K8s env, best practice, container.info over container.id #1384
Conversation
Welcome @epcim! It looks like this is your first PR to falcosecurity/falco 🎉
55c38e5 to 10a5d41
To change the rules, I have used these few sed commands: https://github.com/epcim/falco/blob/container-info-dockerfile/docker/falco/Dockerfile#L113 (the target branch is an example; I do have a different build pipeline).
LGTM
Thanks @epcim for sending this.
Could you please adjust the release-note block as per the contributing guidelines (it should theoretically list all the rules you made changes to) and rebase this on top of master?
Anyways, I tend to agree with your changes but there's at least a point that we need to take into consideration.
When container.info is not available the output will contain its fallback. Is such a fallback something like what we have now (e.g., container_id=<ID>)?
Could you provide a fallback example, please?
10a5d41 to cf531b4
Modified rules:
rule(Disallowed SSH Connection)
rule(Unexpected outbound connection destination)
rule(Unexpected inbound connection source)
rule(Modify Shell Configuration File)
rule(Read Shell Configuration File)
rule(Schedule Cron Jobs)
rule(Update Package Repository)
rule(Read ssh information)
rule(Write below etc)
rule(Read sensitive file trusted after startup)
rule(Write below rpm database)
rule(Modify binary dirs)
rule(Mkdir binary dirs)
rule(System user interactive)
rule(Terminal shell in container)
rule(System procs network activity)
rule(Program run with disallowed http proxy env)
rule(Interpreted procs inbound network activity)
rule(Interpreted procs outbound network activity)
rule(Unexpected UDP Traffic)
rule(User mgmt binaries)
rule(Create files below dev)
rule(Unexpected K8s NodePort Connection)
rule(Netcat Remote Code Execution in Container)
rule(Launch Suspicious Network Tool in Container)
rule(Launch Suspicious Network Tool on Host)
rule(Search Private Keys or Passwords)
rule(Clear Log Activities)
rule(Remove Bulk Data from Disk)
rule(Create Hidden Files or Directories)
rule(Launch Remote File Copy Tools in Container)
rule(Create Symlink Over Sensitive Files)
rule(Detect outbound connections to common miner pool ports)
rule(Detect crypto miners using the Stratum protocol)
rule(Packet socket created in container)
rule(Network Connection outside Local Subnet)
rule(Redirect STDOUT/STDIN to Network Connection in Container)
Signed-off-by: Petr Michalec <epcim@apeliave.net>
cf531b4 to d73704f
@leodido so I have rebased and updated the commit message.
Modified rules are:
@leodido all ok?
I think
Two questions from @ldegio (during our Falco Community Calls) today:
Because maybe, disregarding eventual container ID duplication, this could be the way to go to also take care of @Kaizhe's legit concerns.
Appending
Please append container.info instead of replacing container.id
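One way to apply this suggestion (and the sed-based rewrite the PR author mentions) to a rules file, as an added example that is not code from the Falco project or from this PR; it assumes single-line output entries and works on a constructed two-rule sample:

```shell
#!/bin/sh
# Added example: append %container.info to every rule output that carries
# %container.id, as the reviewer suggested, instead of replacing it.
# Assumption: "output:" entries are single lines; folded (">") outputs are not handled.

append_container_info() {
  # $1: rules YAML file; rewritten rules go to stdout.
  # Only "output:" lines are touched, and lines already mentioning
  # %container.info are skipped, so re-running the rewrite is a no-op.
  sed -E '/^[[:space:]]*output:/{/%container\.info/!s/(%container\.id)/\1 %container.info/;}' "$1"
}

count_missing_info() {
  # Number of output lines that still reference %container.id without %container.info.
  grep -E '^[[:space:]]*output:' "$1" | grep '%container\.id' | grep -vc '%container\.info' || true
}

sample_rules() {
  # Constructed two-rule file loosely modelled on the falco_rules.yaml layout (not the real file).
  cat > "$1" <<'EOF'
- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: spawned_process and container and shell_procs and proc.tty != 0
  output: "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)"
  priority: NOTICE
- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name command=%proc.cmdline file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
  priority: ERROR
EOF
}

# Demo: rewrite the constructed rules file and show which outputs changed.
rules=$(mktemp)
sample_rules "$rules"
echo "outputs lacking %container.info before: $(count_missing_info "$rules")"
append_container_info "$rules" > "$rules.new"
echo "outputs lacking %container.info after:  $(count_missing_info "$rules.new")"
diff "$rules" "$rules.new" || true
rm -f "$rules" "$rules.new"
```

The first sample rule already carries %container.info and is left untouched, so only the second output line changes; running the rewrite a second time changes nothing.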
So do we need any other default then? falco/userspace/engine/lua/rule_loader.lua Line 694 in 3693b16
As long as
Can you confirm I can use the same JSON pointer (I don't need to change anything, e.g. pointer name, level) to get the container ID if you use
Seems like it, but somebody else had better confirm. I am not a Falco developer, just a contributor. Macro Also
I won't do a rebase anymore.
On 20 Jan 2021 17:06, poiana <notifications@github.com> wrote:
@epcim: PR needs rebase.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/milestone 0.28.1
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community.
@poiana: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What type of PR is this?
/kind rule-update
/area rules
What this PR does / why we need it:
In my case, I log to ES, and I want all information about running pods available within the alert/audit record. The output field of a rule frequently misses important information (i.e., namespace). The container.info macro instead can provide a bunch of useful details if k8s is configured (otherwise it has a fallback).
It is then better to log all details and have them available on alerts.
(Here I miss some clarification, haven't found it documented, but it seems to me that only details about an event that are part of falcosidekick OutputFields (https://github.com/falcosecurity/falcosidekick/blob/master/outputs/alertmanager.go#L25) are the ones key=value between "()" of the output field of a rule. Sorry, I am lazy to find it again in the source code - it might be a bit different, but the truth is that the alert does not have all event details.)
Which issue(s) this PR fixes:
n/a
Special notes for your reviewer:
The rationale here is: as I can't get more details in the alert, I do need to use the flexible %container.info macro to give me all the important ones (namespace, podname, ...).
Does this PR introduce a user-facing change?: