Closed jasondellaluce closed 1 year ago
Comparing deff35ed9c8b33d719bda3969dc4f395b86ffd25
with latest tag falco-rules-1.0.0
No changes detected
rules/falco_rules.yaml
Comparing
deff35ed9c8b33d719bda3969dc4f395b86ffd25
with latest tagfalco-rules-1.0.0
No changes detected
For the future, rule/macro/list reordering is something we should catch in automatic change checks. If we can't predict the major/minor/nature of the reordering, my opinion would be to add an "other/extra changes" section for things like this.
cc @loresuso
@jasondellaluce ty! I think the "shadowing" is something we should discuss more in detail in the new rules maturity framework as we build it out. Perhaps would you have ideas on how to expose something easy to use for end users to dictate the ordering? For example, I have a custom Go patching script that re-orders based on a predefined priority list which includes custom rules as well.
But this is beyond this PR, LGTM!
On the long term, we could consider making Falco trigger all rules instead of the first one, but that would be a new feature for a future Falco release, and not a patch for the existing rulesets.
Agreed.
One more thought, should we add more output fields to the other rules that could be a new executable?
evt.arg.flags
proc.exe_ino.ctime_duration_proc_start
That sounds like a good idea to me. @loresuso word to you on this.
I agree that in the long term, Falco should trigger each rule in which the condition is satisfied. I think we should start prioritizing this, since the shadowing problem should be solved from its root cause.
I am ok with moving the rule down in the file and as Melissa was saying, I think we can print out the evt.arg.flags
in all the other rules so that we can understand if exe_upper_layer
was also set from the output.
For the future, rule/macro/list reordering is something we should catch in automatic change checks. If we can't predict the major/minor/nature of the reordering, my opinion would be to add an "other/extra changes" section for things like this.
agreed!
Comparing f01320f2e27328efe38c79f0f66b04e67b3947f1
with latest tag falco-rules-1.0.0
Patch changes:
DB program spawned process
changed its output fieldsRun shell untrusted
changed its output fieldsSystem user interactive
changed its output fieldsTerminal shell in container
changed its output fieldsProgram run with disallowed http proxy env
changed its output fieldsUser mgmt binaries
changed its output fieldsLaunch Package Management Process in Container
changed its output fieldsNetcat Remote Code Execution in Container
changed its output fieldsLaunch Suspicious Network Tool in Container
changed its output fieldsLaunch Suspicious Network Tool on Host
changed its output fieldsSearch Private Keys or Passwords
changed its output fieldsRemove Bulk Data from Disk
changed its output fieldsDelete Bash History
changed its output fieldsLaunch Remote File Copy Tools in Container
changed its output fieldsDetect crypto miners using the Stratum protocol
changed its output fieldsContainer Run as Root User
changed its output fieldsSudo Potential Privilege Escalation
changed its output fieldsDebugfs Launched in Privileged Container
changed its output fieldsMount Launched in Privileged Container
changed its output fieldsLaunch Ingress Remote File Copy Tools in Container
changed its output fieldsPolkit Local Privilege Escalation Vulnerability (CVE-2021-4034)
changed its output fieldsFind AWS Credentials
changed its output fieldsExecution from /dev/shm
changed its output fieldsIs everyone onboard with the current change? I would like to issue a v1.0.1 patch release of the Falco rules including this.
Yes happy to approve once I can ...
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: incertum, jasondellaluce
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Hey folks, thank you for the PR. How can I know when is this going to be GA? This will break the labs for the Falco 101 workshop, and we have 10+ deliveries in the next 2 weeks.
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
The rule
Drop and execute new binary in container
has been introduced in #20 (part of thefalco-rules-1.0.0
release) and has a condition that is very similar to other rules, but that however is more narrow. Being defined before the rules below, the probability of "shadowing" them is quite high (a.k.a. case in Falco only reports the first rule matching, thus not triggering rules defined after in the YAML order):Terminal shell in container
Launch Package Management Process in Container
Netcat Remote Code Execution in Container
Launch Suspicious Network Tool in Container
Launch Remote File Copy Tools in Container
The docker client is executed in a container
Container Run as Root User
Debugfs Launched in Privileged Container
Mount Launched in Privileged Container
Launch Ingress Remote File Copy Tools in Container
My proposal is to move
Drop and execute new binary in container
down in the declaration order. The rule has lots of value, but can't shadow other important rules.cc @incertum @loresuso
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
On the long term, we could consider making Falco trigger all rules instead of the first one, but that would be a new feature for a future Falco release, and not a patch for the existing rulesets.