ruleengine

package
v0.2.210 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 19, 2024 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	R0001ID   = "R0001"
	R0001Name = "Unexpected process launched"
)
View Source 
const (
	R0002ID   = "R0002"
	R0002Name = "Unexpected file access"
)
View Source 
const (
	R0003ID   = "R0003"
	R0003Name = "Unexpected system call"
)
View Source 
const (
	R0004ID   = "R0004"
	R0004Name = "Unexpected capability used"
)
View Source 
const (
	R0005ID   = "R0005"
	R0005Name = "Unexpected domain request"
)
View Source 
const (
	R0006ID   = "R0006"
	R0006Name = "Unexpected Service Account Token Access"
)
View Source 
const (
	R0007ID   = "R0007"
	R0007Name = "Kubernetes Client Executed"
)
View Source 
const (
	R0008ID   = "R0008"
	R0008Name = "Read Environment Variables from procfs"
)
View Source 
const (
	R0009ID   = "R0009"
	R0009Name = "eBPF Program Load"
)
View Source 
const (
	R0010ID   = "R0010"
	R0010Name = "Unexpected Sensitive File Access"
)
View Source 
const (
	R0011ID   = "R0011"
	R0011Name = "Unexpected Egress Network Traffic"
)
View Source 
const (
	R1000ID   = "R1000"
	R1000Name = "Exec from malicious source"
)
View Source 
const (
	R1001ID   = "R1001"
	R1001Name = "Exec Binary Not In Base Image"
)
View Source 
const (
	R1002ID   = "R1002"
	R1002Name = "Kernel Module Load"
)
View Source 
const (
	R1003ID   = "R1003"
	R1003Name = "Malicious SSH Connection"
)
View Source 
const (
	R1004ID   = "R1004"
	R1004Name = "Exec from mount"
)
View Source 
const (
	R1005ID   = "R1005"
	R1005Name = "Fileless Execution"
)
View Source 
const (
	R1006ID   = "R1006"
	R1006Name = "Unshare System Call usage"
)
View Source 
const (
	R1007ID   = "R1007"
	R1007Name = "XMR Crypto Mining Detection"
)
View Source 
const (
	R1008ID   = "R1008"
	R1008Name = "Crypto Mining Domain Communication"
)
View Source 
const (
	R1009ID   = "R1009"
	R1009Name = "Crypto Mining Related Port Communication"
)
View Source 
const (
	R1010ID   = "R1010"
	R1010Name = "Symlink Created Over Sensitive File"
)
View Source 
const (
	R1011ID         = "R1011"
	R1011Name       = "LD_PRELOAD Hook"
	LD_PRELOAD_FILE = "/etc/ld.so.preload"
	JAVA_COMM       = "java"
)
View Source 
const (
	R1012ID   = "R1012"
	R1012Name = "Hardlink Created Over Sensitive File"
)
View Source 
const (
	R1015ID   = "R1015"
	R1015Name = "Malicious Ptrace Usage"
)
View Source 
const (
	RulePriorityNone        = 0
	RulePriorityLow         = 1
	RulePriorityMed         = 5
	RulePriorityHigh        = 8
	RulePriorityCritical    = 10
	RulePrioritySystemIssue = 1000
)

