share

const (
	// All PERM_xyz_BASIC permissions can be enabled/disabled indirectly by enabling/disabling some composite permission(s)
	PERM_IBMSA                 = 0x00000001 // hidden(non-configurable by user), only for IBM SA to set up with NV
	PERM_FED                   = 0x00000002 // hidden(non-configurable by user), only for fedAdmin role
	PERM_NV_RESOURCE           = 0x00000004 // hidden(non-configurable by user), for accessing controller/enforcer/scanner. No custom role can have this permission.
	PERM_RUNTIME_SCAN_BASIC    = 0x00000008 // platform/host/container scan. namespaced
	PERM_REG_SCAN              = 0x00000010 // namespaced
	PERM_CICD_SCAN             = 0x00000020 // (modify only) for scanning serverless & container image
	PERM_INFRA_BASIC           = 0x00000040 // for accessing host/platform/domain.
	PERM_NETWORK_POLICY_BASIC  = 0x00000080 // network policy. namespaced
	PERM_SYSTEM_POLICY_BASIC   = 0x00000100 // file/process profiles, response rules, dlp. namespaced
	PERM_GROUP_BASIC           = 0x00000200 // group. namespaced
	PERM_ADM_CONTROL           = 0x00000400
	PERM_COMPLIANCE_BASIC      = 0x00000800 // namespaced
	PERM_AUDIT_EVENTS          = 0x00001000 // (view only) namespaced
	PERM_SECURITY_EVENTS_BASIC = 0x00002000 // (view only) namespaced
	PERM_EVENTS                = 0x00004000 // (view only) namespaced
	PERM_AUTHENTICATION        = 0x00008000 // for ldap/SAML/OpenID configuration
	PERM_AUTHORIZATION         = 0x00010000 // for users/roles configuration. namespaced(None user who is admin of domain A can create/config/delete another None user who has role in dmain A). namespaced
	PERM_SYSTEM_CONFIG         = 0x00020000 // include license
	PERM_CLOUD                 = 0x00040000 // for cloud services like aws lambda
	PERM_WORKLOAD_BASIC        = 0x00080000 // workload(pod). namespaced
	PERM_VULNERABILITY         = 0x00100000 // for vulnerability profile

	// composite permissions (~= permanent boost)
	PERMS_RUNTIME_SCAN     = PERM_RUNTIME_SCAN_BASIC | PERM_WORKLOAD_BASIC | PERM_INFRA_BASIC
	PERMS_RUNTIME_POLICIES = PERM_GROUP_BASIC | PERM_NETWORK_POLICY_BASIC | PERM_SYSTEM_POLICY_BASIC | PERM_WORKLOAD_BASIC
	PERMS_COMPLIANCE       = PERM_COMPLIANCE_BASIC | PERM_WORKLOAD_BASIC | PERM_INFRA_BASIC
	PERMS_SECURITY_EVENTS  = PERM_SECURITY_EVENTS_BASIC | PERM_WORKLOAD_BASIC
	PERMS_PWD_PROFILE      = PERM_AUTHORIZATION | PERM_SYSTEM_CONFIG

	// Effective permissions for domain admin/reader roles. Even for the reserved admin/reader roles assigned to domain, they cannot access controller/enforcer objects(PERM_NV_RESOURCE)
	PERMS_DOMAIN_READ = PERM_RUNTIME_SCAN_BASIC | PERM_REG_SCAN | PERM_NETWORK_POLICY_BASIC | PERM_SYSTEM_POLICY_BASIC | PERM_GROUP_BASIC | PERM_WORKLOAD_BASIC |
		PERM_COMPLIANCE_BASIC | PERM_AUTHORIZATION | PERM_SYSTEM_CONFIG | PERM_AUDIT_EVENTS | PERM_SECURITY_EVENTS_BASIC | PERM_EVENTS // all read permissions a domain admin could have eventually
	PERMS_DOMAIN_WRITE = PERM_RUNTIME_SCAN_BASIC | PERM_REG_SCAN | PERM_NETWORK_POLICY_BASIC | PERM_SYSTEM_POLICY_BASIC | PERM_GROUP_BASIC | PERM_WORKLOAD_BASIC |
		PERM_COMPLIANCE_BASIC | PERM_AUTHORIZATION // all write permissions a domain admin could have eventually
	PERMS_DOMAIN = PERMS_DOMAIN_READ | PERMS_DOMAIN_WRITE // sum of all permissions that are supporedt in domain

	// customer-configurable permissions: (PERM_NV_RESOURCE is non-customer-configurable permission)
	PERMS_GLOBAL_CONFIGURABLE_READ  = PERM_ADM_CONTROL | PERM_AUTHENTICATION | PERM_CLOUD | PERM_INFRA_BASIC | PERM_VULNERABILITY | PERMS_DOMAIN_READ                                        // sum of all configurable(non-hidden) read permissions
	PERMS_GLOBAL_CONFIGURABLE_WRITE = PERM_ADM_CONTROL | PERM_AUTHENTICATION | PERM_CLOUD | PERM_INFRA_BASIC | PERM_VULNERABILITY | PERMS_DOMAIN_WRITE | PERM_SYSTEM_CONFIG | PERM_CICD_SCAN // sum of all configurable(non-hidden) write permissions

