falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0

increase timeout for syscall.DisallowedSSHConnectionNonStandardPort #224

Closed prezha closed 2 months ago

prezha commented 2 months ago

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area events

What this PR does / why we need it:

On some systems, the `syscall.DisallowedSSHConnectionNonStandardPort` event does not trigger due to a too-short timeout of 1s, so we're increasing it to 5s.

Which issue(s) this PR fixes:

Fixes #221

Special notes for your reviewer:

//cc: @leogr I was able to reproduce the issue on Lima and an arm64 Mac, but have not seen it on minikube or a "vanilla" Ubuntu KVM VM on Linux x86/amd64 before: `signal: killed` comes from the context timeout that was apparently too short in this case

```
$ falco --version
Fri Sep 20 19:09:58 2024: Falco version: 0.38.2 (aarch64)
Fri Sep 20 19:09:58 2024: Falco initialized with configuration files:
Fri Sep 20 19:09:58 2024:    /etc/falco/falco.yaml
Fri Sep 20 19:09:58 2024: System info: Linux version 6.8.0-41-generic (buildd@bos03-arm64-063) (aarch64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  2 23:26:06 UTC 2024
Falco version: 0.38.2
Libs version:  0.17.3
Plugin API:    3.6.0
Engine:        0.40.0
Driver:
  API version:    8.0.0
  Schema version: 2.0.0
  Default driver: 7.2.1+driver
$ sudo ./event-generator -l debug test syscall.DisallowedSSH
DEBU running with args: ./event-generator -l debug test syscall.DisallowedSSH
DEBU running without a configuration file
DEBU running with options                          loglevel=debug
INFO sleep for 100ms                               action=syscall.DisallowedSSHConnectionNonStandardPort
DEBU failed to run ssh command (this is expected)  action=syscall.DisallowedSSHConnectionNonStandardPort error="exit status 255"
INFO test passed                                   action=syscall.DisallowedSSHConnectionNonStandardPort rule="Disallowed SSH Connection Non Standard Port" source=syscall
```
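
The failure mode described in the comment above, as an added example that is not event-generator's own code: a child process run under a context deadline is killed and reports `signal: killed` when the deadline is too short, and reports its own `exit status 255` when the deadline is long enough. The helper `runAction`, the outcome labels, and the `sh -c "sleep 1; exit 255"` stand-in for a slow-failing ssh client are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"time"
)

// runAction is a hypothetical helper (not from event-generator). It runs a
// command under a deadline and reports whether the command exited on its own
// or was killed because the context expired first.
func runAction(timeout time.Duration, name string, args ...string) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	// CommandContext kills the process (SIGKILL) once ctx is done.
	err := exec.CommandContext(ctx, name, args...).Run()

	// Check the context first: a killed child also yields an *exec.ExitError,
	// so the error type alone cannot tell a timeout from a normal failure.
	if errors.Is(ctx.Err(), context.DeadlineExceeded) {
		return "killed-by-timeout", err
	}
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return "exited", err
	}
	if err != nil {
		return "start-failed", err
	}
	return "ok", nil
}

func main() {
	// Constructed stand-in for an ssh client that takes 1s to fail with 255.
	slowFail := []string{"-c", "sleep 1; exit 255"}

	for _, d := range []time.Duration{200 * time.Millisecond, 5 * time.Second} {
		outcome, err := runAction(d, "sh", slowFail...)
		fmt.Printf("timeout=%-6v outcome=%-17s err=%v\n", d, outcome, err)
	}
}
```

A test harness that treats any non-nil error as "expected failure" cannot see this difference; only the second case means the action actually ran long enough to generate the event.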
poiana commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leogr, prezha

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/falcosecurity/event-generator/blob/main/OWNERS)~~ [leogr]

Approvers can indicate their approval by writing `/approve` in a comment

Approvers can cancel approval by writing `/approve cancel` in a comment

poiana commented 2 months ago

LGTM label has been added.

Git tree hash: fe655897245d9c896ff43944f9a8522a48a9989c