Variables

View Source 
var (
	ContainerNotFound = errors.New("container not found")
	ProfileNotFound   = errors.New("application profile not found")
)
View Source 
var CommonlyUsedCryptoMinersPorts = []uint16{
	3333,
	45700,
}
View Source 
var LD_PRELOAD_ENV_VARS = []string{"LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH"}
View Source 
var R0001UnexpectedProcessLaunchedRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0001ID,
	Name:        R0001Name,
	Description: "Detecting exec calls that are not whitelisted by application profile",
	Tags:        []string{"exec", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.ExecveEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0001UnexpectedProcessLaunched()
	},
}
View Source 
var R0002UnexpectedFileAccessRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0002ID,
	Name:        R0002Name,
	Description: "Detecting file access that are not whitelisted by application profile. File access is defined by the combination of path and flags",
	Tags:        []string{"open", "whitelisted"},
	Priority:    RulePriorityLow,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.OpenEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0002UnexpectedFileAccess()
	},
}
View Source 
var R0003UnexpectedSystemCallRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0003ID,
	Name:        R0003Name,
	Description: "Detecting unexpected system calls that are not whitelisted by application profile.",
	Tags:        []string{"syscall", "whitelisted"},
	Priority:    RulePriorityLow,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.SyscallEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0003UnexpectedSystemCall()
	},
}
View Source 
var R0004UnexpectedCapabilityUsedRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0004ID,
	Name:        R0004Name,
	Description: "Detecting unexpected capabilities that are not whitelisted by application profile. Every unexpected capability is identified in context of a syscall and will be alerted only once per container.",
	Tags:        []string{"capabilities", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.CapabilitiesEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0004UnexpectedCapabilityUsed()
	},
}
View Source 
var R0005UnexpectedDomainRequestRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0005ID,
	Name:        R0005Name,
	Description: "Detecting unexpected domain requests that are not whitelisted by application profile.",
	Tags:        []string{"dns", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.DnsEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0005UnexpectedDomainRequest()
	},
}
View Source 
var R0006UnexpectedServiceAccountTokenAccessRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0006ID,
	Name:        R0006Name,
	Description: "Detecting unexpected access to service account token.",
	Tags:        []string{"token", "malicious", "security", "kubernetes"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.OpenEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0006UnexpectedServiceAccountTokenAccess()
	},
}
View Source 
var R0007KubernetesClientExecutedDescriptor = ruleengine.RuleDescriptor{
	ID:          R0007ID,
	Name:        R0007Name,
	Description: "Detecting exececution of kubernetes client",
	Priority:    RulePriorityHigh,
	Tags:        []string{"exec", "malicious", "whitelisted"},
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.ExecveEventType, utils.NetworkEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0007KubernetesClientExecuted()
	},
}
View Source 
var R0008ReadEnvironmentVariablesProcFSRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0008ID,
	Name:        R0008Name,
	Description: "Detecting reading environment variables from procfs.",
	Tags:        []string{"env", "malicious", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.OpenEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0008ReadEnvironmentVariablesProcFS()
	},
}
View Source 
var R0009EbpfProgramLoadRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0009ID,
	Name:        R0009Name,
	Description: "Detecting eBPF program load.",
	Tags:        []string{"syscall", "ebpf"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.SyscallEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0009EbpfProgramLoad()
	},
}
View Source 
var R0010UnexpectedSensitiveFileAccessRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0010ID,
	Name:        R0010Name,
	Description: "Detecting access to sensitive files.",
	Tags:        []string{"files", "malicious", "whitelisted"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.OpenEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0010UnexpectedSensitiveFileAccess()
	},
}
View Source 
var R0011UnexpectedEgressNetworkTrafficRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R0011ID,
	Name:        R0011Name,
	Description: "Detecting unexpected egress network traffic that is not whitelisted by application profile.",
	Tags:        []string{"dns", "whitelisted", "network"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.NetworkEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR0011UnexpectedEgressNetworkTraffic()
	},
}
View Source 
var R1000ExecFromMaliciousSourceDescriptor = ruleengine.RuleDescriptor{
	ID:          R1000ID,
	Name:        R1000Name,
	Description: "Detecting exec calls that are from malicious source like: /dev/shm, /proc/self",
	Priority:    RulePriorityMed,
	Tags:        []string{"exec", "signature"},
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.ExecveEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1000ExecFromMaliciousSource()
	},
}
View Source 
var R1001ExecBinaryNotInBaseImageRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1001ID,
	Name:        R1001Name,
	Description: "Detecting exec calls of binaries that are not included in the base image",
	Tags:        []string{"exec", "malicious", "binary", "base image"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.ExecveEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1001ExecBinaryNotInBaseImage()
	},
}
View Source 
var R1002LoadKernelModuleRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1002ID,
	Name:        R1002Name,
	Description: "Detecting Kernel Module Load.",
	Tags:        []string{"syscall", "kernel", "module", "load"},
	Priority:    RulePriorityCritical,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.SyscallEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1002LoadKernelModule()
	},
}
View Source 
var R1003MaliciousSSHConnectionRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1003ID,
	Name:        R1003Name,
	Description: "Detecting ssh connection to disallowed port",
	Tags:        []string{"ssh", "connection", "port", "malicious"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.SSHEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1003MaliciousSSHConnection()
	},
}
View Source 
var R1004ExecFromMountRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1004ID,
	Name:        R1004Name,
	Description: "Detecting exec calls from mounted paths.",
	Tags:        []string{"exec", "mount"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{utils.ExecveEventType},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1004ExecFromMount()
	},
}
View Source 
var R1005FilelessExecutionRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1005ID,
	Name:        R1005Name,
	Description: "Detecting Fileless Execution",
	Tags:        []string{"fileless", "execution"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.ExecveEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1005FilelessExecution()
	},
}
View Source 
var R1006UnshareSyscallRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1006ID,
	Name:        R1006Name,
	Description: "Detecting Unshare System Call usage, which can be used to escape container.",
	Tags:        []string{"syscall", "escape", "unshare"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.SyscallEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1006UnshareSyscall()
	},
}
View Source 
var R1007XMRCryptoMiningRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1007ID,
	Name:        R1007Name,
	Description: "Detecting XMR Crypto Miners by randomx algorithm usage.",
	Tags:        []string{"crypto", "miners", "malicious"},
	Priority:    RulePriorityCritical,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.RandomXEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1007XMRCryptoMining()
	},
}
View Source 
var R1008CryptoMiningDomainCommunicationRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1008ID,
	Name:        R1008Name,
	Description: "Detecting Crypto miners communication by domain",
	Tags:        []string{"network", "crypto", "miners", "malicious", "dns"},
	Priority:    RulePriorityCritical,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.DnsEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1008CryptoMiningDomainCommunication()
	},
}
View Source 
var R1009CryptoMiningRelatedPortRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1009ID,
	Name:        R1009Name,
	Description: "Detecting Crypto Miners by suspicious port usage.",
	Tags:        []string{"network", "crypto", "miners", "malicious"},
	Priority:    RulePriorityLow,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.NetworkEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1009CryptoMiningRelatedPort()
	},
}
View Source 
var R1010SymlinkCreatedOverSensitiveFileRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1010ID,
	Name:        R1010Name,
	Description: "Detecting symlink creation over sensitive files.",
	Tags:        []string{"files", "malicious"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.SymlinkEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1010SymlinkCreatedOverSensitiveFile()
	},
}
View Source 
var R1011LdPreloadHookRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1011ID,
	Name:        R1011Name,
	Description: "Detecting ld_preload hook techniques.",
	Tags:        []string{"exec", "malicious"},
	Priority:    RulePriorityMed,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.ExecveEventType,
			utils.OpenEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1011LdPreloadHook()
	},
}
View Source 
var R1012HardlinkCreatedOverSensitiveFileRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1012ID,
	Name:        R1012Name,
	Description: "Detecting hardlink creation over sensitive files.",
	Tags:        []string{"files", "malicious"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.HardlinkEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1012HardlinkCreatedOverSensitiveFile()
	},
}
View Source 
var R1015MaliciousPtraceUsageRuleDescriptor = ruleengine.RuleDescriptor{
	ID:          R1015ID,
	Name:        R1015Name,
	Description: "Detecting potentially malicious ptrace usage.",
	Tags:        []string{"process", "malicious"},
	Priority:    RulePriorityHigh,
	Requirements: &RuleRequirements{
		EventTypes: []utils.EventType{
			utils.PtraceEventType,
		},
	},
	RuleCreationFunc: func() ruleengine.RuleEvaluator {
		return CreateRuleR1015MaliciousPtraceUsage()
	},
}
View Source 
var SensitiveFiles = []string{
	"/etc/shadow",
	"/etc/sudoers",
	"/etc/ssh/sshd_config",
	"/etc/ssh/ssh_config",
	"/etc/pam.d",
}

