Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Docker rules extension #307

Merged
merged 4 commits into from
Mar 4, 2019
Merged

Docker rules extension #307

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
56ff315
Add some Docker rules
cristgl Feb 27, 2019
c8509a8
Added some more Docker rules
cristgl Mar 1, 2019
7e5898f
Fix some typos
cristgl Mar 1, 2019
27f02e0
Fix network rules for Docker
cristgl Mar 4, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
270 changes: 237 additions & 33 deletions rules/0560-docker_integration_rules.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ ID: 87900 - 87999
<options>no_full_log</options>
</rule>

<rule id="87902" level="3">
<rule id="87902" level="5">
<if_sid>87900</if_sid>
<field name="docker.status">^destroy$</field>
<description>Container $(docker.Actor.Attributes.name) destroyed</description>
Expand Down Expand Up @@ -63,11 +63,11 @@ ID: 87900 - 87999
<rule id="87907" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^exec_start: </field>
<description>Command run in container $(docker.Actor.Attributes.name). Action: "$(docker.Action)"</description>
<description>Command launched in container $(docker.Actor.Attributes.name). Action: "$(docker.Action)"</description>
<options>no_full_log</options>
</rule>

<rule id="87908" level="3">
<rule id="87908" level="5">
<if_sid>87907</if_sid>
<field name="docker.status">^exec_start: bash $|^exec_start: /bin/bash $|^exec_start: sh $|^exec_start: dash $|^exec_start: /bin/dash $</field>
<description>Started shell session in container $(docker.Actor.Attributes.name)</description>
Expand Down Expand Up @@ -109,115 +109,319 @@ ID: 87900 - 87999
<options>no_full_log</options>
</rule>

<rule id="87914" level="3">
<rule id="87914" level="7">
<if_sid>87912</if_sid>
<field name="docker.Action">^destroy$</field>
<description>Volume destroyed in $(docker.Actor.Attributes.driver)</description>
<options>no_full_log</options>
</rule>

<rule id="87915" level="3">
<if_sid>87912</if_sid>
<field name="docker.Action">^mount$</field>
<description>Volume mounted on $(docker.Actor.Attributes.destination)</description>
<options>no_full_log</options>
</rule>

<rule id="87916" level="5">
<if_sid>87912</if_sid>
<field name="docker.Action">^unmount$</field>
<description>Volume unmounted from $(docker.Actor.Attributes.driver)</description>
<options>no_full_log</options>
</rule>

<rule id="87917" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^commit$</field>
<description>Container $(docker.Actor.Attributes.name) commited</description>
<description>Committed an image from container $(docker.Actor.Attributes.name)</description>
<options>no_full_log</options>
</rule>

<rule id="87916" level="3">
<rule id="87918" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^tag$</field>
<description>Image $(docker.Actor.Attributes.name) tagged</description>
<options>no_full_log</options>
</rule>

<rule id="87917" level="3">
<rule id="87919" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^untag$</field>
<description>Image $(docker.Actor.Attributes.name) untagged</description>
<options>no_full_log</options>
</rule>

<rule id="87918" level="3">
<rule id="87920" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^import$</field>
<description>Image created from imported data</description>
<options>no_full_log</options>
</rule>

<rule id="87921" level="7">
<if_sid>87900</if_sid>
<field name="docker.status">^delete$</field>
<description>Container $(docker.Actor.Attributes.name) deleted</description>
<options>no_full_log</options>
</rule>

<rule id="87919" level="3">
<rule id="87922" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^attach$</field>
<description>Container $(docker.Actor.Attributes.name) attached standard input, output and error</description>
<description>Attached local standard input, output, and error streams to container $(docker.Actor.Attributes.name)</description>
<options>no_full_log</options>
</rule>

<rule id="87920" level="3">
<rule id="87923" level="5">
<if_sid>87900</if_sid>
<field name="docker.status">^export$</field>
<description>Container $(docker.Actor.Attributes.name) exported its filesystem</description>
<description>Filesystem of container $(docker.Actor.Attributes.name) exported</description>
<options>no_full_log</options>
</rule>

