github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-06 03:16:46 +00:00
Code Issues Projects Releases Wiki Activity

falco rule naming convention

Browse Source 
Signed-off-by: kaizhe <derek0405@gmail.com>
This commit is contained in:
kaizhe 2019-12-17 15:18:57 -08:00 committed by Leo Di Donato
parent 2041932ad2
commit cc1892177a
1 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
proposals/20191217-rules-naming-convention.md Normal file
View File

@ -0,0 +1,54 @@
# Falco rule naming convention
<!-- toc -->
- [Summary](#summary)
- [Motivation](#motivation)
* [Goals](#goals)
* [Non-Goals](#non-goals)
- [Proposal](#proposal)
* [Use cases](#use-cases)
* [Diagrams](#diagrams)
* [Design Details](#design-details)
<!-- tocstop -->
## Summary
Propose some basic naming conventions when new lists, macros, rules are introduced.
## Motivation
We want to help people from the community to contribute to falco rules. It will help improving the security content provided by Falco out of the box. Since people have different preference of naming things, it's necessary to set forth some basic naming convention for people to follow when creating new rules, macros and lists.
### Goals
People will have to follow the naming conventions rules when introducing new falco rules, macros and lists.
### Non-Goals
There will be no intention to cover Falco syntax in this proposal.
## Proposal
### Use cases
When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
### Diagrams
N/A
### Design Details
#### Rule
- Rule Name: Use phrases with capitalizing every word except preposition (e.g. `Search Private Keys or Passwords`)
- Description: Use sentence always starting with "Detect" and ending with period. (e.g. `Detect grep private keys or passwords activity.`)
- Output: Use sentence. Must at least include output fields (user=%user.name command=%proc.cmdline container_id=%container.id)
- Tags: Use at least one of the following: [network, process, filesystem]. Also encourage to use mitre_* tags if applicable
#### Macro
- Macro Name: Use lowercase_separated_by_underscores (e.g. `parent_java_running_zookeeper`)
#### List
- List Name: Use lowercase_separated_by_underscores (e.g. `protected_shell_spawning_binaries`)