ruleengine


README

ID Rule Description Tags Priority Application profile Parameters
R0001 Unexpected process launched Detecting exec calls that are not whitelisted by application profile [exec whitelisted] 10 true false
R0002 Unexpected file access Detecting file accesses that are not whitelisted by the application profile. A file access is defined by the combination of path and open flags. [open whitelisted] 5 true [ignoreMounts: bool ignorePrefixes: string[]]
R0003 Unexpected system call Detecting unexpected system calls that are not whitelisted by application profile. Every unexpected system call will be alerted only once. [syscall whitelisted] 5 true false
R0004 Unexpected capability used Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container. [capabilities whitelisted] 8 true false
R0005 Unexpected domain request Detecting unexpected domain requests that are not whitelisted by application profile. [dns whitelisted] 5 true false
R0006 Unexpected service account token access Detecting unexpected service account token access that are not whitelisted by application profile. [token malicious whitelisted] 8 true false
R0007 Kubernetes Client Executed Detecting execution of a Kubernetes client [exec malicious whitelisted] 10 false false
R1000 Exec from malicious source Detecting exec calls that are from malicious source like: /dev/shm, /run, /var/run, /proc/self [exec signature] 10 false false
R1001 Exec Binary Not In Base Image Detecting exec calls of binaries that are not included in the base image [exec malicious binary base image] 10 false false
R1002 Kernel Module Load Detecting Kernel Module Load. [syscall kernel module load] 10 false false
R1003 Malicious SSH Connection Detecting ssh connection to disallowed port [ssh connection port malicious] 8 false false
R1004 Exec from mount Detecting exec calls from mounted paths. [exec mount] 5 false false
R1006 Unshare System Call usage Detecting Unshare System Call usage. [syscall escape unshare] 8 false false
R1007 Crypto Miners Detecting Crypto Miners. [network crypto miners malicious dns] 8 false false

Note: this table lags the descriptors below. For example R0001 is listed here at priority 10 but is compiled with RulePriorityMed (5) in R0001UnexpectedProcessLaunchedRuleDescriptor, the tags shown for R1007 are those of R1008CryptoMiningDomainCommunicationRuleDescriptor, and rules R0008–R0010, R1005 and R1008–R1012 are not listed at all. The Go descriptors are the values compiled into the package; tune alerting on those rather than on this table.

Documentation


Constants

// R0001ID identifies the profile-based "unexpected process launched" rule;
// its event types and priority are declared in
// R0001UnexpectedProcessLaunchedRuleDescriptor.
const R0001ID = "R0001"

// R0001Name is the alert name emitted by rule R0001.
const R0001Name = "Unexpected process launched"
// R0002ID identifies the profile-based "unexpected file access" rule
// (see R0002UnexpectedFileAccessRuleDescriptor).
const R0002ID = "R0002"

// R0002Name is the alert name emitted by rule R0002.
const R0002Name = "Unexpected file access"
// R0003ID identifies the profile-based "unexpected system call" rule
// (see R0003UnexpectedSystemCallRuleDescriptor).
const R0003ID = "R0003"

// R0003Name is the alert name emitted by rule R0003.
const R0003Name = "Unexpected system call"
// R0004ID identifies the profile-based "unexpected capability used" rule
// (see R0004UnexpectedCapabilityUsedRuleDescriptor).
const R0004ID = "R0004"

// R0004Name is the alert name emitted by rule R0004.
const R0004Name = "Unexpected capability used"
// R0005ID identifies the profile-based "unexpected domain request" (DNS)
// rule (see R0005UnexpectedDomainRequestRuleDescriptor).
const R0005ID = "R0005"

// R0005Name is the alert name emitted by rule R0005.
const R0005Name = "Unexpected domain request"
// R0006ID identifies the "unexpected service account token access" rule
// (see R0006UnexpectedServiceAccountTokenAccessRuleDescriptor).
const R0006ID = "R0006"

// R0006Name is the alert name emitted by rule R0006. Note the title-case
// spelling differs from the README row for the same rule.
const R0006Name = "Unexpected Service Account Token Access"
// R0007ID identifies the "Kubernetes client executed" rule
// (see R0007KubernetesClientExecutedDescriptor).
const R0007ID = "R0007"

// R0007Name is the alert name emitted by rule R0007.
const R0007Name = "Kubernetes Client Executed"
// R0008ID identifies the "read environment variables from procfs" rule
// (see R0008ReadEnvironmentVariablesProcFSRuleDescriptor).
const R0008ID = "R0008"

// R0008Name is the alert name emitted by rule R0008.
const R0008Name = "Read Environment Variables from procfs"
// R0009ID identifies the "eBPF program load" rule
// (see R0009EbpfProgramLoadRuleDescriptor).
const R0009ID = "R0009"

// R0009Name is the alert name emitted by rule R0009.
const R0009Name = "eBPF Program Load"
// R0010ID identifies the "unexpected sensitive file access" rule
// (see R0010UnexpectedSensitiveFileAccessRuleDescriptor and SensitiveFiles).
const R0010ID = "R0010"

// R0010Name is the alert name emitted by rule R0010.
const R0010Name = "Unexpected Sensitive File Access"
// R1000ID identifies the signature rule "exec from malicious source"
// (see R1000ExecFromMaliciousSourceDescriptor). R1xxx rules are
// signature-based and do not depend on an application profile.
const R1000ID = "R1000"

// R1000Name is the alert name emitted by rule R1000.
const R1000Name = "Exec from malicious source"
// R1001ID identifies the "exec binary not in base image" rule
// (see R1001ExecBinaryNotInBaseImageRuleDescriptor).
const R1001ID = "R1001"

// R1001Name is the alert name emitted by rule R1001.
const R1001Name = "Exec Binary Not In Base Image"
// R1002ID identifies the "kernel module load" rule
// (see R1002LoadKernelModuleRuleDescriptor).
const R1002ID = "R1002"

// R1002Name is the alert name emitted by rule R1002.
const R1002Name = "Kernel Module Load"
// R1003ID identifies the "malicious SSH connection" rule
// (see R1003MaliciousSSHConnectionRuleDescriptor).
const R1003ID = "R1003"

// R1003Name is the alert name emitted by rule R1003.
const R1003Name = "Malicious SSH Connection"

// MaxTimeDiffInSeconds is an untyped integer used by R1003. The descriptor
// subscribes to both open and network events, so this is presumably the
// window within which an SSH-related file open and an outbound connection
// are correlated — TODO confirm in R1003MaliciousSSHConnection.ProcessEvent
// (and whether it is compared as seconds or converted to a time.Duration).
const MaxTimeDiffInSeconds = 2
// R1004ID identifies the "exec from mount" rule
// (see R1004ExecFromMountRuleDescriptor).
const R1004ID = "R1004"

// R1004Name is the alert name emitted by rule R1004.
const R1004Name = "Exec from mount"
// R1005ID identifies the "fileless execution" rule
// (see R1005FilelessExecutionRuleDescriptor).
const R1005ID = "R1005"

// R1005Name is the alert name emitted by rule R1005.
const R1005Name = "Fileless Execution"
// R1006ID identifies the "unshare system call usage" rule
// (see R1006UnshareSyscallRuleDescriptor).
const R1006ID = "R1006"

// R1006Name is the alert name emitted by rule R1006.
const R1006Name = "Unshare System Call usage"
// R1007ID identifies the RandomX-based crypto-mining rule
// (see R1007XMRCryptoMiningRuleDescriptor). The README still describes
// R1007 as a generic "Crypto Miners" DNS rule; the compiled name is below.
const R1007ID = "R1007"

// R1007Name is the alert name emitted by rule R1007.
const R1007Name = "XMR Crypto Mining Detection"
// R1008ID identifies the DNS-based crypto-mining rule
// (see R1008CryptoMiningDomainCommunicationRuleDescriptor).
const R1008ID = "R1008"

// R1008Name is the alert name emitted by rule R1008.
const R1008Name = "Crypto Mining Domain Communication"
// R1009ID identifies the port-based crypto-mining rule
// (see R1009CryptoMiningRelatedPortRuleDescriptor and
// CommonlyUsedCryptoMinersPorts).
const R1009ID = "R1009"

// R1009Name is the alert name emitted by rule R1009.
const R1009Name = "Crypto Mining Related Port Communication"
// R1010ID identifies the "symlink created over sensitive file" rule
// (see R1010SymlinkCreatedOverSensitiveFileRuleDescriptor).
const R1010ID = "R1010"

// R1010Name is the alert name emitted by rule R1010.
const R1010Name = "Symlink Created Over Sensitive File"
// R1011ID identifies the LD_PRELOAD hooking rule
// (see R1011LdPreloadHookRuleDescriptor and LD_PRELOAD_ENV_VARS).
const R1011ID = "R1011"

// R1011Name is the alert name emitted by rule R1011.
const R1011Name = "LD_PRELOAD Hook"

// LD_PRELOAD_FILE is the loader's system-wide preload list; a library named
// here is injected into every dynamically linked process, which is why a
// write to it is a persistence/hooking indicator. (Exported name kept as-is
// although Go style would be LdPreloadFile.)
const LD_PRELOAD_FILE = "/etc/ld.so.preload"

// JAVA_COMM is the process comm value "java", presumably used by R1011 to
// exempt JVMs, which legitimately set loader variables such as
// LD_LIBRARY_PATH. NOTE(review): if the exemption keys on comm alone, any
// binary renamed to "java" evades the rule — confirm in
// R1011LdPreloadHook.ProcessEvent.
const JAVA_COMM = "java"
// R1012ID identifies the "hardlink created over sensitive file" rule
// (see R1012HardlinkCreatedOverSensitiveFileRuleDescriptor).
const R1012ID = "R1012"

// R1012Name is the alert name emitted by rule R1012.
const R1012Name = "Hardlink Created Over Sensitive File"
// Rule priorities on a 0-10 scale, assigned through RuleDescriptor.Priority.
// Operators who route alerts by priority should read the value from the
// descriptor, not from the README table, which disagrees for several rules.
const (
	RulePriorityNone     = 0
	RulePriorityLow      = 1
	RulePriorityMed      = 5
	RulePriorityHigh     = 8
	RulePriorityCritical = 10
)

// RulePrioritySystemIssue sits deliberately outside the 0-10 scale; by its
// name it marks engine-level problems rather than workload findings (no use
// of it is visible in this listing).
const RulePrioritySystemIssue = 1000

Variables

// ContainerNotFound is the sentinel returned when an event refers to a
// container the engine has no record of. Compare with errors.Is. (Go
// convention would call this ErrContainerNotFound; the exported name is kept.)
var ContainerNotFound = errors.New("container not found")

// ProfileNotFound is the sentinel returned when no application profile exists
// for the workload; the profile-based R000x rules (tagged "whitelisted")
// depend on one.
var ProfileNotFound = errors.New("application profile not found")
// CommonlyUsedCryptoMinersPorts lists destination ports that, by name, R1009
// treats as mining-pool traffic (3333 in particular is a common stratum
// default). NOTE(review): two entries is a thin, easily evaded signal —
// miners are routinely pointed at 443/80 — which is consistent with R1009
// being RulePriorityLow; treat a hit as corroboration for R1007/R1008, not
// as proof on its own.
var CommonlyUsedCryptoMinersPorts = []uint16{3333, 45700}
// LD_PRELOAD_ENV_VARS are the dynamic-loader variables that R1011 presumably
// looks for in an execve's environment. LD_PRELOAD and LD_AUDIT inject a
// shared object into every dynamically linked process; LD_LIBRARY_PATH
// redirects library resolution and can achieve the same by shadowing.
// NOTE(review): LD_LIBRARY_PATH is also set legitimately by many runtimes
// (the JAVA_COMM exemption hints at this), so expect that entry to be the
// main source of noise.
var LD_PRELOAD_ENV_VARS = []string{
	"LD_PRELOAD",
	"LD_AUDIT",
	"LD_LIBRARY_PATH",
}
// R0001UnexpectedProcessLaunchedRuleDescriptor registers R0001, which flags
// execve events not covered by the workload's application profile. It is
// fed only execve events.
//
// NOTE(review): the README row lists this rule at priority 10, but the
// compiled value is RulePriorityMed (5); one of the two is stale.
var R0001UnexpectedProcessLaunchedRuleDescriptor = RuleDescriptor{
	ID:               R0001ID,
	Name:             R0001Name,
	Description:      "Detecting exec calls that are not whitelisted by application profile",
	Tags:             []string{"exec", "whitelisted"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0001UnexpectedProcessLaunched() },
}
// R0002UnexpectedFileAccessRuleDescriptor registers R0002, which flags an
// open() whose path+flags combination is absent from the application
// profile. It is fed only open events.
//
// NOTE(review): the README lists ignoreMounts/ignorePrefixes parameters for
// this rule (set through SetParameters). A broad ignorePrefixes entry such as
// "/" would silence the rule entirely, so parameter values deserve validation
// when the rule configuration is loaded — confirm in R0002UnexpectedFileAccess.
var R0002UnexpectedFileAccessRuleDescriptor = RuleDescriptor{
	ID:               R0002ID,
	Name:             R0002Name,
	Description:      "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags",
	Tags:             []string{"open", "whitelisted"},
	Priority:         RulePriorityLow, // README row says 5; the compiled value is 1
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.OpenEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0002UnexpectedFileAccess() },
}
// R0003UnexpectedSystemCallRuleDescriptor registers R0003, which flags
// system calls absent from the application profile. It is fed only syscall
// events. The README states each unexpected syscall is alerted once; that
// de-duplication is not visible here and must live in the rule itself.
var R0003UnexpectedSystemCallRuleDescriptor = RuleDescriptor{
	ID:               R0003ID,
	Name:             R0003Name,
	Description:      "Detecting unexpected system calls that are not whitelisted by application profile.",
	Tags:             []string{"syscall", "whitelisted"},
	Priority:         RulePriorityLow, // README row says 5; the compiled value is 1
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.SyscallEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0003UnexpectedSystemCall() },
}
// R0004UnexpectedCapabilityUsedRuleDescriptor registers R0004, which flags a
// Linux capability being exercised that the application profile does not
// list. It is fed only capabilities events. Per its description the alert is
// raised once per capability per container.
var R0004UnexpectedCapabilityUsedRuleDescriptor = RuleDescriptor{
	ID:               R0004ID,
	Name:             R0004Name,
	Description:      "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.",
	Tags:             []string{"capabilities", "whitelisted"},
	Priority:         RulePriorityMed, // README row says 8; the compiled value is 5
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.CapabilitiesEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0004UnexpectedCapabilityUsed() },
}
// R0005UnexpectedDomainRequestRuleDescriptor registers R0005, which flags DNS
// lookups for names absent from the application profile. It is fed only DNS
// events, so traffic to a raw IP (no lookup) is outside its view.
var R0005UnexpectedDomainRequestRuleDescriptor = RuleDescriptor{
	ID:               R0005ID,
	Name:             R0005Name,
	Description:      "Detecting unexpected domain requests that are not whitelisted by application profile.",
	Tags:             []string{"dns", "whitelisted"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.DnsEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0005UnexpectedDomainRequest() },
}
// R0006UnexpectedServiceAccountTokenAccessRuleDescriptor registers R0006,
// which flags an open() of the pod's service-account token that the
// application profile does not expect. Reading the token is the usual first
// step of lateral movement against the API server, hence RulePriorityHigh.
// It is fed only open events; the token path it matches is decided in the
// rule (presumably the projected serviceaccount mount — confirm there).
var R0006UnexpectedServiceAccountTokenAccessRuleDescriptor = RuleDescriptor{
	ID:               R0006ID,
	Name:             R0006Name,
	Description:      "Detecting unexpected access to service account token.",
	Tags:             []string{"token", "malicious", "whitelisted"},
	Priority:         RulePriorityHigh,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.OpenEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0006UnexpectedServiceAccountTokenAccess() },
}
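// R0007KubernetesClientExecutedDescriptor registers R0007, which flags a
// Kubernetes client being run inside the workload. It is fed execve and
// network events. Fixes the "exececution" typo in the user-facing
// description and orders the fields like the other descriptors
// (Tags before Priority).
//
// NOTE(review): the README row lists this rule at priority 10, but the
// compiled value is RulePriorityHigh (8).
var R0007KubernetesClientExecutedDescriptor = RuleDescriptor{
	ID:               R0007ID,
	Name:             R0007Name,
	Description:      "Detecting execution of kubernetes client",
	Tags:             []string{"exec", "malicious", "whitelisted"},
	Priority:         RulePriorityHigh,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType, utils.NetworkEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0007KubernetesClientExecuted() },
}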
// R0008ReadEnvironmentVariablesProcFSRuleDescriptor registers R0008, which
// flags reads of process environments through procfs. Secrets are commonly
// injected as environment variables, so /proc/<pid>/environ is a routine
// credential-harvesting target; the exact path match is made in the rule.
// It is fed only open events.
var R0008ReadEnvironmentVariablesProcFSRuleDescriptor = RuleDescriptor{
	ID:               R0008ID,
	Name:             R0008Name,
	Description:      "Detecting reading environment variables from procfs.",
	Tags:             []string{"env", "malicious", "whitelisted"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.OpenEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0008ReadEnvironmentVariablesProcFS() },
}
// R0009EbpfProgramLoadRuleDescriptor registers R0009, which flags an eBPF
// program being loaded from inside the workload. It is fed only syscall
// events.
//
// NOTE(review): a loaded eBPF program can tamper with or hide the very
// telemetry this engine depends on, which argues for a priority above
// RulePriorityMed; left unchanged here because the rule's own filtering
// (which syscalls/flags it counts) is not visible in this listing.
var R0009EbpfProgramLoadRuleDescriptor = RuleDescriptor{
	ID:               R0009ID,
	Name:             R0009Name,
	Description:      "Detecting eBPF program load.",
	Tags:             []string{"syscall", "ebpf"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.SyscallEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0009EbpfProgramLoad() },
}
// R0010UnexpectedSensitiveFileAccessRuleDescriptor registers R0010, which
// flags an open() of a sensitive path not expected by the application
// profile. It is fed only open events. By name the built-in path list is
// SensitiveFiles, and R0010UnexpectedSensitiveFileAccess.SetParameters
// exists — presumably to extend that list; confirm there.
var R0010UnexpectedSensitiveFileAccessRuleDescriptor = RuleDescriptor{
	ID:               R0010ID,
	Name:             R0010Name,
	Description:      "Detecting access to sensitive files.",
	Tags:             []string{"files", "malicious", "whitelisted"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.OpenEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR0010UnexpectedSensitiveFileAccess() },
}
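// R1000ExecFromMaliciousSourceDescriptor registers R1000, a signature rule
// that flags execve of a binary located under a path where legitimate
// executables do not live (tmpfs, procfs). It is fed only execve events and
// needs no application profile. Field order is aligned with the other
// descriptors (Tags before Priority).
//
// NOTE(review): the README row lists four source directories (/dev/shm,
// /run, /var/run, /proc/self) and priority 10; the compiled description
// names two and the priority is RulePriorityMed. The authoritative list is
// whatever R1000ExecFromMaliciousSource.ProcessEvent checks — reconcile
// both texts against it.
var R1000ExecFromMaliciousSourceDescriptor = RuleDescriptor{
	ID:               R1000ID,
	Name:             R1000Name,
	Description:      "Detecting exec calls that are from malicious source like: /dev/shm, /proc/self",
	Tags:             []string{"exec", "signature"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1000ExecFromMaliciousSource() },
}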
// R1001ExecBinaryNotInBaseImageRuleDescriptor registers R1001, which flags
// execve of a binary that was not shipped in the container image — i.e. one
// that was downloaded or written at runtime. It is fed only execve events.
// How "in the base image" is decided is not visible here.
var R1001ExecBinaryNotInBaseImageRuleDescriptor = RuleDescriptor{
	ID:               R1001ID,
	Name:             R1001Name,
	Description:      "Detecting exec calls of binaries that are not included in the base image",
	Tags:             []string{"exec", "malicious", "binary", "base image"},
	Priority:         RulePriorityHigh, // README row says 10; the compiled value is 8
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1001ExecBinaryNotInBaseImage() },
}
// R1002LoadKernelModuleRuleDescriptor registers R1002, which flags a kernel
// module being loaded from inside the workload. It is fed only syscall
// events; which syscalls count (presumably init_module/finit_module) is
// decided in the rule. A module load from a container implies CAP_SYS_MODULE
// and gives ring-0 control of the node, hence RulePriorityCritical.
var R1002LoadKernelModuleRuleDescriptor = RuleDescriptor{
	ID:               R1002ID,
	Name:             R1002Name,
	Description:      "Detecting Kernel Module Load.",
	Tags:             []string{"syscall", "kernel", "module", "load"},
	Priority:         RulePriorityCritical,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.SyscallEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1002LoadKernelModule() },
}
// R1003MaliciousSSHConnectionRuleDescriptor registers R1003, which flags an
// SSH connection to a port that is not allowed. It is fed open and network
// events, consistent with correlating an SSH-related file open (see
// SSHRelatedFiles) with an outbound connection inside MaxTimeDiffInSeconds;
// the allowed ports are presumably supplied through SetParameters. Confirm
// both in R1003MaliciousSSHConnection.
var R1003MaliciousSSHConnectionRuleDescriptor = RuleDescriptor{
	ID:               R1003ID,
	Name:             R1003Name,
	Description:      "Detecting ssh connection to disallowed port",
	Tags:             []string{"ssh", "connection", "port", "malicious"},
	Priority:         RulePriorityMed, // README row says 8; the compiled value is 5
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.OpenEventType, utils.NetworkEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1003MaliciousSSHConnection() },
}
// R1004ExecFromMountRuleDescriptor registers R1004, which flags execve of a
// binary that lives on a mounted volume rather than in the image. It is fed
// only execve events. Expect noise from workloads that intentionally run
// scripts from ConfigMap or hostPath mounts; the README lists no parameters
// to exempt them.
var R1004ExecFromMountRuleDescriptor = RuleDescriptor{
	ID:               R1004ID,
	Name:             R1004Name,
	Description:      "Detecting exec calls from mounted paths.",
	Tags:             []string{"exec", "mount"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1004ExecFromMount() },
}
// R1005FilelessExecutionRuleDescriptor registers R1005, which flags
// execution that does not go through a file on disk. It is fed only execve
// events; what qualifies as "fileless" (e.g. a memfd-backed executable) is
// decided in R1005FilelessExecution.ProcessEvent and is not visible here.
var R1005FilelessExecutionRuleDescriptor = RuleDescriptor{
	ID:               R1005ID,
	Name:             R1005Name,
	Description:      "Detecting Fileless Execution",
	Tags:             []string{"fileless", "execution"},
	Priority:         RulePriorityHigh,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1005FilelessExecution() },
}
// R1006UnshareSyscallRuleDescriptor registers R1006, which flags use of the
// unshare syscall — a common first step of namespace-based container
// escapes. It is fed only syscall events. Expect hits from legitimate
// nested-container tooling (buildkit, rootless runtimes) if such workloads
// are in scope.
var R1006UnshareSyscallRuleDescriptor = RuleDescriptor{
	ID:               R1006ID,
	Name:             R1006Name,
	Description:      "Detecting Unshare System Call usage, which can be used to escape container.",
	Tags:             []string{"syscall", "escape", "unshare"},
	Priority:         RulePriorityMed, // README row says 8; the compiled value is 5
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.SyscallEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1006UnshareSyscall() },
}
// R1007XMRCryptoMiningRuleDescriptor registers R1007, which flags Monero
// (XMR) mining by observing use of the RandomX proof-of-work algorithm. It
// is fed only RandomX events. Because this is a behavioural signal rather
// than a port or domain list it is far harder to evade than R1008/R1009,
// which justifies RulePriorityCritical.
var R1007XMRCryptoMiningRuleDescriptor = RuleDescriptor{
	ID:               R1007ID,
	Name:             R1007Name,
	Description:      "Detecting XMR Crypto Miners by randomx algorithm usage.",
	Tags:             []string{"crypto", "miners", "malicious"},
	Priority:         RulePriorityCritical,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.RandomXEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1007XMRCryptoMining() },
}
// R1008CryptoMiningDomainCommunicationRuleDescriptor registers R1008, which
// flags DNS lookups of known mining-pool domains. It is fed only DNS events,
// so miners configured with a pool IP (or resolving over DoH) are outside
// its view. The domain list lives in the rule and is not visible here.
var R1008CryptoMiningDomainCommunicationRuleDescriptor = RuleDescriptor{
	ID:               R1008ID,
	Name:             R1008Name,
	Description:      "Detecting Crypto miners communication by domain",
	Tags:             []string{"network", "crypto", "miners", "malicious", "dns"},
	Priority:         RulePriorityCritical,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.DnsEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1008CryptoMiningDomainCommunication() },
}
// R1009CryptoMiningRelatedPortRuleDescriptor registers R1009, which flags
// connections to ports associated with mining pools (by name,
// CommonlyUsedCryptoMinersPorts). It is fed only network events. Port
// matching is weak evidence and trivially evaded, which is consistent with
// RulePriorityLow; treat it as corroboration for R1007/R1008.
var R1009CryptoMiningRelatedPortRuleDescriptor = RuleDescriptor{
	ID:               R1009ID,
	Name:             R1009Name,
	Description:      "Detecting Crypto Miners by suspicious port usage.",
	Tags:             []string{"network", "crypto", "miners", "malicious"},
	Priority:         RulePriorityLow,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.NetworkEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1009CryptoMiningRelatedPort() },
}
// R1010SymlinkCreatedOverSensitiveFileRuleDescriptor registers R1010, which
// flags creation of a symlink whose target is a sensitive file. Linking a
// protected file under an innocuous path is a classic way to read or clobber
// it through a later, less-scrutinised access. It is fed only symlink
// events; the target list is presumably SensitiveFiles (confirm in the rule).
var R1010SymlinkCreatedOverSensitiveFileRuleDescriptor = RuleDescriptor{
	ID:               R1010ID,
	Name:             R1010Name,
	Description:      "Detecting symlink creation over sensitive files.",
	Tags:             []string{"files", "malicious"},
	Priority:         RulePriorityHigh,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.SymlinkEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1010SymlinkCreatedOverSensitiveFile() },
}
// R1011LdPreloadHookRuleDescriptor registers R1011, which flags dynamic-loader
// hooking: an execve carrying one of LD_PRELOAD_ENV_VARS, or an open of
// LD_PRELOAD_FILE (which is why it subscribes to both execve and open
// events). See the JAVA_COMM note for the exemption and its evasion risk.
var R1011LdPreloadHookRuleDescriptor = RuleDescriptor{
	ID:               R1011ID,
	Name:             R1011Name,
	Description:      "Detecting ld_preload hook techniques.",
	Tags:             []string{"exec", "malicious"},
	Priority:         RulePriorityMed,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.ExecveEventType, utils.OpenEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1011LdPreloadHook() },
}
// R1012HardlinkCreatedOverSensitiveFileRuleDescriptor registers R1012, the
// hardlink counterpart of R1010: a new directory entry for a sensitive file
// that survives the original being replaced and bypasses path-based checks.
// It is fed only hardlink events; the target list is presumably
// SensitiveFiles (confirm in the rule).
var R1012HardlinkCreatedOverSensitiveFileRuleDescriptor = RuleDescriptor{
	ID:               R1012ID,
	Name:             R1012Name,
	Description:      "Detecting hardlink creation over sensitive files.",
	Tags:             []string{"files", "malicious"},
	Priority:         RulePriorityHigh,
	Requirements:     &RuleRequirements{EventTypes: []utils.EventType{utils.HardlinkEventType}},
	RuleCreationFunc: func() ruleengine.RuleEvaluator { return CreateRuleR1012HardlinkCreatedOverSensitiveFile() },
}
// SSHRelatedFiles lists the base names that IsSSHConfigFile (and, by its
// event types, R1003) treat as SSH configuration or key material. Entries
// are bare names, so matching presumably keys on the final path component
// rather than a full path — confirm in IsSSHConfigFile; if so, an id_rsa
// dropped in /tmp counts as well, which is the desired behaviour for
// credential-theft detection.
//
// NOTE(review): FIDO/U2F key files (id_ecdsa_sk, id_ed25519_sk) and
// certificate files (*-cert.pub) are not covered.
var SSHRelatedFiles = []string{
	// client/server configuration
	"ssh_config", "sshd_config", "ssh_known_hosts", "ssh_known_hosts2",
	"ssh_config.d", "sshd_config.d", ".ssh",
	// trust and host-key databases
	"authorized_keys", "authorized_keys2", "known_hosts", "known_hosts2",
	// identity key pairs
	"id_rsa", "id_rsa.pub", "id_dsa", "id_dsa.pub", "id_ecdsa", "id_ecdsa.pub",
	"id_ed25519", "id_ed25519.pub", "id_xmss", "id_xmss.pub",
}
// SensitiveFiles is the built-in set of paths an application is not expected
// to open. By name it is the default for R0010 (Unexpected Sensitive File
// Access), which SetParameters can presumably extend — confirm in that rule.
// "/etc/pam.d" is a directory, so matching is presumably by prefix rather
// than exact path.
//
// NOTE(review): /etc/gshadow, /etc/sudoers.d and /etc/security are
// comparable targets not listed here.
var SensitiveFiles = []string{
	"/etc/shadow", "/etc/passwd", "/etc/sudoers",
	"/etc/ssh/sshd_config", "/etc/ssh/ssh_config",
	"/etc/pam.d", "/etc/group",
}

SensitiveFiles is the built-in list of paths that an application is not expected to access; an unexpected open of one of them is presumably what R0010 (Unexpected Sensitive File Access) reports.

Functions

func IsSSHConfigFile

func IsSSHConfigFile(path string) bool

Types

type BaseRule

type BaseRule struct {
	// contains filtered or unexported fields
}

func (*BaseRule) GetParameters

func (br *BaseRule) GetParameters() map[string]interface{}

func (*BaseRule) SetParameters

func (br *BaseRule) SetParameters(parameters map[string]interface{})

type GenericRuleFailure

// GenericRuleFailure is the RuleFailure value the rules in this package
// return when they fire. It bundles the alert metadata, the process tree
// of the offender, the raw triggering event and the Kubernetes context;
// each field is exposed through the Get*/Set* methods below, and
// SetWorkloadDetails fills in the workload description.
type GenericRuleFailure struct {
	BaseRuntimeAlert       apitypes.BaseRuntimeAlert
	RuntimeProcessDetails  apitypes.ProcessTree
	TriggerEvent           igtypes.Event
	RuleAlert              apitypes.RuleAlert
	RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails
	RuleID                 string // the R-number of the rule that fired, e.g. "R1002"
}

func (*GenericRuleFailure) GetBaseRuntimeAlert

func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert

func (*GenericRuleFailure) GetRuleAlert

func (rule *GenericRuleFailure) GetRuleAlert() apitypes.RuleAlert

func (*GenericRuleFailure) GetRuleId

func (rule *GenericRuleFailure) GetRuleId() string

func (*GenericRuleFailure) GetRuntimeAlertK8sDetails

func (rule *GenericRuleFailure) GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails

func (*GenericRuleFailure) GetRuntimeProcessDetails

func (rule *GenericRuleFailure) GetRuntimeProcessDetails() apitypes.ProcessTree

func (*GenericRuleFailure) GetTriggerEvent

func (rule *GenericRuleFailure) GetTriggerEvent() igtypes.Event

func (*GenericRuleFailure) SetBaseRuntimeAlert

func (rule *GenericRuleFailure) SetBaseRuntimeAlert(baseRuntimeAlert apitypes.BaseRuntimeAlert)

func (*GenericRuleFailure) SetRuleAlert

func (rule *GenericRuleFailure) SetRuleAlert(ruleAlert apitypes.RuleAlert)

func (*GenericRuleFailure) SetRuntimeAlertK8sDetails

func (rule *GenericRuleFailure) SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails)

func (*GenericRuleFailure) SetRuntimeProcessDetails

func (rule *GenericRuleFailure) SetRuntimeProcessDetails(runtimeProcessDetails apitypes.ProcessTree)

func (*GenericRuleFailure) SetTriggerEvent

func (rule *GenericRuleFailure) SetTriggerEvent(triggerEvent igtypes.Event)

func (*GenericRuleFailure) SetWorkloadDetails

func (rule *GenericRuleFailure) SetWorkloadDetails(workloadDetails string)

type R0001UnexpectedProcessLaunched

type R0001UnexpectedProcessLaunched struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0001UnexpectedProcessLaunched

func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched

func (*R0001UnexpectedProcessLaunched) ID

func (*R0001UnexpectedProcessLaunched) Name

func (*R0001UnexpectedProcessLaunched) ProcessEvent

func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0001UnexpectedProcessLaunched) Requirements

func (rule *R0001UnexpectedProcessLaunched) Requirements() ruleengine.RuleSpec

func (*R0001UnexpectedProcessLaunched) SetParameters

func (rule *R0001UnexpectedProcessLaunched) SetParameters(params map[string]interface{})

type R0002UnexpectedFileAccess

type R0002UnexpectedFileAccess struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0002UnexpectedFileAccess

func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess

func (*R0002UnexpectedFileAccess) DeleteRule

func (rule *R0002UnexpectedFileAccess) DeleteRule()

func (*R0002UnexpectedFileAccess) ID

func (rule *R0002UnexpectedFileAccess) ID() string

func (*R0002UnexpectedFileAccess) Name

func (rule *R0002UnexpectedFileAccess) Name() string

func (*R0002UnexpectedFileAccess) ProcessEvent

func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0002UnexpectedFileAccess) Requirements

func (rule *R0002UnexpectedFileAccess) Requirements() ruleengine.RuleSpec

func (*R0002UnexpectedFileAccess) SetParameters

func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})

type R0003UnexpectedSystemCall

type R0003UnexpectedSystemCall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0003UnexpectedSystemCall

func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall

func (*R0003UnexpectedSystemCall) DeleteRule

func (rule *R0003UnexpectedSystemCall) DeleteRule()

func (*R0003UnexpectedSystemCall) ID

func (rule *R0003UnexpectedSystemCall) ID() string

func (*R0003UnexpectedSystemCall) Name

func (rule *R0003UnexpectedSystemCall) Name() string

func (*R0003UnexpectedSystemCall) ProcessEvent

func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0003UnexpectedSystemCall) Requirements

func (rule *R0003UnexpectedSystemCall) Requirements() ruleengine.RuleSpec

type R0004UnexpectedCapabilityUsed

// R0004UnexpectedCapabilityUsed evaluates capabilities events against the
// application profile (see R0004UnexpectedCapabilityUsedRuleDescriptor).
// It carries no state of its own beyond BaseRule's parameters.
type R0004UnexpectedCapabilityUsed struct {
	BaseRule
}

func CreateRuleR0004UnexpectedCapabilityUsed

func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed

func (*R0004UnexpectedCapabilityUsed) DeleteRule

func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()

func (*R0004UnexpectedCapabilityUsed) ID

func (*R0004UnexpectedCapabilityUsed) Name

func (*R0004UnexpectedCapabilityUsed) ProcessEvent

func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0004UnexpectedCapabilityUsed) Requirements

func (rule *R0004UnexpectedCapabilityUsed) Requirements() ruleengine.RuleSpec

type R0005UnexpectedDomainRequest

// R0005UnexpectedDomainRequest evaluates DNS events against the application
// profile (see R0005UnexpectedDomainRequestRuleDescriptor). It carries no
// state of its own beyond BaseRule's parameters.
type R0005UnexpectedDomainRequest struct {
	BaseRule
}

func CreateRuleR0005UnexpectedDomainRequest

func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest

func (*R0005UnexpectedDomainRequest) DeleteRule

func (rule *R0005UnexpectedDomainRequest) DeleteRule()

func (*R0005UnexpectedDomainRequest) ID

func (*R0005UnexpectedDomainRequest) Name

func (rule *R0005UnexpectedDomainRequest) Name() string

func (*R0005UnexpectedDomainRequest) ProcessEvent

func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0005UnexpectedDomainRequest) Requirements

func (rule *R0005UnexpectedDomainRequest) Requirements() ruleengine.RuleSpec

type R0006UnexpectedServiceAccountTokenAccess

// R0006UnexpectedServiceAccountTokenAccess evaluates open events for
// unexpected reads of the service-account token (see
// R0006UnexpectedServiceAccountTokenAccessRuleDescriptor). It carries no
// state of its own beyond BaseRule's parameters.
type R0006UnexpectedServiceAccountTokenAccess struct {
	BaseRule
}

func CreateRuleR0006UnexpectedServiceAccountTokenAccess

func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess

func (*R0006UnexpectedServiceAccountTokenAccess) DeleteRule

func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()

func (*R0006UnexpectedServiceAccountTokenAccess) ID

func (*R0006UnexpectedServiceAccountTokenAccess) Name

func (*R0006UnexpectedServiceAccountTokenAccess) ProcessEvent

func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0006UnexpectedServiceAccountTokenAccess) Requirements

type R0007KubernetesClientExecuted

// R0007KubernetesClientExecuted evaluates execve and network events for a
// Kubernetes client being run in the workload (see
// R0007KubernetesClientExecutedDescriptor). It carries no state of its own
// beyond BaseRule's parameters.
type R0007KubernetesClientExecuted struct {
	BaseRule
}

func CreateRuleR0007KubernetesClientExecuted

func CreateRuleR0007KubernetesClientExecuted() *R0007KubernetesClientExecuted

func (*R0007KubernetesClientExecuted) DeleteRule

func (rule *R0007KubernetesClientExecuted) DeleteRule()

func (*R0007KubernetesClientExecuted) ID

func (*R0007KubernetesClientExecuted) Name

func (*R0007KubernetesClientExecuted) ProcessEvent

func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0007KubernetesClientExecuted) Requirements

func (rule *R0007KubernetesClientExecuted) Requirements() ruleengine.RuleSpec

type R0008ReadEnvironmentVariablesProcFS

// R0008ReadEnvironmentVariablesProcFS evaluates open events for reads of
// process environments via procfs (see
// R0008ReadEnvironmentVariablesProcFSRuleDescriptor). It carries no state
// of its own beyond BaseRule's parameters.
type R0008ReadEnvironmentVariablesProcFS struct {
	BaseRule
}

func CreateRuleR0008ReadEnvironmentVariablesProcFS

func CreateRuleR0008ReadEnvironmentVariablesProcFS() *R0008ReadEnvironmentVariablesProcFS

func (*R0008ReadEnvironmentVariablesProcFS) DeleteRule

func (rule *R0008ReadEnvironmentVariablesProcFS) DeleteRule()

func (*R0008ReadEnvironmentVariablesProcFS) ID

func (*R0008ReadEnvironmentVariablesProcFS) Name

func (*R0008ReadEnvironmentVariablesProcFS) ProcessEvent

func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0008ReadEnvironmentVariablesProcFS) Requirements

type R0009EbpfProgramLoad

type R0009EbpfProgramLoad struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0009EbpfProgramLoad

func CreateRuleR0009EbpfProgramLoad() *R0009EbpfProgramLoad

func (*R0009EbpfProgramLoad) DeleteRule

func (rule *R0009EbpfProgramLoad) DeleteRule()

func (*R0009EbpfProgramLoad) ID

func (rule *R0009EbpfProgramLoad) ID() string

func (*R0009EbpfProgramLoad) Name

func (rule *R0009EbpfProgramLoad) Name() string

func (*R0009EbpfProgramLoad) ProcessEvent

func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0009EbpfProgramLoad) Requirements

func (rule *R0009EbpfProgramLoad) Requirements() ruleengine.RuleSpec

type R0010UnexpectedSensitiveFileAccess

type R0010UnexpectedSensitiveFileAccess struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0010UnexpectedSensitiveFileAccess

func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFileAccess

func (*R0010UnexpectedSensitiveFileAccess) DeleteRule

func (rule *R0010UnexpectedSensitiveFileAccess) DeleteRule()

func (*R0010UnexpectedSensitiveFileAccess) ID

func (*R0010UnexpectedSensitiveFileAccess) Name

func (*R0010UnexpectedSensitiveFileAccess) ProcessEvent

func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0010UnexpectedSensitiveFileAccess) Requirements

func (*R0010UnexpectedSensitiveFileAccess) SetParameters

func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{})

type R1000ExecFromMaliciousSource

// R1000ExecFromMaliciousSource evaluates execve events for binaries run from
// suspicious source directories (see R1000ExecFromMaliciousSourceDescriptor).
// Its ProcessEvent ignores the object cache, so the rule is purely
// signature-based and needs no application profile.
type R1000ExecFromMaliciousSource struct {
	BaseRule
}

func CreateRuleR1000ExecFromMaliciousSource

func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource

func (*R1000ExecFromMaliciousSource) ID

func (*R1000ExecFromMaliciousSource) Name

func (rule *R1000ExecFromMaliciousSource) Name() string

func (*R1000ExecFromMaliciousSource) ProcessEvent

func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1000ExecFromMaliciousSource) Requirements

func (rule *R1000ExecFromMaliciousSource) Requirements() ruleengine.RuleSpec

type R1001ExecBinaryNotInBaseImage

// R1001ExecBinaryNotInBaseImage evaluates execve events for binaries that
// were not part of the container image (see
// R1001ExecBinaryNotInBaseImageRuleDescriptor). It carries no state of its
// own beyond BaseRule's parameters.
type R1001ExecBinaryNotInBaseImage struct {
	BaseRule
}

func CreateRuleR1001ExecBinaryNotInBaseImage

func CreateRuleR1001ExecBinaryNotInBaseImage() *R1001ExecBinaryNotInBaseImage

func (*R1001ExecBinaryNotInBaseImage) DeleteRule

func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()

func (*R1001ExecBinaryNotInBaseImage) ID

func (*R1001ExecBinaryNotInBaseImage) Name

func (*R1001ExecBinaryNotInBaseImage) ProcessEvent

func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1001ExecBinaryNotInBaseImage) Requirements

func (rule *R1001ExecBinaryNotInBaseImage) Requirements() ruleengine.RuleSpec

type R1002LoadKernelModule

type R1002LoadKernelModule struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1002LoadKernelModule

func CreateRuleR1002LoadKernelModule() *R1002LoadKernelModule

func (*R1002LoadKernelModule) DeleteRule

func (rule *R1002LoadKernelModule) DeleteRule()

func (*R1002LoadKernelModule) ID

func (rule *R1002LoadKernelModule) ID() string

func (*R1002LoadKernelModule) Name

func (rule *R1002LoadKernelModule) Name() string

func (*R1002LoadKernelModule) ProcessEvent

func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1002LoadKernelModule) Requirements

func (rule *R1002LoadKernelModule) Requirements() ruleengine.RuleSpec

type R1003MaliciousSSHConnection

type R1003MaliciousSSHConnection struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1003MaliciousSSHConnection

func CreateRuleR1003MaliciousSSHConnection() *R1003MaliciousSSHConnection

func (*R1003MaliciousSSHConnection) DeleteRule

func (rule *R1003MaliciousSSHConnection) DeleteRule()

func (*R1003MaliciousSSHConnection) ID

func (*R1003MaliciousSSHConnection) Name

func (rule *R1003MaliciousSSHConnection) Name() string

func (*R1003MaliciousSSHConnection) ProcessEvent

func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1003MaliciousSSHConnection) Requirements

func (rule *R1003MaliciousSSHConnection) Requirements() ruleengine.RuleSpec

func (*R1003MaliciousSSHConnection) SetParameters

func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})

type R1004ExecFromMount

// R1004ExecFromMount evaluates execve events for binaries run from mounted
// paths (see R1004ExecFromMountRuleDescriptor). It carries no state of its
// own beyond BaseRule's parameters.
type R1004ExecFromMount struct {
	BaseRule
}

func CreateRuleR1004ExecFromMount

func CreateRuleR1004ExecFromMount() *R1004ExecFromMount

func (*R1004ExecFromMount) DeleteRule

func (rule *R1004ExecFromMount) DeleteRule()

func (*R1004ExecFromMount) ID

func (rule *R1004ExecFromMount) ID() string

func (*R1004ExecFromMount) Name

func (rule *R1004ExecFromMount) Name() string

func (*R1004ExecFromMount) ProcessEvent

func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1004ExecFromMount) Requirements

func (rule *R1004ExecFromMount) Requirements() ruleengine.RuleSpec

type R1005FilelessExecution

// R1005FilelessExecution evaluates execve events for execution that does not
// go through a file on disk (see R1005FilelessExecutionRuleDescriptor). Its
// ProcessEvent ignores the object cache, so the rule needs no application
// profile.
type R1005FilelessExecution struct {
	BaseRule
}

func CreateRuleR1005FilelessExecution

func CreateRuleR1005FilelessExecution() *R1005FilelessExecution

func (*R1005FilelessExecution) DeleteRule

func (rule *R1005FilelessExecution) DeleteRule()

func (*R1005FilelessExecution) ID

func (rule *R1005FilelessExecution) ID() string

func (*R1005FilelessExecution) Name

func (rule *R1005FilelessExecution) Name() string

func (*R1005FilelessExecution) ProcessEvent

func (rule *R1005FilelessExecution) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1005FilelessExecution) Requirements

func (rule *R1005FilelessExecution) Requirements() ruleengine.RuleSpec

type R1006UnshareSyscall

// R1006UnshareSyscall is a rule type built on BaseRule that keeps unexported
// state. ProcessEvent receives an objectcache.ObjectCache (objCache). No
// SetParameters is listed, so the unexported fields are presumably internal
// bookkeeping rather than user-supplied configuration — confirm in the source.
type R1006UnshareSyscall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1006UnshareSyscall

func CreateRuleR1006UnshareSyscall() *R1006UnshareSyscall

func (*R1006UnshareSyscall) DeleteRule

func (rule *R1006UnshareSyscall) DeleteRule()

func (*R1006UnshareSyscall) ID

func (rule *R1006UnshareSyscall) ID() string

func (*R1006UnshareSyscall) Name

func (rule *R1006UnshareSyscall) Name() string

func (*R1006UnshareSyscall) ProcessEvent

func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1006UnshareSyscall) Requirements

func (rule *R1006UnshareSyscall) Requirements() ruleengine.RuleSpec

type R1007XMRCryptoMining

// R1007XMRCryptoMining is a rule type built on BaseRule with no state of its
// own. Its ProcessEvent discards the objectcache.ObjectCache argument (`_`),
// so it evaluates the event alone; no SetParameters is listed.
type R1007XMRCryptoMining struct {
	BaseRule
}

func CreateRuleR1007XMRCryptoMining

func CreateRuleR1007XMRCryptoMining() *R1007XMRCryptoMining

func (*R1007XMRCryptoMining) DeleteRule

func (rule *R1007XMRCryptoMining) DeleteRule()

func (*R1007XMRCryptoMining) ID

func (rule *R1007XMRCryptoMining) ID() string

func (*R1007XMRCryptoMining) Name

func (rule *R1007XMRCryptoMining) Name() string

func (*R1007XMRCryptoMining) ProcessEvent

func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1007XMRCryptoMining) Requirements

func (rule *R1007XMRCryptoMining) Requirements() ruleengine.RuleSpec

type R1008CryptoMiningDomainCommunication

// R1008CryptoMiningDomainCommunication is a rule type built on BaseRule with no
// state of its own. Its ProcessEvent discards the objectcache.ObjectCache
// argument (`_`); no SetParameters is listed.
type R1008CryptoMiningDomainCommunication struct {
	BaseRule
}

func CreateRuleR1008CryptoMiningDomainCommunication

func CreateRuleR1008CryptoMiningDomainCommunication() *R1008CryptoMiningDomainCommunication

func (*R1008CryptoMiningDomainCommunication) DeleteRule

func (rule *R1008CryptoMiningDomainCommunication) DeleteRule()

func (*R1008CryptoMiningDomainCommunication) ID

func (*R1008CryptoMiningDomainCommunication) Name

func (*R1008CryptoMiningDomainCommunication) ProcessEvent

func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1008CryptoMiningDomainCommunication) Requirements

type R1009CryptoMiningRelatedPort

// R1009CryptoMiningRelatedPort is a rule type built on BaseRule with no state
// of its own. Its ProcessEvent discards the objectcache.ObjectCache argument
// (`_`), so it evaluates the event alone; no SetParameters is listed.
type R1009CryptoMiningRelatedPort struct {
	BaseRule
}

func CreateRuleR1009CryptoMiningRelatedPort

func CreateRuleR1009CryptoMiningRelatedPort() *R1009CryptoMiningRelatedPort

func (*R1009CryptoMiningRelatedPort) DeleteRule

func (rule *R1009CryptoMiningRelatedPort) DeleteRule()

func (*R1009CryptoMiningRelatedPort) ID

func (*R1009CryptoMiningRelatedPort) Name

func (rule *R1009CryptoMiningRelatedPort) Name() string

func (*R1009CryptoMiningRelatedPort) ProcessEvent

func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType, event interface{}, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1009CryptoMiningRelatedPort) Requirements

func (rule *R1009CryptoMiningRelatedPort) Requirements() ruleengine.RuleSpec

type R1010SymlinkCreatedOverSensitiveFile

// R1010SymlinkCreatedOverSensitiveFile is a rule type built on BaseRule that
// keeps unexported settings; SetParameters (below) fills them from a
// map[string]interface{} whose keys are not visible in this listing.
// ProcessEvent receives an objectcache.ObjectCache (objCache).
type R1010SymlinkCreatedOverSensitiveFile struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1010SymlinkCreatedOverSensitiveFile

func CreateRuleR1010SymlinkCreatedOverSensitiveFile() *R1010SymlinkCreatedOverSensitiveFile

func (*R1010SymlinkCreatedOverSensitiveFile) DeleteRule

func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule()

func (*R1010SymlinkCreatedOverSensitiveFile) ID

func (*R1010SymlinkCreatedOverSensitiveFile) Name

func (*R1010SymlinkCreatedOverSensitiveFile) ProcessEvent

func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1010SymlinkCreatedOverSensitiveFile) Requirements

func (*R1010SymlinkCreatedOverSensitiveFile) SetParameters

func (rule *R1010SymlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})

type R1011LdPreloadHook

// R1011LdPreloadHook is a rule type built on BaseRule with no state of its own.
// ProcessEvent receives an objectcache.ObjectCache (objectCache); no
// SetParameters is listed, so the rule is not tunable at runtime.
type R1011LdPreloadHook struct {
	BaseRule
}

func CreateRuleR1011LdPreloadHook

func CreateRuleR1011LdPreloadHook() *R1011LdPreloadHook

func (*R1011LdPreloadHook) DeleteRule

func (rule *R1011LdPreloadHook) DeleteRule()

func (*R1011LdPreloadHook) ID

func (rule *R1011LdPreloadHook) ID() string

func (*R1011LdPreloadHook) Name

func (rule *R1011LdPreloadHook) Name() string

func (*R1011LdPreloadHook) ProcessEvent

func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event interface{}, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1011LdPreloadHook) Requirements

func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec

type R1012HardlinkCreatedOverSensitiveFile

// R1012HardlinkCreatedOverSensitiveFile is a rule type built on BaseRule that
// keeps unexported settings; SetParameters (below) fills them from a
// map[string]interface{} whose keys are not visible in this listing.
// ProcessEvent receives an objectcache.ObjectCache (objCache).
type R1012HardlinkCreatedOverSensitiveFile struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1012HardlinkCreatedOverSensitiveFile

func CreateRuleR1012HardlinkCreatedOverSensitiveFile() *R1012HardlinkCreatedOverSensitiveFile

func (*R1012HardlinkCreatedOverSensitiveFile) DeleteRule

func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule()

func (*R1012HardlinkCreatedOverSensitiveFile) ID

func (*R1012HardlinkCreatedOverSensitiveFile) Name

func (*R1012HardlinkCreatedOverSensitiveFile) ProcessEvent

func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event interface{}, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1012HardlinkCreatedOverSensitiveFile) Requirements

func (*R1012HardlinkCreatedOverSensitiveFile) SetParameters

func (rule *R1012HardlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})

type RuleCreatorImpl

// RuleCreatorImpl instantiates rule evaluators. Obtain one with NewRuleCreator;
// the zero value's unexported fields are not initialised. Rules are created by
// ID (CreateRuleByID), by name (CreateRuleByName) or by tag set
// (CreateRulesByTags), and GetAllRuleDescriptors exposes the catalogue.
type RuleCreatorImpl struct {
	// contains filtered or unexported fields
}

func NewRuleCreator

func NewRuleCreator() *RuleCreatorImpl

func (*RuleCreatorImpl) CreateRuleByID

func (r *RuleCreatorImpl) CreateRuleByID(id string) ruleengine.RuleEvaluator

func (*RuleCreatorImpl) CreateRuleByName

func (r *RuleCreatorImpl) CreateRuleByName(name string) ruleengine.RuleEvaluator

func (*RuleCreatorImpl) CreateRulesByTags

func (r *RuleCreatorImpl) CreateRulesByTags(tags []string) []ruleengine.RuleEvaluator

func (*RuleCreatorImpl) GetAllRuleDescriptors

func (r *RuleCreatorImpl) GetAllRuleDescriptors() []RuleDescriptor

type RuleDescriptor

// RuleDescriptor is the catalogue entry for one rule: its identity, metadata,
// the events it needs, and a factory for fresh evaluator instances. It is what
// RuleCreatorImpl.GetAllRuleDescriptors returns.
type RuleDescriptor struct {
	// ID is the rule's identifier string (the "R…" value returned by the
	// rule's ID method); CreateRuleByID looks rules up by it.
	ID string
	// Name is the human-readable rule name; CreateRuleByName looks rules up by it.
	Name string
	// Description explains what the rule detects.
	Description int
	// Priority is the rule's severity ordering; higher values are presumably
	// more severe — confirm against the consumer of this field.
	Priority int
	// Tags classify the rule; HasTags and CreateRulesByTags select on them.
	Tags []string
	// Requirements declares the event types the rule must be fed.
	Requirements ruleengine.RuleSpec
	// RuleCreationFunc returns a new evaluator. NOTE(review): it should return a
	// fresh instance on every call so that stateful rules (those with unexported
	// fields and SetParameters) do not share state across callers — confirm.
	RuleCreationFunc func() ruleengine.RuleEvaluator
}

func (*RuleDescriptor) HasTags

func (r *RuleDescriptor) HasTags(tags []string) bool

type RuleObjectCacheMock

// RuleObjectCacheMock is a test double for objectcache.ObjectCache. Its Set*
// methods (SetApplicationProfile, SetNetworkNeighborhood, SetPodSpec,
// SetPodStatus) store values in unexported fields that the corresponding Get*
// and *Cache accessors are presumably backed by — confirm in the source. The
// Get* methods ignore their string arguments (`_, _ string`), so the mock does
// not key results by namespace/name.
type RuleObjectCacheMock struct {
	// contains filtered or unexported fields
}

func (*RuleObjectCacheMock) ApplicationProfileCache

func (r *RuleObjectCacheMock) ApplicationProfileCache() objectcache.ApplicationProfileCache

func (*RuleObjectCacheMock) GetApiServerIpAddress

func (r *RuleObjectCacheMock) GetApiServerIpAddress() string

func (*RuleObjectCacheMock) GetApplicationProfile

func (r *RuleObjectCacheMock) GetApplicationProfile(string) *v1beta1.ApplicationProfile

func (*RuleObjectCacheMock) GetNetworkNeighborhood

func (r *RuleObjectCacheMock) GetNetworkNeighborhood(string) *v1beta1.NetworkNeighborhood

func (*RuleObjectCacheMock) GetPodSpec

func (r *RuleObjectCacheMock) GetPodSpec(_, _ string) *corev1.PodSpec

func (*RuleObjectCacheMock) GetPodStatus

func (r *RuleObjectCacheMock) GetPodStatus(_, _ string) *corev1.PodStatus

func (*RuleObjectCacheMock) GetPods

func (r *RuleObjectCacheMock) GetPods() []*corev1.Pod

func (*RuleObjectCacheMock) K8sObjectCache

func (r *RuleObjectCacheMock) K8sObjectCache() objectcache.K8sObjectCache

func (*RuleObjectCacheMock) NetworkNeighborhoodCache

func (r *RuleObjectCacheMock) NetworkNeighborhoodCache() objectcache.NetworkNeighborhoodCache

func (*RuleObjectCacheMock) SetApplicationProfile

func (r *RuleObjectCacheMock) SetApplicationProfile(profile *v1beta1.ApplicationProfile)

func (*RuleObjectCacheMock) SetNetworkNeighborhood

func (r *RuleObjectCacheMock) SetNetworkNeighborhood(nn *v1beta1.NetworkNeighborhood)

func (*RuleObjectCacheMock) SetPodSpec

func (r *RuleObjectCacheMock) SetPodSpec(podSpec *corev1.PodSpec)

func (*RuleObjectCacheMock) SetPodStatus

func (r *RuleObjectCacheMock) SetPodStatus(podStatus *corev1.PodStatus)

type RuleRequirements

// RuleRequirements is a plain implementation of a rule's event requirements.
type RuleRequirements struct {
	// EventTypes lists the event types the rule must receive; RequiredEventTypes
	// exposes this list.
	EventTypes []utils.EventType
}

func (*RuleRequirements) RequiredEventTypes

func (r *RuleRequirements) RequiredEventTypes() []utils.EventType

Returns the event types the rule requires.
