
rules yaml files updated as per yaml linting conditions #238

Open: wants to merge 2 commits into base: main
Conversation

@h4l0gen (Contributor) commented Mar 22, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:
To pass the YAML lint workflow test.
Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

@h4l0gen (Contributor, Author) commented Mar 22, 2024

Yaml_lint may fail on some lines. I am looking into them and will fix it ASAP!

@h4l0gen force-pushed the linted-falco-rules branch 5 times, most recently from 0c88cb0 to 07cfd7c on March 22, 2024 20:36

Rules files suggestions

falco-deprecated_rules.yaml

Comparing 1740ba32f196727f6f34e22e91c98f8e0b4b8f2b with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 40a1468a19b372fbf455ede472131060851b1f11 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before

@h4l0gen force-pushed the linted-falco-rules branch 4 times, most recently from 9d1d2b3 to 1f2926e on March 22, 2024 21:31

Rules files suggestions

falco-deprecated_rules.yaml

Comparing 95e445358b8b0901d4a93b7db3a408f6eec1dfc8 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 0806a17d2dab5d00a13f61e72782014db0b49d09 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 804237cf161c89f45f2af340183b77ff50751688 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 236f8b92ef940ec9953253a4e1d01951639ec0cb with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing e386e2e686d6e023d7b43984de905d31265e9a38 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing ba34e8fdd0d6cb09c52f788a24c1addc3ce1273a with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 07d2b6a65136e9ff807b5bbd4d4bf65dcb572352 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before


Rules files suggestions

falco-deprecated_rules.yaml

Comparing 7af2051f65ad6568887e3c1dae1544ff23220784 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before

@leogr (Member) left a comment

/hold

I've just realized that with this change, we will put the output: on multiple lines, and I'm not sure that is what we want. Never mind, I was wrong, sorry

Update: Anyway, after talking with some other maintainers, we are still determining if this linting style is what we want. I will investigate further and possibly come back with a "rule style" that works for anyone.

@h4l0gen (Contributor, Author) commented May 8, 2024

Hi @leogr, what are your thoughts on this PR? Have we made any decisions yet? Feel free to assign me any related tasks; I would love to work on them.

@leogr (Member) commented May 8, 2024

> Hi @leogr, what are your thoughts on this PR? Have we made any decisions yet? Feel free to assign me any related tasks; I would love to work on them.

I have only two points:

  1. Line-width: 80 characters are too few, IMO. I'd propose 120 or more (@falcosecurity/rules-maintainers we need to reach a consensus on this - cc @falcosecurity/core-maintainers your opinion is welcome).
  2. Using `>` in YAML should be avoided since it appends an unwanted newline at the end (see example below)

```yaml
- example1:
    bla bla bla
  example2: >
    bla bla bla
```

👇

```json
[
    {
        "example1": "bla bla bla",
        "example2": "bla bla bla\n"
    }
]
```

@h4l0gen, you can proceed to update this PR if you want to (it may be useful as a preview of the end result), but we need to reach a consensus on the style before merging it.

@leogr (Member) commented May 22, 2024

> > Hi @leogr, what are your thoughts on this PR? Have we made any decisions yet? Feel free to assign me any related tasks; I would love to work on them.
>
> I have only two points:
>
>   1. Line-width: 80 characters are too few, IMO. I'd propose 120 or more (@falcosecurity/rules-maintainers we need to reach a consensus on this - cc @falcosecurity/core-maintainers your opinion is welcome).
>   2. Using `>` in YAML should be avoided since it appends an unwanted newline at the end (see example below)
>
> ```yaml
> - example1:
>     bla bla bla
>   example2: >
>     bla bla bla
> ```
>
> 👇
>
> ```json
> [
>     {
>         "example1": "bla bla bla",
>         "example2": "bla bla bla\n"
>     }
> ]
> ```
>
> @h4l0gen, you can proceed to update this PR if you want to (it may be useful as a preview of the end result), but we need to reach a consensus on the style before merging it.

@falcosecurity/rules-maintainers @darryk10 @loresuso any thoughts on my above proposal?

@darryk10 (Contributor) commented

> > Hi @leogr, what are your thoughts on this PR? Have we made any decisions yet? Feel free to assign me any related tasks; I would love to work on them.
>
> I have only two points:
>
>   1. Line-width: 80 characters are too few, IMO. I'd propose 120 or more (@falcosecurity/rules-maintainers we need to reach a consensus on this - cc @falcosecurity/core-maintainers your opinion is welcome).
>   2. Using `>` in YAML should be avoided since it appends an unwanted newline at the end (see example below)
>
> ```yaml
> - example1:
>     bla bla bla
>   example2: >
>     bla bla bla
> ```
>
> 👇
>
> ```json
> [
>     {
>         "example1": "bla bla bla",
>         "example2": "bla bla bla\n"
>     }
> ]
> ```
>
> @h4l0gen, you can proceed to update this PR if you want to (it may be useful as a preview of the end result), but we need to reach a consensus on the style before merging it.
>
> @falcosecurity/rules-maintainers @darryk10 @loresuso any thoughts on my above proposal?

I agree with both points.
If we can remove the < , it would simplify the overall syntax, and it would be easier to maintain.

@h4l0gen (Contributor, Author) commented May 24, 2024

Hi @leogr, Sorry for being late, I am a little busy nowadays 😅. I'll be back, just give me a week 🙏. I will make changes as per your and other maintainers' suggestions.

@h4l0gen (Contributor, Author) commented May 25, 2024

@leogr If we increase the line-length value, we will solve many formatting issues, as I've accepted this format

```yaml
- example1:
    bla bla bla
  example2: >
    bla bla bla
```

above this one

```json
[
    {
        "example1": "bla bla bla",
        "example2": "bla bla bla\n"
    }
]
```

as it gives line-length issues. So my vote is to increase the line-length value.

@h4l0gen changed the title from "rules yaml files updated as per yaml linting conditions" to "wip: rules yaml files updated as per yaml linting conditions" on Jun 28, 2024

@poiana commented Jun 28, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: h4l0gen
Once this PR has been reviewed and has the lgtm label, please ask for approval from leogr. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Rules files suggestions

falco-sandbox_rules.yaml

Comparing b8a2223fd4364cc1e3877e55f5fd3cc3d1b724a1 with latest tag falco-sandbox-rules-4.0.0

Major changes:

  • Macro etckeeper_activities has been removed
  • Macro etckeeper has been removed

Minor changes:

  • Rule BPF Program Not Profiled has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed

falco-deprecated_rules.yaml

Comparing b8a2223fd4364cc1e3877e55f5fd3cc3d1b724a1 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before

falco_rules.yaml

Comparing b8a2223fd4364cc1e3877e55f5fd3cc3d1b724a1 with latest tag falco-rules-3.1.0

Major changes:

  • Macro known_drop_and_execute_activities has been removed

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-incubating_rules.yaml

Comparing b8a2223fd4364cc1e3877e55f5fd3cc3d1b724a1 with latest tag falco-incubating-rules-4.0.0

Major changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been removed
  • Rule BPF Program Not Profiled has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Patch changes:

  • List falco_privileged_images has some item added or removed

@h4l0gen (Contributor, Author) commented Jun 29, 2024

Hi @leogr, I need your confirmation: which one do you prefer?

```yaml
- macro: inbound
  condition:
    (((evt.type in (accept,accept4,listen) and evt.dir=<) or
      (evt.type in (recvfrom,recvmsg) and evt.dir=< and
       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
```

or

```yaml
- macro: inbound
  condition:
    (
     (
      (evt.type in (accept,accept4,listen) and evt.dir=<) or
      (evt.type in (recvfrom,recvmsg) and evt.dir=< and fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)
     ) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS)
   )
```
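As an added example (not code from the Falco rules project or from anyone in this thread), the Ruby script below uses only the standard-library YAML parser (Psych) to show what each scalar style discussed in this PR actually puts into a rule's `condition` string: the plain multi-line scalar that both layouts in the comment above use, and the folded `>` style that leogr's earlier comment advises against, alongside his `example1`/`example2` snippet (with a `>-` key added). The `inbound` macro text is copied from this thread (the closing parenthesis of the second layout is aligned with its opener here); the constants and the helper names `scalar_styles`, `condition_of` and `normalize` are the example's own.

```ruby
# Added example, not code from the Falco rules project: how the YAML scalar
# styles debated in this PR change the string a Falco `condition:` ends up
# holding. Uses only Ruby's standard-library YAML parser (Psych).
require 'yaml'

# Constructed input: leogr's two-key illustration plus a third key using the
# strip-chomping `>-` form, which drops the trailing newline that `>` keeps.
SCALAR_STYLES = <<~DOC
  - example1:
      bla bla bla
    example2: >
      bla bla bla
    example3: >-
      bla bla bla
DOC

# The `inbound` macro from this thread, first layout: a plain (unquoted)
# multi-line scalar. Line breaks fold to single spaces, leading whitespace on
# each continuation line is dropped, and no newline is appended.
INBOUND_PLAIN_COMPACT = <<~DOC
  - macro: inbound
    condition:
      (((evt.type in (accept,accept4,listen) and evt.dir=<) or
        (evt.type in (recvfrom,recvmsg) and evt.dir=< and
         fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
       (fd.typechar = 4 or fd.typechar = 6) and
       (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
       (evt.rawres >= 0 or evt.res = EINPROGRESS))
DOC

# Second layout from the same comment (closing parenthesis aligned with its
# opener here); still a plain scalar, so it folds the same way.
INBOUND_PLAIN_EXPANDED = <<~DOC
  - macro: inbound
    condition:
      (
       (
        (evt.type in (accept,accept4,listen) and evt.dir=<) or
        (evt.type in (recvfrom,recvmsg) and evt.dir=< and fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)
       ) and
       (fd.typechar = 4 or fd.typechar = 6) and
       (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
       (evt.rawres >= 0 or evt.res = EINPROGRESS)
      )
DOC

# The first layout written with the folded `>` style. Besides the trailing
# newline, folding only joins lines that share the indentation of the first
# one; the more-indented continuation lines below keep their line breaks, so
# the condition ends up with embedded newlines as well.
INBOUND_FOLDED = <<~DOC
  - macro: inbound
    condition: >
      (((evt.type in (accept,accept4,listen) and evt.dir=<) or
        (evt.type in (recvfrom,recvmsg) and evt.dir=< and
         fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
       (fd.typechar = 4 or fd.typechar = 6) and
       (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
       (evt.rawres >= 0 or evt.res = EINPROGRESS))
DOC

# Parse leogr's snippet and return the mapping with the three keys.
def scalar_styles
  YAML.safe_load(SCALAR_STYLES).first
end

# Parse a one-entry rules document and return its `condition` string.
def condition_of(yaml_text)
  YAML.safe_load(yaml_text).first.fetch('condition')
end

# Whitespace next to parentheses carries no meaning in a Falco condition, so
# strip it before comparing the two plain-scalar layouts.
def normalize(condition)
  condition.gsub(/\s*([()])\s*/, '\1')
end

if __FILE__ == $PROGRAM_NAME
  scalar_styles.each { |key, value| puts "#{key}: #{value.inspect}" }
  [INBOUND_PLAIN_COMPACT, INBOUND_PLAIN_EXPANDED, INBOUND_FOLDED].each do |doc|
    puts condition_of(doc).inspect
  end
  same = normalize(condition_of(INBOUND_PLAIN_COMPACT)) ==
         normalize(condition_of(INBOUND_PLAIN_EXPANDED))
  puts "plain layouts equivalent: #{same}"
end
```

Run it with `ruby` and compare the `inspect` output: both plain layouts yield a single-line string that differs only in spacing around parentheses, while the `>` version carries a trailing `\n` and, because the continuation lines are indented deeper than the first, keeps the line breaks inside the condition too. Either effect is something to check for before a rules file is linted into a different scalar style.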

Signed-off-by: h4l0gen <[email protected]>

rules files are updated

Signed-off-by: h4l0gen <[email protected]>

updated rule files

Signed-off-by: h4l0gen <[email protected]>

updated rules file

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updated falco rules files

Signed-off-by: h4l0gen <[email protected]>

updating

Signed-off-by: h4l0gen <[email protected]>

final

Signed-off-by: h4l0gen <[email protected]>

final

Signed-off-by: h4l0gen <[email protected]>

final

Signed-off-by: h4l0gen <[email protected]>

tags format updated

Signed-off-by: h4l0gen <[email protected]>

updated

Signed-off-by: h4l0gen <[email protected]>

updated

Signed-off-by: h4l0gen <[email protected]>

format updated

Signed-off-by: h4l0gen <[email protected]>

updated

Signed-off-by: h4l0gen <[email protected]>

updated

Signed-off-by: h4l0gen <[email protected]>

updated

Signed-off-by: h4l0gen <[email protected]>

Rules files suggestions

falco-sandbox_rules.yaml

Comparing c105a423700e2ee5b4414a8cc17cdf1b57e47cb9 with latest tag falco-sandbox-rules-4.0.0

Major changes:

  • Macro etckeeper_activities has been removed
  • Macro etckeeper has been removed

Minor changes:

  • Rule BPF Program Not Profiled has been added
  • Macro bpf_profiled_procs has been added
  • List bpf_profiled_binaries has been added

Patch changes:

  • List safe_etc_dirs has some item added or removed
  • List user_known_k8s_ns_kube_system_images has some item added or removed

falco-deprecated_rules.yaml

Comparing c105a423700e2ee5b4414a8cc17cdf1b57e47cb9 with latest tag falco-deprecated-rules-3.0.0

Major changes:

  • Rule Disallowed SSH Connection has less tags than before

Patch changes:

  • Rule Disallowed SSH Connection has more tags than before

falco_rules.yaml

Comparing c105a423700e2ee5b4414a8cc17cdf1b57e47cb9 with latest tag falco-rules-3.1.0

Major changes:

  • Macro known_drop_and_execute_activities has been removed

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-incubating_rules.yaml

Comparing c105a423700e2ee5b4414a8cc17cdf1b57e47cb9 with latest tag falco-incubating-rules-4.0.0

Major changes:

  • Rule BPF Program Not Profiled has been removed
  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been removed
  • Macro bpf_profiled_procs has been removed
  • List bpf_profiled_binaries has been removed

Patch changes:

  • List falco_privileged_images has some item added or removed

@h4l0gen changed the title from "wip: rules yaml files updated as per yaml linting conditions" to "rules yaml files updated as per yaml linting conditions" on Jul 5, 2024

@leogr (Member) commented Jul 18, 2024

> Hi @leogr, need your confirmation, which one you prefer
>
> ```yaml
> - macro: inbound
>   condition:
>     (((evt.type in (accept,accept4,listen) and evt.dir=<) or
>       (evt.type in (recvfrom,recvmsg) and evt.dir=< and
>        fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
>      (fd.typechar = 4 or fd.typechar = 6) and
>      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
>      (evt.rawres >= 0 or evt.res = EINPROGRESS))
> ```
>
> or
>
> ```yaml
> - macro: inbound
>   condition:
>     (
>      (
>       (evt.type in (accept,accept4,listen) and evt.dir=<) or
>       (evt.type in (recvfrom,recvmsg) and evt.dir=< and fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)
>      ) and
>      (fd.typechar = 4 or fd.typechar = 6) and
>      (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
>      (evt.rawres >= 0 or evt.res = EINPROGRESS)
>    )
> ```

I prefer the first one.

@poiana commented Oct 16, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana commented Nov 15, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

5 participants