Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: the correct usage is <NA> not N/A #244

Merged
merged 2 commits into from
Apr 30, 2024
Merged

fix: the correct usage is <NA> not N/A #244

merged 2 commits into from
Apr 30, 2024

Conversation

Andreagit97
Copy link
Member

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-incubating

/area maturity-sandbox

What this PR does / why we need it:

Debugging some issues in Falco CI https://github.com/falcosecurity/falco/actions/runs/8845222090?pr=3177 I faced this inconsistency. The rule Non sudo setuid was triggered with user.name=<NA> because the macro known_user_in_container checks for N/A. This PR fixes the usages of N/A

Which issue(s) this PR fixes:

Special notes for your reviewer:

@poiana poiana added kind/bug Something isn't working dco-signoff: yes area/rules area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework labels Apr 26, 2024
@poiana poiana requested review from Kaizhe and leodido April 26, 2024 10:09
@github-actions GitHub Actions
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

darryk10
darryk10 approved these changes Apr 26, 2024
View reviewed changes
Copy link
Contributor

@darryk10 darryk10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Andreagit97!

@poiana poiana added the lgtm label Apr 26, 2024
@poiana
Copy link

poiana commented Apr 26, 2024

LGTM label has been added.

Git tree hash: 3626b9b05994ca42dca614baccd974e23b022398

@Andreagit97
Copy link
Member Author

/hold

@Andreagit97
Copy link
Member Author

I will check if we need to keep both N/A and <NA> or <NA> is enough

Andreagit97
Andreagit97 commented Apr 26, 2024
View reviewed changes
rules/falco-incubating_rules.yaml Outdated
@@ -769,7 +769,7 @@
# https://github.com/draios/sysdig/issues/954). So in that case, allow
# a setuid.
- macro: known_user_in_container
condition: (container and user.name != "N/A")
condition: (container and user.name != <NA>)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

possible alternatives

Suggested change
condition: (container and user.name != <NA>)
condition: (container and not user.name in ("<NA>","N/A"))

incertum
incertum previously approved these changes Apr 26, 2024
View reviewed changes
Copy link
Contributor

@incertum incertum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Thanks and let's only consistently use the correct version.

@poiana poiana removed the lgtm label Apr 29, 2024
@github-actions GitHub Actions
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

@Andreagit97
Copy link
Member Author

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

@Andreagit97
fix: add <NA> check
4746363 
Signed-off-by: Andrea Terzolo <[email protected]>
@poiana poiana removed the size/S label Apr 29, 2024
@poiana poiana added the size/M label Apr 29, 2024
@github-actions GitHub Actions
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-rules-3.0.1

Minor changes:

  • Macro known_drop_and_execute_activities has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

@Andreagit97 Andreagit97 mentioned this pull request Apr 29, 2024
Merged
leogr
leogr previously approved these changes Apr 29, 2024
View reviewed changes
@poiana poiana added the lgtm label Apr 29, 2024
@poiana
Copy link

poiana commented Apr 29, 2024

LGTM label has been added.

Git tree hash: 97a3d7b7deada8bb67a3309916313eabda70e003

@Andreagit97
Copy link
Member Author

/hold

@Andreagit97
fix: add "" case for user.name
6b7c59b 
Signed-off-by: Andrea Terzolo <[email protected]>
@poiana poiana removed the lgtm label Apr 29, 2024
@poiana poiana requested a review from leogr April 29, 2024 11:05
@leogr
Copy link
Member

leogr commented Apr 29, 2024

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

you can ignore this for now, since here's an ongoing discussion #238

Andreagit97
Andreagit97 commented Apr 29, 2024
View reviewed changes
rules/falco-incubating_rules.yaml
@@ -769,7 +769,7 @@
# https://github.com/draios/sysdig/issues/954). So in that case, allow
# a setuid.
- macro: known_user_in_container
condition: (container and not user.name in ("<NA>","N/A"))
condition: (container and not user.name in ("<NA>","N/A",""))
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also "" seems a legit value for user.name

@poiana poiana added the lgtm label Apr 29, 2024
@poiana
Copy link

poiana commented Apr 29, 2024

LGTM label has been added.

Git tree hash: 59041f53a260df0cdf68b9cb56a162a5ffe0f5e4

@poiana
Copy link

poiana commented Apr 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, darryk10, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,incertum,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions GitHub Actions
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-rules-3.0.1

Minor changes:

  • Macro known_drop_and_execute_activities has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

@Andreagit97 Andreagit97 mentioned this pull request Apr 30, 2024
Closed
11 tasks
@leogr
Copy link
Member

leogr commented Apr 30, 2024

/unhold

@poiana poiana merged commit 4f153f5 into falcosecurity:main Apr 30, 2024
10 of 12 checks passed
@leogr leogr added this to the falco-0.38-rules milestone May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leogr leogr leogr approved these changes

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

@leodido leodido Awaiting requested review from leodido

@darryk10 darryk10 Awaiting requested review from darryk10

@incertum incertum Awaiting requested review from incertum

Assignees

@leogr leogr

@incertum incertum

@darryk10 darryk10

Labels
approved area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework area/rules dco-signoff: yes kind/bug Something isn't working lgtm size/M
Projects
Falco Roadmap
Archived in project
Milestone
falco-0.38-rules
Development

Successfully merging this pull request may close these issues.
5 participants
@Andreagit97 @poiana @leogr @incertum @darryk10