	// Effective permissions for reserved fedAdmin/fedReader/admin/reader roles on global domain, only they have PERM_NV_RESOURCE permission
	PERMS_CLUSTER_READ  = PERM_NV_RESOURCE | PERMS_GLOBAL_CONFIGURABLE_READ
	PERMS_CLUSTER_WRITE = PERM_NV_RESOURCE | PERMS_GLOBAL_CONFIGURABLE_WRITE
	PERMS_CLUSTER       = PERMS_CLUSTER_READ | PERMS_CLUSTER_WRITE // sum of all permissions that are supported in cluster
	PERMS_FED_READ      = PERM_FED | PERMS_CLUSTER_READ
	PERMS_FED_WRITE     = PERM_FED | PERMS_CLUSTER_WRITE
	PERMS_FED           = PERMS_FED_READ | PERMS_FED_WRITE // sum of all permissions that are supported in fed
)

const (
	PERM_IBMSA_ID                 = "ibmsa"       // hidden to user in 4.0
	PERM_FED_ID                   = "fed"         // hidden to user when it's not master cluster
	PERM_NV_RESOURCE_ID           = "nv_resource" // hidden to user in 4.0
	PERM_REG_SCAN_ID              = "reg_scan"
	PERM_CICD_SCAN_ID             = "ci_scan"
	PERM_ADM_CONTROL_ID           = "admctrl"
	PERM_AUDIT_EVENTS_ID          = "audit_events"
	PERM_EVENTS_ID                = "events"
	PERM_AUTHENTICATION_ID        = "authentication"
	PERM_AUTHORIZATION_ID         = "authorization"
	PERM_SYSTEM_CONFIG_ID         = "config"
	PERM_CLOUD_ID                 = "cloud"
	PERM_INFRA_BASIC_ID           = "infra_basic"
	PERM_RUNTIME_SCAN_BASIC_ID    = "rt_scan_basic"
	PERM_NETWORK_POLICY_BASIC_ID  = "nw_policy_basic"
	PERM_SYSTEM_POLICY_BASIC_ID   = "sys_policy_basic"
	PERM_GROUP_BASIC_ID           = "group_basic"
	PERM_COMPLIANCE_BASIC_ID      = "compliance_basic"
	PERM_SECURITY_EVENTS_BASIC_ID = "security_events_basic"
	PERM_WORKLOAD_BASIC_ID        = "workload_basic"
	PERM_VULNERABILITY_ID         = "vulnerability"

	// complex permissions, can be seen by customers
	PERMS_RUNTIME_SCAN_ID     = "rt_scan"         // == PERM_RUNTIME_SCAN_BASIC | PERM_WORKLOAD_BASIC | PERM_INFRA_BASIC
	PERMS_RUNTIME_POLICIES_ID = "rt_policy"       // == PERM_GROUP_BASIC + PERM_NETWORK_POLICY_BASIC | PERM_SYSTEM_POLICY_BASIC | PERM_WORKLOAD_BASIC
	PERMS_COMPLIANCE_ID       = "compliance"      // == PERM_COMPLIANCE_BASIC | PERM_WORKLOAD_BASIC | PERM_INFRA_BASIC
	PERMS_SECURITY_EVENTS_ID  = "security_events" // == PERM_SECURITY_EVENTS_BASIC | PERM_WORKLOAD_BASIC
)

const (
	CFGEndpointSystem           = "system"
	CFGEndpointEULA             = "eula"
	CFGEndpointScan             = "scan"
	CFGEndpointUser             = "user"
	CFGEndpointServer           = "server"
	CFGEndpointGroup            = "group"
	CFGEndpointPolicy           = "policy"
	CFGEndpointLicense          = "license"
	CFGEndpointResponseRule     = "response_rule"
	CFGEndpointProcessProfile   = "process_profile"
	CFGEndpointRegistry         = "registry"
	CFGEndpointDomain           = "domain"
	CFGEndpointFileMonitor      = "file_monitor"
	CFGEndpointFileAccessRule   = "file_rule"
	CFGEndpointAdmissionControl = "admission_control"
	CFGEndpointCrd              = "crd"
	CFGEndpointFederation       = "federation"
	CFGEndpointDlpRule          = "dlp_rule"
	CFGEndpointDlpGroup         = "dlp_group"
	CFGEndpointWafRule          = "waf_rule"
	CFGEndpointWafGroup         = "waf_group"
	CFGEndpointScript           = "script"
	CFGEndpointCloud            = "cloud"
	CFGEndpointCompliance       = "compliance"
	CFGEndpointVulnerability    = "vulnerability"
	CFGEndpointUserRole         = "user_role"
	CFGEndpointPwdProfile       = "pwd_profile"
)

