Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs(events/README.md): update conventions #194

Merged
merged 1 commit into from
Mar 27, 2024
+17 −3
Merged

docs(events/README.md): update conventions #194

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 17 additions & 3 deletions events/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,15 @@ An *action* is a `func` that implements `events.Action` interface, and when call

### Choose a package

- The package name should reflect the data source name of the ruleset (ie. `syscall`).
- Each *action* must be put in a subpackage of `events` that matches the ruleset context.
- The `helper` subpackage is intended for those actions that does not match a rule, but still be useful to implement other actions.
- The `helper` subpackage is intended for actions that do not match a rule but can still be useful for implementing other actions.
- Before adding a new subpackage, propose your motivations to the maintainers.

#### Functions visibility

Only `func`s that implement the `events.Action` interface must be exported by a package. Other utility functions can be included, if needed, stating they are not exported names (a notable example is [syscall/utils_linux.go](https://github.com/falcosecurity/event-generator/blob/main/events/syscall/utils_linux.go)).

### Naming

- Use the name of the rule the action is intended for, remove all non-alphanumeric characters (eg. `s/[^([:alpha:]|[:digit:]]//g`), and convert it to:
Expand All @@ -25,11 +30,20 @@ An *action* is a `func` that implements `events.Action` interface, and when call
Each action must be registered by calling `events.Register()` or `events.RegisterWithName()` at initialization time, the first one will automatically extracts the name from the `func`'s name. For example:

```golang
var _ = events.Register(WriteBelowEtc)
var _ = events.Register(SystemUserInteractive)
```

Rules disabled by default or not included in the *stable* ruleset (if the [Rules Maturity Framework applies) must be skipped by default. For example:

```golang
var _ = events.Register(
WriteBelowEtc,
events.WithDisabled(), // this rule is not included in falco_rules.yaml (stable rules), so disable the action
)
```

### Behavior
Running an *action* should be an idempotent operation, in the sense that it should not have additional effect if it is called more than once.
Running an *action* should be an idempotent operation in the sense that it should not have additional effects if it is called more than once.
For this reason, *actions* should revert any operation that changed the state of the system (eg. if a file is created, then it has to be removed). For example:

```golang
Expand Down
Loading