fix: Enhance Falco syscall events triggering and reliability #220
Conversation
|
Welcome @prezha! It looks like this is your first PR to falcosecurity/event-generator 🎉 |
- Clean up several events to prevent inode starvation and other issues during repeated runs - Use random temp file/folder names to avoid overlaps and errors - Add missing binaries and fix their calls to enable all 60+ events to trigger correctly - Fix CombinedServerClient() and event naming issues to improve test reliability - Add prerequisite checks for some events and improve error handling - Add timeouts to long-running commands and remove unnecessary bash dependency - Remove deprecated and redundant Falco rules - Fix build issues on macOS and ensure tests continue even if one fails Bonus: - Clean up Makefile, disable CGO_ENABLED, and fix all linter errors - Use specific base image tags in Dockerfile to ensure a clean vulnerability scan - Update Go and dependencies to address known security issues - Refactor for consistency and code clarity, convert CRLF to LF line endings Signed-off-by: Predrag Rogic <[email protected]>
prezha
force-pushed
the
fix-event-triggering
branch
from
5fbcf76
to
11c9c09
Compare
Signed-off-by: Predrag Rogic <[email protected]>
|
Hey @prezha Thank you for this contribution! 🤩 🙏 |
|
Hey @prezha, thanks for the contribution! I will take a look in the coming days! |
Signed-off-by: Predrag Rogic <[email protected]>
|
hey @leogr and @alacuku, just a heads up: after some additional testing i noticed that the event-generator creates an increasing number of zombie processes (which can eventually create issues in the this is due to how we handle killing |
There was a problem hiding this comment.
Hey @prezha
This PR is fantastic:star_struck: you did a terrific job, thank you!
I did a first review pass, and only found very minor issues (see comments below), otherwise it seems excellent to me.
I'll give it a try with a real Falco installation as soon as I can, then I will approve.
🙏
| @@ -21,14 +21,21 @@ import ( | |||
| ) | |||
|
|
|||
| var _ = events.Register( | |||
| CreateHiddenFileOrDirectory, | |||
| CreateHiddenFilesOrDirectories, | |||
There was a problem hiding this comment.
Can you also rename the file name to create_hidden_file_or_directories.go, please?
There was a problem hiding this comment.
i've renamed it to create_hidden_files_or_directories.go
| @@ -24,16 +24,21 @@ import ( | |||
| ) | |||
|
|
|||
| var _ = events.Register( | |||
| LaunchIngressRemoteFileCopyToolsInsideContainer, | |||
| LaunchIngressRemoteFileCopyToolsInContainer, | |||
There was a problem hiding this comment.
renamed the file accordingly
| ) | ||
|
|
||
| var _ = events.Register(PotentialLocalPrivillegeEscalation) | ||
| var _ = events.Register(PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse) |
There was a problem hiding this comment.
The file name does not match.
Note the typo 👇
potential_local_privillege_escalation_via_env_var_misuse.go
There was a problem hiding this comment.