const (
	GroupKindContainer string = "container"
	GroupKindAddress   string = "address"
	GroupKindIPService string = "ip_service"
	GroupKindExternal  string = "external"
	GroupKindNode      string = "node"
)

const (
	CLUSResCfgRule     = "rule"
	CLUSResCfgRuleList = "rules"
)

const (
	// host: address is meaningful only on local host. Native container IP has this scope.
	CLUSIPAddrScopeLocalhost = "host"
	// global: address is global
	CLUSIPAddrScopeGlobal = "global"
	// nat: address for NAT access. Typically, this the address of the host.
	CLUSIPAddrScopeNAT = "nat"
)

const (
	Learned = iota + 1
	UserCreated
	GroundCfg
	FederalCfg
	SystemDefined
)

const (
	WireInline  string = "inline"
	WireDefault string = "default"
)

const (
	SpecInternalTunnelIP = "tunnelip"
	SpecInternalSvcIP    = "svcip"
	SpecInternalHostIP   = "hostip"
	SpecInternalDevIP    = "devip"
	SpecInternalUwlIP    = "uwlip"
	SpecInternalExtIP    = "extip"
)

const (
	BenchLevelPass  = "PASS"
	BenchLevelInfo  = "INFO"
	BenchLevelWarn  = "WARN"
	BenchLevelHigh  = "HIGH"
	BenchLevelNote  = "NOTE"
	BenchLevelError = "ERROR"
	BenchProfileL1  = "Level 1"
	BenchProfileL2  = "Level 2"
)

const (
	ScanFlagCVE    = 0x01
	ScanFlagLayers = 0x02
	ScanFlagFiles  = 0x04
)

const (
	AdmCtrlModeMonitor = "monitor"
	AdmCtrlModeProtect = "protect"

	AdmClientModeSvc = "service"
	AdmClientModeUrl = "url"

	AdmCtrlActionAllow = PolicyActionAllow
	AdmCtrlActionDeny  = PolicyActionDeny
)

const (
	CLUSAdmissionCfgCert     = "cert"
	CLUSAdmissionCfgState    = "state"
	CLUSAdmissionCfgRule     = "rule"
	CLUSAdmissionCfgRuleList = "rules"
	CLUSAdmissionStatistics  = "statistics"
)

const (
	FedAdmCtrlExceptRulesType  = "fed_admctrl_exception"
	FedAdmCtrlDenyRulesType    = "fed_admctrl_deny"
	FedNetworkRulesType        = "fed_netwwork_rule"
	FedResponseRulesType       = "fed_response_rule"
	FedGroupType               = "fed_group"
	FedFileMonitorProfilesType = "fed_file_profile"
	FedProcessProfilesType     = "fed_process_profile"
	FedSystemConfigType        = "fed_system_config"
)

const (
	CriticalAdmCtrlExceptRulesType = "critical_allow"
	CrdAdmCtrlExceptRulesType      = "crd_allow"
	CrdAdmCtrlDenyRulesType        = "crd_deny"
)

const (
	DefaultComplianceProfileName    = "default"
	DefaultVulnerabilityProfileName = "default"
	DefaultPolicyName               = "default" // mapping of ScopeLocal
	FedPolicyName                   = "fed"     // mapping of ScopeFed
)

const (
	ScopeLocal = "local"
	ScopeFed   = "fed"
	ScopeAll   = ""
	ScopeError = "error"
)

const (
	StartPingFedJoints = iota + 1
	StopPingFedJoints
	StartPollFedMaster
	StopPollFedMaster
	InstantPollFedMaster
	InstantPingFedJoints
	JointLoadOwnKeys
	MasterLoadJointKeys
	PurgeJointKeys
	MasterUnloadJointKeys
	StartPostToIBMSA
	StopPostToIBMSA
	PostToIBMSA
	RestartWebhookServer
)

const (
	CLUSFedMembershipSubKey     = "membership"
	CLUSFedClustersListSubKey   = "clusters_list"
	CLUSFedClustersStatusSubKey = "clusters_status"
	CLUSFedClustersSubKey       = "clusters"
	CLUSFedRulesRevisionSubKey  = "rules_revision"
	CLUSFedToPingPollSubKey     = "ping_poll"
)

const (
	CLUSFedMembershipKey     = CLUSConfigFederationStore + CLUSFedMembershipSubKey     // stores CLUSFedMembership
	CLUSFedClustersListKey   = CLUSConfigFederationStore + CLUSFedClustersListSubKey   // stores CLUSFedJoinedClusterList
	CLUSFedClustersStatusKey = CLUSConfigFederationStore + CLUSFedClustersStatusSubKey // each subkey stores CLUSFedClusterStatus
	CLUSFedClustersKey       = CLUSConfigFederationStore + CLUSFedClustersSubKey       // each subkey stores CLUSFedJointClusterInfo
	CLUSFedRulesRevisionKey  = CLUSConfigFederationStore + CLUSFedRulesRevisionSubKey  // stores CLUSFedRulesRevision
	CLUSFedToPingPollKey     = CLUSConfigFederationStore + CLUSFedToPingPollSubKey     // stores CLUSFedDoPingPoll
	CLUSFedSystemKey         = CLUSConfigFederationStore + CFGEndpointSystem           // stores CLUSFedSystemConfig
)