SensitiveFiles is a list of sensitive files that should not be accessed by the application unexpectedly.

Functions

func GetLdHookVar added in v0.2.178 

func GetLdHookVar(envVars map[string]string) (string, bool)

func ReadPortRange added in v0.2.133 

func ReadPortRange() ([2]uint16, error)

ReadPortRange reads the two port numbers from /proc/sys/net/ipv4/ip_local_port_range

Types

type BaseRule 

type BaseRule struct {
	// contains filtered or unexported fields
}

func (*BaseRule) GetParameters 

func (br *BaseRule) GetParameters() map[string]interface{}

func (*BaseRule) SetParameters 

func (br *BaseRule) SetParameters(parameters map[string]interface{})

type GenericRuleFailure 

type GenericRuleFailure struct {
	BaseRuntimeAlert       apitypes.BaseRuntimeAlert
	RuntimeProcessDetails  apitypes.ProcessTree
	TriggerEvent           igtypes.Event
	RuleAlert              apitypes.RuleAlert
	RuntimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails
	RuleID                 string
	Extra                  interface{}
	CloudServices          []string
}

func (*GenericRuleFailure) GetBaseRuntimeAlert 

func (rule *GenericRuleFailure) GetBaseRuntimeAlert() apitypes.BaseRuntimeAlert

func (*GenericRuleFailure) GetCloudServices added in v0.2.197 

func (rule *GenericRuleFailure) GetCloudServices() []string

func (*GenericRuleFailure) GetExtra added in v0.2.197 

func (rule *GenericRuleFailure) GetExtra() interface{}

func (*GenericRuleFailure) GetRuleAlert 

func (rule *GenericRuleFailure) GetRuleAlert() apitypes.RuleAlert

func (*GenericRuleFailure) GetRuleId 

func (rule *GenericRuleFailure) GetRuleId() string

func (*GenericRuleFailure) GetRuntimeAlertK8sDetails 

func (rule *GenericRuleFailure) GetRuntimeAlertK8sDetails() apitypes.RuntimeAlertK8sDetails

func (*GenericRuleFailure) GetRuntimeProcessDetails 

func (rule *GenericRuleFailure) GetRuntimeProcessDetails() apitypes.ProcessTree

func (*GenericRuleFailure) GetTriggerEvent 

func (rule *GenericRuleFailure) GetTriggerEvent() igtypes.Event

func (*GenericRuleFailure) SetBaseRuntimeAlert 

func (rule *GenericRuleFailure) SetBaseRuntimeAlert(baseRuntimeAlert apitypes.BaseRuntimeAlert)

func (*GenericRuleFailure) SetCloudServices added in v0.2.197 

func (rule *GenericRuleFailure) SetCloudServices(cloudServices []string)

func (*GenericRuleFailure) SetRuleAlert 

func (rule *GenericRuleFailure) SetRuleAlert(ruleAlert apitypes.RuleAlert)

func (*GenericRuleFailure) SetRuntimeAlertK8sDetails 

func (rule *GenericRuleFailure) SetRuntimeAlertK8sDetails(runtimeAlertK8sDetails apitypes.RuntimeAlertK8sDetails)

func (*GenericRuleFailure) SetRuntimeProcessDetails 

func (rule *GenericRuleFailure) SetRuntimeProcessDetails(runtimeProcessDetails apitypes.ProcessTree)

func (*GenericRuleFailure) SetTriggerEvent 

func (rule *GenericRuleFailure) SetTriggerEvent(triggerEvent igtypes.Event)

func (*GenericRuleFailure) SetWorkloadDetails 

func (rule *GenericRuleFailure) SetWorkloadDetails(workloadDetails string)

type R0001UnexpectedProcessLaunched 

type R0001UnexpectedProcessLaunched struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0001UnexpectedProcessLaunched 

func CreateRuleR0001UnexpectedProcessLaunched() *R0001UnexpectedProcessLaunched

func (*R0001UnexpectedProcessLaunched) ID 

func (rule *R0001UnexpectedProcessLaunched) ID() string

func (*R0001UnexpectedProcessLaunched) Name 

func (rule *R0001UnexpectedProcessLaunched) Name() string

func (*R0001UnexpectedProcessLaunched) ProcessEvent 

func (rule *R0001UnexpectedProcessLaunched) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0001UnexpectedProcessLaunched) Requirements 

func (rule *R0001UnexpectedProcessLaunched) Requirements() ruleengine.RuleSpec

func (*R0001UnexpectedProcessLaunched) SetParameters 

func (rule *R0001UnexpectedProcessLaunched) SetParameters(params map[string]interface{})

type R0002UnexpectedFileAccess 

type R0002UnexpectedFileAccess struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0002UnexpectedFileAccess 

func CreateRuleR0002UnexpectedFileAccess() *R0002UnexpectedFileAccess

func (*R0002UnexpectedFileAccess) DeleteRule 

func (rule *R0002UnexpectedFileAccess) DeleteRule()

