Falco Priority "Informational" does not work #64
Comments
Hi @Donald-Sysdig, thanks for reporting, but this contradicts the behavior at #59. What version of the API is this? And what's the correct priority?

Per Falco rules documentation (https://falco.org/docs/rules/), field
@Donald-Sysdig I am testing with this resource:

```hcl
resource "sysdig_secure_rule_falco" "rule_system_user_interactive" {
  condition   = "spawned_process and system_users and interactive and not user_known_system_user_login"
  description = "an attempt to run interactive commands by a system (i.e. non-login) user"
  name        = "Terraform - System user interactive"
  output      = "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
  priority    = "info"
  source      = "syscall"
  tags = [
    "NIST_800-53_AU-6(8)",
    "NIST_800-53_AC-6",
    "SOC2_CC6.1",
    "SOC2",
    "users",
    "NIST_800-53_AC-2g",
    "NIST_800-53_AC-17",
    "NIST_800-53_SI-4(24)",
    "NIST_800-53_AU-2",
    "NIST_800-53_SI-7(11)",
    "mitre_remote_access_tools",
    "NIST_800-53_SI-4",
    "NIST_800-53",
    "NIST_800-53_SI-3",
    "NIST_800-53_SI-4(2)",
  ]
}
```

And after applying it, I am unable to reproduce this issue:

How did you reproduce it?
I am able to reproduce this if I revert the changes made in #59, which was already released. Our API returns "info" when the priority is "informational", so this should not be an issue with the latest version of the provider. Can you test it out please? @Donald-Sysdig
When creating a Falco Rule using Terraform, you should be able to set priority to “informational”. However, the provider does not accept “informational”, only “info”. And because the Sysdig API expects “informational”, that results in Terraform always making changes when running “terraform apply”.
To give an example, every time we run “terraform plan”, we have 17 of the changes below:

```text
(…)
  ~ resource "sysdig_secure_rule_falco" "rule_system_user_interactive" {
Plan: 0 to add, 17 to change, 0 to destroy.
```
As you can see Terraform wants to change from “info” to “informational” since that’s what the Sysdig API expects (~ priority = "info" -> "informational"). But in the code we’re actually not changing anything. My suggestion would be to update the Sysdig provider to accept “informational” instead of “info”.
terraform-provider-sysdig/sysdig/resource_sysdig_secure_rule_falco.go (line 44 in fba0462)
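The behaviour described in this issue, two spellings of one priority producing a change on every plan, is what a Terraform provider normally handles with a normalising validator plus a diff-suppression function, so that whichever spelling the API hands back compares equal to whichever spelling the user wrote. The following is an added example and is not code from terraform-provider-sysdig. It uses only the Go standard library: the function shapes mirror the plugin SDK's SchemaValidateFunc and DiffSuppressFunc without importing the SDK (the *schema.ResourceData argument is dropped), the priority list is the one documented at https://falco.org/docs/rules/, and the "info" to "informational" alias and the sample state/config pairs are assumptions taken from the discussion above.

```go
package main

import (
	"fmt"
	"strings"
)

// falcoPriorities lists the priority levels documented at
// https://falco.org/docs/rules/, lower-cased, highest first.
var falcoPriorities = []string{
	"emergency", "alert", "critical", "error",
	"warning", "notice", "informational", "debug",
}

// priorityAliases maps alternate spellings to the documented name.
// The only entry is the "info" spelling this issue is about; it is an
// assumption based on the comments above, not on the provider's source.
var priorityAliases = map[string]string{
	"info": "informational",
}

// NormalizePriority returns the canonical lower-case priority for s,
// or an error if s is neither a documented Falco priority nor an alias.
func NormalizePriority(s string) (string, error) {
	p := strings.ToLower(strings.TrimSpace(s))
	if canonical, ok := priorityAliases[p]; ok {
		p = canonical
	}
	for _, known := range falcoPriorities {
		if p == known {
			return p, nil
		}
	}
	return "", fmt.Errorf("invalid Falco priority %q (expected one of %s)",
		s, strings.Join(falcoPriorities, ", "))
}

// SuppressPriorityDiff reports whether the value in state (oldVal) and
// the value in the configuration (newVal) denote the same priority.
// Returning true for ("info", "informational") is exactly what stops
// the perpetual "~ priority" change shown in the issue. Unknown values
// are never equated with anything but an identical string, so a typo
// still surfaces in the plan.
func SuppressPriorityDiff(oldVal, newVal string) bool {
	o, errOld := NormalizePriority(oldVal)
	n, errNew := NormalizePriority(newVal)
	if errOld != nil || errNew != nil {
		return oldVal == newVal
	}
	return o == n
}

// ValidatePriority has the shape of a SchemaValidateFunc: it rejects
// anything NormalizePriority does not accept at plan time, before a bad
// value is ever sent to the API.
func ValidatePriority(v interface{}, key string) ([]string, []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%s: expected a string, got %T", key, v)}
	}
	if _, err := NormalizePriority(s); err != nil {
		return nil, []error{fmt.Errorf("%s: %v", key, err)}
	}
	return nil, nil
}

// PlanWouldChange models the per-attribute decision Terraform makes:
// a change is shown only when the diff is not suppressed.
func PlanWouldChange(stateValue, configValue string) bool {
	return !SuppressPriorityDiff(stateValue, configValue)
}

func main() {
	// Constructed state/config pairs; the first mirrors the issue's plan output.
	pairs := [][2]string{
		{"info", "informational"},
		{"INFORMATIONAL", " info "},
		{"warning", "error"},
		{"verbose", "verbose"},
	}
	for _, p := range pairs {
		fmt.Printf("state=%-16q config=%-16q change=%v\n",
			p[0], p[1], PlanWouldChange(p[0], p[1]))
	}
}
```

In a real provider the normalised value would also be written to state (a StateFunc or a normalising Read) so that the stored spelling is stable; the diff-suppression function is the safety net for values the API rewrites, as "informational" to "info" is reported to be here.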