenericRuleFailure struct { BaseRuntimeAlert apitypes.BaseRuntimeAlert RuntimeProcessDetails apitypes.ProcessTree TriggerEvent igtypes.Event RuleAlert apitypes.RuleAlert RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails RuleID string }
func (*GenericRuleFailure) GetBaseRuntimeAlert ¶
func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert
func (*GenericRuleFailure) GetRuleAlert ¶
func (rule *GenericRuleFailure) GetRuleAlert() apitypes.RuleAlert
func (*GenericRuleFailure) GetRuleId ¶
func (rule *GenericRuleFailure) GetRuleId() string
func (*GenericRuleFailure) GetRuntimeAlertK8sDetails ¶
func (rule *GenericRuleFailure) GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails
func (*GenericRuleFailure) GetRuntimeProcessDetails ¶
func (rule *GenericRuleFailure) GetRuntimeProcessDetails() apitypes.ProcessTree
func (*GenericRuleFailure) GetTriggerEvent ¶
func (rule *GenericRuleFailure) GetTriggerEvent() igtypes.Event
func (*GenericRuleFailure) SetBaseRuntimeAlert ¶
func (rule *GenericRuleFailure) SetBaseRuntimeAlert(baseRuntimeAlert apitypes.BaseRuntimeAlert)
func (*GenericRuleFailure) SetRuleAlert ¶
func (rule *GenericRuleFailure) SetRuleAlert(ruleAlert apitypes.RuleAlert)
func (*GenericRuleFailure) SetRuntimeAlertK8sDetails ¶
func (rule *GenericRuleFailure) SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails)
func (*GenericRuleFailure) SetRuntimeProcessDetails ¶
func (rule *GenericRuleFailure) SetRuntimeProcessDetails(runtimeProcessDetails apitypes.ProcessTree)
func (*GenericRuleFailure) SetTriggerEvent ¶
func (rule *GenericRuleFailure) SetTriggerEvent(triggerEvent igtypes.Event)
func (*GenericRuleFailure) SetWorkloadDetails ¶
func (rule *GenericRuleFailure) SetWorkloadDetails(workloadDetails string)
type R0001UnexpectedProcessLaunched ¶
type R0001UnexpectedProcessLaunched struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0001UnexpectedProcessLaunched ¶
func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched
func (*R0001UnexpectedProcessLaunched) ID ¶
func (rule *R0001UnexpectedProcessLaunched) ID() string
func (*R0001UnexpectedProcessLaunched) Name ¶
func (rule *R0001UnexpectedProcessLaunched) Name() string
func (*R0001UnexpectedProcessLaunched) ProcessEvent ¶
func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0001UnexpectedProcessLaunched) Requirements ¶
func (rule *R0001UnexpectedProcessLaunched) Requirements() ruleengine.RuleSpec
func (*R0001UnexpectedProcessLaunched) SetParameters ¶
func (rule *R0001UnexpectedProcessLaunched) SetParameters(params map[string]interface{})
type R0002UnexpectedFileAccess ¶
type R0002UnexpectedFileAccess struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0002UnexpectedFileAccess ¶
func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess
func (*R0002UnexpectedFileAccess) DeleteRule ¶
func (rule *R0002UnexpectedFileAccess) DeleteRule()
func (*R0002UnexpectedFileAccess) ID ¶
func (rule *R0002UnexpectedFileAccess) ID() string
func (*R0002UnexpectedFileAccess) Name ¶
func (rule *R0002UnexpectedFileAccess) Name() string
func (*R0002UnexpectedFileAccess) ProcessEvent ¶
func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0002UnexpectedFileAccess) Requirements ¶
func (rule *R0002UnexpectedFileAccess) Requirements() ruleengine.RuleSpec
func (*R0002UnexpectedFileAccess) SetParameters ¶
func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})
type R0003UnexpectedSystemCall ¶
type R0003UnexpectedSystemCall struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0003UnexpectedSystemCall ¶
func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall
func (*R0003UnexpectedSystemCall) DeleteRule ¶
func (rule *R0003UnexpectedSystemCall) DeleteRule()
func (*R0003UnexpectedSystemCall) ID ¶
func (rule *R0003UnexpectedSystemCall) ID() string
func (*R0003UnexpectedSystemCall) Name ¶
func (rule *R0003UnexpectedSystemCall) Name() string
