import re


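# Image suffixes of utilities that only count when the command line also
# contains a ">" redirection.
_REDIRECT_TOOL_SUFFIXES = ("/cat", "/echo", "/grep", "/head", "/more", "/tail")

# Image suffixes of editors; these count without a redirection.
_EDITOR_SUFFIXES = ("/emacs", "/nano", "/sed", "/vi", "/vim")

# Path fragments looked for anywhere in the command line. Several are broad
# ("/sbin", "/usr/bin/") and match any command line that mentions them.
_WATCHED_PATH_FRAGMENTS = (
    "/bin/login",
    "/bin/passwd",
    "/boot/",
    "/etc/cron.",
    "/etc/crontab",
    "/etc/hosts",
    "/etc/init.d",
    "/etc/sudoers",
    "/opt/bin/",
    "/sbin",
    "/usr/bin/",
    "/usr/local/bin/",
)

# Unanchored and used with search(): the previous anchored form
# (^.* ... .*$ with re.match) could not match once the command line held a
# newline, because "." does not cross line breaks. That gave this branch a
# blind spot that the plain substring checks above do not have.
# NOTE(review): the "." before "conf" is unescaped, so it matches any
# character (e.g. "/etc/resolvconf"). Left as-is so every command line that
# matched before still matches; confirm whether a literal ".conf" was meant.
_ETC_CONF_PATTERN = re.compile(r"/etc/.*.conf")

# Command-line prefixes of the sed invocations excluded for mdadm.conf.
_MDADM_SED_PREFIXES = ("sed -i /^", "sed -ne s/^")


def rule(event):
    """Return True when a process event looks like a write to a watched path.

    The event matches when all of the following hold:

    * ``Image`` ends with an editor name, or ends with a redirect-capable
      utility name while ``CommandLine`` contains ``>``;
    * ``CommandLine`` mentions one of the watched path fragments or matches
      the ``/etc/...conf`` pattern;
    * the event is not the excluded ``/bin/sed`` edit of
      ``/etc/mdadm/mdadm.conf``.

    Args:
        event: Object exposing ``deep_get(key, default=...)``; the fields
            ``Image`` and ``CommandLine`` are read as strings.

    Returns:
        bool: True if the event should alert, False otherwise.
    """
    # "or ''" keeps the string methods below safe if a field comes back as
    # None despite the default.
    image = event.deep_get("Image", default="") or ""
    command_line = event.deep_get("CommandLine", default="") or ""

    redirected_write = image.endswith(_REDIRECT_TOOL_SUFFIXES) and ">" in command_line
    if not (redirected_write or image.endswith(_EDITOR_SUFFIXES)):
        return False

    mentions_watched_path = any(
        fragment in command_line for fragment in _WATCHED_PATH_FRAGMENTS
    ) or bool(_ETC_CONF_PATTERN.search(command_line))
    if not mentions_watched_path:
        return False

    # Exclusion: /bin/sed run with one of two fixed prefixes against
    # /etc/mdadm/mdadm.conf. All three conditions must hold to suppress.
    excluded_mdadm_edit = (
        image.endswith("/bin/sed")
        and command_line.startswith(_MDADM_SED_PREFIXES)
        and command_line.endswith("/etc/mdadm/mdadm.conf")
    )
    return not excluded_mdadm_edit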
