Easy way to enable all signatures in a policy

[NDStrahilevitz]

Currently, if a user loads a shared object with a large amount of sigantures, the work of actually enabling all these signatures is exhausting (imagine writing 50 different sigantures and enabling all of them!).
The likely way to implement this is supporting sets again or something similar in the policy file. So we could do something like

...
spec:
    scope:
        - global
    rules:
        set: signatures
        event: security_file_open

[yanivagman]

If we're going to support this, let's use the term tags and not sets since we're going to consolidate signature tags and event sets as part of the move to "everything is an event" architecture

[yanivagman]

And maybe just call it events?

spec:
    scope:
        - global
    rules:
        event: security_file_open
        events: signatures

[itaysk]

the tags or sets are not the subject of the rule (which is event/s), they are just means to select the events, so i'd say whatever word you choose prefix it with "event", meaning "event-set"/"event-tag". also yaniv's suggestion events sounds good to me (perhaps more error-prone)

[NDStrahilevitz]

So I think it's either events: (of tag) X or tagged: X or tag: X.
I find that rules is an awkward name for the overarching category here. The events is sort of an implicit select all event where tag=X, whereas only event is "here are the rules of how to trace the following event". So "event" alone fits under "rules", but now with the plural or tag category, it's shakier.

[NDStrahilevitz]

Policy event field should accommodate this feature right now, will test and close if it does work.

[itaysk]

@NDStrahilevitz can you share how?