const (
	DlpPatternContextURI     string = "url"
	DlpPatternContextHEAD    string = "header"
	DlpPatternContextBODY    string = "body"
	DlpPatternContextPACKET  string = "packet"
	DlpPatternContextDefault string = "body"
)

const (
	CLUSDlpDefaultSensor = "sensor.dlpdfltnv"
	CLUSDlpSsnSensor     = "sensor.ssn"
	CLUSDlpCcSensor      = "sensor.creditcard"
	CLUSWafDefaultSensor = "sensor.wafdfltnv"
)

const (
	DlpRuleNameCreditCard string = "rule.creditcard"
	DlpRuleNameCcAxp      string = "rule.americanexpress"
	DlpRuleNameCcDiscover string = "rule.discover"
	DlpRuleNameCcMaster   string = "rule.master"
	DlpRuleNameCcVisa     string = "rule.visa"
	DlpRuleNameCcDinerV1  string = "rule.diner1"
	DlpRuleNameCcDinerV2  string = "rule.diner2"
	DlpRuleNameCcJcb      string = "rule.jcb"
	DlpRuleNameSsn        string = "rule.ssn"
)

const (
	DlpWlRuleIn  = "inside"
	DlpWlRuleOut = "outside"
	WafWlRuleIn  = "wafinside"
	WafWlRuleOut = "wafoutside"
)

const (
	SecretPrivateKey string = "privatekey" // Private Key
	SecretX509       string = "x.509"      // X.509 certificates (ignored)
	SecretProgram    string = "program"    // in specific program files
	SecretRegular    string = "regular"    // in other regular files
)

const (
	IMPORT_PREPARE     = "preparing"
	IMPORT_RUNNING     = "importing"
	IMPORT_DONE        = "done"
	IMPORT_NO_RESPONSE = "no_response"
)

const (
	PREFIX_IMPORT_CONFIG       = "import_"
	PREFIX_IMPORT_GROUP_POLICY = "group_import_"
	PREFIX_IMPORT_ADMCTRL      = "admctrl_import_"
	PREFIX_IMPORT_WAF          = "waf_import_"
)

const (
	IMPORT_TYPE_CONFIG       = ""
	IMPORT_TYPE_GROUP_POLICY = "group"
	IMPORT_TYPE_ADMCTRL      = "admctrl"
	IMPORT_TYPE_WAF          = "waf"
)

const (
	ReviewTypeCRD           = iota + 1
	ReviewTypeImportGroup   // interactive import
	ReviewTypeImportAdmCtrl // interactive import
	ReviewTypeImportWAF     // interactive import
)

const (
	ReviewTypeDisplayCRD       = "CRD"
	ReviewTypeDisplayGroup     = "Group Policy"                     // interactive import
	ReviewTypeDisplayAdmission = "Admission Control Configurations" // interactive import
	ReviewTypeDisplayWAF       = "WAF Configurations"               // interactive import
)

const (
	CriteriaKeyImage     string = "image"
	CriteriaKeyHost      string = "node"
	CriteriaKeyWorkload  string = "container"
	CriteriaKeyService   string = "service"
	CriteriaKeyAddress   string = "address"
	CriteriaKeyLabel     string = "label"
	CriteriaKeyDomain    string = "domain"
	CriteriaKeyNamespace string = "namespace"
	// CriteriaKeyApp      string = "application"
	// CriteriaKeyWorkloadID string = "container_id"
	// CriteriaKeyGroup      string = "nv.group"
	// CriteriaKeyCIDR       string = "cidr"
	CriteriaKeyUser                string = "user"
	CriteriaKeyK8sGroups           string = "userGroups"
	CriteriaKeyImageRegistry       string = "imageRegistry"
	CriteriaKeyLabels              string = "labels"
	CriteriaKeyMountVolumes        string = "mountVolumes"
	CriteriaKeyEnvVars             string = "envVars"
	CriteriaKeyBaseImage           string = "baseImage"
	CriteriaKeyCVENames            string = "cveNames"
	CriteriaKeyCVEHighCount        string = "cveHighCount"
	CriteriaKeyCVEMediumCount      string = "cveMediumCount"
	CriteriaKeyCVEHighWithFixCount string = "cveHighWithFixCount"
	CriteriaKeyCVEScore            string = "cveScore"
	CriteriaKeyCVEScoreCount       string = "cveScoreCount"
	CriteriaKeyImageScanned        string = "imageScanned"
	CriteriaKeyImageSigned         string = "imageSigned"
	CriteriaKeyRunAsRoot           string = "runAsRoot"
	CriteriaKeyRunAsPrivileged     string = "runAsPrivileged"
	CriteriaKeyImageCompliance     string = "imageCompliance" // secrets, setIdPerm from scanning image results
	CriteriaKeyEnvVarSecrets       string = "envVarSecrets"   // secrets from yaml resources
	CriteriaKeyImageNoOS           string = "imageNoOS"
	CriteriaKeySharePidWithHost    string = "sharePidWithHost"
	CriteriaKeyShareIpcWithHost    string = "shareIpcWithHost"
	CriteriaKeyShareNetWithHost    string = "shareNetWithHost"
	CriteriaKeyAllowPrivEscalation string = "allowPrivEscalation"
	CriteriaKeyPspCompliance       string = "pspCompliance" // psp compliance violation
	CriteriaKeyRequestLimit        string = "resourceLimit"
)

