
Rules

Rules determine which events a policy should trace.

Events

A rule names one event. It matches every occurrence of that event within the policy's scope, or only the occurrences that satisfy its filters. Rules support three types of filters: context, arguments and return value.

Context filters

Context is the metadata Tracee collects alongside every event: the process, thread, user, namespace, container and pod it originated from. It can be filtered like:

name: sample_context_filter
description: sample context filter
defaultActions:
    - log
scope:
    - global
rules:
    - event: sched_process_exec
      filters:
          - pid=1000

The context filters supported are:

p, pid, processId

event: sched_process_exec
filters:
    - pid=1000

tid, threadId

event: sched_process_exec
filters:
    - tid=13819

ppid, parentProcessId

event: sched_process_exec
filters:
    - ppid=1000

hostTid, hostThreadId

event: sched_process_exec
filters:
    - hostTid=1000

hostPid

event: sched_process_exec
filters:
    - hostPid=1000

hostParentProcessId

event: sched_process_exec
filters:
    - hostParentProcessId=1

uid, userId

event: sched_process_exec
filters:
    - uid=0

mntns, mountNamespace

event: sched_process_exec
filters:
    - mntns=4026531840

pidns, pidNamespace

event: sched_process_exec
filters:
    - pidns=4026531836

comm, processName

event: sched_process_exec
filters:
    - comm=uname

hostName

event: sched_process_exec
filters:
    - hostName=hostname

cgroupId

event: sched_process_exec
filters:
    - cgroupId=5247

container

event: sched_process_exec
filters:
    - container=66c2778945e29dfd36532d63c38c2ce4ed1

containerId

event: sched_process_exec
filters:
    - containerId=66c2778945e29dfd36532d63c38c2ce4ed1

containerImage

event: sched_process_exec
filters:
    - containerImage=ubuntu:latest

containerName

event: sched_process_exec
filters:
    - containerName=test

podName

event: sched_process_exec
filters:
    - podName=daemonset/test

podNamespace

event: sched_process_exec
filters:
    - podNamespace=production

podUid

event: sched_process_exec
filters:
    - podUid=66c2778945e29dfd36532d63c38c2ce4ed16a002c44cb254b8e

Argument filter

Events carry arguments, which are filtered with the args. prefix followed by the argument name. A trailing * turns the comparison into a prefix match, so the rule below selects every security_file_open whose pathname begins with /tmp:

name: sample_argument_filter
description: sample argument filter
defaultActions:
    - log
scope:
    - global
rules:
    - event: security_file_open
      filters:
          - args.pathname=/tmp*

The available arguments are listed in the definition of each event, in this case security_file_open. You can also inspect the event output from the CLI before writing a policy; the names in the args array are the ones an args.<name> filter refers to, e.g.:

tracee -f e=security_file_open --output json
{
  "timestamp": 1680182976364916505,
  "threadStartTime": 1680179107675006774,
  "processorId": 0,
  "processId": 676,
  "cgroupId": 5247,
  "threadId": 676,
  "parentProcessId": 1,
  "hostProcessId": 676,
  "hostThreadId": 676,
  "hostParentProcessId": 1,
  "userId": 131,
  "mountNamespace": 4026532574,
  "pidNamespace": 4026531836,
  "processName": "systemd-oomd",
  "hostName": "josedonizetti-x",
  "container": {},
  "kubernetes": {},
  "eventId": "730",
  "eventName": "security_file_open",
  "matchedPolicies": [""],
  "argsNum": 6,
  "returnValue": 0,
  "syscall": "openat",
  "stackAddresses": null,
  "contextFlags": {"containerStarted": false, "isCompat": false},
  "args": [
    {"name": "pathname", "type": "const char*", "value": "/proc/meminfo"},
    {"name": "flags", "type": "string", "value": "O_RDONLY|O_LARGEFILE"},
    {"name": "dev", "type": "dev_t", "value": 45},
    {"name": "inode", "type": "unsigned long", "value": 4026532041},
    {"name": "ctime", "type": "unsigned long", "value": 1680179108391999988},
    {"name": "syscall_pathname", "type": "const char*", "value": "/proc/meminfo"}
  ]
}

Return value filter

Return values can also be filtered, with retval. It compares against the raw return value of the traced call (the returnValue field in the JSON output), so for a syscall such as close a failure appears as a negative errno value and retval!=0 keeps only the calls that failed:

name: sample_return_value
description: sample return filter
defaultActions:
    - log
scope:
    - global
rules:
    - event: close
      filters:
          - retval!=0
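The three filter kinds above can be checked offline before a policy is loaded. The following is an added example, not Tracee's own code: it re-implements the filter syntax shown on this page (context filters such as pid=1000, argument filters such as args.pathname=/tmp*, return-value filters such as retval!=0) and applies a policy to event lines captured with tracee --output json. Everything it assumes is labelled in the code: the CONTEXT_FIELDS table mapping the aliases on this page to the JSON field names seen in the sample output, a leading or trailing * as a suffix or prefix wildcard, comma-separated values as alternatives, and retval compared against the returnValue field. Container and pod filters are not covered, and the sample events other than the one from this page are constructed.

```python
"""Evaluate Tracee-style policy filters against JSON event lines (added example)."""
import json
import re

# Filter key as written in a policy -> field name in Tracee's JSON output.
# Aliases come from the list on this page; field names from the sample output.
CONTEXT_FIELDS = {
    "p": "processId", "pid": "processId", "processId": "processId",
    "tid": "threadId", "threadId": "threadId",
    "ppid": "parentProcessId", "parentProcessId": "parentProcessId",
    "hostTid": "hostThreadId", "hostThreadId": "hostThreadId",
    "hostPid": "hostProcessId",
    "hostParentProcessId": "hostParentProcessId",
    "uid": "userId", "userId": "userId",
    "mntns": "mountNamespace", "mountNamespace": "mountNamespace",
    "pidns": "pidNamespace", "pidNamespace": "pidNamespace",
    "comm": "processName", "processName": "processName",
    "hostName": "hostName",
    "cgroupId": "cgroupId",
}

# key, operator, value; two-character operators are listed before their prefixes.
FILTER_RE = re.compile(r"^(?P<key>[A-Za-z_.]+)(?P<op>!=|>=|<=|=|>|<)(?P<value>.*)$")


def _match_string(pattern, actual):
    """Exact match, or prefix/suffix/substring match when '*' sits at an edge (assumed)."""
    if len(pattern) > 1 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in actual
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    return pattern == actual


def _resolve(event, key):
    """Return the event value a filter key refers to, or None if it is absent."""
    if key.startswith("args."):
        name = key[len("args."):]
        for arg in event.get("args", []):
            if arg.get("name") == name:
                return arg.get("value")
        return None
    if key == "retval":
        return event.get("returnValue")  # raw return of the traced call
    if key not in CONTEXT_FIELDS:
        raise ValueError(f"unknown filter key: {key}")
    return event.get(CONTEXT_FIELDS[key])


def match_filter(event, expr):
    """True if one filter expression such as 'args.pathname=/tmp*' holds for event."""
    m = FILTER_RE.match(expr)
    if m is None:
        raise ValueError(f"malformed filter: {expr}")
    key, op, raw = m.group("key", "op", "value")
    actual = _resolve(event, key)
    if actual is None:
        return False  # a filter on a field the event does not carry cannot match
    numeric = isinstance(actual, int) and not isinstance(actual, bool)
    if op in ("=", "!="):
        alternatives = raw.split(",")  # 'uid=0,131' means either value (assumed)
        if numeric:
            hit = any(int(v) == actual for v in alternatives)
        else:
            hit = any(_match_string(v, str(actual)) for v in alternatives)
        return hit if op == "=" else not hit
    if not numeric:
        raise ValueError(f"operator {op} needs a numeric field: {key}")
    wanted = int(raw)
    return {"<": actual < wanted, ">": actual > wanted,
            "<=": actual <= wanted, ">=": actual >= wanted}[op]


def match_rule(event, rule):
    """A rule matches when the event name is right and every filter holds."""
    if event.get("eventName") != rule["event"]:
        return False
    return all(match_filter(event, f) for f in rule.get("filters", []))


def apply_policy(policy, json_lines):
    """Return (rule event, processId) for each event matched by a rule of the policy."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        for rule in policy["rules"]:
            if match_rule(event, rule):
                hits.append((rule["event"], event.get("processId")))
    return hits


# Constructed sample input. The first line is the security_file_open event shown on
# this page, trimmed to the fields used here; the other three are made up.
SAMPLE_EVENTS = [
    '{"processId":676,"threadId":676,"parentProcessId":1,"hostProcessId":676,"hostThreadId":676,'
    '"hostParentProcessId":1,"userId":131,"mountNamespace":4026532574,"pidNamespace":4026531836,'
    '"processName":"systemd-oomd","hostName":"josedonizetti-x","cgroupId":5247,'
    '"eventName":"security_file_open","returnValue":0,'
    '"args":[{"name":"pathname","type":"const char*","value":"/proc/meminfo"},'
    '{"name":"flags","type":"string","value":"O_RDONLY|O_LARGEFILE"}]}',
    '{"processId":4242,"threadId":4242,"parentProcessId":1000,"userId":1000,"processName":"bash",'
    '"eventName":"security_file_open","returnValue":0,'
    '"args":[{"name":"pathname","type":"const char*","value":"/tmp/payload.sh"}]}',
    '{"processId":4242,"threadId":4242,"parentProcessId":1000,"userId":1000,"processName":"bash",'
    '"eventName":"close","returnValue":-9,"args":[{"name":"fd","type":"int","value":7}]}',
    '{"processId":4243,"threadId":4243,"parentProcessId":1000,"userId":0,"processName":"uname",'
    '"eventName":"sched_process_exec","returnValue":0,"args":[]}',
]

# The rules from this page combined into one policy, as a dict instead of YAML
# so that the example needs no extra library.
SAMPLE_POLICY = {
    "name": "sample_combined_policy",
    "defaultActions": ["log"],
    "scope": ["global"],
    "rules": [
        {"event": "security_file_open", "filters": ["args.pathname=/tmp*"]},
        {"event": "close", "filters": ["retval!=0"]},
        {"event": "sched_process_exec", "filters": ["uid=0", "comm=uname"]},
    ],
}

if __name__ == "__main__":
    for hit in apply_policy(SAMPLE_POLICY, SAMPLE_EVENTS):
        print(hit)
```

Feed it real lines from tracee --output json instead of SAMPLE_EVENTS to see which events a draft rule would have picked up; a filter on a field the captured event does not carry never matches, which is the usual reason a rule is silent.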