Falco Priority "Informational" does not work #64

Closed
portaldon opened this issue Dec 17, 2020 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@portaldon

portaldon commented Dec 17, 2020

When creating a Falco Rule using Terraform, you should be able to set priority to “informational”. However, the provider does not accept “informational”, only “info”. And because the Sysdig API expects “informational”, that results in Terraform always making changes when running “terraform apply”.

To give an example, every time we run “terraform plan”, we have 17 of the changes below:

```
(…)

~ resource "sysdig_secure_rule_falco" "rule_system_user_interactive" {
    append      = false
    condition   = "spawned_process and system_users and interactive and not user_known_system_user_login"
    description = "an attempt to run interactive commands by a system (i.e. non-login) user"
    id          = "446"
    name        = "Terraform - System user interactive"
    output      = "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"
  ~ priority    = "info" -> "informational"
    source      = "syscall"
    tags        = [
        "NIST_800-53_AU-6(8)",
        "NIST_800-53_AC-6",
        "SOC2_CC6.1",
        "SOC2",
        "users",
        "NIST_800-53_AC-2g",
        "NIST_800-53_AC-17",
        "NIST_800-53_SI-4(24)",
        "NIST_800-53_AU-2",
        "NIST_800-53_SI-7(11)",
        "mitre_remote_access_tools",
        "NIST_800-53_SI-4",
        "NIST_800-53",
        "NIST_800-53_SI-3",
        "NIST_800-53_SI-4(2)",
    ]
    version     = 20
}

Plan: 0 to add, 17 to change, 0 to destroy.
```

As you can see Terraform wants to change from “info” to “informational” since that’s what the Sysdig API expects (~ priority = "info" -> "informational"). But in the code we’re actually not changing anything. My suggestion would be to update the Sysdig provider to accept “informational” instead of “info”.

```go
ValidateDiagFunc: validateDiagFunc(validation.StringInSlice([]string{"emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"}, false)),
```

@tembleking
Member

Hi @Donald-Sysdig, thanks for reporting, but this contradicts the behavior at #59. What version of the API is this? And what's the correct priority? info or informational?

@portaldon
Author

@tembleking ,

Per Falco rules documentation (https://falco.org/docs/rules/), field Priority must be:
emergency, alert, critical, error, warning, notice, informational, debug

@tembleking tembleking added the bug Something isn't working label Jan 7, 2021
@tembleking tembleking self-assigned this Jan 7, 2021
@tembleking
Member

@Donald-Sysdig I am testing with this resource:

```hcl
resource "sysdig_secure_rule_falco" "rule_system_user_interactive" {
  condition   = "spawned_process and system_users and interactive and not user_known_system_user_login"
  description = "an attempt to run interactive commands by a system (i.e. non-login) user"
  name        = "Terraform - System user interactive"
  output      = "System user ran an interactive command (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline container_id=%container.id image=%container.image.repository)"

  priority = "info"
  source   = "syscall"
  tags = [
    "NIST_800-53_AU-6(8)",
    "NIST_800-53_AC-6",
    "SOC2_CC6.1",
    "SOC2",
    "users",
    "NIST_800-53_AC-2g",
    "NIST_800-53_AC-17",
    "NIST_800-53_SI-4(24)",
    "NIST_800-53_AU-2",
    "NIST_800-53_SI-7(11)",
    "mitre_remote_access_tools",
    "NIST_800-53_SI-4",
    "NIST_800-53",
    "NIST_800-53_SI-3",
    "NIST_800-53_SI-4(2)",
  ]
}
```

And after applying it, I am unable to reproduce this issue:

```
$ terraform plan
sysdig_secure_rule_falco.rule_system_user_interactive: Refreshing state... [id=23427]

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
```

How did you reproduce it?

@tembleking
Member

I am able to reproduce this if I revert the changes made in #59 which was already released. Our API returns "info" when the priority is "informational", so this should not be an issue with the latest version of the provider. Can you test it out please? @Donald-Sysdig
I am closing this issue for now.
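The root cause discussed in this thread (the opening report's `StringInSlice` validator only accepting `info`, while the Falco documentation spells the level `informational` and the Sysdig API can return the short form) is a classic state-versus-config drift problem: two spellings of the same level produce a perpetual diff. The Go snippet below is an added, self-contained illustration of the defensive pattern and is not the terraform-provider-sysdig code. It assumes a provider would wire `ValidatePriority` into the schema's validation hook and `PriorityEquivalent` into a diff-suppression hook; the function names, the alias table and the case-folding are choices of this example, not behaviour documented on the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Priority names exactly as the Falco rules documentation lists them
// (quoted in this issue); constructed here as the canonical set.
var falcoPriorities = []string{
	"emergency", "alert", "critical", "error",
	"warning", "notice", "informational", "debug",
}

// priorityAliases maps alternative spellings an API or user may supply
// onto the canonical Falco name. "info" is the one spelling this issue
// reports; the table is an assumption of this example.
var priorityAliases = map[string]string{
	"info": "informational",
}

// NormalizePriority trims, lowercases (a choice of this example) and
// folds known aliases onto the canonical Falco spelling, so that both
// "info" and "informational" compare as the same level.
func NormalizePriority(p string) string {
	p = strings.ToLower(strings.TrimSpace(p))
	if canon, ok := priorityAliases[p]; ok {
		return canon
	}
	return p
}

// ValidatePriority accepts any documented Falco priority or a known
// alias and rejects everything else. Unlike a plain StringInSlice over
// one spelling, it does not force users to write the form the API
// happens to echo back.
func ValidatePriority(p string) error {
	n := NormalizePriority(p)
	for _, v := range falcoPriorities {
		if v == n {
			return nil
		}
	}
	return fmt.Errorf("invalid priority %q: expected one of [%s] or the alias \"info\"",
		p, strings.Join(falcoPriorities, ", "))
}

// PriorityEquivalent reports whether the value held in state (as the
// API returned it) and the value in the configuration denote the same
// level. Used as a diff-suppression predicate, it stops
// `"info" -> "informational"` from appearing on every plan.
func PriorityEquivalent(state, config string) bool {
	return NormalizePriority(state) == NormalizePriority(config)
}

func main() {
	for _, p := range []string{"informational", "info", "INFO", "notice", "verbose"} {
		fmt.Printf("%-14s -> %-14s valid=%v\n",
			p, NormalizePriority(p), ValidatePriority(p) == nil)
	}
	// The pairing from the reported plan output: no diff once normalized.
	fmt.Println("plan would show a change:", !PriorityEquivalent("info", "informational"))
}
```

The point of separating the two hooks is that validation guards what a user may write, while diff suppression guards what the remote API is allowed to rewrite; fixing only the validator (accepting `informational` but still storing whatever the API returns) would leave the perpetual diff in place, which is why the maintainer's fix in #59 had to address the API's `info` response rather than the accepted input list.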