func (*R0003UnexpectedSystemCall) ProcessEvent ¶
func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0003UnexpectedSystemCall) Requirements ¶
func (rule *R0003UnexpectedSystemCall) Requirements() ruleengine.RuleSpec
type R0004UnexpectedCapabilityUsed ¶
type R0004UnexpectedCapabilityUsed struct {
BaseRule
}
func CreateRuleR0004UnexpectedCapabilityUsed ¶
func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed
func (*R0004UnexpectedCapabilityUsed) DeleteRule ¶
func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()
func (*R0004UnexpectedCapabilityUsed) ID ¶
func (rule *R0004UnexpectedCapabilityUsed) ID() string
func (*R0004UnexpectedCapabilityUsed) Name ¶
func (rule *R0004UnexpectedCapabilityUsed) Name() string
func (*R0004UnexpectedCapabilityUsed) ProcessEvent ¶
func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0004UnexpectedCapabilityUsed) Requirements ¶
func (rule *R0004UnexpectedCapabilityUsed) Requirements() ruleengine.RuleSpec
type R0005UnexpectedDomainRequest ¶
type R0005UnexpectedDomainRequest struct {
BaseRule
}
func CreateRuleR0005UnexpectedDomainRequest ¶
func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest
func (*R0005UnexpectedDomainRequest) DeleteRule ¶
func (rule *R0005UnexpectedDomainRequest) DeleteRule()
func (*R0005UnexpectedDomainRequest) ID ¶
func (rule *R0005UnexpectedDomainRequest) ID() string
func (*R0005UnexpectedDomainRequest) Name ¶
func (rule *R0005UnexpectedDomainRequest) Name() string
func (*R0005UnexpectedDomainRequest) ProcessEvent ¶
func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0005UnexpectedDomainRequest) Requirements ¶
func (rule *R0005UnexpectedDomainRequest) Requirements() ruleengine.RuleSpec
type R0006UnexpectedServiceAccountTokenAccess ¶
type R0006UnexpectedServiceAccountTokenAccess struct {
BaseRule
}
func CreateRuleR0006UnexpectedServiceAccountTokenAccess ¶
func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess
func (*R0006UnexpectedServiceAccountTokenAccess) DeleteRule ¶
func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()
func (*R0006UnexpectedServiceAccountTokenAccess) ID ¶
func (rule *R0006UnexpectedServiceAccountTokenAccess) ID() string
func (*R0006UnexpectedServiceAccountTokenAccess) Name ¶
func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string
func (*R0006UnexpectedServiceAccountTokenAccess) ProcessEvent ¶
func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0006UnexpectedServiceAccountTokenAccess) Requirements ¶
func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() ruleengine.RuleSpec
type R0007KubernetesClientExecuted ¶
type R0007KubernetesClientExecuted struct {
BaseRule
}
func CreateRuleR0007KubernetesClientExecuted ¶
func CreateRuleR0007KubernetesClientExecuted() *R0007KubernetesClientExecuted
func (*R0007KubernetesClientExecuted) DeleteRule ¶
func (rule *R0007KubernetesClientExecuted) DeleteRule()
func (*R0007KubernetesClientExecuted) ID ¶
func (rule *R0007KubernetesClientExecuted) ID() string
func (*R0007KubernetesClientExecuted) Name ¶
func (rule *R0007KubernetesClientExecuted) Name() string
func (*R0007KubernetesClientExecuted) ProcessEvent ¶
func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0007KubernetesClientExecuted) Requirements ¶
func (rule *R0007KubernetesClientExecuted) Requirements() ruleengine.RuleSpec
type R0008ReadEnvironmentVariablesProcFS ¶
type R0008ReadEnvironmentVariablesProcFS struct {
BaseRule
}
func CreateRuleR0008ReadEnvironmentVariablesProcFS ¶
func CreateRuleR0008ReadEnvironmentVariablesProcFS() *R0008ReadEnvironmentVariablesProcFS
func (*R0008ReadEnvironmentVariablesProcFS) DeleteRule ¶
func (rule *R0008ReadEnvironmentVariablesProcFS) DeleteRule()
func (*R0008ReadEnvironmentVariablesProcFS) ID ¶
func (rule *R0008ReadEnvironmentVariablesProcFS) ID() string
func (*R0008ReadEnvironmentVariablesProcFS) Name ¶
func (rule *R0008ReadEnvironmentVariablesProcFS) Name() string
