Overview

Package rules holds the rule- and policy-related code of the SECL engine: policy definitions and providers (directory, remote-config, bundled, workload), the loader that merges them, rule/macro definitions and the RuleSet that events are evaluated against. Because policies can carry enforcement actions (see ActionDefinition and KillDefinition), the source a policy is loaded from is security-relevant; see PolicyLoader.LoadPolicies for the precedence rules.


Constants

// Provider type names, as returned by PolicyProvider.Type(). Note the naming mismatch below: the
// directory provider identifies itself with the wire value "file", not "dir".
const (
	PolicyProviderTypeDir      = "file"          // PolicyProviderTypeDir is the type of the local policies-directory provider (PoliciesDirProvider); wire value is "file"
	PolicyProviderTypeRC       = "remote-config" // PolicyProviderTypeRC is the type of the remote-config provider; per PolicyLoader.LoadPolicies its policies take precedence over local ones, so this channel must be trusted
	PolicyProviderTypeBundled  = "bundled"       // PolicyProviderTypeBundled is the type of the bundled provider (source of InternalPolicyType policies)
	PolicyProviderTypeWorkload = "workload"      // PolicyProviderTypeWorkload is the type of the workload policy provider
)
// Variable scopes: a variable declared with one of these scopes is keyed per process or per
// container (see Opts.StateScopes). The same two strings are the accepted values of
// KillDefinition.Scope. ScopeCGroup is declared separately below.
const (
	// ScopeProcess is the scope for process variables
	ScopeProcess = "process"
	// ScopeContainer is the scope for container variables
	ScopeContainer = "container"
)
const DefaultPolicyName = "default.policy"

DefaultPolicyName is the name of the default policy. The default policy has a slightly privileged position when the rules are loaded: PolicyLoader.LoadPolicies ensures there is only one default policy and gives it precedence over every other policy (a remote-config default replaces a local default).

const (
	// ExecutionContextTagName is the rule tag key ("execution_context") that carries a rule's
	// execution context; look it up with RuleDefinition.GetTag.
	ExecutionContextTagName = "execution_context"
)
const (
	// ScopeCGroup is the scope for cgroup variables; unlike ScopeProcess and ScopeContainer it is
	// not among the enum values accepted by KillDefinition.Scope.
	ScopeCGroup = "cgroup"
)

Variables

// Sentinel errors returned while loading policies, macros and rules. Compare with errors.Is: they are
// usually wrapped in ErrRuleLoad / ErrMacroLoad / ErrPolicyLoad, which carry the offending definition.
var (
	// ErrRuleWithoutID is returned when a rule definition has no ID
	ErrRuleWithoutID = errors.New("no rule ID")

	// ErrRuleWithoutExpression is returned when a rule definition has no expression
	ErrRuleWithoutExpression = errors.New("no rule expression")

	// ErrRuleIDPattern is returned when a rule ID does not match the accepted ID pattern
	ErrRuleIDPattern = errors.New("rule ID pattern error")

	// ErrRuleWithoutEvent is returned when no event type was inferred from the rule
	ErrRuleWithoutEvent = errors.New("no event in the rule definition")

	// ErrInternalIDConflict is returned when a user defined rule uses an internal (reserved) ID,
	// see Opts.WithReservedRuleIDs; this prevents a custom policy from shadowing internal rules
	ErrInternalIDConflict = errors.New("internal rule ID conflict")

	// ErrEventTypeNotEnabled is returned when the rule's event type is not enabled (Opts.EventTypeEnabled)
	ErrEventTypeNotEnabled = errors.New("event type not enabled")

	// ErrCannotMergeExpression is returned when trying to merge SECL expressions (CombinePolicy merge)
	ErrCannotMergeExpression = errors.New("cannot merge expression")

	// ErrRuleAgentVersion is returned when the rule's agent_version constraint rejects the running agent
	ErrRuleAgentVersion = errors.New("agent version incompatible")

	// ErrRuleAgentFilter is returned when an agent rule was filtered out by a RuleFilter
	ErrRuleAgentFilter = errors.New("agent rule filtered")

	// ErrMultipleEventCategories is returned when multiple event categories are in the same expansion
	ErrMultipleEventCategories = errors.New("multiple event categories in the same rule expansion")

	// ErrPolicyIsEmpty is returned when a policy has no rules or macros
	ErrPolicyIsEmpty = errors.New("the policy is empty")
)

VariableScopes is the list of scopes for variables (the declaration itself is not shown on this page; it is expected to cover the ScopeProcess, ScopeContainer and ScopeCGroup constants above).

Functions

func GetRuleEventType added in v0.34.0

func GetRuleEventType(rule *eval.Rule) (eval.EventType, error)

GetRuleEventType returns the rule's EventType. Currently a rule supports only one event type; an error is returned when none can be inferred.

func IsScopeVariable added in v0.68.0

func IsScopeVariable(varName string) bool

IsScopeVariable returns true if the variable name is a scope variable

func NewEvalOpts added in v0.43.0

func NewEvalOpts() *eval.Opts

NewEvalOpts returns eval options

Types

type Action added in v0.57.0

// Action is a compiled action attached to a rule. Exactly one of Def (an action declared in a policy)
// or InternalCallback (an action registered from code, see Policy.SetInternalCallbackAction) is
// expected to be set; the evaluators are populated by CompileFilter and CompileScopeField.
type Action struct {
	// Def is the policy-declared action, nil for internal callbacks
	Def *ActionDefinition
	// InternalCallback marks an action implemented in code rather than in a policy
	InternalCallback *InternalCallbackDefinition
	// FilterEvaluator evaluates Def.Filter; consulted by IsAccepted to decide whether the action runs
	FilterEvaluator *eval.RuleEvaluator
	// ScopeFieldEvaluator evaluates the action's scope field (compiled by CompileScopeField)
	ScopeFieldEvaluator eval.Evaluator
}

Action represents the action to take when a rule is triggered. It can either come from a policy definition or be an internal callback.

func (*Action) CompileFilter added in v0.57.0

func (a *Action) CompileFilter(parsingContext *ast.ParsingContext, model eval.Model, evalOpts *eval.Opts) error

CompileFilter compiles the filter expression

func (*Action) CompileScopeField added in v0.68.0

func (a *Action) CompileScopeField(model eval.Model) error

CompileScopeField compiles the scope field

func (*Action) IsAccepted added in v0.57.0

func (a *Action) IsAccepted(ctx *eval.Context) bool

IsAccepted returns true when the action's filter expression (if any) accepts the event in ctx, i.e. when the action has to be executed.

type ActionDefinition added in v0.35.0

// ActionDefinition describes one entry of a rule's `actions` section. The jsonschema tags make the
// Set/Kill/CoreDump/Hash/Log members mutually exclusive (oneof_required): a definition carries exactly
// one action kind, and Name() reports which. Kill and CoreDump are enforcement / evidence-collection
// actions with host-level side effects, so the policy source they come from must be trusted; Check
// validates the definition against the loader options (PolicyLoaderOpts.DisableEnforcement).
type ActionDefinition struct {
	// Filter is an optional SECL expression; when present the action only runs if it matches the event
	Filter *string `yaml:"filter" json:"filter,omitempty"`
	// Set assigns a variable (see SetDefinition)
	Set *SetDefinition `yaml:"set" json:"set,omitempty" jsonschema:"oneof_required=SetAction"`
	// Kill sends a signal to the matching process or container (see KillDefinition)
	Kill *KillDefinition `yaml:"kill" json:"kill,omitempty" jsonschema:"oneof_required=KillAction"`
	// CoreDump collects a core dump of the matching process (see CoreDumpDefinition)
	CoreDump *CoreDumpDefinition `yaml:"coredump" json:"coredump,omitempty" jsonschema:"oneof_required=CoreDumpAction"`
	// Hash requests hashing of the involved file(s)
	Hash *HashDefinition `yaml:"hash" json:"hash,omitempty" jsonschema:"oneof_required=HashAction"`
	// Log emits a log line (see LogDefinition)
	Log *LogDefinition `yaml:"log" json:"log,omitempty" jsonschema:"oneof_required=LogAction"`
}

