Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker rules extension #307

Merged
merged 4 commits into from Mar 4, 2019
Merged

Docker rules extension #307

merged 4 commits into from Mar 4, 2019

Conversation

cristgl
Copy link
Contributor

@cristgl cristgl commented Mar 1, 2019

This PR adds some more rules for Docker commands.
Related issue: #294

chemamartinez
chemamartinez suggested changes Mar 1, 2019
View reviewed changes
rules/0560-docker_integration_rules.xml Outdated
<options>no_full_log</options>
</rule>

<rule id="87921" level="5">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Level 7

rules/0560-docker_integration_rules.xml Outdated
<if_sid>87900</if_sid>
<field name="docker.status">^delete$</field>
<description>Container $(docker.Actor.Attributes.name) deleted</description>
<options>no_full_log</options>
</rule>

<rule id="87919" level="3">
<rule id="87922" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^attach$</field>
<description>Container $(docker.Actor.Attributes.name) attached standard input, output and error</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attached local standard input, output, and error streams to container $(docker.Actor.Attributes.name)

rules/0560-docker_integration_rules.xml Outdated
<if_sid>87900</if_sid>
<field name="docker.status">^attach$</field>
<description>Container $(docker.Actor.Attributes.name) attached standard input, output and error</description>
<options>no_full_log</options>
</rule>

<rule id="87920" level="3">
<rule id="87923" level="5">
<if_sid>87900</if_sid>
<field name="docker.status">^export$</field>
<description>Container $(docker.Actor.Attributes.name) exported its filesystem</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Filesystem of container $(docker.Actor.Attributes.name) exported

rules/0560-docker_integration_rules.xml Outdated
<if_sid>87900</if_sid>
<field name="docker.status">^kill$|^die$</field>
<description>Container $(docker.Actor.Attributes.name) received the action: $(docker.status)</description>
<options>no_full_log</options>
</rule>

<rule id="87922" level="3">
<rule id="87925" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^update$</field>
<description>Container $(docker.Actor.Attributes.name) updated its configuration</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configuration of container $(docker.Actor.Attributes.name) updated

rules/0560-docker_integration_rules.xml Outdated
<if_sid>87900</if_sid>
<field name="docker.status">^update$</field>
<description>Container $(docker.Actor.Attributes.name) updated its configuration</description>
<options>no_full_log</options>
</rule>

<rule id="87923" level="3">
<rule id="87926" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^top$</field>
<description>Container $(docker.Actor.Attributes.name) displayed its running processes</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running processes of container $(docker.Actor.Attributes.name) displayed

rules/0560-docker_integration_rules.xml Outdated
<rule id="87950" level="3">
<if_sid>87945</if_sid>
<field name="docker.Action">^create$</field>
<description>Plugin $(docker.Actor.Attributes.name) was created</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plugin $(docker.Actor.Attributes.name) created

rules/0560-docker_integration_rules.xml Outdated
<options>no_full_log</options>
</rule>

<rule id="87951" level="3">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Level 0

rules/0560-docker_integration_rules.xml Outdated
<options>no_full_log</options>
</rule>

<rule id="87957" level="3">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Level 0

rules/0560-docker_integration_rules.xml Outdated
<rule id="87960" level="5">
<if_sid>87957</if_sid>
<field name="docker.Action">^remove$</field>
<description>Service $(docker.Actor.Attributes.name) was deleted</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Service $(docker.Actor.Attributes.name) deleted

rules/0560-docker_integration_rules.xml Outdated
<rule id="87961" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^push$</field>
<description>The image $(docker.Actor.Attributes.name) was pushed</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Image $(docker.Actor.Attributes.name) pushed

@chemamartinez
Copy link
Contributor

Two more changes:

@chemamartinez
Copy link
Contributor

Change the description of network rules. When managing containers with the default network configuration, the following alert is shown:

{
  "timestamp": "2019-03-04T01:13:45.339-0800",
  "rule": {
    "level": 4,
    "description": "Network bridge of type bridge disconnected",
    "id": "87931",
   ...

Omit the network name or the type of the network.

@chemamartinez
Copy link
Contributor

GJ @cristgl !

@chemamartinez chemamartinez merged commit ae131c2 into 3.9 Mar 4, 2019
@chemamartinez chemamartinez deleted the 3.9-docker-ruleset-ampl branch March 4, 2019 12:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chemamartinez chemamartinez chemamartinez approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@cristgl @chemamartinez