Add exceptions support #1427

Merged (15 commits) on Jan 19, 2021

Commits on Jan 8, 2021

  1. Pass back warnings when loading rules

    Add the notion of warnings when loading rules, which are printed if
    verbose is true:
    
     - load_rules now returns a tuple (success, required engine version,
       error array, warnings array) instead of (true, required engine
       version) or (false, error string)
     - build_error/build_error_with_context now returns an array instead of
       string value.
     - warnings are combined across calls to load_rules_doc
     - Current warnings include:
       - a rule that contains an unknown filter
       - a macro not referred to by any rule
       - a list not referred to by any rule/macro/list
    
    Any errors/warnings are concatenated into the exception if success was
    false. Any errors/warnings will be printed if verbose is true.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 7cfcf0b)
  2. Allow unknown top level objs as warnings

    When parsing a rules file, if a top-level object is not one of the known
    types (rule, macro, list, required_engine_version), add a warning instead
    of failing parsing.
    
    This adds some forwards-compatibility to rules files.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit ff2bcb7)
  3. Update tests expected outputs

    The format of error responses has changed to include a summary of errors
    and/or warnings. This changed many test cases that were looking for
    specific outputs.
    
    Update to add counts and other minor formatting changes.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 56c8706)
  4. Support exceptions properties on rules

    Support exceptions properties on rules as described in
    #1376.
    
    - When parsing rules, add an empty exceptions table if not specified.
    - If exceptions are specified, they must contain names and lists of
      fields, and optionally can contain lists of comps and lists of lists of
      values.
    - If comps are not specified, = is used.
    - If a rule has exceptions and append:true, add values to the original rule's
      exception values with the matching name.
    - It's a warning but not an error to have exception values with a name
      not matching any fields.
    
    After loading all rules, build the exception condition string based on
    any exceptions:
    
    - If an exception has a single value for the "fields" property, values are
      combined into a single set to build a condition string like "field
      cmp (val1, val2, ...)".
    - Otherwise, iterate through each rule's exception values, finding the
      matching field names (field1, field2, ...) and comp operators (cmp1,
      cmp2, ...), then iterate over the list of field values (val1a, val1b,
      ...), (val2a, val2b, ...), building up a string of the form:
        "and not ((field1 cmp1 val1a and field2 cmp2 val1b and ...) or
                  (field1 cmp1 val2a and field2 cmp2 val2b and ...) ...)"
    - If a value is not already quoted and contains a space, quote it in the
      string.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 3c59e3d)
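The exception handling this commit message describes, worked through as an added Python example. This is not Falco's rule loader (which is Lua) and not code from this PR: the function names (quote_value, normalize_exceptions, load_rules, build_exception_condition), the sample rules and the field values in them are my own. It follows the rules stated above: a missing exceptions property becomes an empty table, missing comps default to "=", an append:true rule adds its values to the original rule's exception with the same name, a name that matches no exception is a warning rather than an error, a single-field exception collapses its values into one set, a multi-field exception becomes an OR of per-tuple conjunctions, and a value containing a space is quoted.

```python
# Added example, not Falco's Lua rule loader: models the exception handling
# described in commit 4. Function names and sample rules are my own.
import copy

def quote_value(value):
    """Quote a value that contains a space unless it is already quoted."""
    text = str(value)
    already_quoted = len(text) >= 2 and text[0] == '"' and text[-1] == '"'
    return '"' + text + '"' if " " in text and not already_quoted else text

def normalize_exceptions(rule):
    """Add an empty exceptions table if missing and default comps to '='."""
    for exc in rule.setdefault("exceptions", []):
        if "name" not in exc or "fields" not in exc:
            raise ValueError(f"rule {rule['rule']}: exceptions need a name and fields")
        fields = exc["fields"]
        if isinstance(fields, list):
            comps = exc.setdefault("comps", ["="] * len(fields))
            if len(comps) != len(fields):
                raise ValueError(f"rule {rule['rule']}: comps must match fields")
        else:
            exc.setdefault("comps", "=")
        exc.setdefault("values", [])
    return rule

def load_rules(rules):
    """Return (rules by name, warnings). An append:true rule adds its values to
    the original rule's exception of the same name; an unknown name is a warning."""
    loaded, warnings = {}, []
    for rule in copy.deepcopy(rules):  # copy so repeated loads do not double-append
        name = rule["rule"]
        if not rule.get("append"):
            loaded[name] = normalize_exceptions(rule)
            continue
        original = loaded.get(name)
        if original is None:
            raise ValueError(f"rule {name}: append:true but no original rule")
        for exc in rule.get("exceptions", []):
            targets = [e for e in original["exceptions"] if e["name"] == exc["name"]]
            if not targets:
                warnings.append(f"rule {name}: exception values with name "
                                f"{exc['name']} do not match any exception fields")
                continue
            targets[0]["values"].extend(exc.get("values", []))
    return loaded, warnings

def build_exception_condition(rule):
    """Append an 'and not (...)' clause for every exception that has values."""
    condition = rule["condition"]
    for exc in rule["exceptions"]:
        if not exc["values"]:
            continue
        fields, comps = exc["fields"], exc["comps"]
        if isinstance(fields, list):
            # Several fields: one parenthesised conjunction per value tuple, OR-ed together.
            clauses = []
            for values in exc["values"]:
                if len(values) != len(fields):
                    raise ValueError(f"rule {rule['rule']}: {values} does not match {fields}")
                terms = [f"{f} {c} {quote_value(v)}" for f, c, v in zip(fields, comps, values)]
                clauses.append("(" + " and ".join(terms) + ")")
            condition += " and not (" + " or ".join(clauses) + ")"
        else:
            # Single field: all values collapse into one set (duplicates dropped, order kept).
            unique = list(dict.fromkeys(quote_value(v) for v in exc["values"]))
            condition += f" and not ({fields} {comps} ({', '.join(unique)}))"
    return condition

# Constructed sample rules (not from the Falco rules files): an original rule with
# two exceptions, an append rule that extends one of them, and a rule with none.
SAMPLE_RULES = [
    {"rule": "Write below etc",
     "condition": "open_write and fd.name startswith /etc",
     "exceptions": [
         {"name": "proc_writer", "fields": ["proc.name", "fd.directory"],
          "values": [["apt", "/etc/apt"]]},
         {"name": "container_image", "fields": "container.image.repository",
          "comps": "in", "values": ["docker.io/library/nginx"]}]},
    {"rule": "Write below etc", "append": True,
     "exceptions": [
         {"name": "proc_writer", "values": [["my updater", "/etc/my app"]]},
         {"name": "container_image", "values": ["docker.io/library/nginx"]},
         {"name": "no_such_exception", "values": [["x", "y"]]}]},
    {"rule": "Read sensitive file", "condition": "open_read and fd.name in (sensitive_files)"},
]

def demo():
    """Load the sample rules and return (expanded condition, warnings)."""
    loaded, warnings = load_rules(SAMPLE_RULES)
    return build_exception_condition(loaded["Write below etc"]), warnings

if __name__ == "__main__":
    expanded, warnings = demo()
    print(expanded)
    print(warnings)
```

Running it prints the expanded condition for "Write below etc" followed by the single warning for the unmatched exception name; the rule without an exceptions property loads with an empty table and its condition is returned unchanged.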
  5. Automated tests for exceptions

    Handle various positive and negative cases. Should handle every error
    and warning path when reading exceptions objects or rule exception
    fields, and various positive cases of using exceptions to prevent
    alerts.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit c483f41)
  6. Don't look for event counts with -V/validate

    When running falco with -V/validate <rules file>, you won't get any
    event counts. All prior tests didn't get this far as they also resulted
    in rules parsing errors.
    
    However, validating can now result in warnings only. This won't exit but
    won't print event counts either.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit a9c763b)
  7. Bump falco engine version to 8 for exceptions.

    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit e839e5f)
  8. Add exceptions fields/comps/values to rules files

    Take advantage of the changes to support exceptions and refactor rules
    to use them whenever feasible:
    
    - Define exceptions for every rule. In cases where no practical
      exception exists e.g. "K8s <obj> Created/Deleted", define an empty
      exception property just to avoid warnings when loading rules.
    - Go through all rules and convert macros-used-as-exceptions that
      matched against 2-3 filter fields into exceptions. In most cases,
      switching from equality (e.g. proc.name=nginx) to in (e.g. proc.name
      in (nginx)) allowed for better groupings into a smaller set of
      exception items.
    - In cases where the exception had complex combinations of fields, keep
      the macro as is.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit cb1ed63)
  9. Properly note lists in other lists as used

    If a list:
    
    - list: foo
      items: [a, b, c]
    
    was referenced in another list:
    
    - list: bar
      items: [foo, d, e, f]
    
    the first list would not be marked as used, when it should.
    
    This avoids mistaken messages like "list xxx not referred to by any rule/macro/list"
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 1acd926)
  10. Remove old unused macros/lists

    Remove old macros/lists that aren't being used by any current rules.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit fb4f0ff)
  11. Remove test case for unknown objects.

    The rules loader now allows objects with unknown keys.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 5fe69c4)
  12. Use the right not equals operator.

    Fix typo, "!" should be "!=".
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit a2d9cec)
  13. Remove falco_tests.yaml from gitignore

    It was renamed from falco_tests.yaml.in in
    5bafa19.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 48a409f)
  14. Make the req. engine version 8 for k8s_audit rules

    These define exceptions too.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit 8a67a31)
  15. Also include all exception fields in rule_result

    When returning a rule_result struct, also include a set of field names
    used by all exceptions for this rule. This may make building exception
    values a bit easier.
    
    Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
    mstemm committed Jan 8, 2021 (commit d5c2f67)