ActionDefinition describes a rule action section

func (*ActionDefinition) Check added in v0.35.0

func (a *ActionDefinition) Check(opts PolicyLoaderOpts) error

Check returns an error if the action definition is invalid for the given loader options (for instance because enforcement is disabled via PolicyLoaderOpts.DisableEnforcement).

func (*ActionDefinition) Name added in v0.59.0

func (a *ActionDefinition) Name() ActionName

Name returns the name of the action

type ActionName added in v0.51.0

type ActionName = string

ActionName defines an action name

// Action names, as returned by ActionDefinition.Name(). They mirror the YAML keys of ActionDefinition.
const (
	// KillAction name of the kill action (enforcement: signals a process/container)
	KillAction ActionName = "kill"
	// SetAction name of the set action (sets a scoped variable)
	SetAction ActionName = "set"
	// CoreDumpAction name of the core dump action (evidence collection)
	CoreDumpAction ActionName = "coredump"
	// HashAction name of the hash action
	HashAction ActionName = "hash"
	// LogAction name of the log action
	LogAction ActionName = "log"
)

type AgentVersionFilter added in v0.39.0

type AgentVersionFilter struct {
	// contains filtered or unexported fields
}

AgentVersionFilter defines an agent-version based rule and macro filter: definitions whose agent_version constraint does not match the running agent's semver are rejected.

func NewAgentVersionFilter added in v0.40.0

func NewAgentVersionFilter(version *semver.Version) (*AgentVersionFilter, error)

NewAgentVersionFilter returns a new agent version based rule filter

func (*AgentVersionFilter) IsMacroAccepted added in v0.40.0

func (r *AgentVersionFilter) IsMacroAccepted(macro *MacroDefinition) (bool, error)

IsMacroAccepted checks whether the macro is accepted

func (*AgentVersionFilter) IsRuleAccepted added in v0.40.0

func (r *AgentVersionFilter) IsRuleAccepted(rule *RuleDefinition) (bool, error)

IsRuleAccepted checks whether the rule is accepted

type Approvers

type Approvers map[eval.Field]FilterValues

Approvers are just filter values indexed by field

type CollectedEvent added in v0.48.0

type CollectedEvent struct {
	Type       string
	EvalResult bool
	Fields     map[string]interface{}
}

CollectedEvent defines a collected event

type CombinePolicy added in v0.35.0

type CombinePolicy = string

CombinePolicy represents the policy to use to combine rules and macros

// Combine policies, used when a rule or macro ID is defined by more than one policy.
// NoPolicy is the zero value ("" in YAML). Macros accept merge and override; rules only accept
// override (see the jsonschema enums on MacroDefinition.Combine and RuleDefinition.Combine).
const (
	NoPolicy       CombinePolicy = ""
	MergePolicy    CombinePolicy = "merge"
	OverridePolicy CombinePolicy = "override"
)

Combine policies

type CoreDumpDefinition added in v0.55.0

// CoreDumpDefinition describes the 'coredump' action. The anyof_required tags require at least one
// of Process, Mount or Dentry to be set. A process core dump captures process memory, which can
// contain secrets (keys, tokens); the dump output must be protected accordingly.
type CoreDumpDefinition struct {
	// Process dumps the process memory
	Process bool `yaml:"process" json:"process,omitempty" jsonschema:"anyof_required=CoreDumpWithProcess"`
	// Mount dumps mount information
	Mount bool `yaml:"mount" json:"mount,omitempty" jsonschema:"anyof_required=CoreDumpWithMount"`
	// Dentry dumps dentry information
	Dentry bool `yaml:"dentry" json:"dentry,omitempty" jsonschema:"anyof_required=CoreDumpWithDentry"`
	// NoCompression disables compression of the produced dump
	NoCompression bool `yaml:"no_compression" json:"no_compression,omitempty"`
}

CoreDumpDefinition describes the 'coredump' action

type DiscarderInvalidReport added in v0.68.0

type DiscarderInvalidReport struct {
	RuleID eval.RuleID `json:"rule_id"`
	Field  eval.Field  `json:"field"`
}

DiscarderInvalidReport is a report of an invalid discarder

type DiscardersReport added in v0.68.0

type DiscardersReport struct {
	Supported []eval.Field             `json:"supported"`
	Invalid   []DiscarderInvalidReport `json:"invalid"`
}

DiscardersReport is a report of the discarders in the ruleset

type ErrActionFilter added in v0.51.0

type ErrActionFilter struct {
	Expression string
	Err        error
}

ErrActionFilter is returned on an action filter definition error; Expression holds the offending filter.

func (ErrActionFilter) Error added in v0.51.0

func (e ErrActionFilter) Error() string

type ErrActionNotAvailable added in v0.59.0

type ErrActionNotAvailable struct {
	ActionName string
	EventType  eval.EventType
}

ErrActionNotAvailable is returned when an action is not available

func (*ErrActionNotAvailable) Error added in v0.59.0

func (e *ErrActionNotAvailable) Error() string

type ErrFieldNotAvailable added in v0.57.0

type ErrFieldNotAvailable struct {
	Field        eval.Field
	EventType    eval.EventType
	RestrictedTo []eval.EventType
}

ErrFieldNotAvailable is returned when a field is not available

func (*ErrFieldNotAvailable) Error added in v0.57.0

func (e *ErrFieldNotAvailable) Error() string

type ErrFieldTypeUnknown

type ErrFieldTypeUnknown struct {
	Field string
}

ErrFieldTypeUnknown is returned when a field has an unknown type

func (*ErrFieldTypeUnknown) Error

func (e *ErrFieldTypeUnknown) Error() string

type ErrMacroLoad

type ErrMacroLoad struct {
	Macro *PolicyMacro
	Err   error
}

ErrMacroLoad is returned on a macro definition error; Macro is the macro that failed to load and Err the underlying cause.

func (ErrMacroLoad) Error

func (e ErrMacroLoad) Error() string

type ErrNoApprover

type ErrNoApprover struct {
	Fields []string
}

ErrNoApprover is returned when no approver was found for a set of rules

func (ErrNoApprover) Error

func (e ErrNoApprover) Error() string

type ErrNoEventTypeBucket

type ErrNoEventTypeBucket struct {
	EventType string
}

ErrNoEventTypeBucket is returned when no bucket could be found for an event type

func (ErrNoEventTypeBucket) Error

func (e ErrNoEventTypeBucket) Error() string

type ErrPolicyLoad

// ErrPolicyLoad is returned when a policy file fails to load. Name, Version and Source identify the
// policy (see PolicyInfo) so that an operator can tell which provider/file produced the error.
type ErrPolicyLoad struct {
	// Name of the policy
	Name string
	// Version declared by the policy
	Version string
	// Source the policy was loaded from
	Source string
	// Err is the underlying cause
	Err error
}

