From cc1892177abb3ad519a591a8295d688faabf6e45 Mon Sep 17 00:00:00 2001
From: kaizhe <derek0405@gmail.com>
Date: Tue, 17 Dec 2019 15:18:57 -0800
Subject: [PATCH] falco rule naming convention

Signed-off-by: kaizhe <derek0405@gmail.com>
---
 proposals/20191217-rules-naming-convention.md | 54 +++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 proposals/20191217-rules-naming-convention.md

diff --git a/proposals/20191217-rules-naming-convention.md b/proposals/20191217-rules-naming-convention.md
new file mode 100644
index 00000000..36e9eaa4
--- /dev/null
+++ b/proposals/20191217-rules-naming-convention.md
@@ -0,0 +1,54 @@
+# Falco rule naming convention
+
+<!-- toc -->
+
+- [Summary](#summary)
+- [Motivation](#motivation)
+  * [Goals](#goals)
+  * [Non-Goals](#non-goals)
+- [Proposal](#proposal)
+  * [Use cases](#use-cases)
+  * [Diagrams](#diagrams)
+  * [Design Details](#design-details)
+
+<!-- tocstop -->
+
+## Summary
+
+Propose some basic naming conventions when new lists, macros, rules are introduced. 
+
+## Motivation
+
+We want to help people from the community to contribute to falco rules. It will help improving the security content provided by Falco out of the box. Since people have different preference of naming things, it's necessary to set forth some basic naming convention for people to follow when creating new rules, macros and lists.
+
+### Goals
+
+People will have to follow the naming conventions rules when introducing new falco rules, macros and lists.
+
+### Non-Goals
+
+There will be no intention to cover Falco syntax in this proposal.
+
+## Proposal
+
+### Use cases
+
+When new PRs are created in the area of rules, reviewers need to examine whether there are new rules, macros or lists are introduced. If yes, check wether follow the naming convention.
+
+### Diagrams
+
+N/A
+
+### Design Details
+
+#### Rule
+- Rule Name: Use phrases with capitalizing every word except preposition (e.g. `Search Private Keys or Passwords`)
+- Description: Use sentence always starting with "Detect" and ending with period. (e.g. `Detect grep private keys or passwords activity.`)
+- Output: Use sentence. Must at least include output fields (user=%user.name command=%proc.cmdline container_id=%container.id)
+- Tags: Use at least one of the following: [network, process, filesystem]. Also encourage to use mitre_* tags if applicable
+
+#### Macro
+- Macro Name: Use lowercase_separated_by_underscores (e.g. `parent_java_running_zookeeper`)
+
+#### List
+- List Name: Use lowercase_separated_by_underscores (e.g. `protected_shell_spawning_binaries`)