const (
	SubCriteriaPublishDays   string = "publishDays"
	SubCriteriaCount         string = "count"
	SubCriteriaCpuRequest    string = "cpuRequest"
	SubCriteriaCpuLimit      string = "cpuLimit"
	SubCriteriaMemoryRequest string = "memoryRequest"
	SubCriteriaMemoryLimit   string = "memoryLimit"
)

const (
	CriteriaOpEqual             string = "="
	CriteriaOpNotEqual          string = "!="
	CriteriaOpContains          string = "contains"
	CriteriaOpPrefix            string = "prefix"
	CriteriaOpRegex             string = "regex"
	CriteriaOpNotRegex          string = "!regex"
	CriteriaOpBiggerEqualThan   string = ">="
	CriteriaOpBiggerThan        string = ">"
	CriteriaOpLessEqualThan     string = "<="
	CriteriaOpContainsAll       string = "containsAll"
	CriteriaOpContainsAny       string = "containsAny"
	CriteriaOpNotContainsAny    string = "notContainsAny"
	CriteriaOpContainsOtherThan string = "containsOtherThan"
)

const (
	CriteriaValueTrue  string = "true"
	CriteriaValueFalse string = "false"
)

const (
	NeuVectorLabelImage string = "neuvector.image"
	NeuVectorLabelRole  string = "neuvector.role"

	NeuVectorRoleController string = "controller"
	NeuVectorRoleEnforcer   string = "enforcer"
	NeuVectorRoleManager    string = "manager"
)

const (
	PolicyModeLearn       string = "Discover"
	PolicyModeEvaluate    string = "Monitor"
	PolicyModeEnforce     string = "Protect"
	PolicyModeUnavailable string = "N/A"
)

const (
	ProfileBasic  string = "Default"
	ProfileShield string = "Shield"

	ProfileCrdBasic  string = "default"
	ProfileCrdShield string = "shield"
)

const (
	PolicyActionOpen     string = "open" // Policy is not enforced
	PolicyActionLearn    string = "learn"
	PolicyActionAllow    string = "allow"
	PolicyActionDeny     string = "deny"
	PolicyActionViolate  string = "violate"
	PolicyActionCheckApp string = "check_app"
)

const (
	VulnSeverityCritical string = "Critical"
	VulnSeverityHigh     string = "High"
	VulnSeverityMedium   string = "Medium"
	VulnSeverityLow      string = "Low"
)

const (
	DlpRuleActionAllow   string = "allow"
	DlpRuleActionDrop    string = "deny"
	DlpRuleStatusEnable  string = "enable"
	DlpRuleStatusDisable string = "disable"
	DlpRuleSeverityInfo  string = "info"
	DlpRuleSeverityLow   string = "low"
	DlpRuleSeverityMed   string = "medium"
	DlpRuleSeverityHigh  string = "high"
	DlpRuleSeverityCrit  string = "critical"
)

const (
	PlatformDocker     = "Docker"
	PlatformAmazonECS  = "Amazon-ECS"
	PlatformKubernetes = "Kubernetes"
	PlatformRancher    = "Rancher"
	PlatformAliyun     = "Aliyun"

	FlavorSwarm     = "Swarm"
	FlavorUCP       = "UCP"
	FlavorOpenShift = "OpenShift"
	FlavorRancher   = "Rancher"
	FlavorIKE       = "IKE"
	FlavorGKE       = "GKE"

	NetworkFlannel   = "Flannel"
	NetworkCalico    = "Calico"
	NetworkDefault   = "Default"
	NetworkProxyMesh = "ProxyMeshLo"
)

const (
	ENV_PLATFORM_INFO = "NV_PLATFORM_INFO"
	ENV_SYSTEM_GROUPS = "NV_SYSTEM_GROUPS"
	ENV_DISABLE_PCAP  = "DISABLE_PACKET_CAPTURE"
)

const (
	ENV_PLT_PLATFORM    = "platform"
	ENV_PLT_INTF_PREFIX = "if-"
	ENV_PLT_INTF_HOST   = "host"
	ENV_PLT_INTF_GLOBAL = "global"
)

