aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0
3.5k stars 406 forks

cannot unmarshal !!map into []v1beta1.Rule #4159

Open sankyhack opened 2 months ago

sankyhack commented 2 months ago

Hello Team,

I am trying to create a data filter in the policy.yml file. I tried indentation and verified the YAML file with an online validator. I also tried to copy/paste the content shown in the URL below. Still getting the same error. Any idea how to fix it? I tried to test with a scope filter as well, but none is working. https://aquasecurity.github.io/tracee/dev/docs/policies/rules/#hostname

uname -a

Linux ubuntu22 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 3 11:32:55 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

./tracee --policy policy.yml --config config.yml

Error: yaml: unmarshal errors: line 11: cannot unmarshal !!map into []v1beta1.Rule

policy.yml file

apiVersion: tracee.aquasec.com/v1beta1 kind: Policy metadata: name: sample-data-filter annotations: description: sample data filter spec: scope:


Thanks and Regards.

geyslan commented 2 months ago

Hello @sankyhack, please reformat it to:

apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  name: sample-data-filter
  annotations:
    description: sample data filter
spec:
  scope:
    - global
  rules:
    - event: sched_process_exec
      filters:
        - hostName=YourHostName

For more, check ./examples/policies/*.yaml.


@yanivagman I think we should provide a contextualised error message in these cases, WDYT?

sankyhack commented 2 months ago

@geyslan Thanks, appreciate your help, it worked. Along with formatting, the number of spaces that we give for the filter parameter is also important.
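
The error in this thread means the YAML parser found a mapping where a list was expected. As an added illustration (not part of the thread and not Tracee code), this stdlib-only Python pre-flight check flags `scope`, `rules` or `filters` blocks that are not written as `- ` items. The function name and the broken sample are constructed, and the sample assumes the mistake is a missing dash under `rules`.

```python
import re

# Keys that the working policy in the reply above writes as sequences ("- item").
LIST_KEYS = ("scope", "rules", "filters")

GOOD = """\
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  name: sample-data-filter
  annotations:
    description: sample data filter
spec:
  scope:
    - global
  rules:
    - event: sched_process_exec
      filters:
        - hostName=YourHostName
"""
# Constructed broken variant: the dash before "event" is dropped, so "rules"
# becomes a mapping instead of a list of rules.
BAD = GOOD.replace("    - event:", "      event:")

def mapping_where_list_expected(policy_text):
    """Return [(line_no, key)] where a list key's child block is not a sequence.

    Line-based heuristic for block-style YAML only; it is not a YAML parser.
    """
    lines = policy_text.splitlines()
    problems = []
    for i, raw in enumerate(lines):
        m = re.match(r"^(\s*)(\w+):\s*(#.*)?$", raw)
        if not m or m.group(2) not in LIST_KEYS:
            continue
        key_indent = len(m.group(1))
        for j in range(i + 1, len(lines)):
            text = lines[j].strip()
            if not text or text.startswith("#"):
                continue  # skip blank lines and comments
            indent = len(lines[j]) - len(lines[j].lstrip())
            is_item = text == "-" or text.startswith("- ")
            if indent > key_indent and not is_item:
                problems.append((j + 1, m.group(2)))  # 1-based line of the child
            break  # only the first child line decides the block's shape
    return problems

if __name__ == "__main__":
    print(mapping_where_list_expected(GOOD), mapping_where_list_expected(BAD))
```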