renamed file to potential_local_privilege_escalation_via_environment_variables_misuse.go
| @@ -25,12 +27,16 @@ var _ = events.Register( | |||
| ) | |||
|
|
|||
| func ReadEnvironmentVariableFromProcFiles(h events.Helper) error { | |||
|
Tried with Falco 0.38.3 $ sudo ./event-generator test syscall
INFO sleep for 100ms action=syscall.PacketSocketCreatedInContainer
WARN action skipped action=syscall.PacketSocketCreatedInContainer reason="only applicable to containers"
INFO sleep for 100ms action=syscall.CreateHardlinkOverSensitiveFiles
INFO action executed action=syscall.CreateHardlinkOverSensitiveFiles
INFO test passed action=syscall.CreateHardlinkOverSensitiveFiles rule="Create Hardlink Over Sensitive Files" source=syscall
INFO sleep for 100ms action=syscall.NetcatRemoteCodeExecutionInContainer
WARN action skipped action=syscall.NetcatRemoteCodeExecutionInContainer reason="only applicable to containers"
INFO sleep for 100ms action=syscall.FindAwsCredentials
INFO action executed action=syscall.FindAwsCredentials
INFO test passed action=syscall.FindAwsCredentials rule="Find AWS Credentials" source=syscall
INFO sleep for 100ms action=syscall.MountLaunchedInPrivilegedContainer
WARN action skipped action=syscall.MountLaunchedInPrivilegedContainer reason="only applicable to containers"
INFO sleep for 100ms action=syscall.CreateSymlinkOverSensitiveFiles
INFO action executed action=syscall.CreateSymlinkOverSensitiveFiles
INFO test passed action=syscall.CreateSymlinkOverSensitiveFiles rule="Create Symlink Over Sensitive Files" source=syscall
INFO sleep for 100ms action=syscall.RemoveBulkDataFromDisk
INFO action executed action=syscall.RemoveBulkDataFromDisk
INFO test passed action=syscall.RemoveBulkDataFromDisk rule="Remove Bulk Data from Disk" source=syscall
INFO sleep for 100ms action=syscall.DisallowedSSHConnectionNonStandardPort
ERRO action error action=syscall.DisallowedSSHConnectionNonStandardPort error="context deadline exceeded"
INFO sleep for 100ms action=syscall.DropAndExecuteNewBinaryInContainer
WARN action skipped action=syscall.DropAndExecuteNewBinaryInContainer reason="only applicable to containers"
INFO sleep for 100ms action=syscall.RunShellUntrusted
INFO spawn as "httpd" action=syscall.RunShellUntrusted args="^helper.RunShell$"
INFO sleep for 100ms action=helper.RunShell as=httpd
INFO action executed action=helper.RunShell as=httpd
INFO test passed action=syscall.RunShellUntrusted rule="Run shell untrusted" source=syscall
INFO sleep for 100ms action=syscall.LaunchSuspiciousNetworkToolOnHost
WARN action skipped action=syscall.LaunchSuspiciousNetworkToolOnHost reason="nmap executable file not found in $PATH"
INFO sleep for 100ms action=syscall.ClearLogActivities
INFO action executed action=syscall.ClearLogActivities
INFO test passed action=syscall.ClearLogActivities rule="Clear Log Activities" source=syscall
INFO sleep for 100ms action=syscall.DebugfsLaunchedInPrivilegedContainer
WARN action skipped action=syscall.DebugfsLaunchedInPrivilegedContainer reason="only applicable to containers"
INFO sleep for 100ms action=syscall.ExecutionFromDevShm
INFO action executed action=syscall.ExecutionFromDevShm
INFO test passed action=syscall.ExecutionFromDevShm rule="Execution from /dev/shm" source=syscall
INFO sleep for 100ms action=syscall.FilelessExecutionViaMemfdCreate
INFO action executed action=syscall.FilelessExecutionViaMemfdCreate
INFO test passed action=syscall.FilelessExecutionViaMemfdCreate rule="Fileless execution via memfd_create" source=syscall
INFO sleep for 100ms action=syscall.ReadSensitiveFileUntrusted
INFO action executed action=syscall.ReadSensitiveFileUntrusted
INFO test passed action=syscall.ReadSensitiveFileUntrusted rule="Read sensitive file untrusted" source=syscall
INFO sleep for 100ms action=syscall.JavaProcessClassFileDownload
INFO spawn as "java" action=syscall.JavaProcessClassFileDownload args="^helper.CombinedServerClient$"
INFO sleep for 100ms action=helper.CombinedServerClient
ERRO action error action=syscall.JavaProcessClassFileDownload error="context deadline exceeded"
INFO sleep for 100ms action=syscall.DirectoryTraversalMonitoredFileRead
INFO action executed action=syscall.DirectoryTraversalMonitoredFileRead
INFO test passed action=syscall.DirectoryTraversalMonitoredFileRead rule="Directory traversal monitored file read" source=syscall