const (
	RegistryTypeAWSECR           = "Amazon ECR Registry"
	RegistryTypeAzureACR         = "Azure Container Registry"
	RegistryTypeDocker           = "Docker Registry"
	RegistryTypeGCR              = "Google Container Registry"
	RegistryTypeJFrog            = "JFrog Artifactory"
	RegistryTypeOpenShift        = "OpenShift Registry"
	RegistryTypeRedhat_Deprecate = "Red Hat/OpenShift Registry"
	RegistryTypeRedhat           = "Red Hat Public Registry"
	RegistryTypeSonatypeNexus    = "Sonatype Nexus"
	RegistryTypeGitlab           = "Gitlab"
	RegistryTypeIBMCloud         = "IBM Cloud Container Registry"
)

const (
	JFrogModeRepositoryPath = "Repository Path"
	JFrogModeSubdomain      = "Subdomain"
	JFrogModePort           = "Port"
)

const (
	EventRuntime          string = "security-event" // EventThreat + EventIncident + EventViolation + EventDlp +EventWaf
	EventEvent            string = "event"
	EventActivity         string = "activity"
	EventCVEReport        string = "cve-report"
	EventThreat           string = "threat"
	EventIncident         string = "incident"
	EventViolation        string = "violation"
	EventBenchmark_UNUSED string = "benchmark"
	EventCompliance       string = "compliance"
	EventAdmCtrl          string = "admission-control"
	EventDlp              string = "dlp"
	EventServerless       string = "serverless"
	EventWaf              string = "waf"
)

const (
	RuleAttribGroup    string = "group"
	RuleAttribCriteria string = "criteria"
	RuleAttribAction   string = "action"
	RuleAttribLogLevel string = "log-level"
)

const (
	EventCondTypeName        string = "name"
	EventCondTypeCVEName     string = "cve-name"
	EventCondTypeCVEHigh     string = "cve-high"
	EventCondTypeCVEMedium   string = "cve-medium"
	EventCondTypeLevel       string = "level"
	EventCondTypeProc        string = "process"
	EventCondTypeBenchNumber string = "number"
)

const (
	EventActionQuarantine  string = "quarantine"
	EventActionSuppressLog string = "suppress-log"
	EventActionWebhook     string = "webhook"
)

const (
	FileAccessBehaviorBlock   = "block_access"
	FileAccessBehaviorMonitor = "monitor_change"
)

const (
	// show only
	CloudResDataLost = "data_lost"
	// transient state
	CloudResScheduled  = "scheduled"
	CloudResScanning   = "scanning"
	CloudResSuspending = "suspending"
	// final state
	CloudResSuspend = "suspend"
	CloudResReady   = "ready"
	CloudResError   = "error"
)

const (
	CloudAws   = "aws_cloud"
	CloudAzure = "azure_cloud"
)

const (
	AwsLambdaFunc  = "aws_lambda_func"
	AwsLambdaLayer = "aws_lambda_layer"
	AwsLambdaApp   = "aws_lambda_app"
	AwsLambdaRt    = "aws_lambda_runtime"
)

const (
	AccessAllAsReader = "*" // Namespace user can read, global user follow roles
)

const AwsNvSecKey string = "nvsecKey"

const CLUSAgentStore string = CLUSObjectStore + "agent/"

const CLUSAuditLogStore string = CLUSObjectStore + "auditlog/"

const CLUSBenchStore string = "bench/"

const CLUSCertStore string = CLUSObjectStore + "cert/"

const CLUSCloudStore string = CLUSObjectStore + "cloud/"

const CLUSConfigAdmissionControlStore string = CLUSConfigStore + CFGEndpointAdmissionControl + "/"

const CLUSConfigCloudStore string = CLUSConfigStore + CFGEndpointCloud + "/"

const CLUSConfigComplianceProfileStore string = CLUSConfigComplianceStore + "profile/"

const CLUSConfigComplianceStore string = CLUSConfigStore + CFGEndpointCompliance + "/"

const CLUSConfigCrdStore string = CLUSConfigStore + CFGEndpointCrd + "/"

const CLUSConfigDlpGroupStore string = CLUSConfigStore + CFGEndpointDlpGroup + "/"

const CLUSConfigDlpRuleStore string = CLUSConfigStore + CFGEndpointDlpRule + "/"

const CLUSConfigDomainStore string = CLUSConfigStore + CFGEndpointDomain + "/"

const CLUSConfigEULAKey string = CLUSConfigStore + CFGEndpointEULA

const CLUSConfigFedAdmCtrlKey string = CLUSConfigAdmissionControlStore + "fed/"

const CLUSConfigFedResponseRuleKey string = CLUSConfigResponseRuleStore + "fed/"

const CLUSConfigFederationStore string = CLUSConfigStore + CFGEndpointFederation + "/"

const CLUSConfigFileAccessRuleStore string = CLUSConfigStore + CFGEndpointFileAccessRule + "/"

const CLUSConfigFileMonitorStore string = CLUSConfigStore + CFGEndpointFileMonitor + "/"

const CLUSConfigGroupStore string = CLUSConfigStore + CFGEndpointGroup + "/"

