Documentation

Index

Constants
const (
	// RuleVersion is the version of Rule
	RuleVersion string = "v1"
)
Variables
var RuleGvr = schema.GroupVersionResource{
	Group:    types.RuleGroup,
	Version:  RuleVersion,
	Resource: types.RulePlural,
}
Functions
This section is empty.
Types
type FieldRequirement (added in v0.3.111)
type FieldRequirement struct {
All bool
Patterns []PatternObject
Declared bool
}
FieldRequirement is the per-field declaration. After unmarshalling, exactly one of (All, Patterns) is meaningful. Declared=true when the YAML key was present, letting the spec compiler distinguish absent-from-this-rule vs explicitly declared.
func (FieldRequirement) MarshalJSON (added in v0.3.111)
func (f FieldRequirement) MarshalJSON() ([]byte, error)
MarshalJSON for FieldRequirement: emits "all" or the pattern list.
func (*FieldRequirement) UnmarshalJSON (added in v0.3.111)
func (f *FieldRequirement) UnmarshalJSON(data []byte) error
UnmarshalJSON for FieldRequirement: accepts the string "all" or a non-empty JSON array of PatternObject.
func (*FieldRequirement) UnmarshalYAML (added in v0.3.111)
func (f *FieldRequirement) UnmarshalYAML(unmarshal func(any) error) error
UnmarshalYAML for FieldRequirement: accepts the string "all" or a non-empty sequence of pattern objects.
type PatternObject (added in v0.3.111)
type PatternObject struct {
Exact string `json:"exact,omitempty" yaml:"exact,omitempty"`
Prefix string `json:"prefix,omitempty" yaml:"prefix,omitempty"`
Suffix string `json:"suffix,omitempty" yaml:"suffix,omitempty"`
Contains string `json:"contains,omitempty" yaml:"contains,omitempty"`
}
PatternObject — exactly one of {Exact, Prefix, Suffix, Contains} is non-empty. Multi-key or empty objects are rejected at unmarshal time.
func (*PatternObject) UnmarshalJSON (added in v0.3.111)
func (p *PatternObject) UnmarshalJSON(data []byte) error
UnmarshalJSON rejects unknown fields in a PatternObject so typos in rule YAML/JSON are caught at load time rather than silently ignored.
func (*PatternObject) UnmarshalYAML (added in v0.3.111)
func (p *PatternObject) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML rejects unknown fields in a PatternObject.
type ProfileDataRequired (added in v0.3.111)
type ProfileDataRequired struct {
Opens FieldRequirement `json:"opens,omitempty" yaml:"opens,omitempty"`
Execs FieldRequirement `json:"execs,omitempty" yaml:"execs,omitempty"`
Capabilities FieldRequirement `json:"capabilities,omitempty" yaml:"capabilities,omitempty"`
Syscalls FieldRequirement `json:"syscalls,omitempty" yaml:"syscalls,omitempty"`
Endpoints FieldRequirement `json:"endpoints,omitempty" yaml:"endpoints,omitempty"`
EgressDomains FieldRequirement `json:"egressDomains,omitempty" yaml:"egressDomains,omitempty"`
EgressAddresses FieldRequirement `json:"egressAddresses,omitempty" yaml:"egressAddresses,omitempty"`
IngressDomains FieldRequirement `json:"ingressDomains,omitempty" yaml:"ingressDomains,omitempty"`
IngressAddresses FieldRequirement `json:"ingressAddresses,omitempty" yaml:"ingressAddresses,omitempty"`
}
ProfileDataRequired declares the per-rule profile fields the rule queries. Nil means the rule reads no profile data.
func (*ProfileDataRequired) UnmarshalJSON (added in v0.3.111)
func (p *ProfileDataRequired) UnmarshalJSON(data []byte) error
UnmarshalJSON rejects unknown fields.
func (*ProfileDataRequired) UnmarshalYAML (added in v0.3.111)
func (p *ProfileDataRequired) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML rejects unknown fields.
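The three types above share one loading discipline: a PatternObject must carry exactly one matcher key, a FieldRequirement is either the string "all" or a non-empty pattern list, and every level rejects unknown keys so a mistyped rule fails at load time instead of silently matching nothing. The following is an added, illustrative re-implementation of that JSON path, not the package's own code: the type and function names are the page's, but the method bodies, the trimmed ProfileDataRequired (three of the documented fields), and the ParseRequirement/ParseProfileData helpers are assumptions made for the example. YAML handling is omitted so the block runs with only the standard library.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// PatternObject mirrors the documented shape: exactly one of the four
// matchers is non-empty (illustrative re-implementation, not the package's).
type PatternObject struct {
	Exact    string `json:"exact,omitempty"`
	Prefix   string `json:"prefix,omitempty"`
	Suffix   string `json:"suffix,omitempty"`
	Contains string `json:"contains,omitempty"`
}

// UnmarshalJSON rejects unknown keys (a typo such as "prefxi" fails at load
// time instead of silently matching nothing) and enforces the one-key rule.
func (p *PatternObject) UnmarshalJSON(data []byte) error {
	type raw PatternObject // same fields, no methods: avoids recursion
	var r raw
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&r); err != nil {
		return fmt.Errorf("pattern object: %w", err)
	}
	set := 0
	for _, v := range []string{r.Exact, r.Prefix, r.Suffix, r.Contains} {
		if v != "" {
			set++
		}
	}
	if set != 1 {
		return fmt.Errorf("pattern object: exactly one of exact/prefix/suffix/contains required, got %d", set)
	}
	*p = PatternObject(r)
	return nil
}

// FieldRequirement is the string "all" or a non-empty pattern list.
// Declared records whether the key was present in the rule at all.
type FieldRequirement struct {
	All      bool
	Patterns []PatternObject
	Declared bool
}

func (f *FieldRequirement) UnmarshalJSON(data []byte) error {
	if bytes.Equal(bytes.TrimSpace(data), []byte("null")) {
		return nil // explicit null behaves like an absent key (assumed)
	}
	var s string
	if err := json.Unmarshal(data, &s); err == nil {
		if s != "all" {
			return fmt.Errorf("field requirement: unsupported string %q", s)
		}
		*f = FieldRequirement{All: true, Declared: true}
		return nil
	}
	var pats []PatternObject
	if err := json.Unmarshal(data, &pats); err != nil {
		return fmt.Errorf("field requirement: %w", err)
	}
	if len(pats) == 0 {
		return errors.New("field requirement: pattern list must be non-empty")
	}
	*f = FieldRequirement{Patterns: pats, Declared: true}
	return nil
}

// ProfileDataRequired trimmed to three of the documented fields.
type ProfileDataRequired struct {
	Opens        FieldRequirement `json:"opens,omitempty"`
	Execs        FieldRequirement `json:"execs,omitempty"`
	Capabilities FieldRequirement `json:"capabilities,omitempty"`
}

// ParseRequirement decodes a single field value (hypothetical helper).
func ParseRequirement(data string) (FieldRequirement, error) {
	var f FieldRequirement
	err := json.Unmarshal([]byte(data), &f)
	return f, err
}

// ParseProfileData decodes the block and also rejects unknown top-level keys.
func ParseProfileData(data string) (ProfileDataRequired, error) {
	var p ProfileDataRequired
	dec := json.NewDecoder(strings.NewReader(data))
	dec.DisallowUnknownFields()
	err := dec.Decode(&p)
	return p, err
}
```

The `type raw PatternObject` alias is the standard way to reuse the default decoder without re-entering the custom UnmarshalJSON; DisallowUnknownFields on a per-object Decoder is what turns a misspelled key into a load-time error rather than a rule that quietly never fires. A field that is absent from the rule keeps Declared=false, which is how the spec compiler can tell "not declared here" from an explicit "all".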
type Rule
type Rule struct {
Enabled bool `json:"enabled" yaml:"enabled"`
ID string `json:"id" yaml:"id"`
Name string `json:"name" yaml:"name"`
Description string `json:"description" yaml:"description"`
Expressions RuleExpressions `json:"expressions" yaml:"expressions"`
ProfileDependency armotypes.ProfileDependency `json:"profileDependency" yaml:"profileDependency"`
ProfileDataRequired *ProfileDataRequired `json:"profileDataRequired,omitempty" yaml:"profileDataRequired,omitempty"`
Severity int `json:"severity" yaml:"severity"`
SupportPolicy bool `json:"supportPolicy" yaml:"supportPolicy"`
Tags []string `json:"tags" yaml:"tags"`
State map[string]any `json:"state,omitempty" yaml:"state,omitempty"`
AgentVersionRequirement string `json:"agentVersionRequirement" yaml:"agentVersionRequirement"`
IsTriggerAlert bool `json:"isTriggerAlert" yaml:"isTriggerAlert"`
MitreTactic string `json:"mitreTactic" yaml:"mitreTactic"`
MitreTechnique string `json:"mitreTechnique" yaml:"mitreTechnique"`
Prefilter *prefilter.Params `json:"-" yaml:"-"`
}
type RuleExpression
type RuleExpressions
type RuleExpressions struct {
Message string `json:"message" yaml:"message"`
UniqueID string `json:"uniqueId" yaml:"uniqueId"`
RuleExpression []RuleExpression `json:"ruleExpression" yaml:"ruleExpression"`
}