func (*R0002UnexpectedFileAccess) ID 

func (rule *R0002UnexpectedFileAccess) ID() string

func (*R0002UnexpectedFileAccess) Name 

func (rule *R0002UnexpectedFileAccess) Name() string

func (*R0002UnexpectedFileAccess) ProcessEvent 

func (rule *R0002UnexpectedFileAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0002UnexpectedFileAccess) Requirements 

func (rule *R0002UnexpectedFileAccess) Requirements() ruleengine.RuleSpec

func (*R0002UnexpectedFileAccess) SetParameters 

func (rule *R0002UnexpectedFileAccess) SetParameters(parameters map[string]interface{})

type R0003UnexpectedSystemCall 

type R0003UnexpectedSystemCall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0003UnexpectedSystemCall 

func CreateRuleR0003UnexpectedSystemCall() *R0003UnexpectedSystemCall

func (*R0003UnexpectedSystemCall) DeleteRule 

func (rule *R0003UnexpectedSystemCall) DeleteRule()

func (*R0003UnexpectedSystemCall) ID 

func (rule *R0003UnexpectedSystemCall) ID() string

func (*R0003UnexpectedSystemCall) Name 

func (rule *R0003UnexpectedSystemCall) Name() string

func (*R0003UnexpectedSystemCall) ProcessEvent 

func (rule *R0003UnexpectedSystemCall) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0003UnexpectedSystemCall) Requirements 

func (rule *R0003UnexpectedSystemCall) Requirements() ruleengine.RuleSpec

type R0004UnexpectedCapabilityUsed 

type R0004UnexpectedCapabilityUsed struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0004UnexpectedCapabilityUsed 

func CreateRuleR0004UnexpectedCapabilityUsed() *R0004UnexpectedCapabilityUsed

func (*R0004UnexpectedCapabilityUsed) DeleteRule 

func (rule *R0004UnexpectedCapabilityUsed) DeleteRule()

func (*R0004UnexpectedCapabilityUsed) ID 

func (rule *R0004UnexpectedCapabilityUsed) ID() string

func (*R0004UnexpectedCapabilityUsed) Name 

func (rule *R0004UnexpectedCapabilityUsed) Name() string

func (*R0004UnexpectedCapabilityUsed) ProcessEvent 

func (rule *R0004UnexpectedCapabilityUsed) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0004UnexpectedCapabilityUsed) Requirements 

func (rule *R0004UnexpectedCapabilityUsed) Requirements() ruleengine.RuleSpec

type R0005UnexpectedDomainRequest 

type R0005UnexpectedDomainRequest struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0005UnexpectedDomainRequest 

func CreateRuleR0005UnexpectedDomainRequest() *R0005UnexpectedDomainRequest

func (*R0005UnexpectedDomainRequest) DeleteRule 

func (rule *R0005UnexpectedDomainRequest) DeleteRule()

func (*R0005UnexpectedDomainRequest) ID 

func (rule *R0005UnexpectedDomainRequest) ID() string

func (*R0005UnexpectedDomainRequest) Name 

func (rule *R0005UnexpectedDomainRequest) Name() string

func (*R0005UnexpectedDomainRequest) ProcessEvent 

func (rule *R0005UnexpectedDomainRequest) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0005UnexpectedDomainRequest) Requirements 

func (rule *R0005UnexpectedDomainRequest) Requirements() ruleengine.RuleSpec

type R0006UnexpectedServiceAccountTokenAccess 

type R0006UnexpectedServiceAccountTokenAccess struct {
	BaseRule
}

func CreateRuleR0006UnexpectedServiceAccountTokenAccess 

func CreateRuleR0006UnexpectedServiceAccountTokenAccess() *R0006UnexpectedServiceAccountTokenAccess

func (*R0006UnexpectedServiceAccountTokenAccess) DeleteRule 

func (rule *R0006UnexpectedServiceAccountTokenAccess) DeleteRule()

func (*R0006UnexpectedServiceAccountTokenAccess) ID 

func (rule *R0006UnexpectedServiceAccountTokenAccess) ID() string

func (*R0006UnexpectedServiceAccountTokenAccess) Name 

func (rule *R0006UnexpectedServiceAccountTokenAccess) Name() string

func (*R0006UnexpectedServiceAccountTokenAccess) ProcessEvent 

func (rule *R0006UnexpectedServiceAccountTokenAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0006UnexpectedServiceAccountTokenAccess) Requirements 

func (rule *R0006UnexpectedServiceAccountTokenAccess) Requirements() ruleengine.RuleSpec

type R0007KubernetesClientExecuted 

type R0007KubernetesClientExecuted struct {
	BaseRule
}

func CreateRuleR0007KubernetesClientExecuted 

func CreateRuleR0007KubernetesClientExecuted() *R0007KubernetesClientExecuted

func (*R0007KubernetesClientExecuted) DeleteRule 

func (rule *R0007KubernetesClientExecuted) DeleteRule()

func (*R0007KubernetesClientExecuted) ID 

func (rule *R0007KubernetesClientExecuted) ID() string

func (*R0007KubernetesClientExecuted) Name 

func (rule *R0007KubernetesClientExecuted) Name() string

func (*R0007KubernetesClientExecuted) ProcessEvent 

func (rule *R0007KubernetesClientExecuted) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0007KubernetesClientExecuted) Requirements 

func (rule *R0007KubernetesClientExecuted) Requirements() ruleengine.RuleSpec

type R0008ReadEnvironmentVariablesProcFS 

type R0008ReadEnvironmentVariablesProcFS struct {
	BaseRule
}

func CreateRuleR0008ReadEnvironmentVariablesProcFS 

func CreateRuleR0008ReadEnvironmentVariablesProcFS() *R0008ReadEnvironmentVariablesProcFS

