rules update: create placeholder macros for customization #1294
Conversation
Signed-off-by: kaizhe <[email protected]>
Great job, thanks!
Would you please just update the release-note block as per guidelines? :)
/milestone 0.24.0
Ok @Kaizhe, thanks again for submitting this.
I went through all the edits and double-checked them.
I also wrote the release notes as per contributing guidelines for this PR in order to get in line for merge!
rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs
rule(Schedule Cron Jobs): exclude known cron jobs
rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry update
rule(Update Package Registry): exclude known package registry update
rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info
rule(Read ssh information): do not throw for activities known to read SSH info
rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files
rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files
rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files
rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write RPM database
rule(Write below rpm database): do not throw for activities known to write RPM database
rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to spawn DB
rule(DB program spawned process): do not throw for processes known to spawn DB
rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories
rule(Modify binary dirs): do not throw for activities known to modify bin directories
rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories
rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories
rule(macro user_known_system_user_login): new macro to exclude known system user logins
rule(System user interactive): do not throw for known system user logins
rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user management activities
rule(User mgmt binaries): do not throw for activities known to do user management activities
rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev
rule(Create files below dev): do not throw for activities known to create files below dev
rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact Kubernetes API server
rule(Contact K8S API Server From Container): do not throw for activities known to contact Kubernetes API server
rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools
rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools
rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data remove commands
rule(Remove Bulk Data from Disk): do not throw for activities known to perform data remove commands
rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files
rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files
rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect stream to network connection (in containers)
rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect stream to network connection (in containers)
rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers
rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers
rule(Container Drift Detected (open create)): do not throw for activities known to create executables in containers
rule(macro user_known_node_port_service): do not throw for services known to start with a NodePort service type (k8s)
rule(Create NodePort Service): do not throw for services known to start with a NodePort service type (k8s)
rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s)
rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s)
rule(macro trusted_pod): defines trusted pods by an image list
rule(Pod Created in Kube Namespace): do not throw for trusted pods
rule(macro trusted_sa): define trusted ServiceAccount
rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccount
I'm going to edit the PR corpus to include the above.
LGTM label has been added. Git tree hash: 6779ab3bb4471868c354302bb988c00b60d33c9f
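As an added example (not part of this PR or of the Falco project's own rules files), a local rules file that overrides two of the placeholder macros listed above; the file name, image names and process names are assumptions:

```yaml
# Assumed file: falco_rules.local.yaml, loaded after falco_rules.yaml.
# A later macro definition with the same name replaces the shipped placeholder.
# The shipped placeholders never match, so each rule fires unconditionally
# until one of them is overridden like this.

# Rule "Schedule Cron Jobs": allow only an assumed backup image to edit crontabs.
- macro: user_known_cron_jobs
  condition: >
    (container.image.repository = "example.com/backup-agent" and
     proc.name = "crontab")

# Rule "Contact K8S API Server From Container": allow an assumed controller image
# to reach the API server; everything else still raises the alert.
- macro: user_known_contact_k8s_api_server_activities
  condition: (container.image.repository in ("example.com/ops-controller"))
```

Keep overrides as narrow as the examples above (image plus process), since a broad condition such as `proc.name = "crontab"` alone silences the rule for every container.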
@leodido thank you so much! I planned to do it yesterday but got distracted by other stuff. Thanks again bro!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, leodido The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Signed-off-by: kaizhe [email protected]
What type of PR is this?
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
add placeholder macros for easy customization
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: