* Use correct copyright years. Also include the start year. * Improve copyright notices. Use the proper start year instead of just 2018. Add the right owner Draios dba Sysdig. Add copyright notices to some files that were missing them.
#
# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
#
# This file is part of falco.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Test fixture: a list of rules whose conditions place evt.type in different
# positions and combine it with "!=", "not" and "in". Every rule has the same
# output ("None") and priority (WARNING); only the condition differs, so the
# rule name and desc identify the case each entry exercises.
#
# NOTE(review): the first rule is named no_warnings, so this file is
# presumably loaded by a test that checks which conditions the rule loader
# warns about (e.g. conditions that do not positively restrict evt.type and
# so would be evaluated for every event) — confirm against the test harness
# that consumes this file.

# Baseline: a single positive evt.type check and nothing else.
- rule: no_warnings
  desc: Rule with no warnings
  condition: evt.type=execve
  output: "None"
  priority: WARNING

# No evt.type term at all: the condition applies to every event type.
- rule: no_evttype
  desc: No evttype at all
  condition: proc.name=foo
  output: "None"
  priority: WARNING

# "!=" on evt.type matches every event type except execve, so it does not
# narrow the set of event types the rule runs on.
- rule: evttype_not_equals
  desc: Using != for event type
  condition: evt.type!=execve
  output: "None"
  priority: WARNING

# Leading "not" negates the only evt.type term, same effect as "!=" above.
- rule: leading_not
  desc: condition starts with not
  condition: not evt.type=execve
  output: "None"
  priority: WARNING

# "!=" / "not" applied to a non-evt.type field after a positive evt.type term:
# the evt.type restriction still holds.
- rule: not_equals_after_evttype
  desc: != after evt.type, not affecting results
  condition: evt.type=execve and proc.name!=foo
  output: "None"
  priority: WARNING

- rule: not_after_evttype
  desc: not operator after evt.type, not affecting results
  condition: evt.type=execve and not proc.name=foo
  output: "None"
  priority: WARNING

# Positive evt.type terms joined with "or", at the start and end of the
# condition, optionally written with "in (...)".
- rule: leading_trailing_evttypes
  desc: evttype at beginning and end
  condition: evt.type=execve and proc.name=foo or evt.type=open
  output: "None"
  priority: WARNING

- rule: leading_multtrailing_evttypes
  desc: one evttype at beginning, multiple at end
  condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type=connect
  output: "None"
  priority: WARNING

- rule: leading_multtrailing_evttypes_using_in
  desc: one evttype at beginning, multiple at end, using in
  condition: evt.type=execve and proc.name=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

# A negated evt.type term as a trailing "or" branch: that branch alone
# matches every event type other than connect.
- rule: not_equals_at_end
  desc: not_equals at final evttype
  condition: evt.type=execve and proc.name=foo or evt.type=open or evt.type!=connect
  output: "None"
  priority: WARNING

- rule: not_at_end
  desc: not operator for final evttype
  condition: evt.type=execve and proc.name=foo or evt.type=open or not evt.type=connect
  output: "None"
  priority: WARNING

# Negation of a non-evt.type field placed before a trailing evt.type term;
# every "or" branch still carries a positive evt.type check.
- rule: not_before_trailing_evttype
  desc: a not before a trailing event type
  condition: evt.type=execve and not proc.name=foo or evt.type=open
  output: "None"
  priority: WARNING

- rule: not_equals_before_trailing_evttype
  desc: a != before a trailing event type
  condition: evt.type=execve and proc.name!=foo or evt.type=open
  output: "None"
  priority: WARNING

# Mix of "!=" on proc.name (harmless) and "not" on evt.type (widens the rule
# to all event types other than connect).
- rule: not_equals_and_not
  desc: both != and not before event types
  condition: evt.type=execve and proc.name!=foo or evt.type=open or not evt.type=connect
  output: "None"
  priority: WARNING

- rule: not_equals_before_in
  desc: != before an in with event types
  condition: evt.type=execve and proc.name!=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

- rule: not_before_in
  desc: a not before an in with event types
  condition: evt.type=execve and not proc.name=foo or evt.type in (open, connect)
  output: "None"
  priority: WARNING

# "not ... in (...)" on a non-evt.type field, followed by an evt.type "in".
- rule: not_in_before_in
  desc: a not with in before an in with event types
  condition: evt.type=execve and not proc.name in (foo, bar) or evt.type in (open, connect)
  output: "None"
  priority: WARNING

# evt.type restricted via "in (...)" rather than "=".
- rule: evttype_in
  desc: using in for event types
  condition: evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: evttype_in_plus_trailing
  desc: using in for event types and a trailing evttype
  condition: evt.type in (execve, open) and proc.name=foo or evt.type=connect
  output: "None"
  priority: WARNING

- rule: leading_in_not_equals_before_evttype
  desc: initial in() for event types, then a != before an additional event type
  condition: evt.type in (execve, open) and proc.name!=foo or evt.type=connect
  output: "None"
  priority: WARNING

# Second "or" branch negates evt.type, so it matches all types except connect.
- rule: leading_in_not_equals_at_evttype
  desc: initial in() for event types, then a != with an additional event type
  condition: evt.type in (execve, open) or evt.type!=connect
  output: "None"
  priority: WARNING

# "not evt.type in (...)" is the negated form of the "in" check: it matches
# every event type except those listed.
- rule: not_with_evttypes
  desc: not in for event types
  condition: not evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: not_with_evttypes_addl
  desc: not in for event types, and an additional event type
  condition: not evt.type in (execve, open) or evt.type=connect
  output: "None"
  priority: WARNING

# Negation on a non-evt.type field appearing BEFORE the evt.type term.
- rule: not_equals_before_evttype
  desc: != before any event type
  condition: proc.name!=foo and evt.type=execve
  output: "None"
  priority: WARNING

- rule: not_equals_before_in_evttype
  desc: != before any event type using in
  condition: proc.name!=foo and evt.type in (execve, open)
  output: "None"
  priority: WARNING

- rule: not_before_evttype
  desc: not operator before any event type
  condition: not proc.name=foo and evt.type=execve
  output: "None"
  priority: WARNING

- rule: not_before_evttype_using_in
  desc: not operator before any event type using in
  condition: not proc.name=foo and evt.type in (execve, open)
  output: "None"
  priority: WARNING

# The same event type listed more than once, via repeated "=", a single "in",
# separate "in" lists, and a mix of "=" and "in". Logically each of these
# reduces to evt.type=open; the duplicates only matter to whatever collects
# the event types from the condition.
- rule: repeated_evttypes
  desc: event types appearing multiple times
  condition: evt.type=open or evt.type=open
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_in
  desc: event types appearing multiple times with in
  condition: evt.type in (open, open)
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_separate_in
  desc: event types appearing multiple times with separate ins
  condition: evt.type in (open) or evt.type in (open, open)
  output: "None"
  priority: WARNING

- rule: repeated_evttypes_with_mix
  desc: event types appearing multiple times with mix of = and in
  condition: evt.type=open or evt.type in (open, open)
  output: "None"
  priority: WARNING