func (*R0008ReadEnvironmentVariablesProcFS) DeleteRule 

func (rule *R0008ReadEnvironmentVariablesProcFS) DeleteRule()

func (*R0008ReadEnvironmentVariablesProcFS) ID 

func (rule *R0008ReadEnvironmentVariablesProcFS) ID() string

func (*R0008ReadEnvironmentVariablesProcFS) Name 

func (rule *R0008ReadEnvironmentVariablesProcFS) Name() string

func (*R0008ReadEnvironmentVariablesProcFS) ProcessEvent 

func (rule *R0008ReadEnvironmentVariablesProcFS) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0008ReadEnvironmentVariablesProcFS) Requirements 

func (rule *R0008ReadEnvironmentVariablesProcFS) Requirements() ruleengine.RuleSpec

type R0009EbpfProgramLoad 

type R0009EbpfProgramLoad struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0009EbpfProgramLoad 

func CreateRuleR0009EbpfProgramLoad() *R0009EbpfProgramLoad

func (*R0009EbpfProgramLoad) DeleteRule 

func (rule *R0009EbpfProgramLoad) DeleteRule()

func (*R0009EbpfProgramLoad) ID 

func (rule *R0009EbpfProgramLoad) ID() string

func (*R0009EbpfProgramLoad) Name 

func (rule *R0009EbpfProgramLoad) Name() string

func (*R0009EbpfProgramLoad) ProcessEvent 

func (rule *R0009EbpfProgramLoad) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0009EbpfProgramLoad) Requirements 

func (rule *R0009EbpfProgramLoad) Requirements() ruleengine.RuleSpec

type R0010UnexpectedSensitiveFileAccess 

type R0010UnexpectedSensitiveFileAccess struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0010UnexpectedSensitiveFileAccess 

func CreateRuleR0010UnexpectedSensitiveFileAccess() *R0010UnexpectedSensitiveFileAccess

func (*R0010UnexpectedSensitiveFileAccess) DeleteRule 

func (rule *R0010UnexpectedSensitiveFileAccess) DeleteRule()

func (*R0010UnexpectedSensitiveFileAccess) ID 

func (rule *R0010UnexpectedSensitiveFileAccess) ID() string

func (*R0010UnexpectedSensitiveFileAccess) Name 

func (rule *R0010UnexpectedSensitiveFileAccess) Name() string

func (*R0010UnexpectedSensitiveFileAccess) ProcessEvent 

func (rule *R0010UnexpectedSensitiveFileAccess) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0010UnexpectedSensitiveFileAccess) Requirements 

func (rule *R0010UnexpectedSensitiveFileAccess) Requirements() ruleengine.RuleSpec

func (*R0010UnexpectedSensitiveFileAccess) SetParameters 

func (rule *R0010UnexpectedSensitiveFileAccess) SetParameters(parameters map[string]interface{})

type R0011UnexpectedEgressNetworkTraffic added in v0.2.128 

type R0011UnexpectedEgressNetworkTraffic struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR0011UnexpectedEgressNetworkTraffic added in v0.2.128 

func CreateRuleR0011UnexpectedEgressNetworkTraffic() *R0011UnexpectedEgressNetworkTraffic

func (*R0011UnexpectedEgressNetworkTraffic) DeleteRule added in v0.2.128 

func (rule *R0011UnexpectedEgressNetworkTraffic) DeleteRule()

func (*R0011UnexpectedEgressNetworkTraffic) ID added in v0.2.128 

func (rule *R0011UnexpectedEgressNetworkTraffic) ID() string

func (*R0011UnexpectedEgressNetworkTraffic) Name added in v0.2.128 

func (rule *R0011UnexpectedEgressNetworkTraffic) Name() string

func (*R0011UnexpectedEgressNetworkTraffic) ProcessEvent added in v0.2.128 

func (rule *R0011UnexpectedEgressNetworkTraffic) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R0011UnexpectedEgressNetworkTraffic) Requirements added in v0.2.128 

func (rule *R0011UnexpectedEgressNetworkTraffic) Requirements() ruleengine.RuleSpec

type R1000ExecFromMaliciousSource 

type R1000ExecFromMaliciousSource struct {
	BaseRule
}

func CreateRuleR1000ExecFromMaliciousSource 

func CreateRuleR1000ExecFromMaliciousSource() *R1000ExecFromMaliciousSource

func (*R1000ExecFromMaliciousSource) ID 

func (rule *R1000ExecFromMaliciousSource) ID() string

func (*R1000ExecFromMaliciousSource) Name 

func (rule *R1000ExecFromMaliciousSource) Name() string

func (*R1000ExecFromMaliciousSource) ProcessEvent 

func (rule *R1000ExecFromMaliciousSource) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1000ExecFromMaliciousSource) Requirements 

func (rule *R1000ExecFromMaliciousSource) Requirements() ruleengine.RuleSpec

type R1001ExecBinaryNotInBaseImage 

type R1001ExecBinaryNotInBaseImage struct {
	BaseRule
}

func CreateRuleR1001ExecBinaryNotInBaseImage 

func CreateRuleR1001ExecBinaryNotInBaseImage() *R1001ExecBinaryNotInBaseImage

func (*R1001ExecBinaryNotInBaseImage) DeleteRule 

func (rule *R1001ExecBinaryNotInBaseImage) DeleteRule()

