docs: changes to the policies documentation #3416

AnaisUrlichs · 2023-08-25T12:23:22Z

#3403

and

#3398

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

docs/docs/policies/rules.md

josedonizetti · 2023-08-25T17:11:59Z

docs/docs/policies/rules.md

+	scope:
+	    - global
+	rules:
+	    event: TRC-101


Suggested change

event: TRC-101

event: TRC-101

TRCs are internal ids, we need to use the event name, soon TRCs won't be exposed anymore.
eg:

tracee/signatures/golang/proc_mem_access.go

Line 32 in 5d12c73

EventName: "proc_mem_access",

What do you mean by soon TRCs won't be exposed anymore?

We will remove the TRCs ids from tracee.

@AnaisUrlichs This one still needs to be fixed before we can merge this PR

I changed it

Co-authored-by: Jose Donizetti <jdbjunior@gmail.com>

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

AnaisUrlichs · 2023-09-01T11:02:21Z

docs/docs/policies/index.md

@@ -43,6 +43,6 @@ This policy applies to any workload (global) and will log the dropped_executable
 While specifying event filters is optional, policies must have the `name`, `description`, `scope` and `rules` fields.

 !!! Note
-    A current limitation is that only one rule can be defined per any event type in a policy
+    Note that only one rule can be defined per any event type in a policy


I don't see why this is a limitation -- I know users should be aware of it but I would not call it a limitation

Ok, but I would add the word "currently" since we want to support more than one rule per event in the future

oki, sounds good, will add it

AnaisUrlichs · 2023-09-01T11:06:31Z

@yanivagman @itaysk I have added the names for the behavioral signatures -- I think they are all added correctly but for the following, I could not find the right name && the list provided by tracee list misses one. While the table in the docs has 31 events -- the list in the rules section of the CLI only has 30 events

this one currently is wrong and misses the event name:

Note the name here for the event on the left is just the placeholder

yanivagman · 2023-09-03T18:58:59Z

@yanivagman @itaysk I have added the names for the behavioral signatures -- I think they are all added correctly but for the following, I could not find the right name && the list provided by tracee list misses one. While the table in the docs has 31 events -- the list in the rules section of the CLI only has 30 events

this one currently is wrong and misses the event name:

Note the name here for the event on the left is just the placeholder

This is its name: https://github.com/aquasecurity/tracee/blob/main/signatures/golang/kubernetes_certificate_theft_attempt.go#L31

Not sure why it is not printed in the list

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

docs/docs/events/builtin/signatures.md

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

AnaisUrlichs added 2 commits August 25, 2023 13:08

adding event information for Tracee Policy based on aquasecurity#3403

823e009

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

small correction based on aquasecurity#3398 to Tracee event intro

aa2f7d0

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

github-actions bot assigned AnaisUrlichs Aug 25, 2023

github-actions bot added the kind/documentation label Aug 25, 2023

AnaisUrlichs requested review from yanivagman and josedonizetti August 25, 2023 12:23

josedonizetti requested changes Aug 25, 2023

View reviewed changes

AnaisUrlichs and others added 3 commits August 29, 2023 14:12

Update docs/docs/policies/rules.md

e9c0933

Co-authored-by: Jose Donizetti <jdbjunior@gmail.com>

Update docs/docs/policies/rules.md

e0877f7

Co-authored-by: Jose Donizetti <jdbjunior@gmail.com>

adding behavioral signature event names

576a5c2

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

AnaisUrlichs commented Sep 1, 2023

View reviewed changes

modifications to events and rules related docs based on PR comments

3cff376

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

This was linked to issues Sep 12, 2023

docs: syscalls as Tracee events #3403

Closed

docs: Why does it say "tracee will start with a sane default" #3398

Closed

AnaisUrlichs requested a review from josedonizetti September 12, 2023 12:07

josedonizetti reviewed Sep 12, 2023

View reviewed changes

docs/docs/events/builtin/signatures.md Outdated Show resolved Hide resolved

removing signature ID from behavioural signatures

8502f82

Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>

AnaisUrlichs requested a review from josedonizetti September 18, 2023 08:37

josedonizetti approved these changes Sep 18, 2023

View reviewed changes

josedonizetti merged commit 2ba983d into aquasecurity:main Sep 18, 2023
2 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

docs: changes to the policies documentation #3416

docs: changes to the policies documentation #3416

AnaisUrlichs commented Aug 25, 2023

josedonizetti Aug 25, 2023

AnaisUrlichs Aug 29, 2023

josedonizetti Aug 29, 2023

josedonizetti Aug 31, 2023

AnaisUrlichs Sep 1, 2023

AnaisUrlichs Sep 1, 2023

yanivagman Sep 3, 2023

AnaisUrlichs Sep 4, 2023

AnaisUrlichs commented Sep 1, 2023

yanivagman commented Sep 3, 2023

docs: changes to the policies documentation #3416

docs: changes to the policies documentation #3416

Conversation

AnaisUrlichs commented Aug 25, 2023

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

AnaisUrlichs commented Sep 1, 2023

yanivagman commented Sep 3, 2023