Documentation
Constants
const (
	KindSignaturesConfig = "SignaturesConfig"
	APIVersionV1Alpha1   = "tracee.nextlinux.github.io/v1alpha1"
)
Variables
This section is empty.
Functions
func NewSignature
func NewSignature(config SignatureConfig) (detect.Signature, error)
NewSignature constructs a Common Expression Language (CEL) signature based on the specified SignatureConfig.
Types
type SignatureConfig
type SignatureConfig struct {
	// Metadata represents signature metadata.
	Metadata detect.SignatureMetadata `yaml:"metadata"`

	// EventSelectors are used to dispatch events only to those signatures
	// that know how to evaluate them.
	EventSelectors []detect.SignatureEventSelector `yaml:"eventSelectors"`

	// Expression is a CEL expression that is used to evaluate events.
	// To indicate a possible threat the Expression must evaluate to `true`,
	// otherwise the event is considered innocent.
	Expression string `yaml:"expression"`
}
SignatureConfig represents a CEL signature definition that is typically loaded from a configuration YAML file.
type SignaturesConfig
type SignaturesConfig struct {
	// Kind indicates type of config loaded from a YAML file.
	Kind string `yaml:"kind"`

	// APIVersion is used to version config properties.
	APIVersion string `yaml:"apiVersion"`

	// Signatures defines CEL SignatureConfig.
	Signatures []SignatureConfig `yaml:"signatures"`
}
SignaturesConfig represents multiple CEL signature definitions that are typically loaded from a configuration YAML file.
func NewConfigFromFile
func NewConfigFromFile(filePath string) (SignaturesConfig, error)
NewConfigFromFile loads CEL SignaturesConfig from the specified file.
func NewConfigsFromDir
func NewConfigsFromDir(dirPath string) ([]SignaturesConfig, error)
NewConfigsFromDir loads CEL SignatureConfig objects from the specified directory.
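A pre-load check over a set of configs such as NewConfigsFromDir returns, written as an added example that is not part of this package. It uses simplified stand-in structs: the ID field, the string selectors and the LintConfigs helper are assumptions, and whether the package's own loaders perform these checks is not stated on this page.

```go
package main

import (
	"fmt"
	"strings"
)

const ( // values as documented on this page
	KindSignaturesConfig = "SignaturesConfig"
	APIVersionV1Alpha1   = "tracee.nextlinux.github.io/v1alpha1"
)

// Simplified stand-ins for the documented structs. Assumption: ID and string
// selectors replace the detect.* types, whose fields this page does not list.
type SignatureConfig struct {
	ID, Expression string
	EventSelectors []string
}
type SignaturesConfig struct {
	Kind, APIVersion string
	Signatures       []SignatureConfig
}

// LintConfigs (hypothetical helper) returns one finding per problem found.
func LintConfigs(configs []SignaturesConfig) (findings []string) {
	seen := map[string]bool{}
	for i, c := range configs {
		if c.Kind != KindSignaturesConfig || c.APIVersion != APIVersionV1Alpha1 {
			findings = append(findings, fmt.Sprintf("config %d: unexpected kind or apiVersion", i))
		}
		for _, s := range c.Signatures {
			where := fmt.Sprintf("config %d, signature %q: ", i, s.ID)
			if strings.TrimSpace(s.Expression) == "" {
				findings = append(findings, where+"empty expression")
			}
			if len(s.EventSelectors) == 0 {
				findings = append(findings, where+"no eventSelectors")
			}
			if seen[s.ID] {
				findings = append(findings, where+"duplicate ID")
			}
			seen[s.ID] = true
		}
	}
	return findings
}

func main() { // constructed sample: a config file with an unexpected apiVersion
	fmt.Println(LintConfigs([]SignaturesConfig{{Kind: "SignaturesConfig", APIVersion: "v1"}}))
}
```

Duplicate IDs are tracked across the whole slice, so a rule defined twice in different files of the same directory is reported as well.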