<rule id="87921" level="3">
<rule id="87924" level="7">
<if_sid>87900</if_sid>
<field name="docker.status">^kill$|^die$</field>
<description>Container $(docker.Actor.Attributes.name) received the action: $(docker.status)</description>
<options>no_full_log</options>
</rule>

<rule id="87922" level="3">
<rule id="87925" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^update$</field>
<description>Container $(docker.Actor.Attributes.name) updated its configuration</description>
<description>Configuration of container $(docker.Actor.Attributes.name) updated</description>
<options>no_full_log</options>
</rule>

<rule id="87923" level="3">
<rule id="87926" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^top$</field>
<description>Container $(docker.Actor.Attributes.name) displayed its running processes</description>
<description>Running processes of container $(docker.Actor.Attributes.name) displayed</description>
<options>no_full_log</options>
</rule>

<rule id="87924" level="3">
<rule id="87927" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^network$</field>
<description>Container $(docker.Actor.Attributes.name) displayed its running processes</description>
<description>Group of network events</description>
<options>no_full_log</options>
</rule>

<rule id="87925" level="3">
<if_sid>87924</if_sid>
<rule id="87928" level="3">
<if_sid>87927</if_sid>
<field name="docker.Action">^connect$</field>
<description>Network connected for container $(docker.Actor.Attributes.name)</description>
<description>Network $(docker.Actor.Attributes.name) connected</description>
<options>no_full_log</options>
</rule>

<rule id="87926" level="3">
<if_sid>87924</if_sid>
<rule id="87929" level="4">
<if_sid>87927</if_sid>
<field name="docker.Action">^disconnect$</field>
<description>Network disconnected for container $(docker.Actor.Attributes.name)</description>
<description>Network $(docker.Actor.Attributes.name) disconnected</description>
<options>no_full_log</options>
</rule>

<rule id="87927" level="3">
<if_sid>87924</if_sid>
<rule id="87930" level="3">
<if_sid>87927</if_sid>
<field name="docker.Action">^create$</field>
<description>Network $(docker.Actor.Attributes.name) of type $(docker.Actor.Attributes.type) created</description>
<description>Network $(docker.Actor.Attributes.name) created</description>
<options>no_full_log</options>
</rule>

<rule id="87928" level="3">
<if_sid>87924</if_sid>
<rule id="87931" level="5">
<if_sid>87927</if_sid>
<field name="docker.Action">^destroy$</field>
<description>Network $(docker.Actor.Attributes.name) of type $(docker.Actor.Attributes.type) deleted</description>
<description>Network $(docker.Actor.Attributes.name) deleted</description>
<options>no_full_log</options>
</rule>

<rule id="87929" level="3">
<rule id="87932" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^pull$</field>
<description>Image $(docker.Actor.Attributes.name) was pulled</description>
<description>Image or repository $(docker.Actor.Attributes.name) pulled</description>
<options>no_full_log</options>
</rule>

<rule id="87933" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^load$</field>
<description>Image loaded</description>
<options>no_full_log</options>
</rule>

<rule id="87934" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^save$</field>
<description>Image saved</description>
<options>no_full_log</options>
</rule>

<rule id="87935" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^rename$</field>
<description>Container renamed from $(docker.Actor.Attributes.oldName) to $(docker.Actor.Attributes.name)</description>
<options>no_full_log</options>
</rule>

<rule id="87936" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^config$</field>
<description>Group of Docker config events</description>
<options>no_full_log</options>
</rule>

<rule id="87937" level="3">
<if_sid>87936</if_sid>
<field name="docker.Action">^create$</field>
<description>$(docker.Actor.Attributes.name) config created</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$(docker.Actor.Attributes.name) configuration created

<options>no_full_log</options>
</rule>

<rule id="87938" level="5">
<if_sid>87936</if_sid>
<field name="docker.Action">^remove$</field>
<description>$(docker.Actor.Attributes.name) config deleted</description>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$(docker.Actor.Attributes.name) configuration deleted

<options>no_full_log</options>
</rule>

<rule id="87939" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^secret$</field>
<description>Group of Docker secret events</description>
<options>no_full_log</options>
</rule>

<rule id="87940" level="3">
<if_sid>87939</if_sid>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<if_sid>87942</if_sid>

