Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

new(falco): add rule selection configuration in falco.yaml #3178

Merged
merged 4 commits into from
May 14, 2024
Merged

new(falco): add rule selection configuration in falco.yaml #3178

merged 4 commits into from
May 14, 2024

Conversation

LucaGuerra
Copy link
Contributor

@LucaGuerra LucaGuerra commented Apr 23, 2024
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area engine

What this PR does / why we need it:

This is a rather straightforward implementation of #3174 (comment) . Essentially, it introduces two new ways of enabling/disabling rules without changing the rule files. Following the example:

rules:
  - disable:
      rule: *
  - enable:
      tag: network
  - enable:
      rule: Directory traversal monitored file
  - enable:
      rule: k8s_*
  - disable:
      rule: k8s_noisy_rule

This means: disable everything, enable all rules tagged networking, also enable the rule called Directory traversal monitored file, then enable any rule matching the wildcard pattern k8s_* and disable k8s_noisy_rule.

You can achieve the same via the CLI

falco -o "rules[].disable.rule=*" -o "rules[].enable.tag=network" -o "rules[].enable.rule=Directory traversal monitored file
" -o "rules[].enable.rule=k8s_*" -o "rules[].disable.rule=k8s_noisy_rule"

The new syntax [] allows to append a new element at the end of sequences, which is how the CLI works in this case.

At this point, rule names support wildcard while tag names do not. I am a bit unsure about what to do with tag names. On one side, what you want to do is enable and disable them one by one so wildcards seem a bit too much there. On the other hand we currently allow to "intersect" the tags we want, such as only networking AND exec, which is not supported here. Perhaps we could add a tags option for that?

Which issue(s) this PR fixes:

Fixes #3174

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(falco): allow selecting which rules to load from the configuration file or command line

@poiana poiana requested review from Kaizhe and leogr April 23, 2024 14:17
@github-actions GitHub Actions
Copy link

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@leogr leogr requested a review from jasondellaluce April 23, 2024 14:26
@leogr
Copy link
Member

leogr commented Apr 23, 2024

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

I guess this is a false positive.

@LucaGuerra LucaGuerra force-pushed the new/rule-selection-config branch from 44e5736 to 59ea565 Compare April 23, 2024 16:43
@LucaGuerra LucaGuerra changed the title new(falco): implement rule selection configuration in falco.yaml new(falco): add rule selection configuration in falco.yaml Apr 23, 2024
@LucaGuerra LucaGuerra force-pushed the new/rule-selection-config branch from 59ea565 to 495c7d5 Compare April 23, 2024 17:37
incertum
incertum previously approved these changes Apr 24, 2024
View reviewed changes
Copy link
Contributor

@incertum incertum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Apr 24, 2024
@poiana
Copy link
Contributor

poiana commented Apr 24, 2024

LGTM label has been added.

Git tree hash: b3c5a8310099e8d4525e0d575604bb9213817734

@Andreagit97 Andreagit97 added this to the 0.38.0 milestone Apr 26, 2024
@leogr
Copy link
Member

leogr commented Apr 30, 2024

/assign

leogr
leogr reviewed Apr 30, 2024
View reviewed changes
Copy link
Member

@leogr leogr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

cc @jasondellaluce @FedeDP for a second look

leogr
leogr reviewed Apr 30, 2024
View reviewed changes
falco.yaml Outdated Show resolved Hide resolved
@FedeDP
Copy link
Contributor

FedeDP commented May 2, 2024

As suggested by Andrea, i'd deprecate -t,-T,-D options so that we can remove them in Falco 0.39: #3174 (comment)

@incertum incertum mentioned this pull request May 8, 2024
Merged
@LucaGuerra LucaGuerra force-pushed the new/rule-selection-config branch from 495c7d5 to 11c3070 Compare May 14, 2024 07:15
@poiana poiana removed the lgtm label May 14, 2024
@poiana poiana requested review from incertum and leogr May 14, 2024 07:15
@LucaGuerra @leogr
update(config): experimental->incubating
fa10f78 
Co-authored-by: Leonardo Grasso <[email protected]>
Signed-off-by: Luca Guerra <[email protected]>
@LucaGuerra
Copy link
Contributor Author

/unhold

FedeDP
FedeDP approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label May 14, 2024
@poiana
Copy link
Contributor

poiana commented May 14, 2024

LGTM label has been added.

Git tree hash: 8522060cfdb6e3df415296ceda72bc2d8253162b

incertum
incertum approved these changes May 14, 2024
View reviewed changes
Copy link
Contributor

@incertum incertum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented May 14, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit abf82f6 into falcosecurity:master May 14, 2024
35 checks passed
@LucaGuerra LucaGuerra deleted the new/rule-selection-config branch May 14, 2024 11:07
This was referenced May 15, 2024
Closed
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@incertum incertum incertum approved these changes

@FedeDP FedeDP FedeDP approved these changes

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

@jasondellaluce jasondellaluce Awaiting requested review from jasondellaluce

@leogr leogr Awaiting requested review from leogr

Assignees

@leogr leogr

@FedeDP FedeDP

@incertum incertum

Labels
approved area/engine dco-signoff: yes kind/feature lgtm release-note size/XXL
Projects
Falco Roadmap
Archived in project
Milestone
0.38.0
Development

Successfully merging this pull request may close these issues.

Proposal/discussion: More flexible ways to enable/disable rules from configuration
6 participants
@LucaGuerra @leogr @poiana @FedeDP @incertum @Andreagit97