func (*R0008ReadEnvironmentVariablesProcFS) ProcessEvent ¶
func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0008ReadEnvironmentVariablesProcFS) Requirements ¶
func (rule *R0008ReadEnvironmentVariablesProcFS) Requirements() ruleengine.RuleSpec
type R0009EbpfProgramLoad ¶
type R0009EbpfProgramLoad struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0009EbpfProgramLoad ¶
func CreateRuleR0009EbpfProgramLoad() *R0009EbpfProgramLoad
func (*R0009EbpfProgramLoad) DeleteRule ¶
func (rule *R0009EbpfProgramLoad) DeleteRule()
func (*R0009EbpfProgramLoad) ID ¶
func (rule *R0009EbpfProgramLoad) ID() string
func (*R0009EbpfProgramLoad) Name ¶
func (rule *R0009EbpfProgramLoad) Name() string
func (*R0009EbpfProgramLoad) ProcessEvent ¶
func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0009EbpfProgramLoad) Requirements ¶
func (rule *R0009EbpfProgramLoad) Requirements() ruleengine.RuleSpec
type R0010UnexpectedSensitiveFileAccess ¶
type R0010UnexpectedSensitiveFileAccess struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR0010UnexpectedSensitiveFileAccess ¶
func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFileAccess
func (*R0010UnexpectedSensitiveFileAccess) DeleteRule ¶
func (rule *R0010UnexpectedSensitiveFileAccess) DeleteRule()
func (*R0010UnexpectedSensitiveFileAccess) ID ¶
func (rule *R0010UnexpectedSensitiveFileAccess) ID() string
func (*R0010UnexpectedSensitiveFileAccess) Name ¶
func (rule *R0010UnexpectedSensitiveFileAccess) Name() string
func (*R0010UnexpectedSensitiveFileAccess) ProcessEvent ¶
func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R0010UnexpectedSensitiveFileAccess) Requirements ¶
func (rule *R0010UnexpectedSensitiveFileAccess) Requirements() ruleengine.RuleSpec
func (*R0010UnexpectedSensitiveFileAccess) SetParameters ¶
func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{})
type R1000ExecFromMaliciousSource ¶
type R1000ExecFromMaliciousSource struct {
BaseRule
}
func CreateRuleR1000ExecFromMaliciousSource ¶
func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource
func (*R1000ExecFromMaliciousSource) ID ¶
func (rule *R1000ExecFromMaliciousSource) ID() string
func (*R1000ExecFromMaliciousSource) Name ¶
func (rule *R1000ExecFromMaliciousSource) Name() string
func (*R1000ExecFromMaliciousSource) ProcessEvent ¶
func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1000ExecFromMaliciousSource) Requirements ¶
func (rule *R1000ExecFromMaliciousSource) Requirements() ruleengine.RuleSpec
type R1001ExecBinaryNotInBaseImage ¶
type R1001ExecBinaryNotInBaseImage struct {
BaseRule
}
func CreateRuleR1001ExecBinaryNotInBaseImage ¶
func CreateRuleR1001ExecBinaryNotInBaseImage() *R1001ExecBinaryNotInBaseImage
func (*R1001ExecBinaryNotInBaseImage) DeleteRule ¶
func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()
func (*R1001ExecBinaryNotInBaseImage) ID ¶
func (rule *R1001ExecBinaryNotInBaseImage) ID() string
func (*R1001ExecBinaryNotInBaseImage) Name ¶
func (rule *R1001ExecBinaryNotInBaseImage) Name() string
func (*R1001ExecBinaryNotInBaseImage) ProcessEvent ¶
func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1001ExecBinaryNotInBaseImage) Requirements ¶
func (rule *R1001ExecBinaryNotInBaseImage) Requirements() ruleengine.RuleSpec
type R1002LoadKernelModule ¶
type R1002LoadKernelModule struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1002LoadKernelModule ¶
func CreateRuleR1002LoadKernelModule() *R1002LoadKernelModule
func (*R1002LoadKernelModule) DeleteRule ¶
func (rule *R1002LoadKernelModule) DeleteRule()
func (*R1002LoadKernelModule) ID ¶
func (rule *R1002LoadKernelModule) ID() string
func (*R1002LoadKernelModule) Name ¶
func (rule *R1002LoadKernelModule) Name() string
func (*R1002LoadKernelModule) ProcessEvent ¶
func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1002LoadKernelModule) Requirements ¶