ErrPolicyLoad is returned on policy file error

func (ErrPolicyLoad) Error

func (e ErrPolicyLoad) Error() string

type ErrRuleLoad

type ErrRuleLoad struct {
	Rule *PolicyRule
	Err  error
}

ErrRuleLoad is returned on a rule definition error; Rule is the rule that failed to load and Err the underlying cause. Type classifies the cause as a RuleLoadErrType.

func (ErrRuleLoad) Error

func (e ErrRuleLoad) Error() string

func (ErrRuleLoad) Type added in v0.41.0

func (e ErrRuleLoad) Type() RuleLoadErrType

Type return the type of the error

type ErrRuleSyntax added in v0.41.0

type ErrRuleSyntax struct {
	Err error
}

ErrRuleSyntax is returned when there is a syntax error

func (*ErrRuleSyntax) Error added in v0.41.0

func (e *ErrRuleSyntax) Error() string

type ErrScopeField added in v0.68.0

type ErrScopeField struct {
	Expression string
	Err        error
}

ErrScopeField is returned on a scope field definition error; Expression holds the offending scope field.

func (ErrScopeField) Error added in v0.68.0

func (e ErrScopeField) Error() string

type ErrValueTypeUnknown

type ErrValueTypeUnknown struct {
	Field string
}

ErrValueTypeUnknown is returned when the value of a field has an unknown type

func (*ErrValueTypeUnknown) Error

func (e *ErrValueTypeUnknown) Error() string

type EventCollector added in v0.48.0

type EventCollector struct {
}

EventCollector defines an event collector

func (*EventCollector) CollectEvent added in v0.48.0

func (ec *EventCollector) CollectEvent(_ *RuleSet, _ *eval.Context, _ eval.Event, _ bool)

CollectEvent collects event

func (*EventCollector) Stop added in v0.48.0

func (ec *EventCollector) Stop() []CollectedEvent

Stop stops the event collector

type FieldCapabilities

type FieldCapabilities []*FieldCapability

FieldCapabilities holds a list of field capabilities

func (*FieldCapabilities) Clone added in v0.68.0

func (fcs *FieldCapabilities) Clone() FieldCapabilities

Clone returns a copy of the FieldCapabilities

func (FieldCapabilities) GetFields

func (fcs FieldCapabilities) GetFields() []eval.Field

GetFields returns all the fields of FieldCapabilities

type FieldCapability

// FieldCapability describes how a field may be used to build kernel-side filters (approvers and
// discarders): which value types are accepted, how to validate a value, and how to weight it.
type FieldCapability struct {
	// Field is the SECL field this capability applies to
	Field eval.Field
	// TypeBitmask is the set of value types supported for this field (checked by TypeMatches)
	TypeBitmask eval.FieldValueType
	// ValidateFnc optionally rejects individual filter values (checked by Validate)
	ValidateFnc func(FilterValue) bool
	// FilterWeight orders candidate fields; semantics of the ordering are defined by the caller — TODO confirm
	FilterWeight int
	// FilterMode selects whether the field may also produce discarders (see FilterMode)
	FilterMode FilterMode
	// RangeFilterValue bounds the field when it is used as a range filter
	RangeFilterValue *RangeFilterValue
	// HandleNotApproverValue lets a field rewrite a value that cannot be used as-is as an approver;
	// the returned bool presumably reports whether the rewrite succeeded — confirm against callers
	HandleNotApproverValue func(valueType eval.FieldValueType, value interface{}) (eval.FieldValueType, interface{}, bool)
}

FieldCapability represents a field and the type of its value (scalar, pattern, bitmask, ...)

func (FieldCapability) TypeMatches added in v0.59.0

func (fc FieldCapability) TypeMatches(kind eval.FieldValueType) bool

TypeMatches return if a type is supported

func (FieldCapability) Validate added in v0.59.0

func (fc FieldCapability) Validate(filterValue FilterValue) bool

Validate validates the filter value, returning false when ValidateFnc (if set) rejects it.

type FilterMode added in v0.57.0

type FilterMode int

FilterMode defines a filter mode

// Filter modes control which kernel-side filters a field value may generate.
const (
	// DefaultMode enables both approver and discarder generation
	DefaultMode FilterMode = iota
	// ApproverOnlyMode restricts the value to approvers; it is not used to generate a discarder
	ApproverOnlyMode
)

type FilterValue

type FilterValue struct {
	Field eval.Field          `json:"field"`
	Value interface{}         `json:"value"`
	Type  eval.FieldValueType `json:"type"`
	Mode  FilterMode          `json:"mode"`
}

FilterValue represents a field, its value, the value's type and the filter mode (whether the value may be used for approvers only, or for approvers and discarders).

type FilterValues

type FilterValues []FilterValue

FilterValues is a list of FilterValue

func (FilterValues) Merge

func (fv FilterValues) Merge(n ...FilterValue) FilterValues

Merge merges the given values n into fv, ensuring there is no duplicate value, and returns the resulting list.

type HashDefinition added in v0.55.0

type HashDefinition struct{}

HashDefinition describes the 'hash' section of a rule action

type HookPointArg added in v0.56.0

type HookPointArg struct {
	N    int
	Kind string
}

HookPointArg represents the definition of a hook point argument

type HumanReadableDuration added in v0.62.0

type HumanReadableDuration struct {
	time.Duration
}

HumanReadableDuration represents a duration that can be unmarshalled from YAML either from a human readable format (like `10m`) or from a plain integer.

func (*HumanReadableDuration) GetDuration added in v0.62.0

func (d *HumanReadableDuration) GetDuration() time.Duration

GetDuration returns the duration embedded in the HumanReadableDuration, or 0 if nil

func (*HumanReadableDuration) MarshalYAML added in v0.62.0

func (d *HumanReadableDuration) MarshalYAML() (interface{}, error)

MarshalYAML marshals a duration to a human readable format

func (*HumanReadableDuration) UnmarshalYAML added in v0.62.0

func (d *HumanReadableDuration) UnmarshalYAML(n *yaml.Node) error

UnmarshalYAML unmarshals a duration from a human readable format or from an integer

type InternalCallbackDefinition added in v0.49.0

type InternalCallbackDefinition struct{}

InternalCallbackDefinition describes an internal rule action

type KillDefinition added in v0.50.0

// KillDefinition describes the 'kill' section of a rule action. This is an enforcement action with
// destructive host-side effects: a matching event causes a signal to be delivered to the offending
// process (or its whole container). Policies carrying it should only be accepted from trusted
// sources, and loaders can refuse it via PolicyLoaderOpts.DisableEnforcement (see ActionDefinition.Check).
type KillDefinition struct {
	// Signal is the signal name to send (e.g. SIGKILL, SIGTERM); required (no omitempty)
	Signal string `yaml:"signal" json:"signal" jsonschema:"description=A valid signal name,example=SIGKILL,example=SIGTERM"`
	// Scope is "process" (default when empty — TODO confirm) or "container"; matches ScopeProcess/ScopeContainer
	Scope string `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container"`
	// DisableContainerDisarmer / DisableExecutableDisarmer turn off the disarmer safeguards. The tags are
	// elided on this page; NOTE(review): disarmers appear to be a safety valve against a rule killing
	// repeatedly, so disabling them widens blast radius — confirm semantics before exposing in policies.
	DisableContainerDisarmer  bool   `` /* 185-byte string literal not displayed */
	DisableExecutableDisarmer bool   `` /* 188-byte string literal not displayed */
}

