fix(rules/falco_rules): solve shadowing issues with "Drop and execute new binary in container" #83
Conversation
… new binary in container` Rule was contributed by Lorenzo Susini in #20. Co-authored-by: Lorenzo Susini <[email protected]> Signed-off-by: Jason Dellaluce <[email protected]>
rules/falco_rules.yamlComparing No changes detected |
For the future, rule/macro/list reordering is something we should catch in automatic change checks. If we can't predict the major/minor/nature of the reordering, my opinion would be to add an "other/extra changes" section for things like this. cc @loresuso |
|
@jasondellaluce ty! I think the "shadowing" is something we should discuss more in detail in the new rules maturity framework as we build it out. Perhaps would you have ideas on how to expose something easy to use for end users to dictate the ordering? For example, I have a custom Go patching script that re-orders based on a predefined priority list which includes custom rules as well. But this is beyond this PR, LGTM!
Agreed. |
|
One more thought, should we add more output fields to the other rules that could be a new executable? |
|
That sounds like a good idea to me. @loresuso word to you on this. |
|
I agree that in the long term, Falco should trigger each rule in which the condition is satisfied. I think we should start prioritizing this, since the shadowing problem should be solved from its root cause. I am ok with moving the rule down in the file and as Melissa was saying, I think we can print out the
agreed! |
…rocess Signed-off-by: Jason Dellaluce <[email protected]>
rules/falco_rules.yamlComparing Patch changes:
|
|
Is everyone onboard with the current change? I would like to issue a v1.0.1 patch release of the Falco rules including this. |
|
Yes happy to approve once I can ... |
|
LGTM label has been added. Git tree hash: 697a70883fe14556c02690f78f5a3e4b939df927
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: incertum, jasondellaluce The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hey folks, thank you for the PR. How can I know when is this going to be GA? This will break the labs for the Falco 101 workshop, and we have 10+ deliveries in the next 2 weeks. |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
The rule
Drop and execute new binary in containerhas been introduced in #20 (part of thefalco-rules-1.0.0release) and has a condition that is very similar to other rules, but that however is more narrow. Being defined before the rules below, the probability of "shadowing" them is quite high (a.k.a. case in Falco only reports the first rule matching, thus not triggering rules defined after in the YAML order):Terminal shell in containerLaunch Package Management Process in ContainerNetcat Remote Code Execution in ContainerLaunch Suspicious Network Tool in ContainerLaunch Remote File Copy Tools in ContainerThe docker client is executed in a containerContainer Run as Root UserDebugfs Launched in Privileged ContainerMount Launched in Privileged ContainerLaunch Ingress Remote File Copy Tools in ContainerMy proposal is to move
Drop and execute new binary in containerdown in the declaration order. The rule has lots of value, but can't shadow other important rules.cc @incertum @loresuso
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
On the long term, we could consider making Falco trigger all rules instead of the first one, but that would be a new feature for a future Falco release, and not a patch for the existing rulesets.