func (*R1001ExecBinaryNotInBaseImage) ID 

func (rule *R1001ExecBinaryNotInBaseImage) ID() string

func (*R1001ExecBinaryNotInBaseImage) Name 

func (rule *R1001ExecBinaryNotInBaseImage) Name() string

func (*R1001ExecBinaryNotInBaseImage) ProcessEvent 

func (rule *R1001ExecBinaryNotInBaseImage) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1001ExecBinaryNotInBaseImage) Requirements 

func (rule *R1001ExecBinaryNotInBaseImage) Requirements() ruleengine.RuleSpec

type R1002LoadKernelModule 

type R1002LoadKernelModule struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1002LoadKernelModule 

func CreateRuleR1002LoadKernelModule() *R1002LoadKernelModule

func (*R1002LoadKernelModule) DeleteRule 

func (rule *R1002LoadKernelModule) DeleteRule()

func (*R1002LoadKernelModule) ID 

func (rule *R1002LoadKernelModule) ID() string

func (*R1002LoadKernelModule) Name 

func (rule *R1002LoadKernelModule) Name() string

func (*R1002LoadKernelModule) ProcessEvent 

func (rule *R1002LoadKernelModule) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1002LoadKernelModule) Requirements 

func (rule *R1002LoadKernelModule) Requirements() ruleengine.RuleSpec

type R1003MaliciousSSHConnection 

type R1003MaliciousSSHConnection struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1003MaliciousSSHConnection 

func CreateRuleR1003MaliciousSSHConnection() *R1003MaliciousSSHConnection

func (*R1003MaliciousSSHConnection) DeleteRule 

func (rule *R1003MaliciousSSHConnection) DeleteRule()

func (*R1003MaliciousSSHConnection) ID 

func (rule *R1003MaliciousSSHConnection) ID() string

func (*R1003MaliciousSSHConnection) Name 

func (rule *R1003MaliciousSSHConnection) Name() string

func (*R1003MaliciousSSHConnection) ProcessEvent 

func (rule *R1003MaliciousSSHConnection) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1003MaliciousSSHConnection) Requirements 

func (rule *R1003MaliciousSSHConnection) Requirements() ruleengine.RuleSpec

func (*R1003MaliciousSSHConnection) SetParameters 

func (rule *R1003MaliciousSSHConnection) SetParameters(params map[string]interface{})

type R1004ExecFromMount 

type R1004ExecFromMount struct {
	BaseRule
}

func CreateRuleR1004ExecFromMount 

func CreateRuleR1004ExecFromMount() *R1004ExecFromMount

func (*R1004ExecFromMount) DeleteRule 

func (rule *R1004ExecFromMount) DeleteRule()

func (*R1004ExecFromMount) ID 

func (rule *R1004ExecFromMount) ID() string

func (*R1004ExecFromMount) Name 

func (rule *R1004ExecFromMount) Name() string

func (*R1004ExecFromMount) ProcessEvent 

func (rule *R1004ExecFromMount) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1004ExecFromMount) Requirements 

func (rule *R1004ExecFromMount) Requirements() ruleengine.RuleSpec

type R1005FilelessExecution 

type R1005FilelessExecution struct {
	BaseRule
}

func CreateRuleR1005FilelessExecution 

func CreateRuleR1005FilelessExecution() *R1005FilelessExecution

func (*R1005FilelessExecution) DeleteRule 

func (rule *R1005FilelessExecution) DeleteRule()

func (*R1005FilelessExecution) ID 

func (rule *R1005FilelessExecution) ID() string

func (*R1005FilelessExecution) Name 

func (rule *R1005FilelessExecution) Name() string

func (*R1005FilelessExecution) ProcessEvent 

func (rule *R1005FilelessExecution) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1005FilelessExecution) Requirements 

func (rule *R1005FilelessExecution) Requirements() ruleengine.RuleSpec

type R1006UnshareSyscall 

type R1006UnshareSyscall struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1006UnshareSyscall 

func CreateRuleR1006UnshareSyscall() *R1006UnshareSyscall

func (*R1006UnshareSyscall) DeleteRule 

func (rule *R1006UnshareSyscall) DeleteRule()

func (*R1006UnshareSyscall) ID 

func (rule *R1006UnshareSyscall) ID() string

func (*R1006UnshareSyscall) Name 

func (rule *R1006UnshareSyscall) Name() string

func (*R1006UnshareSyscall) ProcessEvent 

func (rule *R1006UnshareSyscall) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1006UnshareSyscall) Requirements 

func (rule *R1006UnshareSyscall) Requirements() ruleengine.RuleSpec

type R1007XMRCryptoMining 

type R1007XMRCryptoMining struct {
	BaseRule
}

func CreateRuleR1007XMRCryptoMining 

func CreateRuleR1007XMRCryptoMining() *R1007XMRCryptoMining

func (*R1007XMRCryptoMining) DeleteRule 

func (rule *R1007XMRCryptoMining) DeleteRule()

func (*R1007XMRCryptoMining) ID 

func (rule *R1007XMRCryptoMining) ID() string

func (*R1007XMRCryptoMining) Name 

func (rule *R1007XMRCryptoMining) Name() string

func (*R1007XMRCryptoMining) ProcessEvent 

func (rule *R1007XMRCryptoMining) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1007XMRCryptoMining) Requirements 

func (rule *R1007XMRCryptoMining) Requirements() ruleengine.RuleSpec

type R1008CryptoMiningDomainCommunication 

type R1008CryptoMiningDomainCommunication struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1008CryptoMiningDomainCommunication 

func CreateRuleR1008CryptoMiningDomainCommunication() *R1008CryptoMiningDomainCommunication

func (*R1008CryptoMiningDomainCommunication) DeleteRule 

func (rule *R1008CryptoMiningDomainCommunication) DeleteRule()

