Allow unknown sources #1538
Conversation
Please note that the `if append then` is evaluated after the check to skip unknown sources. So, it seems to me that by doing so, the `append` property will not be considered for sources other than `syscall` and `k8s_audit`.

If that was intended, then I don't understand the reason.
The idea is to entirely skip rules where the source is something other than syscall/k8s_audit. So that would also mean skipping appending rules to other rules, since the appended rule would be one that falco should skip anyway. I think I got that part right--which `if append then` were you looking at?
Ok, your intent is clear to me now, thanks for the explanation. Anyway, another point: it is not exactly clear to me (as a user) what's the purpose to silently ignore those rules. It could lead to errors that can be hard to discover (imagine a typo on a filter name that would produce an unknown filter). So, what's the use case, could you provide an example?
If the rule/macro's source is something other than "syscall" or "k8s_audit", silently ignore the rule/macro.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>

The rules file has a rule/macro with an unknown source as well as a rule that matches a trace file, and verifies that the rule/macro with the unknown source doesn't interfere with rule loading/event matching.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
I discussed more with @leogr and I'm going to close this for now. Maybe we'll bring it back when falco starts handling a wider variety of event sources.
What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area engine

What this PR does / why we need it:

In #1427 rule processing was already relaxed a bit to allow rules to have new properties without failures. This further relaxes processing to completely ignore rules that have a source other than "syscall" or "k8s_audit", for example:

Without this change, falco will try to read rules with unknown sources and match the filtercheck fields against known supported sets for k8s audit/syscall.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
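The behaviour debated above, written out as an added example that is not Falco's own loader code: rules and macros are plain dicts shaped like Falco rule/macro entries, anything whose `source` is not `syscall` or `k8s_audit` is skipped, and an `append` entry whose base rule was skipped is skipped with it (the PR author's intent). Following the reviewer's concern about silent skipping, every dropped entry is reported back with a reason, so a typo in a `source` value is visible at load time. The sample rules, the default of `syscall` when no `source` is given, and the condition-concatenation used for `append` are assumptions made for this example.

```python
"""Rule loading with an allow-list of event sources (added example, not Falco code).

Models the PR's behaviour: skip rules/macros whose `source` is unknown, skip
`append` entries whose base object was skipped, and, unlike the PR, report
every skipped entry instead of ignoring it silently.
"""
from typing import Dict, List, Tuple

# Sources the engine knows how to evaluate filter fields for.
KNOWN_SOURCES = {"syscall", "k8s_audit"}

# Constructed sample: what a small rules file might parse to (not from the page).
SAMPLE_RULES = [
    {"macro": "open_write",
     "condition": "evt.type=open and evt.is_open_write=true"},
    {"rule": "Write below etc", "desc": "write to /etc",
     "condition": "open_write and fd.name startswith /etc",
     "output": "File below /etc opened for writing (file=%fd.name)",
     "priority": "WARNING"},
    # append to a rule the engine loaded: gets merged
    {"rule": "Write below etc", "append": True,
     "condition": "and not proc.name=apt"},
    # hypothetical source the engine does not understand: skipped
    {"rule": "Console login", "source": "aws_cloudtrail", "desc": "console login",
     "condition": "ct.name=ConsoleLogin", "output": "login", "priority": "INFO"},
    # append to a skipped rule: skipped along with it
    {"rule": "Console login", "append": True, "condition": "and ct.user=root"},
    {"macro": "k8s_pod_create", "source": "k8s_audit",
     "condition": "ka.verb=create and ka.target.resource=pods"},
    # append with no base object at all: a hard error
    {"rule": "Orphan append", "append": True, "condition": "and fd.name=/etc/passwd"},
]


def load_rules(items, known_sources=KNOWN_SOURCES) -> Tuple[Dict[str, dict], List[str], List[str]]:
    """Return (loaded, skipped, errors).

    loaded:  name -> merged rule/macro dict, only for known sources
    skipped: one reason string per dropped entry, so nothing vanishes silently
    errors:  hard failures (e.g. an append with nothing to append to)
    """
    loaded: Dict[str, dict] = {}
    skipped_source: Dict[str, str] = {}  # name -> the unknown source it declared
    skipped: List[str] = []
    errors: List[str] = []

    for item in items:
        if "rule" in item:
            kind = "rule"
        elif "macro" in item:
            kind = "macro"
        else:
            errors.append(f"entry has neither 'rule' nor 'macro': {item!r}")
            continue
        name = item[kind]

        if item.get("append"):
            if name in skipped_source:
                # Base object was dropped for an unknown source, so the
                # appended fragment belongs to a rule the engine will never run.
                skipped.append(f"{kind} '{name}': append skipped, base {kind} "
                               f"has unknown source '{skipped_source[name]}'")
                continue
            if name not in loaded:
                errors.append(f"{kind} '{name}': append requested but no "
                              f"existing {kind} to append to")
                continue
            # Merge by concatenating condition text (assumed merge semantics).
            loaded[name]["condition"] = f"{loaded[name]['condition']} {item['condition']}"
            continue

        source = item.get("source", "syscall")  # assumption: default source
        if source not in known_sources:
            skipped_source[name] = source
            skipped.append(f"{kind} '{name}': unknown source '{source}' "
                           f"(known: {sorted(known_sources)})")
            continue

        loaded[name] = dict(item)  # copy so later appends do not mutate input

    return loaded, skipped, errors


if __name__ == "__main__":
    rules, dropped, problems = load_rules(SAMPLE_RULES)
    for name in rules:
        print("loaded ", name)
    for reason in dropped:
        print("skipped", reason)
    for err in problems:
        print("error  ", err)
```

Running it loads `open_write`, `Write below etc` (with the appended condition merged in) and `k8s_pod_create`, reports both `Console login` entries as skipped with the unknown source named, and flags `Orphan append` as an error; the `skipped` list is what a loader would log so that a misspelled source does not disappear without trace.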