func (rule *R1002LoadKernelModule) Requirements() ruleengine.RuleSpec
type R1003MaliciousSSHConnection ¶
type R1003MaliciousSSHConnection struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1003MaliciousSSHConnection ¶
func CreateRuleR1003MaliciousSSHConnection() *R1003MaliciousSSHConnection
func (*R1003MaliciousSSHConnection) DeleteRule ¶
func (rule *R1003MaliciousSSHConnection) DeleteRule()
func (*R1003MaliciousSSHConnection) ID ¶
func (rule *R1003MaliciousSSHConnection) ID() string
func (*R1003MaliciousSSHConnection) Name ¶
func (rule *R1003MaliciousSSHConnection) Name() string
func (*R1003MaliciousSSHConnection) ProcessEvent ¶
func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1003MaliciousSSHConnection) Requirements ¶
func (rule *R1003MaliciousSSHConnection) Requirements() ruleengine.RuleSpec
func (*R1003MaliciousSSHConnection) SetParameters ¶
func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})
type R1004ExecFromMount ¶
type R1004ExecFromMount struct {
BaseRule
}
func CreateRuleR1004ExecFromMount ¶
func CreateRuleR1004ExecFromMount() *R1004ExecFromMount
func (*R1004ExecFromMount) DeleteRule ¶
func (rule *R1004ExecFromMount) DeleteRule()
func (*R1004ExecFromMount) ID ¶
func (rule *R1004ExecFromMount) ID() string
func (*R1004ExecFromMount) Name ¶
func (rule *R1004ExecFromMount) Name() string
func (*R1004ExecFromMount) ProcessEvent ¶
func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1004ExecFromMount) Requirements ¶
func (rule *R1004ExecFromMount) Requirements() ruleengine.RuleSpec
type R1005FilelessExecution ¶
type R1005FilelessExecution struct {
BaseRule
}
func CreateRuleR1005FilelessExecution ¶
func CreateRuleR1005FilelessExecution() *R1005FilelessExecution
func (*R1005FilelessExecution) DeleteRule ¶
func (rule *R1005FilelessExecution) DeleteRule()
func (*R1005FilelessExecution) ID ¶
func (rule *R1005FilelessExecution) ID() string
func (*R1005FilelessExecution) Name ¶
func (rule *R1005FilelessExecution) Name() string
func (*R1005FilelessExecution) ProcessEvent ¶
func (rule *R1005FilelessExecution) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1005FilelessExecution) Requirements ¶
func (rule *R1005FilelessExecution) Requirements() ruleengine.RuleSpec
type R1006UnshareSyscall ¶
type R1006UnshareSyscall struct { // contains filtered or unexported fields }
func CreateRuleR1006UnshareSyscall ¶
func CreateRuleR1006UnshareSyscall() *R1006UnshareSyscall
func (*R1006UnshareSyscall) DeleteRule ¶
func (rule *R1006UnshareSyscall) DeleteRule()
func (*R1006UnshareSyscall) ID ¶
func (rule *R1006UnshareSyscall) ID() string
func (*R1006UnshareSyscall) Name ¶
func (rule *R1006UnshareSyscall) Name() string
func (*R1006UnshareSyscall) ProcessEvent ¶
func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1006UnshareSyscall) Requirements ¶
func (rule *R1006UnshareSyscall) Requirements() ruleengine.RuleSpec
type R1007XMRCryptoMining ¶
type R1007XMRCryptoMining struct {
BaseRule
}
func CreateRuleR1007XMRCryptoMining ¶
func CreateRuleR1007XMRCryptoMining() *R1007XMRCryptoMining
func (*R1007XMRCryptoMining) DeleteRule ¶
func (rule *R1007XMRCryptoMining) DeleteRule()
func (*R1007XMRCryptoMining) ID ¶
func (rule *R1007XMRCryptoMining) ID() string
func (*R1007XMRCryptoMining) Name ¶
func (rule *R1007XMRCryptoMining) Name() string
func (*R1007XMRCryptoMining) ProcessEvent ¶
func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1007XMRCryptoMining) Requirements ¶
func (rule *R1007XMRCryptoMining) Requirements() ruleengine.RuleSpec
type R1008CryptoMiningDomainCommunication ¶
type R1008CryptoMiningDomainCommunication struct {
BaseRule
}
func CreateRuleR1008CryptoMiningDomainCommunication ¶
func CreateRuleR1008CryptoMiningDomainCommunication() *R1008CryptoMiningDomainCommunication
func (*R1008CryptoMiningDomainCommunication) DeleteRule ¶
func (rule *R1008CryptoMiningDomainCommunication) DeleteRule()