KillDefinition describes the 'kill' section of a rule action

type LogDefinition added in v0.66.0

// LogDefinition describes the 'log' section of a rule action. Unlike the other action definitions
// the fields carry no yaml/json tags, so key names presumably fall back to the decoder's default
// (lowercased field name) — confirm against the policy schema.
type LogDefinition struct {
	// Level is the log level to emit at
	Level string
	// Message is the log message
	Message string
}

LogDefinition describes the 'log' section of a rule action

type MacroDefinition

// MacroDefinition holds the definition of a macro as declared in a policy file. A macro is either an
// Expression or a list of Values (oneof_required), never both.
type MacroDefinition struct {
	// ID is the macro identifier referenced from rule expressions
	ID MacroID `yaml:"id" json:"id"`
	// Expression is a SECL expression; mutually exclusive with Values
	Expression string `yaml:"expression" json:"expression,omitempty" jsonschema:"oneof_required=MacroWithExpression"`
	// Description is free-form documentation
	Description string `yaml:"description" json:"description,omitempty"`
	// AgentVersionConstraint is a semver constraint checked by AgentVersionFilter
	AgentVersionConstraint string `yaml:"agent_version" json:"agent_version,omitempty"`
	// Filters are evaluated by MacroFilter implementations — presumably agent-side filters, confirm
	Filters []string `yaml:"filters" json:"filters,omitempty"`
	// Values is a literal value list; mutually exclusive with Expression
	Values []string `yaml:"values" json:"values,omitempty" jsonschema:"oneof_required=MacroWithValues"`
	// Combine says how to resolve a macro ID defined by several policies: "merge" or "override"
	Combine CombinePolicy `yaml:"combine" json:"combine,omitempty" jsonschema:"enum=merge,enum=override"`
}

MacroDefinition holds the definition of a macro

type MacroFilter added in v0.40.0

type MacroFilter interface {
	IsMacroAccepted(*MacroDefinition) (bool, error)
}

MacroFilter definition of a macro filter

type MacroID

type MacroID = string

MacroID represents the ID of a macro

type MultiDiscarder added in v0.54.0

// MultiDiscarder represents a multi discarder, i.e. a discarder that spans several rule buckets:
// each Entry is a (field, event type) pair, and the result is applied to FinalField/FinalEventType.
type MultiDiscarder struct {
	// Entries are the per-event-type fields that participate in the discarder
	Entries []MultiDiscarderEntry
	// FinalField is the field the combined discarder is emitted on
	FinalField string
	// FinalEventType is the event type the combined discarder is emitted for
	FinalEventType model.EventType
}

MultiDiscarder represents a multi discarder, i.e. a discarder across multiple rule buckets

type MultiDiscarderEntry added in v0.54.0

type MultiDiscarderEntry struct {
	Field     string
	EventType model.EventType
}

MultiDiscarderEntry represents a multi discarder entry (a field, and associated event type)

type OnDemandHookPoint added in v0.56.0

type OnDemandHookPoint struct {
	Name      string
	IsSyscall bool
	Args      []HookPointArg
}

OnDemandHookPoint represents a hook point definition

type Opts

// Opts defines rule set options. Build them with NewRuleOpts / NewBothOpts and the With* setters.
type Opts struct {
	// SupportedDiscarders lists the fields for which kernel-side discarders may be generated
	SupportedDiscarders map[eval.Field]bool
	// SupportedMultiDiscarders lists the cross-bucket discarders the platform supports
	SupportedMultiDiscarders []*MultiDiscarder
	// ExcludedRuleFromDiscarders lists rules that must never contribute to discarder generation
	ExcludedRuleFromDiscarders map[eval.RuleID]bool
	// ReservedRuleIDs are internal rule IDs that user policies may not reuse (ErrInternalIDConflict)
	ReservedRuleIDs []RuleID
	// EventTypeEnabled gates which event types rules may be loaded for (ErrEventTypeNotEnabled)
	EventTypeEnabled map[eval.EventType]bool
	// StateScopes maps a variable scope (ScopeProcess, ...) to the factory providing its storage
	StateScopes map[Scope]VariableProviderFactory
	// Logger receives rule set diagnostics
	Logger log.Logger
	// contains filtered or unexported fields
}

Opts defines rules set options

func NewBothOpts added in v0.55.0

func NewBothOpts(eventTypeEnabled map[eval.EventType]bool) (*Opts, *eval.Opts)

NewBothOpts returns rule and eval options

func NewRuleOpts added in v0.55.0

func NewRuleOpts(eventTypeEnabled map[eval.EventType]bool) *Opts

NewRuleOpts returns rule options

func (*Opts) WithEventTypeEnabled added in v0.34.0

func (o *Opts) WithEventTypeEnabled(eventTypes map[eval.EventType]bool) *Opts

WithEventTypeEnabled set event types enabled

func (*Opts) WithExcludedRuleFromDiscarders added in v0.68.0

func (o *Opts) WithExcludedRuleFromDiscarders(excludedRuleFromDiscarders map[eval.RuleID]bool) *Opts

WithExcludedRuleFromDiscarders set excluded rule from discarders

func (*Opts) WithLogger added in v0.34.0

func (o *Opts) WithLogger(logger log.Logger) *Opts

WithLogger set logger

func (*Opts) WithReservedRuleIDs added in v0.34.0

func (o *Opts) WithReservedRuleIDs(ruleIDs []RuleID) *Opts

WithReservedRuleIDs set reserved rule ids

func (*Opts) WithRuleActionPerformedCb added in v0.59.0

func (o *Opts) WithRuleActionPerformedCb(cb RuleActionPerformedCb) *Opts

WithRuleActionPerformedCb sets the rule action performed callback

func (*Opts) WithStateScopes added in v0.35.0

func (o *Opts) WithStateScopes(stateScopes map[Scope]VariableProviderFactory) *Opts

WithStateScopes set state scopes

func (*Opts) WithSupportedDiscarders added in v0.34.0

func (o *Opts) WithSupportedDiscarders(discarders map[eval.Field]bool) *Opts

WithSupportedDiscarders set supported discarders

func (*Opts) WithSupportedMultiDiscarder added in v0.54.0

func (o *Opts) WithSupportedMultiDiscarder(discarders []*MultiDiscarder) *Opts

WithSupportedMultiDiscarder set supported multi discarders

type OverrideField added in v0.52.0

type OverrideField = string

OverrideField defines a combine field

// Override fields, used in OverrideOptions.Fields to select what an overriding rule replaces.
// NOTE(review): this list and the jsonschema enum on OverrideOptions.Fields disagree — the enum
// lists "expression" (no constant here) and omits "product_tags" (declared here). Confirm which is
// authoritative before relying on schema validation.
const (
	// OverrideAllFields used to override all the fields
	OverrideAllFields OverrideField = "all"
	// OverrideActionFields used to override the actions
	OverrideActionFields OverrideField = "actions"
	// OverrideEveryField used to override the every field
	OverrideEveryField OverrideField = "every"
	// OverrideTagsField used to override the tags
	OverrideTagsField OverrideField = "tags"
	// OverrideProductTagsField used to override the product_tags field
	OverrideProductTagsField OverrideField = "product_tags"
)

type OverrideOptions added in v0.52.0

// OverrideOptions defines combine options for a rule with Combine == OverridePolicy.
// NOTE(review): the jsonschema enum below ("expression") does not match the OverrideField constants
// ("product_tags" is missing from the enum, "expression" has no constant); confirm which is correct.
type OverrideOptions struct {
	// Fields lists which parts of the overridden rule are replaced (see the OverrideField constants)
	Fields []OverrideField `yaml:"fields" json:"fields" jsonschema:"enum=all,enum=expression,enum=actions,enum=every,enum=tags"`
}