<field name="docker.Action">^create$</field>
<description>Secret '$(docker.Actor.Attributes.name)' created</description>
<options>no_full_log</options>
</rule>

<rule id="87941" level="3">
<if_sid>87939</if_sid>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<if_sid>87942</if_sid>

<field name="docker.Action">^remove$</field>
<description>Secret '$(docker.Actor.Attributes.name)' removed</description>
<options>no_full_log</options>
</rule>

<rule id="87942" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^plugin$</field>
<description>Group of Docker plugin events</description>
<options>no_full_log</options>
</rule>

<rule id="87943" level="3">
<if_sid>87942</if_sid>
<field name="docker.Action">^pull$</field>
<description>Plugin $(docker.Actor.Attributes.name) pulled</description>
<options>no_full_log</options>
</rule>

<rule id="87944" level="3">
<if_sid>87942</if_sid>
<field name="docker.Action">^enable$</field>
<description>Plugin $(docker.Actor.Attributes.name) enabled</description>
<options>no_full_log</options>
</rule>

<rule id="87945" level="3">
<if_sid>87942</if_sid>
<field name="docker.Action">^disable$</field>
<description>Plugin $(docker.Actor.Attributes.name) disabled</description>
<options>no_full_log</options>
</rule>

<rule id="87946" level="3">
<if_sid>87942</if_sid>
<field name="docker.Action">^remove$</field>
<description>Plugin $(docker.Actor.Attributes.name) removed</description>
<options>no_full_log</options>
</rule>

<rule id="87947" level="3">
<if_sid>87942</if_sid>
<field name="docker.Action">^create$</field>
<description>Plugin $(docker.Actor.Attributes.name) created</description>
<options>no_full_log</options>
</rule>

<rule id="87948" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^node$</field>
<description>Group of Docker plugin events</description>
<options>no_full_log</options>
</rule>

<rule id="87949" level="3">
<if_sid>87948</if_sid>
<field name="docker.Action">^create$</field>
<description>Node created</description>
<options>no_full_log</options>
</rule>

<rule id="87950" level="3">
<if_sid>87948</if_sid>
<field name="docker.Action">^update$</field>
<description>Node updated</description>
<options>no_full_log</options>
</rule>

<rule id="87951" level="3">
<if_sid>87950</if_sid>
<field name="docker.Actor.Attributes.role.new">\.+</field>
<field name="docker.Actor.Attributes.role.old">\.+</field>
<description>Role for node $(docker.Actor.Attributes.name) has changed from $(docker.Actor.Attributes.role.old) to $(docker.Actor.Attributes.role.new)</description>
<options>no_full_log</options>
</rule>

<rule id="87952" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^resize$</field>
<description>Container $(docker.Actor.Attributes.image) resized terminal size to $(docker.Actor.Attributes.width)x$(docker.Actor.Attributes.height)</description>
<options>no_full_log</options>
</rule>

<rule id="87953" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^checkpoint$</field>
<description>Checkpoint set at container $(docker.Actor.Attributes.name)</description>
<options>no_full_log</options>
</rule>

<rule id="87954" level="0">
<if_sid>87900</if_sid>
<field name="docker.Type">^service$</field>
<description>Group of service events</description>
<options>no_full_log</options>
</rule>

<rule id="87955" level="3">
<if_sid>87954</if_sid>
<field name="docker.Action">^create$</field>
<description>Service $(docker.Actor.Attributes.name) created</description>
<options>no_full_log</options>
</rule>

<rule id="87956" level="3">
<if_sid>87954</if_sid>
<field name="docker.Action">^update$</field>
<description>Service $(docker.Actor.Attributes.name) updated</description>
<options>no_full_log</options>
</rule>

<rule id="87957" level="5">
<if_sid>87954</if_sid>
<field name="docker.Action">^remove$</field>
<description>Service $(docker.Actor.Attributes.name) deleted</description>
<options>no_full_log</options>
</rule>

<rule id="87958" level="3">
<if_sid>87900</if_sid>
<field name="docker.status">^push$</field>
<description>Image $(docker.Actor.Attributes.name) pushed</description>
<options>no_full_log</options>
</rule>
</group>