search

falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0
94 stars 40 forks source link

Use `events.ErrSkipped` with a proper `Reason` when skipping an actions #201

Closed leogr closed 7 months ago

leogr commented 7 months ago

Describe the bug

Actions that skip due to a non-supported context/prerequisite (e.g., those using h.InContainer()) should return events.ErrSkipped with a proper Reason. This allows the event-generator to automatically log the correct message.

Not OK example

https://github.com/falcosecurity/event-generator/blob/939b3e05a3e7806101031d82866ad0d11c43ed83/events/syscall/change_namespace_privileges_via_unshare.go#L31-L42

The action is supposed to run in a container-only context, so it should return events.ErrSkipped when h.InContainer() is false.

OK example

https://github.com/falcosecurity/event-generator/blob/939b3e05a3e7806101031d82866ad0d11c43ed83/events/syscall/user_mgmt_binaries.go#L29-L36

The action is not supposed to run in a container, so it correctly returns events.ErrSkipped when h.InContainer() is true.

Additional context

This should also be documented in https://github.com/falcosecurity/event-generator/tree/main/events#readme, so /kind documentation

cc @FedeDP @LucaGuerra

GLVSKiriti commented 7 months ago

@leogr Can I take up this issue?

leogr commented 7 months ago

@leogr Can I take up this issue?

Yes, please! :+1:

leogr commented 7 months ago

@GLVSKiriti if you want to work on this, please type /assign in a comment of this issue :pray:

GLVSKiriti commented 7 months ago

/assign

GLVSKiriti commented 7 months ago

@GLVSKiriti if you want to work on this, please type /assign in a comment of this issue 🙏

Yeah sure! Already raised a PR for this issue. Pls provide our feedback