OverrideOptions defines combine options

type PoliciesDirProvider added in v0.38.0

// PoliciesDirProvider is the PolicyProvider that loads policy files from a local directory
// (Type() == PolicyProviderTypeDir, i.e. "file"). Because policies may carry enforcement actions,
// write access to PoliciesDir is equivalent to control over those actions; keep the directory
// restricted to the agent's user.
type PoliciesDirProvider struct {
	// PoliciesDir is the directory scanned for policy files
	PoliciesDir string
}

PoliciesDirProvider defines a new policy dir provider

func NewPoliciesDirProvider added in v0.38.0

func NewPoliciesDirProvider(policiesDir string) (*PoliciesDirProvider, error)

NewPoliciesDirProvider returns a provider for the given policies directory.

func (*PoliciesDirProvider) Close added in v0.38.0

func (p *PoliciesDirProvider) Close() error

Close implements the policy provider interface and stops the provider.

func (*PoliciesDirProvider) LoadPolicies added in v0.38.0

func (p *PoliciesDirProvider) LoadPolicies(macroFilters []MacroFilter, ruleFilters []RuleFilter) ([]*Policy, *multierror.Error)

LoadPolicies implements the policy provider interface

func (*PoliciesDirProvider) SetOnNewPoliciesReadyCb added in v0.38.0

func (p *PoliciesDirProvider) SetOnNewPoliciesReadyCb(_ func())

SetOnNewPoliciesReadyCb implements the policy provider interface

func (*PoliciesDirProvider) Start added in v0.38.0

func (p *PoliciesDirProvider) Start()

Start starts the policy dir provider

func (*PoliciesDirProvider) Type added in v0.47.0

func (p *PoliciesDirProvider) Type() string

Type returns the type of policy dir provider

type Policy

// Policy is a loaded policy: its parsed definition plus provenance metadata. Only the rules and
// macros reported by GetAcceptedRules / GetAcceptedMacros passed the filters applied at load time.
type Policy struct {
	// Def is the policy definition
	Def *PolicyDef
	// Info contains the policy information such as its name, source and type
	Info PolicyInfo
	// contains filtered or unexported fields
}

Policy represents a policy which is composed of a list of rules, macros and on-demand hook points

func LoadPolicy

func LoadPolicy(info *PolicyInfo, reader io.Reader, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error)

LoadPolicy loads a policy from the reader, applying the given macro and rule filters; info supplies the policy's name, source and type.

func LoadPolicyFromDefinition added in v0.57.0

func LoadPolicyFromDefinition(info *PolicyInfo, def *PolicyDef, macroFilters []MacroFilter, ruleFilters []RuleFilter) (*Policy, error)

LoadPolicyFromDefinition loads a policy from an already-parsed definition, applying the given macro and rule filters.

func (*Policy) GetAcceptedMacros added in v0.57.0

func (p *Policy) GetAcceptedMacros() []*PolicyMacro

GetAcceptedMacros returns the list of accepted macros that are part of the policy

func (*Policy) GetAcceptedRules added in v0.57.0

func (p *Policy) GetAcceptedRules() []*PolicyRule

GetAcceptedRules returns the list of accepted rules that are part of the policy

func (*Policy) SetInternalCallbackAction added in v0.57.0

func (p *Policy) SetInternalCallbackAction(ruleID ...RuleID)

SetInternalCallbackAction adds an internal callback action for the given rule IDs

type PolicyDef added in v0.38.0

// PolicyDef represents a policy file definition as deserialised from YAML/JSON.
type PolicyDef struct {
	// Version is the policy's own version string (copied into PolicyInfo.Version)
	Version string `yaml:"version,omitempty" json:"version"`
	// Macros declared by the policy
	Macros []*MacroDefinition `yaml:"macros,omitempty" json:"macros,omitempty"`
	// Rules declared by the policy; required in YAML (no omitempty)
	Rules []*RuleDefinition `yaml:"rules" json:"rules"`
}

PolicyDef represents a policy file definition

type PolicyInfo added in v0.67.0

// PolicyInfo contains the provenance of a policy that isn't part of the policy definition itself.
// Type and Source together decide the policy's precedence in PolicyLoader.LoadPolicies.
type PolicyInfo struct {
	// Name is the name of the policy (DefaultPolicyName for the default policy)
	Name string
	// Source is the source of the policy (the provider type, e.g. PolicyProviderTypeRC)
	Source string
	// Type is the type of the policy (default, custom, internal, selftest)
	Type PolicyType
	// Version is the version of the policy, this field is copied from the policy definition
	Version string
	// IsInternal is true if the policy is internal
	IsInternal bool
}

PolicyInfo contains information about a policy that aren't part of the policy definition

func (*PolicyInfo) Equals added in v0.67.0

func (pi *PolicyInfo) Equals(other *PolicyInfo) bool

Equals compares two PolicyInfo objects and returns true if they are equal

type PolicyLoader added in v0.38.0

// PolicyLoader aggregates the policies of several PolicyProviders. The embedded RWMutex guards
// Providers (see SetProviders); do not copy a PolicyLoader by value.
type PolicyLoader struct {
	sync.RWMutex

	// Providers are queried in LoadPolicies; their results are ordered by the precedence rules
	Providers []PolicyProvider
	// contains filtered or unexported fields
}

PolicyLoader defines a policy loader

func NewPolicyLoader added in v0.38.0

func NewPolicyLoader(providers ...PolicyProvider) *PolicyLoader

NewPolicyLoader returns a new loader

func (*PolicyLoader) Close added in v0.38.0

func (p *PolicyLoader) Close()

Close stops the loader

func (*PolicyLoader) LoadPolicies added in v0.38.0

func (p *PolicyLoader) LoadPolicies(opts PolicyLoaderOpts) ([]*Policy, *multierror.Error)

LoadPolicies gathers the policies from all providers in the correct precedence order and ensures there is only one default policy. A remote-config default policy replaces a local default policy and takes precedence over every other policy, and remote-config custom policies take precedence over local custom policies. Operators should note that this makes remote configuration the most trusted policy source: a policy delivered that way overrides what is configured locally, including any enforcement actions it carries.

func (*PolicyLoader) NewPolicyReady added in v0.38.0

func (p *PolicyLoader) NewPolicyReady() <-chan struct{}

NewPolicyReady returns chan to listen new policy ready event

func (*PolicyLoader) SetProviders added in v0.38.0

func (p *PolicyLoader) SetProviders(providers []PolicyProvider)

