docs: syscalls as Tracee events #3403

Closed
AnaisUrlichs opened this issue Aug 22, 2023 · 5 comments · Fixed by #3416

@AnaisUrlichs
Contributor

Just to clarify, I can use syscalls as events in the Tracee Policy?

e.g. https://aquasecurity.github.io/tracee/v0.17/docs/events/builtin/syscalls/open/

spec:
    scope:
      - container
    rules:
      - event: open

@geyslan
Member

geyslan commented Aug 22, 2023

Yep, take a look at examples/policies/openat_args_pahtname.yaml

❯ cat examples/policies/openat_args_pahtname.yaml
apiVersion: aquasecurity.github.io/v1beta1
kind: TraceePolicy
metadata:
  name: openat-args-pathname
  annotations:
    description: traces openat under /tmp/*
spec:
  scope: 
    - global
  rules:
    - event: openat
      filters:
        - args.pathname=/tmp*

@AnaisUrlichs
Contributor Author

Cool, thank you @geyslan

@AnaisUrlichs
Contributor Author

Will leave this issue open until I have documented it

@yanivagman
Collaborator

Will leave this issue open until I have documented it

Which documentation do you want to add other than https://aquasecurity.github.io/tracee/v0.17/docs/events/builtin/syscalls/open/?

@AnaisUrlichs
Contributor Author

@yanivagman I was planning on detailing in the Policies section where people can find information on the events they can add to the policy -- I might be learning this right now but a completely new user will not know -- will tag this issue in the PR

AnaisUrlichs added a commit to AnaisUrlichs/tracee that referenced this issue Aug 25, 2023
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>
@yanivagman yanivagman linked a pull request Sep 12, 2023 that will close this issue
@yanivagman yanivagman added this to the v0.18.0 milestone Sep 12, 2023
josedonizetti pushed a commit that referenced this issue Sep 18, 2023
Signed-off-by: AnaisUrlichs <urlichsanais@gmail.com>