func (*R1008CryptoMiningDomainCommunication) ID ¶
func (rule *R1008CryptoMiningDomainCommunication) ID() string
func (*R1008CryptoMiningDomainCommunication) Name ¶
func (rule *R1008CryptoMiningDomainCommunication) Name() string
func (*R1008CryptoMiningDomainCommunication) ProcessEvent ¶
func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1008CryptoMiningDomainCommunication) Requirements ¶
func (rule *R1008CryptoMiningDomainCommunication) Requirements() ruleengine.RuleSpec
type R1009CryptoMiningRelatedPort ¶
type R1009CryptoMiningRelatedPort struct {
BaseRule
}
func CreateRuleR1009CryptoMiningRelatedPort ¶
func CreateRuleR1009CryptoMiningRelatedPort() *R1009CryptoMiningRelatedPort
func (*R1009CryptoMiningRelatedPort) DeleteRule ¶
func (rule *R1009CryptoMiningRelatedPort) DeleteRule()
func (*R1009CryptoMiningRelatedPort) ID ¶
func (rule *R1009CryptoMiningRelatedPort) ID() string
func (*R1009CryptoMiningRelatedPort) Name ¶
func (rule *R1009CryptoMiningRelatedPort) Name() string
func (*R1009CryptoMiningRelatedPort) ProcessEvent ¶
func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1009CryptoMiningRelatedPort) Requirements ¶
func (rule *R1009CryptoMiningRelatedPort) Requirements() ruleengine.RuleSpec
type R1010SymlinkCreatedOverSensitiveFile ¶
type R1010SymlinkCreatedOverSensitiveFile struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1010SymlinkCreatedOverSensitiveFile ¶
func CreateRuleR1010SymlinkCreatedOverSensitiveFile() *R1010SymlinkCreatedOverSensitiveFile
func (*R1010SymlinkCreatedOverSensitiveFile) DeleteRule ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule()
func (*R1010SymlinkCreatedOverSensitiveFile) ID ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) ID() string
func (*R1010SymlinkCreatedOverSensitiveFile) Name ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) Name() string
func (*R1010SymlinkCreatedOverSensitiveFile) ProcessEvent ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1010SymlinkCreatedOverSensitiveFile) Requirements ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec
func (*R1010SymlinkCreatedOverSensitiveFile) SetParameters ¶
func (rule *R1010SymlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})
type R1011LdPreloadHook ¶
type R1011LdPreloadHook struct {
BaseRule
}
func CreateRuleR1011LdPreloadHook ¶
func CreateRuleR1011LdPreloadHook() *R1011LdPreloadHook
func (*R1011LdPreloadHook) DeleteRule ¶
func (rule *R1011LdPreloadHook) DeleteRule()
func (*R1011LdPreloadHook) ID ¶
func (rule *R1011LdPreloadHook) ID() string
func (*R1011LdPreloadHook) Name ¶
func (rule *R1011LdPreloadHook) Name() string
func (*R1011LdPreloadHook) ProcessEvent ¶
func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1011LdPreloadHook) Requirements ¶
func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec
type R1012HardlinkCreatedOverSensitiveFile ¶
type R1012HardlinkCreatedOverSensitiveFile struct { BaseRule // contains filtered or unexported fields }
func CreateRuleR1012HardlinkCreatedOverSensitiveFile ¶
func CreateRuleR1012HardlinkCreatedOverSensitiveFile() *R1012HardlinkCreatedOverSensitiveFile
func (*R1012HardlinkCreatedOverSensitiveFile) DeleteRule ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule()
func (*R1012HardlinkCreatedOverSensitiveFile) ID ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) ID() string
func (*R1012HardlinkCreatedOverSensitiveFile) Name ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) Name() string
func (*R1012HardlinkCreatedOverSensitiveFile) ProcessEvent ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure
func (*R1012HardlinkCreatedOverSensitiveFile) Requirements ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec
func (*R1012HardlinkCreatedOverSensitiveFile) SetParameters ¶
func (rule *R1012HardlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})
type RuleCreatorImpl ¶
type RuleCreatorImpl struct {