SetProviders set providers

type PolicyLoaderOpts added in v0.39.0

// PolicyLoaderOpts are the options used during policy loading.
type PolicyLoaderOpts struct {
	// MacroFilters are applied to every macro definition (e.g. AgentVersionFilter)
	MacroFilters []MacroFilter
	// RuleFilters are applied to every rule definition (e.g. AgentVersionFilter, RuleIDFilter)
	RuleFilters []RuleFilter
	// DisableEnforcement is passed to ActionDefinition.Check; presumably it rejects or drops
	// enforcement actions such as kill so that a policy cannot trigger them — TODO confirm
	DisableEnforcement bool
}

PolicyLoaderOpts options used during the loading

type PolicyMacro added in v0.57.0

// PolicyMacro represents a macro loaded from a policy together with its load status.
type PolicyMacro struct {
	// Def is the macro definition
	Def *MacroDefinition
	// Accepted is false when a MacroFilter rejected the macro
	Accepted bool
	// Error is the load error, if any (see ErrMacroLoad)
	Error error
	// Policy is the policy the macro was loaded from
	Policy *Policy
}

PolicyMacro represents a macro loaded from a policy

func (*PolicyMacro) MergeWith added in v0.57.0

func (m *PolicyMacro) MergeWith(m2 *PolicyMacro) error

MergeWith merges macro m2 into m

type PolicyProvider added in v0.38.0

// PolicyProvider is a source of policies (directory, remote-config, bundled, workload). Providers
// are aggregated by PolicyLoader, which decides precedence between them by Type and PolicyInfo.
type PolicyProvider interface {
	// LoadPolicies returns the provider's policies after applying the macro and rule filters
	LoadPolicies([]MacroFilter, []RuleFilter) ([]*Policy, *multierror.Error)
	// SetOnNewPoliciesReadyCb registers a callback invoked when new policies are available
	SetOnNewPoliciesReadyCb(func())

	Start()
	Close() error

	// Type returns the type of policy provider, one of the PolicyProviderType* constants
	// (e.g. PolicyProviderTypeDir, whose value is "file")
	Type() string
}

PolicyProvider defines a rule provider

type PolicyRule added in v0.57.0

// PolicyRule represents a rule loaded from a policy, with its compiled actions, load status and the
// provenance of every policy that contributed to it (useful to audit where an action came from).
type PolicyRule struct {
	// Def is the rule definition
	Def *RuleDefinition
	// Actions are the compiled actions, including internal callbacks
	Actions []*Action
	// Accepted is false when a RuleFilter rejected the rule
	Accepted bool
	// Error is the load error, if any (see ErrRuleLoad)
	Error error
	// Policy is the policy that originally defined the rule
	Policy PolicyInfo
	// ModifiedBy lists the policies that overrode/merged into this rule (see MergeWith)
	ModifiedBy []PolicyInfo
	// UsedBy lists the policies that reference this rule
	UsedBy []PolicyInfo
}

PolicyRule represents a rule loaded from a policy

func (*PolicyRule) MergeWith added in v0.57.0

func (r *PolicyRule) MergeWith(r2 *PolicyRule)

MergeWith merges rule r2 into r

type PolicyType added in v0.64.0

type PolicyType string

PolicyType represents the type of a policy

// Policy types. The type, together with PolicyInfo.Source, determines precedence in
// PolicyLoader.LoadPolicies (only one DefaultPolicyType policy survives loading).
const (
	// DefaultPolicyType is the default policy type
	DefaultPolicyType PolicyType = "default"
	// CustomPolicyType is the custom policy type
	CustomPolicyType PolicyType = "custom"
	// InternalPolicyType is the policy for internal use (bundled_policy_provider)
	InternalPolicyType PolicyType = "internal"
	// SelftestPolicy is the policy for self tests
	SelftestPolicy PolicyType = "selftest"
)

type RangeFilterValue added in v0.59.0

type RangeFilterValue struct {
	Min int
	Max int
}

RangeFilterValue defines a range value

type Rule

// Rule is a rule as held by a RuleSet: the policy-level PolicyRule (definition, actions, provenance)
// combined with its compiled eval.Rule. Both embedded pointers are expected to be non-nil.
type Rule struct {
	*PolicyRule
	*eval.Rule
}

Rule represents a rule in a ruleset: the loaded PolicyRule together with its compiled eval.Rule.

type RuleActionPerformedCb added in v0.59.0

type RuleActionPerformedCb func(r *Rule, action *ActionDefinition)

RuleActionPerformedCb describes the callback function called after a rule action is performed

type RuleBucket

type RuleBucket struct {
	// contains filtered or unexported fields
}

RuleBucket groups rules with the same event type

func (*RuleBucket) AddRule

func (rb *RuleBucket) AddRule(rule *Rule) error

AddRule adds a rule to the bucket

func (*RuleBucket) GetRules

func (rb *RuleBucket) GetRules() []*Rule

GetRules returns the bucket rules

type RuleDefinition

// RuleDefinition holds the definition of a rule as declared in a policy file.
type RuleDefinition struct {
	// ID is the rule identifier; must match the accepted pattern (ErrRuleIDPattern) and must not
	// collide with reserved internal IDs (ErrInternalIDConflict)
	ID RuleID `yaml:"id,omitempty" json:"id"`
	// Version is the rule's own version string
	Version string `yaml:"version,omitempty" json:"version,omitempty"`
	// Expression is the SECL expression; required (ErrRuleWithoutExpression)
	Expression string `yaml:"expression" json:"expression,omitempty"`
	// Description is free-form documentation
	Description string `yaml:"description,omitempty" json:"description,omitempty"`
	// Tags are key/value labels (see GetTag and ExecutionContextTagName)
	Tags map[string]string `yaml:"tags,omitempty" json:"tags,omitempty"`
	// ProductTags are product-level labels
	ProductTags []string `yaml:"product_tags,omitempty" json:"product_tags,omitempty"`
	// AgentVersionConstraint is a semver constraint checked by AgentVersionFilter
	AgentVersionConstraint string `yaml:"agent_version,omitempty" json:"agent_version,omitempty"`
	// Filters are evaluated by RuleFilter implementations — presumably agent-side filters, confirm
	Filters []string `yaml:"filters,omitempty" json:"filters,omitempty"`
	// Disabled turns the rule off without removing it
	Disabled bool `yaml:"disabled,omitempty" json:"disabled,omitempty"`
	// Combine resolves an ID defined by several policies; rules only accept "override"
	Combine CombinePolicy `yaml:"combine,omitempty" json:"combine,omitempty" jsonschema:"enum=override"`
	// OverrideOptions selects which fields an overriding rule replaces
	OverrideOptions OverrideOptions `yaml:"override_options,omitempty" json:"override_options,omitempty"`
	// Actions to perform on match (set, kill, coredump, hash, log); kill/coredump have host-level effects
	Actions []*ActionDefinition `yaml:"actions,omitempty" json:"actions,omitempty"`
	// Every rate-limits the rule: at most one match per period
	Every *HumanReadableDuration `yaml:"every,omitempty" json:"every,omitempty"`
	// RateLimiterToken lists the fields that key the rate limiter — TODO confirm
	RateLimiterToken []string `yaml:"limiter_token,omitempty" json:"limiter_token,omitempty"`
	// Silent suppresses the event emitted on match — TODO confirm
	Silent bool `yaml:"silent,omitempty" json:"silent,omitempty"`
	// GroupID groups related rules
	GroupID string `yaml:"group_id,omitempty" json:"group_id,omitempty"`
}

RuleDefinition holds the definition of a rule

func (*RuleDefinition) GetTag added in v0.44.0

func (rd *RuleDefinition) GetTag(tagKey string) (string, bool)

GetTag returns the tag value associated with a tag key

type RuleFilter added in v0.39.0

type RuleFilter interface {
	IsRuleAccepted(*RuleDefinition) (bool, error)
}

RuleFilter definition of a rule filter

type RuleID

type RuleID = string

RuleID represents the ID of a rule

type RuleIDFilter added in v0.39.0

// RuleIDFilter is a RuleFilter that accepts rules based on their ID.
type RuleIDFilter struct {
	// ID is the rule ID to match — whether the match is exact or a pattern is not visible here; confirm
	ID string
}

RuleIDFilter defines an ID-based rule filter.

func (*RuleIDFilter) IsRuleAccepted added in v0.40.0

func (r *RuleIDFilter) IsRuleAccepted(rule *RuleDefinition) (bool, error)

IsRuleAccepted checks whether the rule is accepted

type RuleLoadErrType added in v0.41.0

type RuleLoadErrType string

RuleLoadErrType classifies a rule load error (see ErrRuleLoad.Type).

