falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

output of `falco -L` always reports `asyncevent` event type #3215

Closed loresuso closed 3 months ago

loresuso commented 3 months ago

Describe the bug

The output of sudo falco -L -o "json_output=true" provides us a JSON description of each loaded rule. A piece of very useful information about this is the list of event types, but it currently always returns asyncevent even if the rule doesn't use it. Example below:

{
      "details": {
        "condition_compiled": "((evt.type in (execve, execveat) and evt.dir = <) and proc.is_exe_from_memfd = true and not proc.name in ())",
        "condition_fields": [
          "proc.name",
          "proc.is_exe_from_memfd",
          "evt.dir",
          "evt.type"
        ],
        "condition_operators": [
          "=",
          "in"
        ],
        "events": [
          "asyncevent", <------------ HERE 
          "execveat",
          "execve"
        ],
        "exception_fields": [],
        "exception_names": [],
        "exception_operators": [],
        "lists": [],
        "macros": [
          "known_memfd_execution_processes",
          "spawned_process"
        ],
        "output_compiled": "Fileless execution via memfd_create (container_start_ts=%container.start_ts proc_cwd=%proc.cwd evt_res=%evt.res proc_sname=%proc.sname gparent=%proc.aname[2] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags container_id=%container.id container_name=%container.name)",
        "output_fields": [
          "container.start_ts",
          "proc.cwd",
          "evt.res",
          "proc.sname",
          "proc.aname[2]",
          "evt.type",
          "user.name",
          "user.uid",
          "user.loginuid",
          "proc.name",
          "proc.exepath",
          "proc.pname",
          "proc.cmdline",
          "proc.tty",
          "evt.arg.flags",
          "container.id",
          "container.name"
        ],
        "plugins": []
      },

How to reproduce it

falco -L -o "json_output=true" | jq and check the events key

Expected behaviour

Just report the events that are actually used in the condition (through used macros as well)

loresuso commented 3 months ago

cc @jasondellaluce for visibility

jasondellaluce commented 3 months ago

This is not really a bug Lore -- there's nothing in the model preventing an async event to bundle the "execve" or "execveat" names, so the rule effectively matches async events too at runtime.

FedeDP commented 3 months ago

Agree with Jason, I don't think this is a bug actually!

loresuso commented 3 months ago

Oh I see what you are saying, thank you! Closing

FedeDP commented 3 months ago

/milestone 0.38.0
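To make the point discussed above usable in practice, here is an added example (not Falco's own tooling) that post-processes the `falco -L -o "json_output=true"` JSON: it separates the always-present `asyncevent` from each rule's concrete syscall event types and inverts the mapping, so the syscall dependencies of a loaded ruleset can be reviewed. The top-level `{"rules": [...]}` wrapper and the `info.name` key are assumptions; only the `details.events` and `details.macros` keys are taken from the report above.

```python
"""Post-process `falco -L -o json_output=true` output (added example, not
Falco's own code). Separates concrete syscall types from "asyncevent",
which Falco lists for every rule since an async event may carry a syscall
name. Top-level {"rules": [{"info", "details"}]} layout is an assumption;
the "details" keys are those shown in the issue."""
import json

ASYNC = "asyncevent"

# Constructed sample resembling the issue's output (two rules, trimmed).
SAMPLE = json.dumps({"rules": [
    {"info": {"name": "Fileless execution via memfd_create"},
     "details": {"events": ["asyncevent", "execveat", "execve"],
                 "macros": ["known_memfd_execution_processes",
                            "spawned_process"]}},
    {"info": {"name": "Constructed open rule"},
     "details": {"events": ["asyncevent", "open", "openat", "openat2"],
                 "macros": []}},
]})


def load_rules(text):
    """Accept either {"rules": [...]} or a bare list of rule objects."""
    data = json.loads(text)
    return data["rules"] if isinstance(data, dict) else data


def rule_events(text):
    """Map rule name -> (sorted concrete event types, also matches async)."""
    out = {}
    for rule in load_rules(text):
        events = set(rule["details"].get("events", []))
        out[rule["info"]["name"]] = (sorted(events - {ASYNC}), ASYNC in events)
    return out


def events_to_rules(text):
    """Invert the mapping: which rules depend on each syscall event type."""
    index = {}
    for name, (events, _) in rule_events(text).items():
        for ev in events:
            index.setdefault(ev, []).append(name)
    return {ev: sorted(names) for ev, names in sorted(index.items())}


if __name__ == "__main__":
    for name, (events, is_async) in rule_events(SAMPLE).items():
        print(f"{name}: {', '.join(events)} (async too: {is_async})")
    for ev, names in events_to_rules(SAMPLE).items():
        print(f"{ev}: {len(names)} rule(s)")
```

On a live system, replace SAMPLE with the captured output of the command (for example via `sys.stdin.read()`).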