Rules¶
Rules are part of the Tracee Policy, which defines which events to trace. The events that are part of a specific policy are recorded in the rules
section of the Tracee Policy. It is possible to define multiple events within each policy. The events section provides further information on the type of events that Tracee can track.
Below are several examples on configuring events in the Tracee Policy.
Events¶
Every event that is specified within the rules
section supports three types of filters: context
, arguments
and return value
.
Type of Events¶
Example Scope Section referencing the open
syscall:
spec:
scope:
- global
rules:
event: open
The name of the syscall is going to be the name of the event.
Network Events can be specified from the list of Available network events
.
For example:
spec:
scope:
- global
rules:
event: net_packet_ipv4
To specify one of the behavioral signatures as an event, use the name of the signature from the table in the documentation as the event name:
spec:
scope:
- global
rules:
event: anti_debugging
Any of the extra events listed in the Tracee documentation can be listed in the Tracee Policy.
For instance, to specify the do_sigaction event, provide the name in the YAML manifest:
spec:
scope:
- global
rules:
event: do_sigaction
Context filters¶
Context is data which is collected along the event. They can be filtered like:
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
name: sample-context-filter
annotations:
description: sample context filter
spec:
scope:
- global
rules:
event: sched_process_exec
filters:
- pid=1000
The context filters supported are:
p, pid, processId¶
event: sched_process_exec
filters:
- pid=1000
tid, threadId¶
event: sched_process_exec
filters:
- tid=13819
ppid, parentProcessId¶
event: sched_process_exec
filters:
- ppid=1000
hostTid, hostThreadId¶
event: sched_process_exec
filters:
- hostTid=1000
hostPid¶
event: sched_process_exec
filters:
- hostPid=1000
hostParentProcessId¶
event: sched_process_exec
filters:
- hostParentProcessId=1
uid, userId¶
event: sched_process_exec
filters:
- uid=0
mntns, mountNamespace¶
event: sched_process_exec
filters:
- mntns=4026531840
pidns, pidNamespace¶
event: sched_process_exec
filters:
- pidns=4026531836
comm, processName¶
event: sched_process_exec
filters:
- comm=uname
hostName¶
event: sched_process_exec
filters:
- hostName=hostname
cgroupId¶
event: sched_process_exec
filters:
- cgroupId=5247
container¶
event: sched_process_exec
filters:
- container=66c2778945e29dfd36532d63c38c2ce4ed1
containerId¶
event: sched_process_exec
filters:
- containerId=66c2778945e29dfd36532d63c38c2ce4ed1
containerImage¶
event: sched_process_exec
filters:
- containerImage=ubuntu:latest
containerName¶
event: sched_process_exec
filters:
- containerName=test
podName¶
event: sched_process_exec
filters:
- podName=daemonset/test
podNamespace¶
event: sched_process_exec
filters:
- podNamespace=production
podUid¶
event: sched_process_exec
filters:
- podUid=66c2778945e29dfd36532d63c38c2ce4ed16a002c44cb254b8e
Argument filter¶
Events have arguments, which can be filtered.
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
name: sample-argument-filter
annotations:
description: sample argument filter
spec:
scope:
- global
rules:
event: security_file_open
filters:
- args.pathname=/tmp*
Arguments can be found on the respective event definition, in this case security_file_open, or the user can test the event output in CLI before defining a policy, e.g:
tracee -e security_file_open --output json
{"timestamp":1680182976364916505,"threadStartTime":1680179107675006774,"processorId":0,"processId":676,"cgroupId":5247,"threadId":676,"parentProcessId":1,"hostProcessId":676,"hostThreadId":676,"hostParentProcessId":1,"userId":131,"mountNamespace":4026532574,"pidNamespace":4026531836,"processName":"systemd-oomd","hostName":"josedonizetti-x","container":{},"kubernetes":{},"eventId":"730","eventName":"security_file_open","matchedPolicies":[""],"argsNum":6,"returnValue":0,"syscall":"openat","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"args":[{"name":"pathname","type":"const char*","value":"/proc/meminfo"},{"name":"flags","type":"string","value":"O_RDONLY|O_LARGEFILE"},{"name":"dev","type":"dev_t","value":45},{"name":"inode","type":"unsigned long","value":4026532041},{"name":"ctime","type":"unsigned long","value":1680179108391999988},{"name":"syscall_pathname","type":"const char*","value":"/proc/meminfo"}]}
Return value filter¶
Return values can also be filtered.
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
name: sample-return-value
annotations:
description: sample return value
spec:
scope:
- global
rules:
event: close
filters:
- retval!=0