// Rule load error classes, as reported by ErrRuleLoad.Type. The string values are what gets
// surfaced in diagnostics, so keep them stable.
const (
	// AgentVersionErrType agent version incompatible (ErrRuleAgentVersion)
	AgentVersionErrType RuleLoadErrType = "agent_version_error"
	// AgentFilterErrType agent filter do not match (ErrRuleAgentFilter)
	AgentFilterErrType RuleLoadErrType = "agent_filter_error"
	// EventTypeNotEnabledErrType event type not enabled (ErrEventTypeNotEnabled)
	EventTypeNotEnabledErrType RuleLoadErrType = "event_type_disabled"
	// SyntaxErrType syntax error (ErrRuleSyntax)
	SyntaxErrType RuleLoadErrType = "syntax_error"
	// UnknownErrType undefined error; the catch-all for any other cause
	UnknownErrType RuleLoadErrType = "error"
)

type RuleSet

type RuleSet struct {
	// contains filtered or unexported fields
}

RuleSet holds a list of rules, grouped in buckets by event type. An event can be evaluated against it; if a rule matches, the listeners registered on this rule set are notified.

func NewFakeRuleSet added in v0.66.0

func NewFakeRuleSet(rule *Rule) *RuleSet

NewFakeRuleSet returns a fake and empty ruleset

func NewRuleSet

func NewRuleSet(model eval.Model, eventCtor func() eval.Event, opts *Opts, evalOpts *eval.Opts) *RuleSet

NewRuleSet returns a new ruleset for the specified data model

func (*RuleSet) AddFields

func (rs *RuleSet) AddFields(fields []eval.EventType)

AddFields merges the provided set of fields with the existing set of fields of the ruleset

func (*RuleSet) AddListener

func (rs *RuleSet) AddListener(listener RuleSetListener)

AddListener adds a listener on the ruleset

func (*RuleSet) AddMacro

func (rs *RuleSet) AddMacro(parsingContext *ast.ParsingContext, pMacro *PolicyMacro) (*eval.Macro, error)

AddMacro parses the macro AST and adds it to the list of macros of the ruleset

func (*RuleSet) AddMacros

func (rs *RuleSet) AddMacros(parsingContext *ast.ParsingContext, macros []*PolicyMacro) *multierror.Error

AddMacros parses the macros AST and adds them to the list of macros of the ruleset

func (*RuleSet) AddRule

func (rs *RuleSet) AddRule(parsingContext *ast.ParsingContext, pRule *PolicyRule) (model.EventCategory, error)

AddRule creates the rule evaluator and adds it to the bucket of its events

func (*RuleSet) AddRules

func (rs *RuleSet) AddRules(parsingContext *ast.ParsingContext, pRules []*PolicyRule) *multierror.Error

AddRules adds rules to the ruleset and generates their partials

func (*RuleSet) CleanupExpiredVariables added in v0.66.0

func (rs *RuleSet) CleanupExpiredVariables()

CleanupExpiredVariables cleans up all expired variables in the ruleset

func (*RuleSet) Evaluate

func (rs *RuleSet) Evaluate(event eval.Event) bool

Evaluate evaluates the specified event against the set of rules

func (*RuleSet) EvaluateDiscarders added in v0.45.0

func (rs *RuleSet) EvaluateDiscarders(event eval.Event)

EvaluateDiscarders evaluates the discarders for the given event, if any

func (*RuleSet) GetApprovers

func (rs *RuleSet) GetApprovers(fieldCaps map[eval.EventType]FieldCapabilities) (map[eval.EventType]Approvers, map[eval.EventType]*Rule, []*Rule, error)

GetApprovers returns all approvers

func (*RuleSet) GetBucket

func (rs *RuleSet) GetBucket(eventType eval.EventType) *RuleBucket

GetBucket returns rule bucket for the given event type

func (*RuleSet) GetDiscardersReport added in v0.68.0

func (rs *RuleSet) GetDiscardersReport() (*DiscardersReport, error)

GetDiscardersReport returns a discarders state report

func (*RuleSet) GetEventTypeApprovers added in v0.57.0

func (rs *RuleSet) GetEventTypeApprovers(eventType eval.EventType, fieldCaps FieldCapabilities) (Approvers, *Rule, []*Rule, error)

GetEventTypeApprovers returns approvers for the given event type and the fields

func (*RuleSet) GetEventTypes

func (rs *RuleSet) GetEventTypes() []eval.EventType

GetEventTypes returns all the event types handled by the ruleset

func (*RuleSet) GetFieldValues

func (rs *RuleSet) GetFieldValues(field eval.Field) []eval.FieldValue

GetFieldValues returns all the values of the given field

func (*RuleSet) GetOnDemandHookPoints added in v0.56.0

func (rs *RuleSet) GetOnDemandHookPoints() ([]OnDemandHookPoint, error)

GetOnDemandHookPoints returns the on-demand hook points

func (*RuleSet) GetRuleBucket added in v0.68.0

func (rs *RuleSet) GetRuleBucket(eventType eval.EventType) *RuleBucket

GetRuleBucket returns the rule bucket for the given event type

func (*RuleSet) GetRules

func (rs *RuleSet) GetRules() map[eval.RuleID]*Rule

GetRules returns the active rules

func (*RuleSet) GetVariables added in v0.64.0

func (rs *RuleSet) GetVariables() map[string]eval.SECLVariable

GetVariables returns the variables store

func (*RuleSet) HasRulesForEventType

func (rs *RuleSet) HasRulesForEventType(eventType eval.EventType) bool

HasRulesForEventType returns whether there is at least one rule for the given event type

func (*RuleSet) IsDiscarder

func (rs *RuleSet) IsDiscarder(ctx *eval.Context, field eval.Field, rules []*Rule) (bool, *Rule, error)

IsDiscarder partially evaluates an Event against a field

func (*RuleSet) ListFields added in v0.44.0

func (rs *RuleSet) ListFields() []string

ListFields returns all the fields accessed by all rules of this rule set

func (*RuleSet) ListMacroIDs

func (rs *RuleSet) ListMacroIDs() []MacroID

ListMacroIDs returns the list of MacroIDs from the ruleset

func (*RuleSet) ListRuleIDs

func (rs *RuleSet) ListRuleIDs() []RuleID

ListRuleIDs returns the list of RuleIDs from the ruleset

func (*RuleSet) LoadPolicies added in v0.38.0

func (rs *RuleSet) LoadPolicies(loader *PolicyLoader, opts PolicyLoaderOpts) *multierror.Error

