Overview
In this section you can find the reference documentation for Tracee's policies.
A policy is a yaml document where you can specify a scope and associate it with a set of rules. A scope defines the workloads to which the policy applies. A rule defines events to be matched and actions to take on them.
You can load multiple (up to 64) policies into Tracee using the --policy flag providing a path to the policy file.
Following is a sample policy:
name: overview policy
description: sample overview policy
scope:
- global
defaultActions:
- log
rules:
- event: dropped_executable
- event: security_file_open
filters:
- args.pathname=/tmp/*
- event: sched_process_exec
filters:
- uid=0
- event: close
filters:
- retval!=0
This policy applies to any workload (global) and will log the dropped_executable, security_file_open, sched_process_exec and close events. Several filters are set to log only specific events:
-
An argument filter (args.pathname) is set on the security_file_open event to log only files which were opened from the /tmp directory
-
A context filter (uid) is set on the sched_process_exec event to log only processes executed by the root user (uid 0)
-
A return value filter (retval) is set on the close event to log only failed close syscalls
While specifying event filters is optional, policies must have the name
, description
, scope
, defaultAction
, and rules
fields.
Note
A current limitation is that only one rule can be defined per any event type in a policy
More information about defining a scope and the available filters can be found in the next sections.