policies: rename list fields to be plural

deploy/helm/tracee/templates/tracee-policies.yaml

@@ -9,7 +9,8 @@ data:
   signatures.yaml: |-
     name: signature_events
     description: traces all signature events
-    defaultAction: log
+    defaultActions:
+      - log
     scope:
       - global
     rules:

deploy/kubernetes/tracee/tracee.yaml

@@ -11,7 +11,8 @@ data:
   signatures.yaml: |-
     name: signature_events
     description: traces all signature events
-    defaultAction: log
+    defaultActions:
+      - log
     scope:
       - global
     rules:

docs/docs/events/overview.md

@@ -22,7 +22,8 @@ name: sample policy
 description: traces execve events
 scope:
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: execve
 EOF

docs/docs/policies/actions.md

@@ -1,8 +1,8 @@
 # Actions
 
-## DefaultAction
+## DefaultActions
 
-Every policy must have a `defaultAction`. Actions are taken when there is match on some rule declared at the policy. The following actions are currently supported:
+Every policy must have at least one action in `defaultActions`. Actions are taken when there is match on some rule declared at the policy. The following actions are currently supported:
 
 - `log` - output events in a specified foramt (table, json etc) - default is table. The path to file is stdout.
 - `forward` - send events in json format using the Forward protocol to a Fluent receiver
@@ -17,7 +17,8 @@ name: log_sample_policy
 description: log sample policy
 scope:
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: dropped_executable
 ```
@@ -49,7 +50,8 @@ name: webhook_sample_policy
 description: webhook_sample_policy
 scope:
   - global
-defaultAction: webhook
+defaultActions: 
+  - webhook
 rules:
   - event: dropped_executable
 ```
@@ -67,7 +69,8 @@ name: forward_sample_policy
 description: forward_sample_policy
 scope:
   - global
-defaultAction: forward
+defaultActions: 
+  - forward
 rules:
   - event: dropped_executable
 ```
@@ -87,7 +90,8 @@ name: log_sample_policy
 description: log sample policy
 scope:
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: dropped_executable
 ```
@@ -110,7 +114,8 @@ name: override_action_sample
 description: override action sample
 scope:
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: dropped_executable
     action:

docs/docs/policies/index.md

@@ -11,17 +11,18 @@ name: overview policy
 description: sample overview policy
 scope:
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: dropped_executable
   - event: security_file_open
-    filter:
+    filters:
         - args.pathname=/tmp/*
   - event: sched_process_exec
-    filter: 
+    filters: 
         - uid=0
   - event: close
-    filter:
+    filters:
         - retval!=0
 ```
 

docs/docs/policies/rules.md

@@ -7,19 +7,20 @@ Rules determine which events a policy should trace.
 An event can match all occurrences of events for a specific scope, or specific events depending on its filters.
 Events support three types of filters: `context`, `arguments` and `return value`. 
 
-## Context filter
+## Context filters
 
 Context is data which is collected along the event. They can be filtered like:
 
 ```yaml
 name: sample_context_filter
 description: sample context filter
-defaultAction: log
+defaultActions: 
+    - log
 scope:
     - global
 rules:
     event: sched_process_exec
-    filter:
+    filters:
         - pid=1000
 ```
 
@@ -29,151 +30,151 @@ The context filters supported are:
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - pid=1000
 ```
 
 #### tid, threadId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - tid=13819
 ```
 
 #### ppid, parentProcessId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - ppid=1000
 ```
 
 #### hostTid, hostThreadId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - hostTid=1000
 ```
 
 #### hostPid
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - hostPid=1000
 ```
 
 #### hostParentProcessId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - hostParentProcessId=1
 ```
 
 #### uid, userId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - uid=0
 ```
 
 #### mntns, mountNamespace
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - mntns=4026531840
 ```
 
 #### pidns, pidNamespace
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - pidns=4026531836
 ```
 
 #### comm, processName
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - comm=uname
 ```
 
 #### hostName
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - hostName=hostname
 ```
 
 #### cgroupId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - cgroupId=5247
 ```
 
 #### container
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - container=66c2778945e29dfd36532d63c38c2ce4ed1
 ```
 
 #### containerId
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - containerId=66c2778945e29dfd36532d63c38c2ce4ed1
 ```
 
 #### containerImage
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - containerImage=ubuntu:latest
 ```
 
 #### containerName  
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - containerName=test
 ```
 
 #### podName
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - podName=daemonset/test
 ```
 
 #### podNamespace
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - podNamespace=production
 ```
 
 #### podUid
 
 ```yaml
 event: sched_process_exec
-filter:
+filters:
     - podUid=66c2778945e29dfd36532d63c38c2ce4ed16a002c44cb254b8e
 ```
 
@@ -185,12 +186,13 @@ Events have arguments, which can be filtered.
 ```yaml
 name: sample_argument_filter
 description: sample argument filter
-defaultAction: log
+defaultActions: 
+    - log
 scope:
     - global
 rules:
     event: security_file_open
-    filter:
+    filters:
         - args.pathname=/tmp*
 ```
 
@@ -211,11 +213,12 @@ Return values can also be filtered.
 ```yaml
 name: sample_return_value
 description: sample return filter
-defaultAction: log
+defaultActions: 
+    - log
 scope:
     - global
 rules:
     event: close
-    filter:
+    filters:
         - retval!=0
 ```

docs/tutorials/k8s-policies.md

@@ -58,7 +58,8 @@ signatures.yaml:
 ----
 name: signature_events
 description: traces all signature events
-defaultAction: log
+defaultActions: 
+  - log
 scope:
   - global
 rules:
@@ -108,13 +109,14 @@ To add a new policy for tracking execve events, append the following YAML block
 
 ```yaml
 events.yaml: |-
-	name: execve_event
-	description: traces all execve events
-	defaultAction: log
-	scope:
-		- global
-	rules:
-		- event: execve
+  name: execve_event
+  description: traces all execve events
+  defaultActions:
+    - log
+  scope:
+    - global
+  rules:
+    - event: execve
 ```
 Save and close the file. The changes will be applied automatically.
 

examples/policies/container_dns_events.yaml

@@ -2,7 +2,8 @@ name: container_dns_events
 description: traces dns events from containers
 scope:
   - container
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: net_packet_dns_request
   - event: net_packet_dns_response

examples/policies/context_comm.yaml

@@ -2,9 +2,10 @@ name: context_comm
 description: traces openat done by ls
 scope: 
   - global
-defaultAction: log
+defaultActions: 
+  - log
 rules:
   - event: openat
-    filter:
+    filters:
       - comm=ls