func (*R1008CryptoMiningDomainCommunication) ID 

func (rule *R1008CryptoMiningDomainCommunication) ID() string

func (*R1008CryptoMiningDomainCommunication) Name 

func (rule *R1008CryptoMiningDomainCommunication) Name() string

func (*R1008CryptoMiningDomainCommunication) ProcessEvent 

func (rule *R1008CryptoMiningDomainCommunication) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, _ objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1008CryptoMiningDomainCommunication) Requirements 

func (rule *R1008CryptoMiningDomainCommunication) Requirements() ruleengine.RuleSpec

type R1009CryptoMiningRelatedPort 

type R1009CryptoMiningRelatedPort struct {
	BaseRule
}

func CreateRuleR1009CryptoMiningRelatedPort 

func CreateRuleR1009CryptoMiningRelatedPort() *R1009CryptoMiningRelatedPort

func (*R1009CryptoMiningRelatedPort) DeleteRule 

func (rule *R1009CryptoMiningRelatedPort) DeleteRule()

func (*R1009CryptoMiningRelatedPort) ID 

func (rule *R1009CryptoMiningRelatedPort) ID() string

func (*R1009CryptoMiningRelatedPort) Name 

func (rule *R1009CryptoMiningRelatedPort) Name() string

func (*R1009CryptoMiningRelatedPort) ProcessEvent 

func (rule *R1009CryptoMiningRelatedPort) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectcache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1009CryptoMiningRelatedPort) Requirements 

func (rule *R1009CryptoMiningRelatedPort) Requirements() ruleengine.RuleSpec

type R1010SymlinkCreatedOverSensitiveFile 

type R1010SymlinkCreatedOverSensitiveFile struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1010SymlinkCreatedOverSensitiveFile 

func CreateRuleR1010SymlinkCreatedOverSensitiveFile() *R1010SymlinkCreatedOverSensitiveFile

func (*R1010SymlinkCreatedOverSensitiveFile) DeleteRule 

func (rule *R1010SymlinkCreatedOverSensitiveFile) DeleteRule()

func (*R1010SymlinkCreatedOverSensitiveFile) EvaluateRule added in v0.2.178 

func (rule *R1010SymlinkCreatedOverSensitiveFile) EvaluateRule(eventType utils.EventType, event utils.K8sEvent, _ objectcache.K8sObjectCache) bool

func (*R1010SymlinkCreatedOverSensitiveFile) ID 

func (rule *R1010SymlinkCreatedOverSensitiveFile) ID() string

func (*R1010SymlinkCreatedOverSensitiveFile) Name 

func (rule *R1010SymlinkCreatedOverSensitiveFile) Name() string

func (*R1010SymlinkCreatedOverSensitiveFile) ProcessEvent 

func (rule *R1010SymlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1010SymlinkCreatedOverSensitiveFile) Requirements 

func (rule *R1010SymlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec

func (*R1010SymlinkCreatedOverSensitiveFile) SetParameters 

func (rule *R1010SymlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})

type R1011LdPreloadHook 

type R1011LdPreloadHook struct {
	BaseRule
}

func CreateRuleR1011LdPreloadHook 

func CreateRuleR1011LdPreloadHook() *R1011LdPreloadHook

func (*R1011LdPreloadHook) DeleteRule 

func (rule *R1011LdPreloadHook) DeleteRule()

func (*R1011LdPreloadHook) EvaluateRule added in v0.2.178 

func (rule *R1011LdPreloadHook) EvaluateRule(eventType utils.EventType, event utils.K8sEvent, k8sObjCache objectcache.K8sObjectCache) bool

func (*R1011LdPreloadHook) ID 

func (rule *R1011LdPreloadHook) ID() string

func (*R1011LdPreloadHook) Name 

func (rule *R1011LdPreloadHook) Name() string

func (*R1011LdPreloadHook) ProcessEvent 

func (rule *R1011LdPreloadHook) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objectCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1011LdPreloadHook) Requirements 

func (rule *R1011LdPreloadHook) Requirements() ruleengine.RuleSpec

type R1012HardlinkCreatedOverSensitiveFile 

type R1012HardlinkCreatedOverSensitiveFile struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1012HardlinkCreatedOverSensitiveFile 

func CreateRuleR1012HardlinkCreatedOverSensitiveFile() *R1012HardlinkCreatedOverSensitiveFile

func (*R1012HardlinkCreatedOverSensitiveFile) DeleteRule 

func (rule *R1012HardlinkCreatedOverSensitiveFile) DeleteRule()

func (*R1012HardlinkCreatedOverSensitiveFile) EvaluateRule added in v0.2.178 

func (rule *R1012HardlinkCreatedOverSensitiveFile) EvaluateRule(eventType utils.EventType, event utils.K8sEvent, _ objectcache.K8sObjectCache) bool

func (*R1012HardlinkCreatedOverSensitiveFile) ID 

func (rule *R1012HardlinkCreatedOverSensitiveFile) ID() string

func (*R1012HardlinkCreatedOverSensitiveFile) Name 

func (rule *R1012HardlinkCreatedOverSensitiveFile) Name() string

func (*R1012HardlinkCreatedOverSensitiveFile) ProcessEvent 

func (rule *R1012HardlinkCreatedOverSensitiveFile) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1012HardlinkCreatedOverSensitiveFile) Requirements 

func (rule *R1012HardlinkCreatedOverSensitiveFile) Requirements() ruleengine.RuleSpec

func (*R1012HardlinkCreatedOverSensitiveFile) SetParameters 

func (rule *R1012HardlinkCreatedOverSensitiveFile) SetParameters(parameters map[string]interface{})

