
Allow unknown sources #1538

Closed

wants to merge 2 commits into from

Conversation

Contributor

@mstemm mstemm commented Jan 26, 2021

What type of PR is this?

In #1427 rule processing was already relaxed a bit to allow rules to have new properties without failures. This further relaxes processing to completely ignore rules that have a source other than "syscall" or "k8s_audit", for example:

- rule: Rule with unknown source
  condition: some unknown filter
  output: some unknown output
  priority: INFO

Without this change, falco will try to read rules with unknown sources and match the filtercheck fields against known supported sets for k8s audit/syscall.


Does this PR introduce a user-facing change?:

Silently allow and ignore rules where the source is something other than "syscall" or "k8s_audit" (or blank, which defaults to "syscall").

@poiana

poiana commented Jan 26, 2021

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign mstemm after the PR has been reviewed.
You can assign the PR to them by writing /assign @mstemm in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member

@leogr leogr left a comment

Please note that the if append then is evaluated after the check to skip unknown sources. So, it seems to me that by doing so, the append property will not be considered for sources other than syscall and k8s_audit.

If that was intended, then I don't understand the reason.

@mstemm
Contributor Author

mstemm commented Jan 29, 2021

The idea is to entirely skip rules where the source is something other than syscall/k8s_audit. So that would also mean skipping appending rules to other rules, since the appended rule would be one that falco should skip anyway. I think I got that part right--which if append then were you looking at?

@leogr
Member

leogr commented Feb 1, 2021

> The idea is to entirely skip rules where the source is something other than syscall/k8s_audit. So that would also mean skipping appending rules to other rules, since the appended rule would be one that falco should skip anyway. I think I got that part right--which if append then were you looking at?

Ok, your intent is clear to me now, thanks for the explanation.

Anyway, another point: it is not exactly clear to me (as a user) what's the purpose to silently ignore those rules. It could lead to errors that can be hard to discover (imagine a typo on a filter name that would produce an unknown filter). So, what's the use case, could you provide an example?

If the rule/macro's source is something other than "syscall" or
"k8s_audit", silently ignore the rule/macro.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

The rules file has a rule/macro with an unknown source as well as a rule
that matches a trace file, and verifies that the rule/macro with the
unknown source doesn't interfere with rule loading/event matching.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
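The following is an added example and is not code from the Falco project or from this PR; it is a toy rule loader that models the behaviour debated above: the description's point that, without the change, a rule with an unrecognised source is validated like a syscall/k8s_audit rule and fails the load, the change's behaviour of silently skipping such rules, and leogr's concern that a typo can then make a rule vanish without any error. The second commit's test fixture (an unknown-source rule next to a normal rule) is mirrored by the constructed rules file. KNOWN_FIELDS, DEFAULT_SOURCE, RULES_FILE, the minimal rules-file reader and every function name are assumptions made for this illustration; the pre-PR behaviour is simplified to "check the fields against the union of the known sets".

```python
"""Added example (not Falco's own code): a toy rule loader modelling the
behaviour this PR discusses.  Rules with a source Falco does not know are
either validated like syscall/k8s_audit rules and rejected (pre-PR, simplified
here as a check against the union of the known field sets) or silently
skipped (this PR).  Every name and value below is constructed."""

import re

# Constructed, tiny per-source field sets (the real lists come from `falco --list`).
KNOWN_FIELDS = {
    "syscall": {"evt.type", "evt.dir", "proc.name", "fd.name", "user.name"},
    "k8s_audit": {"ka.verb", "ka.user.name", "ka.target.resource"},
}
DEFAULT_SOURCE = "syscall"  # a rule with no source is a syscall rule

# Constructed rules file: a valid syscall rule built on a macro, a rule for a
# source Falco does not handle, and a syscall rule whose source is misspelt.
RULES_FILE = """\
- macro: open_write
  condition: evt.type=open and evt.dir=<
- rule: Write below etc
  condition: open_write and fd.name startswith /etc
  output: "File below /etc opened for writing (user=%user.name file=%fd.name)"
  priority: WARNING
- rule: Rule with unknown source
  source: cloudtrail
  condition: some.unknown.field = 1
  output: unused
  priority: INFO
- rule: Typo in a syscall rule
  source: sycall
  condition: proc.name = bash
  output: unused
  priority: INFO
"""

# A field reference looks like "evt.type"; dotted paths would match too, so the
# sample file avoids them.
FIELD_RE = re.compile(r"\b[a-z_][a-z0-9_]*\.[a-z0-9_.]+")


def parse_rules_file(text):
    """Read the flat '- key: value' list shape above (not a general YAML parser)."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        items[-1][key.strip()] = value.strip().strip('"')
    return items


def expand_macros(condition, macros):
    """Substitute macro names until none remain (assumes no recursive macros)."""
    if not macros:
        return condition
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, macros)) + r")\b")
    while True:
        expanded = pattern.sub(lambda m: "(" + macros[m.group(1)] + ")", condition)
        if expanded == condition:
            return condition
        condition = expanded


def load_rules(text, skip_unknown_sources):
    """Return (loaded, skipped) rule names; raise ValueError, as a failed load,
    when a rule references a field its source does not provide."""
    items = parse_rules_file(text)
    macros = {i["macro"]: i["condition"] for i in items if "macro" in i}
    loaded, skipped = [], []
    for item in items:
        if "rule" not in item:
            continue
        name = item["rule"]
        source = item.get("source", DEFAULT_SOURCE)
        if source in KNOWN_FIELDS:
            allowed = KNOWN_FIELDS[source]
        elif skip_unknown_sources:
            skipped.append(name)  # this PR: dropped without any message
            continue
        else:
            # pre-PR (simplified): fields checked against the known sets regardless of source
            allowed = set().union(*KNOWN_FIELDS.values())
        fields = set(FIELD_RE.findall(expand_macros(item["condition"], macros)))
        unknown = fields - allowed
        if unknown:
            raise ValueError(f"rule {name!r}: unknown field(s) {sorted(unknown)}")
        loaded.append(name)
    return loaded, skipped


def load_result(text, skip_unknown_sources):
    """load_rules, with the outcome or the load error reported as a dict."""
    try:
        loaded, skipped = load_rules(text, skip_unknown_sources)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"loaded": loaded, "skipped": skipped}
```

Running load_result(RULES_FILE, False) reproduces the pre-PR failure on the cloudtrail rule's unknown field, while load_result(RULES_FILE, True) loads only "Write below etc" and drops the other two. The third rule is the case leogr raises: its source "sycall" is a typo for "syscall", so a perfectly valid syscall rule disappears with no indication that anything went wrong. A loader that wants the relaxation without that blind spot would at minimum log each skipped rule with its source, or reject sources that are not on an explicit allow-list of known-but-unhandled ones rather than accepting any string.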
@mstemm
Contributor Author

mstemm commented Feb 5, 2021

I discussed more with @leogr and I'm going to close this for now. Maybe we'll bring it back when falco starts handling a wider variety of event sources.

@mstemm mstemm closed this Feb 5, 2021
3 participants