INFO sleep for 100ms action=syscall.DetectReleaseAgentFileContainerEscapes
WARN action skipped action=syscall.DetectReleaseAgentFileContainerEscapes reason="only applicable to containers"
INFO sleep for 100ms action=syscall.PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse
INFO action executed action=syscall.PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse
ERRO action error action=syscall.PotentialLocalPrivilegeEscalationViaEnvironmentVariablesMisuse error="context deadline exceeded"
INFO sleep for 100ms action=syscall.ReadSensitiveFileTrustedAfterStartup
INFO spawn as "httpd" action=syscall.ReadSensitiveFileTrustedAfterStartup args="^syscall.ReadSensitiveFileUntrusted$ --sleep 6s"
INFO sleep for 6s action=syscall.ReadSensitiveFileUntrusted as=httpd
INFO action executed action=syscall.ReadSensitiveFileUntrusted as=httpd
INFO test passed action=syscall.ReadSensitiveFileTrustedAfterStartup rule="Read sensitive file trusted after startup" source=syscall
INFO sleep for 100ms action=syscall.SystemUserInteractive
INFO run as "daemon" action=syscall.SystemUserInteractive cmdArgs="[]" cmdName=/bin/login user=daemon
INFO test passed action=syscall.SystemUserInteractive rule="System user interactive" source=syscall
INFO sleep for 100ms action=syscall.PtraceAntiDebugAttempt
INFO action executed action=syscall.PtraceAntiDebugAttempt
INFO test passed action=syscall.PtraceAntiDebugAttempt rule="PTRACE anti-debug attempt" source=syscall
INFO sleep for 100ms action=syscall.PtraceAttachedToProcess
INFO test passed action=syscall.PtraceAttachedToProcess rule="PTRACE attached to process" source=syscall
INFO sleep for 100ms action=syscall.SearchPrivateKeysOrPasswords
INFO action executed action=syscall.SearchPrivateKeysOrPasswords
INFO test passed action=syscall.SearchPrivateKeysOrPasswords rule="Search Private Keys or Passwords" source=syscallI got just 3 failures:
Anything else worked as expected 🚀 |
|
thanks @leogr for the review! i'll fix the files names as for the failures you got:
...
yep, i think it's because the default 100ms "sleep" sometimes is not sufficient to capture the event falco emits (and match it to the expected one in the test), so adding |
Signed-off-by: Predrag Rogic <[email protected]>
|
i've renamed all suggested files and few others for consistency |
Signed-off-by: Predrag Rogic <[email protected]>
|
just realized that gh workflows also need updated go version, which i added in the last 501ed2b commit |
Unfortunately, more That said, I believe we can dig into this issue in a follow-up PR. This is already great and big enough 😅 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: leogr, prezha The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
LGTM label has been added. Git tree hash: 7df09df584861eb1b1c2442fb8f0874d6f958de3
|
foreword/background:
wanted to use falco event-generator for stability/regression testing, but hit some issues that this pr aims to fix
i appreciate this is a bigger pr with lots of changes for i did not have a time to break it down into individual commits/PRs - the intention here is to offer the improvements i made and i'm, of course, happy to provide any additional clarification needed
changelog:
Dockerfile(container image) required for some events to be able to trigger at allCombinedServerClient()func where call might end before server was able to catch a message sent by client (hence not triggering event)DisallowedSSHConnectionrule (ref)ContactCloudMetadataServiceFromContainer(falco would likely trigger "Contact EC2 Instance Metadata Service From Container" instead)bonus:
Makefileand disabled CGO_ENABLED for building the binarygolangci-lintv1.61.0) errors and complainsDockerfileinstead of "latest", so thattrivyv0.55.1 vulnerability scanner finds zero issues with os-level packages in the final container image (alpine 3.20.3)trivyv0.55.1 andgovulncheckv1.1.3) do not find any known issues with the code/dependencies (like GO-2024-2687 - HTTP/2 CONTINUATION flood in net/http, CVE-2023-45288 and CVE-2024-24786, etc.)testing performed
make test: all local tests are passingevent-generator test: all tests are now passing - tested inminikubev1.34 using KVM and containerd with falcomodern_ebpfdriver and with both privileged and non-privileged mode/container/kind bug
/kind cleanup
/kind tests
/area events