
rules update: create placeholder macros for customization #1294

Merged
merged 1 commit into from
Jul 3, 2020

Conversation

Kaizhe
Contributor

@Kaizhe Kaizhe commented Jul 1, 2020

Signed-off-by: kaizhe derek0405@gmail.com

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

If contributing rules or changes to rules, please make sure to also uncomment one of the following lines:

/kind rule-update

/kind rule-create

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area rules

/area tests

/area proposals

What this PR does / why we need it:

add placeholder macros for easy customization

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(macro user_known_cron_jobs): new macro to be overridden to list known cron jobs
rule(Schedule Cron Jobs): exclude known cron jobs
rule(macro user_known_update_package_registry): new macro to be overridden to list known package registry updates
rule(Update Package Registry): exclude known package registry updates
rule(macro user_known_read_ssh_information_activities): new macro to be overridden to list known activities that read SSH info
rule(Read ssh information): do not throw for activities known to read SSH info
rule(macro user_known_read_sensitive_files_activities): new macro to be overridden to list activities known to read sensitive files
rule(Read sensitive file trusted after startup): do not throw for activities known to read sensitive files
rule(Read sensitive file untrusted): do not throw for activities known to read sensitive files
rule(macro user_known_write_rpm_database_activities): new macro to be overridden to list activities known to write the RPM database
rule(Write below rpm database): do not throw for activities known to write the RPM database
rule(macro user_known_db_spawned_processes): new macro to be overridden to list processes known to be spawned by a DB
rule(DB program spawned process): do not throw for processes known to be spawned by a DB
rule(macro user_known_modify_bin_dir_activities): new macro to be overridden to list activities known to modify bin directories
rule(Modify binary dirs): do not throw for activities known to modify bin directories
rule(macro user_known_mkdir_bin_dir_activities): new macro to be overridden to list activities known to create directories below bin directories
rule(Mkdir binary dirs): do not throw for activities known to create directories below bin directories
rule(macro user_known_system_user_login): new macro to exclude known system user logins
rule(System user interactive): do not throw for known system user logins
rule(macro user_known_user_management_activities): new macro to be overridden to list activities known to do user management activities
rule(User mgmt binaries): do not throw for activities known to do user management activities
rule(macro user_known_create_files_below_dev_activities): new macro to be overridden to list activities known to create files below dev
rule(Create files below dev): do not throw for activities known to create files below dev
rule(macro user_known_contact_k8s_api_server_activities): new macro to be overridden to list activities known to contact the Kubernetes API server
rule(Contact K8S API Server From Container): do not throw for activities known to contact the Kubernetes API server
rule(macro user_known_network_tool_activities): new macro to be overridden to list activities known to spawn/use network tools
rule(Launch Suspicious Network Tool in Container): do not throw for activities known to spawn/use network tools
rule(macro user_known_remove_data_activities): new macro to be overridden to list activities known to perform data removal commands
rule(Remove Bulk Data from Disk): do not throw for activities known to perform data removal commands
rule(macro user_known_create_hidden_file_activities): new macro to be overridden to list activities known to create hidden files
rule(Create Hidden Files or Directories): do not throw for activities known to create hidden files
rule(macro user_known_stand_streams_redirect_activities): new macro to be overridden to list activities known to redirect standard streams to a network connection (in containers)
rule(Redirect STDOUT/STDIN to Network Connection in Container): do not throw for activities known to redirect standard streams to a network connection (in containers)
rule(macro user_known_container_drift_activities): new macro to be overridden to list activities known to create executables in containers
rule(Container Drift Detected (chmod)): do not throw for activities known to give execution permissions to files in containers
rule(Container Drift Detected (open+create)): do not throw for activities known to create executables in containers
rule(macro user_known_node_port_service): do not throw for services known to start with a NodePort service type (k8s)
rule(Create NodePort Service): do not throw for services known to start with a NodePort service type (k8s)
rule(macro user_known_exec_pod_activities): do not throw for activities known to attach/exec to a pod (k8s)
rule(Attach/Exec Pod): do not throw for activities known to attach/exec to a pod (k8s)
rule(macro trusted_pod): defines trusted pods by an image list
rule(Pod Created in Kube Namespace): do not throw for trusted pods
rule(macro trusted_sa): defines trusted ServiceAccounts
rule(Service Account Created in Kube Namespace): do not throw for trusted ServiceAccounts

Signed-off-by: kaizhe <derek0405@gmail.com>
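As an added illustration (not rule text from this PR or from the Falco project), this shows how a placeholder macro of the kind listed above is wired into a rule and then overridden from a local rules file. The rule condition, the output string and the image name are constructed for the example; `never_true`, `open_write` and `spawned_process` are assumed to be the upstream Falco macros loaded before this file.

```yaml
# falco_rules.yaml (illustrative, not the project's actual rule text)
# Placeholder macro: the default matches nothing, so the rule keeps
# firing on every cron-scheduling event until a user overrides it.
# never_true is assumed to be the upstream macro (condition: evt.num=0).
- macro: user_known_cron_jobs
  condition: (never_true)

- rule: Schedule Cron Jobs
  desc: Detect cron jobs scheduled by writing below /etc/cron* or running crontab
  condition: >
    ((open_write and fd.name startswith /etc/cron) or
     (spawned_process and proc.name = "crontab"))
    and not user_known_cron_jobs
  output: >
    Cron jobs were scheduled (user=%user.name command=%proc.cmdline
    file=%fd.name container=%container.id image=%container.image.repository)
  priority: NOTICE
  tags: [file, mitre_persistence]

# falco_rules.local.yaml (loaded after falco_rules.yaml)
# Re-defining the macro without "append: true" replaces the placeholder,
# so only the reviewed workload below stops raising the alert while every
# other cron scheduling event is still reported. Constructed image name.
- macro: user_known_cron_jobs
  condition: >
    (container.image.repository = "registry.example.com/ops/backup-agent"
     and proc.name = "crontab")
```

Keep the override as narrow as the exception you actually reviewed (image plus process here) rather than a bare process name, since the placeholder is the only thing standing between a rule and a silent blind spot.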
@Kaizhe Kaizhe requested a review from mstemm July 1, 2020 21:57
@poiana poiana requested a review from mfdii July 1, 2020 21:57
@Kaizhe Kaizhe requested review from leodido and removed request for mfdii July 1, 2020 21:57
@poiana poiana added the size/L label Jul 1, 2020
Member

@leodido leodido left a comment

Great job, thanks!

Would you please just update the release-note block as per guidelines? :)

@leodido
Member

leodido commented Jul 2, 2020

/milestone 0.24.0

@poiana poiana added this to the 0.24.0 milestone Jul 2, 2020
Member

@leodido leodido left a comment

Ok @Kaizhe, thanks again for submitting this.

I went through all the edits and double-checked them.

I also wrote the release notes as per contributing guidelines for this PR in order to get in line for merge!

I'm going to edit the PR corpus to include what above.

@poiana
Contributor

poiana commented Jul 3, 2020

LGTM label has been added.

Git tree hash: 6779ab3bb4471868c354302bb988c00b60d33c9f

@poiana poiana added the approved label Jul 3, 2020
@Kaizhe
Contributor Author

Kaizhe commented Jul 3, 2020

@leodido thank you so much! I planned to do it yesterday but got distracted by other stuff. Thanks again bro!

Contributor

@fntlnz fntlnz left a comment

Good job as always @Kaizhe
Thanks @leodido for taking care of the release notes

@poiana
Contributor

poiana commented Jul 3, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fntlnz, leodido

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit d8d2182 into master Jul 3, 2020
@poiana poiana deleted the kh_add-placeholders branch July 3, 2020 18:54
4 participants