Add exceptions support #1427
Commits on Jan 8, 2021
- 7cfcf0b Pass back warnings when loading rules

  Add the notion of warnings when loading rules, which are printed if verbose is true:
  - load_rules now returns a tuple (success, required engine version, error array, warnings array) instead of (true, required engine version) or (false, error string)
  - build_error/build_error_with_context now returns an array instead of string value.
  - warnings are combined across calls to load_rules_doc
  - Current warnings include:
    - a rule that contains an unknown filter
    - a macro not referred to by any rule
    - a list not referred to by any rule/macro/list

  Any errors/warnings are concatenated into the exception if success was false. Any errors/warnings will be printed if verbose is true.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- ff2bcb7 Allow unknown top level objs as warnings

  When parsing a rules file, if a top level object is not one of the known types rule, macro, list, required_engine_version, instead of failing parsing, add a warning instead. This adds some forwards-compatibility to rules files.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 56c8706

  The format of error responses has changed to include a summary of errors and/or warnings. This changed many test cases that were looking for specific outputs. Update to add counts and other minor formatting changes.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 3c59e3d Support exceptions properties on rules

  Support exceptions properties on rules as described in #1376.
  - When parsing rules, add an empty exceptions table if not specified.
  - If exceptions are specified, they must contain names and lists of fields, and optionally can contain lists of comps and lists of lists of values.
  - If comps are not specified, = is used.
  - If a rule has exceptions and append:true, add values to the original rule's exception values with the matching name.
  - It's a warning but not an error to have exception values with a name not matching any fields.

  After loading all rules, build the exception condition string based on any exceptions:
  - If an exception has a single value for the "fields" property, values are combined into a single set to build a condition string like "field cmp (val1, val2, ...)".
  - Otherwise, iterate through each rule's exception values, finding the matching field names (field1, field2, ...) and comp operators (cmp1, cmp2, ...), then iterating over the list of field values (val1a, val1b, ...), (val2a, val2b, ...), building up a string of the form:
    "and not ((field1 cmp1 val1a and field2 cmp2 val1b and ...) or (field1 cmp1 val2a and field2 cmp2 val2b and ...) ...)"
  - If a value is not already quoted and contains a space, quote it in the string.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
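The condition-building algorithm described in this commit message, as an added Python example that is not part of Falco or of this PR (Falco's loader itself is Lua). The function names, the constructed base rule and append fragment, the warning wording, and the "(condition) and not (...)" wrapping of the rule's own condition are this example's assumptions; the default comparator, the single-field set form, the per-row multi-field form, and the quoting rule follow the commit message.

```python
# Added example, not Falco's own Lua loader: it follows the algorithm in the
# commit message above. Function names, the constructed rule/append fragment
# and the "(condition) and not (...)" wrapping are this example's assumptions.


def quote_value(value):
    """Quote a value that contains a space, unless it is already quoted."""
    value = str(value)
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value
    if " " in value:
        return '"%s"' % value
    return value


def merge_appended_exceptions(base_exceptions, appended_exceptions):
    """Apply the exception values of an 'append: true' rule to the base rule's
    exception with the matching name. A name that matches no base exception
    yields a warning rather than an error."""
    merged = [dict(e, values=list(e.get("values") or [])) for e in base_exceptions]
    by_name = {e["name"]: e for e in merged}
    warnings = []
    for exc in appended_exceptions:
        name = exc["name"]
        if name not in by_name:
            warnings.append("exception values with name %s match no exception fields" % name)
            continue
        by_name[name]["values"].extend(exc.get("values") or [])
    return merged, warnings


def build_exception_condition(exceptions):
    """Return the ' and not (...)' suffix for a rule's exceptions, or '' when no
    exception carries any values."""
    clauses = []
    for exc in exceptions:
        fields = exc["fields"]
        values = exc.get("values") or []
        if not values:
            continue
        if isinstance(fields, str):
            # Single field: combine the values into one set -> "field cmp (v1, v2, ...)"
            comp = exc.get("comps") or "="  # '=' is the default comparator
            flat = [v[0] if isinstance(v, (list, tuple)) else v for v in values]
            uniq = list(dict.fromkeys(quote_value(v) for v in flat))
            clauses.append("%s %s (%s)" % (fields, comp, ", ".join(uniq)))
            continue
        comps = exc.get("comps") or ["="] * len(fields)
        if len(comps) != len(fields):
            raise ValueError("exception %s: comps and fields differ in length" % exc["name"])
        # Multiple fields: one "(f1 c1 v1a and f2 c2 v1b ...)" clause per row of values
        for row in values:
            if len(row) != len(fields):
                raise ValueError("exception %s: value row %r does not match fields" % (exc["name"], row))
            terms = ["%s %s %s" % (f, c, quote_value(v)) for f, c, v in zip(fields, comps, row)]
            clauses.append("(" + " and ".join(terms) + ")")
    if not clauses:
        return ""
    return " and not (" + " or ".join(clauses) + ")"


def build_rule_condition(rule):
    """Wrap the rule's own condition in parentheses and append the exception clause."""
    return "(" + rule["condition"] + ")" + build_exception_condition(rule.get("exceptions") or [])


# Constructed sample input (not from Falco's rules files): a base rule with two
# exceptions plus an 'append: true' fragment that adds values to one of them and
# names one that does not exist.
BASE_RULE = {
    "rule": "Example write below etc",
    "condition": "open_write and fd.name startswith /etc",
    "exceptions": [
        {"name": "proc_writer", "fields": "proc.name", "comps": "in",
         "values": ["dpkg", "rpm", "dpkg"]},
        {"name": "cmdline_writer", "fields": ["proc.cmdline", "fd.name"],
         "comps": ["startswith", "="],
         "values": [["apt-get install", "/etc/apt/sources.list"]]},
    ],
}
APPEND_FRAGMENT = {
    "rule": "Example write below etc", "append": True,
    "exceptions": [
        {"name": "proc_writer", "values": ["yum"]},
        {"name": "no_such_name", "values": ["x"]},
    ],
}


def demo():
    """Merge the appended values, then build the final condition string."""
    merged, warnings = merge_appended_exceptions(BASE_RULE["exceptions"], APPEND_FRAGMENT["exceptions"])
    rule = dict(BASE_RULE, exceptions=merged)
    return build_rule_condition(rule), warnings


if __name__ == "__main__":
    condition, warnings = demo()
    print(condition)
    for w in warnings:
        print("warning:", w)
```

Running `demo()` yields `(open_write and fd.name startswith /etc) and not (proc.name in (dpkg, rpm, yum) or (proc.cmdline startswith "apt-get install" and fd.name = /etc/apt/sources.list))` plus one warning for the unmatched name `no_such_name`: the duplicate `dpkg` collapses into the single set, the appended `yum` is merged by name, and the value with a space is quoted while the already-unquoted path is left alone. The mismatched-length checks are this example's own; they raise rather than warn because a value row that does not line up with its fields cannot produce a meaningful clause.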
- c483f41 Automated tests for exceptions

  Handle various positive and negative cases. Should handle every error and warning path when reading exceptions objects or rule exception fields, and various positive cases of using exceptions to prevent alerts.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- a9c763b Don't look for event counts with -V/validate

  When running falco with -V/validate <rules file>, you won't get any event counts. All prior tests didn't get this far as they also resulted in rules parsing errors. However, validating can now result in warnings only. This won't exit but won't print event counts either.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- e839e5f Bump falco engine version to 8 for exceptions.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- cb1ed63 Add exceptions fields/comps/values to rules files

  Take advantage of the changes to support exceptions and refactor rules to use them whenever feasible:
  - Define exceptions for every rule. In cases where no practical exception exists e.g. "K8s <obj> Created/Deleted", define an empty exception property just to avoid warnings when loading rules.
  - Go through all rules and convert macros-used-as-exceptions that matched against 2-3 filter fields into exceptions. In most cases, switching from equality (e.g. proc.name=nginx) to in (e.g. proc.name in (nginx)) allowed for better groupings into a smaller set of exception items.
  - In cases where the exception had complex combinations of fields, keep the macro as is.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 1acd926 Properly note lists in other lists as used

  If a list:

    - list: foo
      items: [a, b, c]

  was referenced in another list:

    - list: bar
      items: [foo, d, e, f]

  the first list would not be marked as used, when it should. This avoids mistaken messages like "list xxx not refered to by any rule/macro/list".

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
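The "not referred to" checks from the warnings introduced earlier in this PR (7cfcf0b), together with the fix this commit describes (a list named inside another list's items counts as used), as an added Python example that is not Falco's own loader code. The function name, the `lists_count` switch that reproduces the pre-fix behaviour, the identifier tokenizer, and the sample rules, macros and lists are constructed for this example; it treats a macro as used when any rule or macro condition names it, and it does not chase references transitively, matching the flat marking the commit message describes.

```python
# Added example, not Falco's own loader: reproduces the "not referred to"
# warnings from this PR, including this commit's fix that a list named in
# another list's items counts as used. Names and sample data are constructed.
import re

# Identifiers in a condition: field names (proc.name), macro and list names, keywords.
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def find_unused(rules, macros, lists, lists_count=True):
    """Return warnings for macros that no rule or macro condition references and
    for lists that no rule, macro or (when lists_count is True) other list
    references. lists_count=False reproduces the behaviour before this fix."""
    macro_names = {m["macro"] for m in macros}
    list_names = {lst["list"] for lst in lists}
    used_macros, used_lists = set(), set()
    for cond in [r["condition"] for r in rules] + [m["condition"] for m in macros]:
        for tok in TOKEN_RE.findall(cond):
            if tok in macro_names:
                used_macros.add(tok)
            if tok in list_names:
                used_lists.add(tok)
    if lists_count:
        # The fix: an item of a list that names another list marks that list used.
        for lst in lists:
            for item in lst["items"]:
                if item in list_names:
                    used_lists.add(item)
    warnings = ["macro %s not referred to by any rule" % n
                for n in sorted(macro_names - used_macros)]
    warnings += ["list %s not referred to by any rule/macro/list" % n
                 for n in sorted(list_names - used_lists)]
    return warnings


# Constructed sample: 'foo' is reachable only through the list 'bar', which a
# macro uses; 'orphan_list' and 'orphan_macro' are referenced by nothing.
SAMPLE_LISTS = [
    {"list": "foo", "items": ["a", "b", "c"]},
    {"list": "bar", "items": ["foo", "d", "e", "f"]},
    {"list": "orphan_list", "items": ["z"]},
]
SAMPLE_MACROS = [
    {"macro": "is_bar_proc", "condition": "proc.name in (bar)"},
    {"macro": "orphan_macro", "condition": "fd.name startswith /tmp"},
]
SAMPLE_RULES = [
    {"rule": "Example rule", "condition": "evt.type = execve and is_bar_proc"},
]


if __name__ == "__main__":
    print("after the fix:")
    for w in find_unused(SAMPLE_RULES, SAMPLE_MACROS, SAMPLE_LISTS):
        print("  " + w)
    print("before the fix:")
    for w in find_unused(SAMPLE_RULES, SAMPLE_MACROS, SAMPLE_LISTS, lists_count=False):
        print("  " + w)
```

With the fix enabled only `orphan_macro` and `orphan_list` are reported; with `lists_count=False` the list `foo` is wrongly reported as well, which is the mistaken message the commit removes.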
- fb4f0ff Remove old unused macros/lists

  Remove old macros/lists that aren't being used by any current rules.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 5fe69c4 Remove test case for unknown objects.

  The rules loader now allows objects with unknown keys.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- a2d9cec Use the right not equals operator.

  Fix typo, "!" should be "!=".

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 48a409f Remove falco_tests.yaml from gitignore

  It was renamed from falco_tests.yaml.in in 5bafa19.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- 8a67a31 Make the req. engine version 8 for k8s_audit rules

  These define exceptions too.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
- d5c2f67 Also include all exception fields in rule_result

  When returning a rule_result struct, also include a set of field names used by all exceptions for this rule. This may make building exception values a bit easier.

  Signed-off-by: Mark Stemm <mark.stemm@gmail.com>