Rework for Docker rules #294

Closed
chemamartinez opened this issue Feb 22, 2019 · 1 comment
Comments

@chemamartinez
Contributor

Some of the events from the Docker listener are not generating the correct rule. For example, the docker exec command is triggering the rule 87903.

It is necessary to review what events and rules are generated in each case to fix and enrich the Docker ruleset.

@cristgl
Contributor

cristgl commented Feb 22, 2019

These are the different Docker commands, the events generated, rule IDs matched and alerts triggered. Now updated with the new rules added at #293.

| Docker command | Rule ID | Event | Alerts |
|---|---|---|---|
| docker create | 87901 | status: create | Container created |
| docker start | 87903 | status: start | Container started |
| docker run | 87901, 87903 | status: create, start | Container started, Container created |
| docker exec | 87907 | status: exec_create, exec_start, exec_die | Command run in container |
| docker exec shell | 87908 | status: exec_create, exec_start, exec_die | Started shell session in container |
| docker stop | 87921, 87904, 87902 | status: kill, die, stop, destroy | Container killed, Container stopped, Container destroyed |
| docker restart | 87921, 87904, 87903, 87909 | status: kill, die, stop, start, restart | Container killed, Container stopped, Container started |
| docker volume create | 87913 | action: create | Volume created |
| docker volume rm | 87914 | action: destroy | Volume destroyed |
| docker pause | 87905 | status: pause | Container paused |
| docker unpause | 87906 | status: unpause | Container unpaused |
| docker attach | 87919 | status: attach | Container attached standard input, output and error |
| docker commit | 87905, 87916, 87915, 87906 | status: pause, tag, commit, unpause | Container paused, Image tagged, Container committed, Container unpaused |
| docker cp | 87910, 87911 | status: extract-to-dir, status: archive-path | Copied a file from host to container, Copied a file from container to host |
| docker rmi | 87917, 87918 | status: untag, delete | Image untagged, Container deleted |
| docker rm | 87902 | status: destroy | Container destroyed |
| docker update | 87922 | status: update | Container updated its configuration |
| docker top | 87923 | status: top | Container displayed its running processes |
| docker kill | 87921, 87926 | status: kill, die | Container killed |
| docker pull | 87928 | status: pull | Image pulled |
| docker build | 87918 | status: tag | Image tagged |
| docker swarm init | 87950, 87930 | status: node update, network create | Node updated, Network created |
| docker swarm join | 87949, 87950 | status: node create, node update | Node created, Node updated |
| docker swarm update | 87950 | status: node update | Node updated |
| docker node update | 87950 | status: node update | Node updated |
| docker node promote | 87951 | status: node update | Node updated |
| docker node demote | 87951 | status: node update | Node updated |
| docker config create | 87937 | status: config create | Container config created |
| docker config rm | 87938 | status: config remove | Container config removed |
| docker rename | 87935 | status: rename | Container renamed |
| docker save | 87934 | status: save | Image saved |
| docker load | 87933 | status: load | Image loaded |
| docker import | 87920 | status: tag, import | Image tagged, Image imported |
| docker run -d -P --name redis --network simple-network redis | 87932, 87930, 87915, 87903 | status: pull, create, volume mount, start | Container pulled, Container created, Volume mounted, Container started |
| docker network rm | 87931 | status: network destroy | Network deleted |
| docker network connect | 87928 | status: network connect | Network connected |
| docker network disconnect | 87929 | status: network disconnect | Network disconnected |
| docker network create | 87930 | status: network create | Description example: $(docker.Actor.Attributes.type) network created -> bridge network created (with a lowercase letter) |
| docker secret create | 87940 | status: secret create | Secret created |
| docker secret rm | 87941 | status: secret remove | Secret deleted |
| docker plugin install | 87943, 87944, 87950 | status: plugin pull, plugin enable, node update | Plugin pulled, Plugin enabled, Node updated |
| docker plugin disable | 87945, 87950 | status: plugin disable, node update | Plugin disabled, Node updated |
| docker plugin remove | 87946 | status: plugin remove | Plugin removed |