const CLUSConfigLicenseKey string = CLUSConfigStore + CFGEndpointLicense

const CLUSConfigPolicyStore string = CLUSConfigStore + CFGEndpointPolicy + "/"

const CLUSConfigProcessProfileStore string = CLUSConfigStore + CFGEndpointProcessProfile + "/"

const CLUSConfigPwdProfileStore string = CLUSConfigStore + CFGEndpointPwdProfile + "/"

const CLUSConfigRegistryStore string = CLUSConfigStore + CFGEndpointRegistry + "/"

const CLUSConfigResponseRuleStore string = CLUSConfigStore + CFGEndpointResponseRule + "/"

const CLUSConfigScanKey string = CLUSConfigStore + CFGEndpointScan

const CLUSConfigScriptStore string = CLUSConfigStore + CFGEndpointScript + "/"

const CLUSConfigServerStore string = CLUSConfigStore + CFGEndpointServer + "/"

const CLUSConfigStore string = CLUSObjectStore + "config/"

const CLUSConfigSystemKey string = CLUSConfigStore + CFGEndpointSystem

const CLUSConfigUserRoleStore string = CLUSConfigStore + CFGEndpointUserRole + "/"

const CLUSConfigUserStore string = CLUSConfigStore + CFGEndpointUser + "/"

const CLUSConfigVulnerabilityProfileStore string = CLUSConfigVulnerabilityStore + "profile/"

const CLUSConfigVulnerabilityStore string = CLUSConfigStore + CFGEndpointVulnerability + "/"

const CLUSConfigWafGroupStore string = CLUSConfigStore + CFGEndpointWafGroup + "/"

const CLUSConfigWafRuleStore string = CLUSConfigStore + CFGEndpointWafRule + "/"

const CLUSControllerStore string = CLUSObjectStore + "controller/"

const CLUSCrdProcStore string = "crdcontent/"

const CLUSCtrlConfigLoadedKey string = CLUSStateStore + "ctrl_cfg_load"

const CLUSCtrlDistLockStore string = CLUSStateStore + "dist_lock/"

const CLUSCtrlEnabledValue string = "ok"

const CLUSCtrlInstallationKey string = CLUSStateStore + "installation"

const CLUSCtrlNodeAdmissionKey string = CLUSStateStore + "ctrl_ready" // node admission

const CLUSCtrlUsageReportStore string = CLUSStateStore + "usage_report/"

const CLUSCtrlVerKey string = CLUSStateStore + "ctrl_ver"

const CLUSDefPwdProfileName = "default"

const CLUSEventLogStore string = CLUSObjectStore + "eventlog/"

const CLUSExpiredTokenStore string = CLUSStateStore + "expired_token/"

const CLUSFqdnIpStore string = CLUSFqdnStore + "ip/" //not to be watched by consul

const CLUSFqdnStore string = "fqdn/" //not to be watched by consul

const CLUSHostStore string = CLUSObjectStore + "host/"

const CLUSImportStatusSubKey = "status"

const CLUSImportStore string = CLUSStateStore + "import/"

const CLUSIncidentLogStore string = CLUSObjectStore + "incidentlog/"

const CLUSLicenseStore string = CLUSObjectStore + "license/"

const CLUSLockAdmCtrlKey string = CLUSLockStore + "adm_ctrl"

const CLUSLockCloudKey string = CLUSLockStore + "cloud"

const CLUSLockConfigKey string = CLUSLockStore + "all"

const CLUSLockCrdQueueKey string = CLUSLockStore + "crd_queue"

const CLUSLockFedKey string = CLUSLockStore + "federation"

const CLUSLockPolicyKey string = CLUSLockStore + "policy"

const CLUSLockScannerKey string = CLUSLockStore + "scanner"

const CLUSLockServerKey string = CLUSLockStore + "server"

const CLUSLockStore string = "lock/"

const CLUSLockUpgradeKey string = CLUSLockStore + "upgrade"

const CLUSLockUserKey string = CLUSLockStore + "user"

const CLUSNetworkEPStore string = CLUSObjectStore + "networkep/"

const CLUSNetworkStore string = "network/"

const CLUSNodeCommonProfileStore string = CLUSNodeCommonStoreKey + CLUSWorkloadProfileStore

const CLUSNodeCommonStoreKey string = CLUSNodeStore + ProfileCommonGroup + "/"

const CLUSNodeStore string = "node/"

const CLUSObjectStore string = "object/"

const CLUSRecalPolicyStore string = CLUSRecalculateStore + "policy/" //not to be watched by consul

const CLUSRecalculateStore string = "recalculate/" //not to be watched by consul

const CLUSReservedUuidAnchorMode string = "00000000-0000-0000-0000-000000000005" // rejected by anchor mode

const CLUSReservedUuidDockerCp string = "00000000-0000-0000-0000-000000000004" // docker cp

const CLUSReservedUuidNotAlllowed string = "00000000-0000-0000-0000-000000000000" // processes beyond white list