// contains filtered or unexported fields
}
func NewRuleCreator ¶
func NewRuleCreator() *RuleCreatorImpl
func (*RuleCreatorImpl) CreateRuleByID ¶
func (r *RuleCreatorImpl) CreateRuleByID(id string) ruleengine.RuleEvaluator
func (*RuleCreatorImpl) CreateRuleByName ¶
func (r *RuleCreatorImpl) CreateRuleByName(name string) ruleengine.RuleEvaluator
func (*RuleCreatorImpl) CreateRulesByTags ¶
func (r *RuleCreatorImpl) CreateRulesByTags(tags []string) []ruleengine.RuleEvaluator
func (*RuleCreatorImpl) GetAllRuleDescriptors ¶
func (r *RuleCreatorImpl) GetAllRuleDescriptors() []RuleDescriptor
type RuleDescriptor ¶
type RuleDescriptor struct { // Rule ID ID string // Rule Name Name string // Rule Description Description string // Priority Priority int // Tags Tags []string // Rule requirements Requirements ruleengine.RuleSpec // Create a rule function RuleCreationFunc func() ruleengine.RuleEvaluator }
func (*RuleDescriptor) HasTags ¶
func (r *RuleDescriptor) HasTags(tags []string) bool
type RuleObjectCacheMock ¶
type RuleObjectCacheMock struct {
// contains filtered or unexported fields
}
func (*RuleObjectCacheMock) ApplicationProfileCache ¶
func (r *RuleObjectCacheMock) ApplicationProfileCache() objectcache.ApplicationProfileCache
func (*RuleObjectCacheMock) GetApiServerIpAddress ¶
func (r *RuleObjectCacheMock) GetApiServerIpAddress() string
func (*RuleObjectCacheMock) GetApplicationProfile ¶
func (r *RuleObjectCacheMock) GetApplicationProfile(string) *v1beta1.ApplicationProfile
func (*RuleObjectCacheMock) GetNetworkNeighborhood ¶
func (r *RuleObjectCacheMock) GetNetworkNeighborhood(string) *v1beta1.NetworkNeighborhood
func (*RuleObjectCacheMock) GetPodSpec ¶
func (r *RuleObjectCacheMock) GetPodSpec(_, _ string) *corev1.PodSpec
func (*RuleObjectCacheMock) GetPodStatus ¶
func (r *RuleObjectCacheMock) GetPodStatus(_, _ string) *corev1.PodStatus
func (*RuleObjectCacheMock) GetPods ¶
func (r *RuleObjectCacheMock) GetPods() []*corev1.Pod
func (*RuleObjectCacheMock) K8sObjectCache ¶
func (r *RuleObjectCacheMock) K8sObjectCache() objectcache.K8sObjectCache
func (*RuleObjectCacheMock) NetworkNeighborhoodCache ¶
func (r *RuleObjectCacheMock) NetworkNeighborhoodCache() objectcache.NetworkNeighborhoodCache
func (*RuleObjectCacheMock) SetApplicationProfile ¶
func (r *RuleObjectCacheMock) SetApplicationProfile(profile *v1beta1.ApplicationProfile)
func (*RuleObjectCacheMock) SetNetworkNeighborhood ¶
func (r *RuleObjectCacheMock) SetNetworkNeighborhood(nn *v1beta1.NetworkNeighborhood)
func (*RuleObjectCacheMock) SetPodSpec ¶
func (r *RuleObjectCacheMock) SetPodSpec(podSpec *corev1.PodSpec)
func (*RuleObjectCacheMock) SetPodStatus ¶
func (r *RuleObjectCacheMock) SetPodStatus(podStatus *corev1.PodStatus)
type RuleRequirements ¶
func (*RuleRequirements) RequiredEventTypes ¶
func (r *RuleRequirements) RequiredEventTypes() []utils.EventType
Event types required for the rule
Source Files ¶
- factory.go
- failureobj.go
- helpers.go
- mock.go
- r0001_unexpected_process_launched.go
- r0002_unexpected_file_access.go
- r0003_unexpected_system_call.go
- r0004_unexpected_capability_used.go
- r0005_unexpected_domain_request.go
- r0006_unexpected_service_account_token_access.go
- r0007_kubernetes_client_executed.go
- r0008_read_env_variables_procfs.go
- r0009_ebpf_program_load.go
- r0010_unexpected_sensitive_file_access.go
- r1000_exec_from_malicious_source.go
- r1001_exec_binary_not_in_base_image.go
- r1002_load_kernel_module.go
- r1003_malicious_ssh_connection.go
- r1004_exec_from_mount.go
- r1005_fileless_execution.go
- r1006_unshare_system_call.go
- r1007_xmr_crypto_mining.go
- r1008_crypto_mining_domain.go
- r1009_crypto_mining_port.go
- r1010_symlink_created_over_sensitive_file.go
- r1011_ld_preload_hook.go
- r1012_hardlink_created_over_sensitive_file.go
- rule.go
Click to show internal directories.
Click to hide internal directories.