github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-09 10:07:57 +00:00
Code Issues Projects Releases Wiki Activity

docs(proposals/20200828-structured-exception-handling): indentation

Browse Source 
Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
This commit is contained in:
Leonardo Grasso 2020-11-11 16:40:38 +01:00 committed by poiana
parent b7bda6d892
commit 581d67fa08
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
proposals/20200828-structured-exception-handling.md
View File

@ -67,7 +67,7 @@ An important way to customize rules and macros is to use `append: true` to add t
desc: Detect package repositories get updated desc: Detect package repositories get updated
condition: > condition: >
((open_write and access_repositories) or (modify and modify_repositories)) ((open_write and access_repositories) or (modify and modify_repositories))
` and not package_mgmt_procs and not package_mgmt_procs
and not exe_running_docker_save and not exe_running_docker_save
and not user_known_update_package_registry and not user_known_update_package_registry
``` ```
@ -149,7 +149,7 @@ To address some of these problems, we will add the notion of Exceptions as top l
comps: [=, startswith] comps: [=, startswith]
- name: proc_filenames - name: proc_filenames
fields: [proc.name, fd.name] fields: [proc.name, fd.name]
comps: [=, in] comps: [=, in]
- name: filenames - name: filenames
fields: fd.filename fields: fd.filename
comps: in comps: in
@ -188,8 +188,8 @@ Exception values will most commonly be defined in rules with append: true. Here'
- [docker.io/alpine, /usr/libexec/alpine] - [docker.io/alpine, /usr/libexec/alpine]
- name: proc_filenames - name: proc_filenames
values: values:
- [apt, apt_files] - [apt, apt_files]
- [rpm, [/bin/cp, /bin/pwd]] - [rpm, [/bin/cp, /bin/pwd]]
- name: filenames - name: filenames
values: [python, go] values: [python, go]
``` ```
@ -238,4 +238,3 @@ However, there are a few changes we'll have to make to Falco rules file parsing:
* Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects. * Similarly, Falco will reject rule objects with exception keys. We'll also probably want to change Falco to allow unknown keys inside rule/macro/list/exception objects.