Falco rules file should have required_engine_version: 6 #1272

Closed
mstemm opened this issue Jun 22, 2020 · 6 comments · Fixed by #1381
Comments

@mstemm
Contributor

mstemm commented Jun 22, 2020

Describe the bug

Hi, I noticed that 70b9bfe#diff-6acd8aa2e534d1ed83e275bf658d936b added a new rule Container Drift Detected (open+create) that requires falco engine version 6. However, the rules file itself doesn’t have any required_engine_version block. There’s a commented out version here: https://github.com/falcosecurity/falco/blob/master/rules/falco_rules.yaml#L26.

If users tried to load this rules file with older falco versions, they wouldn't be able to load the file, as the new field evt.is_open_exec doesn't work with older falco engine versions.

I'd suggest at least updating the required_engine_version to 6 in the rules file.

@mstemm
Contributor Author

mstemm commented Jun 22, 2020

Btw, here are our docs on falco engine and rules file compatibility: https://falco.org/docs/rules/#versioning.

@fntlnz
Contributor

fntlnz commented Jun 23, 2020

I think that it's the time to remove that comment honestly.

@fntlnz
Contributor

fntlnz commented Jun 23, 2020

I proposed a change in #1273. However, an alternative thing we could do is to create a rules file for every required_engine_version, depending on which fields are supported. I don't like this idea, however; being able to scope the specific rule is probably a better idea in my opinion.

@leodido
Member

leodido commented Jun 23, 2020

The required_engine_version already works at the rule level (we just tested it), as well as at the file level.

Thus, the best approach is to define it for the Container Drift rule, IMHO. We'll do it in #1273 right now.

@stale

stale bot commented Aug 22, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

@stale stale bot added the wontfix label Aug 22, 2020
@leogr
Member

leogr commented Aug 24, 2020

Quick update: the required_engine_version does not work at the rule level, see this comment.