const CLUSReservedUuidPrefix string = "00000000-0000-0000-0000-0000000000" // reserved the last 2 digits

const CLUSReservedUuidRiskyApp string = "00000000-0000-0000-0000-000000000001" // riskApp

const CLUSReservedUuidRootEscalation string = "00000000-0000-0000-0000-000000000003" // root privilege escallation

const CLUSReservedUuidShieldAllowed string = "00000000-0000-0000-0000-000000000006" // allowed as a family process

const CLUSReservedUuidTunnelProc string = "00000000-0000-0000-0000-000000000002" // tunnel

const (
	CLUSRootCAKey = "rootCA"
)

const CLUSScanDataStore string = CLUSScanStore + "data/"

const CLUSScanStateStore string = CLUSScanStore + "state/"

const CLUSScanStore string = "scan/"

const CLUSScannerDBStore string = CLUSScanStore + "database/"

const CLUSScannerDBVersionID string = "NeuVectorCVEDBVersion" // used for indicate db version changed

const CLUSScannerStatsStore string = CLUSScanStore + "scanner_stats/"

const CLUSScannerStore string = CLUSScanStore + "scanner/"

const CLUSStateStore string = "state/"

const CLUSSysPwdProfileName = "nvsyspwdprofile" // reserved just for referencing active password profile

const CLUSThreatLogStore string = CLUSObjectStore + "threatlog/"

const CLUSUniconfStore string = CLUSObjectStore + "uniconf/" // Target both controller and specific enforcer

const CLUSWorkloadProfileStore string = "profiles/"

const CLUSWorkloadStore string = CLUSObjectStore + "workload/"

const CVEDatabaseFolder = "/etc/neuvector/db/"

const CompactCVEDBName = "cvedb.compact"

const ContainerRuntimeDocker string = "docker"

const ContainerStatsSlots uint = 60 // 5s * 60 = 3m

const CriteriaValueAny string = "any"

const CustomScriptFailedPrefix string = "Failed to run the custom check"

const DefaultCVEDBName = "cvedb"

const DefaultGroupRuleID uint32 = 0

const DefaultOpenShiftRegistryURL = "docker-registry.default.svc"

const (
	DlpRuleKeyPattern string = "pattern"
)

const DlpRuleName string = "dlprule"

const DlpRuleStore string = CLUSNetworkStore + DlpRuleName + "/"

const DlpRulesDefaultName string = "DlpWorkloadRules"

const DomainDelimiter string = "."

const GroupNVProtect string = "NV.Protect"

const HiddenFedDomain string = "$*&().^$"

const IMPORT_QUERY_INTERVAL = 30

const InternalIPNetDefaultName string = "InternalIPNet"

const MaxLambdaHistory = 3

const (
	NEPTypeLB = "netlb"
)

const NV_VBR_PORT_MTU int = 2048 //2k

const NV_VBR_PORT_MTU_JUMBO int = 9216 //9k

const NetworkSystemKey string = CLUSNetworkStore + CFGEndpointSystem

const PolicyFedRuleIDBase = 100000

const PolicyFedRuleIDMax = 110000 // exclusive

const PolicyGroundRuleIDBase = 110000

const PolicyGroundRuleIDMax = 120000

const PolicyIPRulesDefaultName string = "GroupIPRules"

const PolicyIPRulesVersionID string = "NeuVectorPolicyVersion" // used for indicate policy version changed

const PolicyLearnedIDBase = 10000

const ProfileCPUFileFmt string = ProfileFolder + "%scpu.prof"

const ProfileCommonGroup string = "common" // nodes

const ProfileFileAccess string = "fileAccess"

const ProfileFileAccessStore string = CLUSWorkloadProfileStore + ProfileFileAccess + "/"

const ProfileFileMonitor string = "file"

const ProfileFileMonitorStore string = CLUSWorkloadProfileStore + ProfileFileMonitor + "/"

const ProfileFileScriptStore string = CLUSWorkloadProfileStore + ProfileScript + "/"

const ProfileFolder string = "/var/neuvector/profile/"

const ProfileGoroutineFileFmt string = ProfileFolder + "%sgoroutine.prof"

const ProfileGroup string = "group"

const ProfileGroupStore string = CLUSWorkloadProfileStore + ProfileGroup + "/"

const ProfileMemoryFileFmt string = ProfileFolder + "%smemory.prof"

const ProfileProcess string = "process"

const ProfileProcessStore string = CLUSWorkloadProfileStore + ProfileProcess + "/"

const ProfileScript string = "script"

const QuarantineReasonUser string = "user-configured"

const RegularCVEDBName = "cvedb.regular"

const SnifferIdAgentField = 8

const SpecialIPNetDefaultName string = "SpecialIPNet"

const UnusedGroupAgingDefault uint8 = 24 //aging time in Hour

const UnusedGroupAgingMax uint8 = 168 //aging time in Hour,24*7

const WafRuleName string = "wafrule"

const WafRuleStore string = CLUSNetworkStore + WafRuleName + "/"