LoadPolicies loads policies from the provided policy loader

func (*RuleSet) NewEvent added in v0.43.0

func (rs *RuleSet) NewEvent() eval.Event

NewEvent returns a new event using the embedded constructor

func (*RuleSet) NewFakeEvent added in v0.68.0

func (rs *RuleSet) NewFakeEvent() eval.Event

NewFakeEvent returns a new event using the embedded constructor for fake events

func (*RuleSet) NotifyDiscarderFound

func (rs *RuleSet) NotifyDiscarderFound(event eval.Event, field eval.Field, eventType eval.EventType)

NotifyDiscarderFound notifies all the ruleset listeners that a discarder was found for an event

func (*RuleSet) NotifyRuleMatch

func (rs *RuleSet) NotifyRuleMatch(ctx *eval.Context, rule *Rule, event eval.Event)

NotifyRuleMatch notifies all the ruleset listeners that an event matched a rule

func (*RuleSet) PopulateFieldsWithRuleActionsData added in v0.57.0

func (rs *RuleSet) PopulateFieldsWithRuleActionsData(policyRules []*PolicyRule, opts PolicyLoaderOpts) *multierror.Error

PopulateFieldsWithRuleActionsData populates the fields with the data from the rule actions

func (*RuleSet) SetFakeEventCtor added in v0.56.0

func (rs *RuleSet) SetFakeEventCtor(fakeEventCtor func() eval.Event)

SetFakeEventCtor sets the fake event constructor to the provided callback

func (*RuleSet) StopEventCollector added in v0.48.0

func (rs *RuleSet) StopEventCollector() []CollectedEvent

StopEventCollector stops the event collector

func (*RuleSet) WithExcludedRuleFromDiscarders added in v0.68.0

func (rs *RuleSet) WithExcludedRuleFromDiscarders(excludedRuleFromDiscarders map[eval.RuleID]bool)

WithExcludedRuleFromDiscarders sets the rules excluded from discarders

type RuleSetListener

// RuleSetListener describes the methods implemented by an object that wants to
// be notified of events on a rule set (see RuleSet.AddListener).
type RuleSetListener interface {
	// RuleMatch is called by RuleSet.NotifyRuleMatch when an event matched a rule.
	// NOTE(review): the meaning of the returned bool is not documented here — confirm against the callers.
	RuleMatch(ctx *eval.Context, rule *Rule, event eval.Event) bool
	// EventDiscarderFound is called by RuleSet.NotifyDiscarderFound when a discarder
	// was found for an event on the given field and event type.
	EventDiscarderFound(rs *RuleSet, event eval.Event, field eval.Field, eventType eval.EventType)
}

RuleSetListener describes the methods implemented by an object that wants to be notified of events on a rule set.

type SECLRuleFilter added in v0.41.0

type SECLRuleFilter struct {
	// contains filtered or unexported fields
}

SECLRuleFilter defines a SECL rule filter

func NewSECLRuleFilter added in v0.41.0

func NewSECLRuleFilter(model eval.Model) *SECLRuleFilter

NewSECLRuleFilter returns a new agent-version-based rule filter

func (*SECLRuleFilter) IsMacroAccepted added in v0.41.0

func (r *SECLRuleFilter) IsMacroAccepted(macro *MacroDefinition) (bool, error)

IsMacroAccepted checks whether the macro is accepted

func (*SECLRuleFilter) IsRuleAccepted added in v0.41.0

func (r *SECLRuleFilter) IsRuleAccepted(rule *RuleDefinition) (bool, error)

IsRuleAccepted checks whether the rule is accepted

type Scope added in v0.35.0

// Scope describes the scope of a variable; the accepted values are
// "process", "container" and "cgroup" (see the jsonschema enum on SetDefinition.Scope).
type Scope string

Scope describes the scope of variables

type SetDefinition added in v0.35.0

// SetDefinition describes the 'set' section of a rule action.
//
// Per the jsonschema tags, a definition is either a "SetWithValue" (Value is
// required) or a "SetWithField" (Field is required).
type SetDefinition struct {
	// Name is the name of the variable being set.
	Name         string                 `yaml:"name" json:"name"`
	// Value is the value to assign; the schema restricts it to a string,
	// integer, boolean or array (required in the SetWithValue variant).
	Value        interface{}            `yaml:"value" json:"value,omitempty" jsonschema:"oneof_required=SetWithValue,oneof_type=string;integer;boolean;array"`
	// DefaultValue has the same type constraints as Value.
	// NOTE(review): when it is applied (e.g. before the first set) is not documented here — confirm.
	DefaultValue interface{}            `yaml:"default_value" json:"default_value,omitempty" jsonschema:"oneof_type=string;integer;boolean;array"`
	// Field names the field whose value is used instead of Value
	// (required in the SetWithField variant); presumably an event field — confirm.
	Field        string                 `yaml:"field" json:"field,omitempty" jsonschema:"oneof_required=SetWithField"`
	// Expression is an expression used to compute the value; presumably SECL — confirm.
	Expression   string                 `yaml:"expression" json:"expression,omitempty"`
	// Append presumably appends to the existing (array) value instead of replacing it — confirm.
	Append       bool                   `yaml:"append" json:"append,omitempty"`
	// Scope is one of "process", "container" or "cgroup" (schema enum).
	Scope        Scope                  `yaml:"scope" json:"scope,omitempty" jsonschema:"enum=process,enum=container,enum=cgroup"`
	// ScopeField — meaning not documented here; presumably the field keying the scope — confirm.
	ScopeField   string                 `yaml:"scope_field" json:"scope_field,omitempty"`
	// Size — presumably a maximum size for array-valued variables — confirm.
	Size         int                    `yaml:"size" json:"size,omitempty"`
	// TTL is an optional lifetime; expired variables are presumably reclaimed by
	// RuleSet.CleanupExpiredVariables — confirm.
	TTL          *HumanReadableDuration `yaml:"ttl" json:"ttl,omitempty"`
	// Private — meaning not documented here — confirm.
	Private      bool                   `yaml:"private" json:"private,omitempty"`
	// Inherited — meaning not documented here — confirm.
	Inherited    bool                   `yaml:"inherited" json:"inherited,omitempty"`
}

SetDefinition describes the 'set' section of a rule action

type VariableProvider added in v0.35.0

// VariableProvider is the interface implemented by SECL variable providers.
type VariableProvider interface {
	// NewSECLVariable creates a SECL variable with the given name, initial value
	// and options.
	NewSECLVariable(name string, value interface{}, opts eval.VariableOpts) (eval.SECLVariable, error)
	// CleanupExpiredVariables removes the variables whose lifetime has elapsed;
	// presumably driven by RuleSet.CleanupExpiredVariables — confirm.
	CleanupExpiredVariables()
}

VariableProvider is the interface implemented by SECL variable providers (Should be named VariableValueProvider)

type VariableProviderFactory added in v0.35.0

// VariableProviderFactory describes a function called to instantiate a variable provider.
type VariableProviderFactory func() VariableProvider

VariableProviderFactory describes a function called to instantiate a variable provider

Directories

Path Synopsis
Package filter holds filter related files
Package filter holds filter related files