type R1015MaliciousPtraceUsage added in v0.2.161 

type R1015MaliciousPtraceUsage struct {
	BaseRule
	// contains filtered or unexported fields
}

func CreateRuleR1015MaliciousPtraceUsage added in v0.2.161 

func CreateRuleR1015MaliciousPtraceUsage() *R1015MaliciousPtraceUsage

func (*R1015MaliciousPtraceUsage) DeleteRule added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) DeleteRule()

func (*R1015MaliciousPtraceUsage) ID added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) ID() string

func (*R1015MaliciousPtraceUsage) Name added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) Name() string

func (*R1015MaliciousPtraceUsage) ProcessEvent added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) ProcessEvent(eventType utils.EventType, event utils.K8sEvent, objCache objectcache.ObjectCache) ruleengine.RuleFailure

func (*R1015MaliciousPtraceUsage) Requirements added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) Requirements() ruleengine.RuleSpec

func (*R1015MaliciousPtraceUsage) SetParameters added in v0.2.161 

func (rule *R1015MaliciousPtraceUsage) SetParameters(parameters map[string]interface{})

type RuleCreatorImpl 

type RuleCreatorImpl struct {
	// contains filtered or unexported fields
}

func NewRuleCreator 

func NewRuleCreator() *RuleCreatorImpl

func (*RuleCreatorImpl) CreateRuleByID 

func (r *RuleCreatorImpl) CreateRuleByID(id string) ruleengine.RuleEvaluator

func (*RuleCreatorImpl) CreateRuleByName 

func (r *RuleCreatorImpl) CreateRuleByName(name string) ruleengine.RuleEvaluator

func (*RuleCreatorImpl) CreateRulesByEventType added in v0.2.178 

func (r *RuleCreatorImpl) CreateRulesByEventType(eventType utils.EventType) []ruleengine.RuleEvaluator

func (*RuleCreatorImpl) CreateRulesByTags 

func (r *RuleCreatorImpl) CreateRulesByTags(tags []string) []ruleengine.RuleEvaluator

func (*RuleCreatorImpl) GetAllRuleDescriptors 

func (r *RuleCreatorImpl) GetAllRuleDescriptors() []ruleengine.RuleDescriptor

func (*RuleCreatorImpl) GetAllRuleIDs added in v0.2.178 

func (r *RuleCreatorImpl) GetAllRuleIDs() []string

func (*RuleCreatorImpl) RegisterRule added in v0.2.145 

func (r *RuleCreatorImpl) RegisterRule(rule ruleengine.RuleDescriptor)

type RuleObjectCacheMock 

type RuleObjectCacheMock struct {
	// contains filtered or unexported fields
}

func (*RuleObjectCacheMock) ApplicationProfileCache 

func (r *RuleObjectCacheMock) ApplicationProfileCache() objectcache.ApplicationProfileCache

func (*RuleObjectCacheMock) DnsCache added in v0.2.128 

func (r *RuleObjectCacheMock) DnsCache() objectcache.DnsCache

func (*RuleObjectCacheMock) GetApiServerIpAddress 

func (r *RuleObjectCacheMock) GetApiServerIpAddress() string

func (*RuleObjectCacheMock) GetApplicationProfile 

func (r *RuleObjectCacheMock) GetApplicationProfile(string) *v1beta1.ApplicationProfile

func (*RuleObjectCacheMock) GetNetworkNeighborhood 

func (r *RuleObjectCacheMock) GetNetworkNeighborhood(string) *v1beta1.NetworkNeighborhood

func (*RuleObjectCacheMock) GetPodSpec 

func (r *RuleObjectCacheMock) GetPodSpec(_, _ string) *corev1.PodSpec

func (*RuleObjectCacheMock) GetPodStatus 

func (r *RuleObjectCacheMock) GetPodStatus(_, _ string) *corev1.PodStatus

func (*RuleObjectCacheMock) GetPods 

func (r *RuleObjectCacheMock) GetPods() []*corev1.Pod

func (*RuleObjectCacheMock) K8sObjectCache 

func (r *RuleObjectCacheMock) K8sObjectCache() objectcache.K8sObjectCache

func (*RuleObjectCacheMock) NetworkNeighborhoodCache 

func (r *RuleObjectCacheMock) NetworkNeighborhoodCache() objectcache.NetworkNeighborhoodCache

func (*RuleObjectCacheMock) ResolveIpToDomain added in v0.2.128 

func (r *RuleObjectCacheMock) ResolveIpToDomain(ip string) string

func (*RuleObjectCacheMock) SetApplicationProfile 

func (r *RuleObjectCacheMock) SetApplicationProfile(profile *v1beta1.ApplicationProfile)

func (*RuleObjectCacheMock) SetDnsCache added in v0.2.128 

func (r *RuleObjectCacheMock) SetDnsCache(dnsCache map[string]string)

func (*RuleObjectCacheMock) SetNetworkNeighborhood 

func (r *RuleObjectCacheMock) SetNetworkNeighborhood(nn *v1beta1.NetworkNeighborhood)

func (*RuleObjectCacheMock) SetPodSpec 

func (r *RuleObjectCacheMock) SetPodSpec(podSpec *corev1.PodSpec)

func (*RuleObjectCacheMock) SetPodStatus 

func (r *RuleObjectCacheMock) SetPodStatus(podStatus *corev1.PodStatus)

type RuleRequirements 

type RuleRequirements struct {
	// Needed events for the rule.
	EventTypes []utils.EventType
}

func (*RuleRequirements) RequiredEventTypes 

func (r *RuleRequirements) RequiredEventTypes() []utils.EventType

Event types required for the rule

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.