Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: the correct usage is <NA> not N/A #244

Merged
merged 2 commits into from
Apr 30, 2024

Conversation

Andreagit97
Copy link
Member

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area rules

Proposed rule maturity level

/area maturity-incubating

/area maturity-sandbox

What this PR does / why we need it:

Debugging some issues in Falco CI https://github.com/falcosecurity/falco/actions/runs/8845222090?pr=3177 I faced this inconsistency. The rule Non sudo setuid was triggered with user.name=<NA> because the macro known_user_in_container checks for N/A. This PR fixes the usages of N/A

Which issue(s) this PR fixes:

Special notes for your reviewer:

@poiana poiana added kind/bug Something isn't working dco-signoff: yes area/rules area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework labels Apr 26, 2024
@poiana poiana requested review from Kaizhe and leodido April 26, 2024 10:09
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 1a26fd14483677785ec686e6b4ebfd876fc28b92 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

Copy link
Contributor

@darryk10 darryk10 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Andreagit97!

@poiana
Copy link

poiana commented Apr 26, 2024

LGTM label has been added.

Git tree hash: 3626b9b05994ca42dca614baccd974e23b022398

@Andreagit97
Copy link
Member Author

/hold

@Andreagit97
Copy link
Member Author

I will check if we need to keep both N/A and <NA> or <NA> is enough

@@ -769,7 +769,7 @@
# https://github.com/draios/sysdig/issues/954). So in that case, allow
# a setuid.
- macro: known_user_in_container
condition: (container and user.name != "N/A")
condition: (container and user.name != <NA>)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

possible alternatives

Suggested change
condition: (container and user.name != <NA>)
condition: (container and not user.name in ("<NA>","N/A"))

incertum
incertum previously approved these changes Apr 26, 2024
Copy link
Contributor

@incertum incertum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Thanks and let's only consistently use the correct version.

Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 90e927bf5b6bf99b5a9e263d1ed12e122126210c with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper_activities has been added
  • Macro etckeeper has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

@Andreagit97
Copy link
Member Author

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

Signed-off-by: Andrea Terzolo <[email protected]>
@poiana poiana added the size/M label Apr 29, 2024
Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-rules-3.0.1

Minor changes:

  • Macro known_drop_and_execute_activities has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing ed98e45732964a1936e009327ad2232c7c6e8eb4 with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

leogr
leogr previously approved these changes Apr 29, 2024
@poiana
Copy link

poiana commented Apr 29, 2024

LGTM label has been added.

Git tree hash: 97a3d7b7deada8bb67a3309916313eabda70e003

@Andreagit97
Copy link
Member Author

/hold

Signed-off-by: Andrea Terzolo <[email protected]>
@leogr
Copy link
Member

leogr commented Apr 29, 2024

Uhm Yamllint Github Actions / Yamllint suggests that the line length is too long, but this is true for almost all the lines of the files... so probably we should fix it in one shot and not here

you can ignore this for now, since here's an ongoing discussion #238

@@ -769,7 +769,7 @@
# https://github.com/draios/sysdig/issues/954). So in that case, allow
# a setuid.
- macro: known_user_in_container
condition: (container and not user.name in ("<NA>","N/A"))
condition: (container and not user.name in ("<NA>","N/A",""))
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also "" seems a legit value for user.name

@poiana poiana added the lgtm label Apr 29, 2024
@poiana
Copy link

poiana commented Apr 29, 2024

LGTM label has been added.

Git tree hash: 59041f53a260df0cdf68b9cb56a162a5ffe0f5e4

@poiana
Copy link

poiana commented Apr 29, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, darryk10, incertum, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,incertum,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Copy link

Rules files suggestions

falco-incubating_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-incubating-rules-3.0.1

Minor changes:

  • Rule Backdoored library loaded into SSHD (CVE-2024-3094) has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-rules-3.0.1

Minor changes:

  • Macro known_drop_and_execute_activities has been added

Patch changes:

  • List falco_privileged_images has some item added or removed

falco-sandbox_rules.yaml

Comparing 73b4814c9d35a6fe05180f787d4ba240b1d67a6e with latest tag falco-sandbox-rules-3.0.1

Minor changes:

  • Macro etckeeper has been added
  • Macro etckeeper_activities has been added

Patch changes:

  • List user_known_k8s_ns_kube_system_images has some item added or removed
  • List bpf_profiled_binaries has some item added or removed

@leogr
Copy link
Member

leogr commented Apr 30, 2024

/unhold

@poiana poiana merged commit 4f153f5 into falcosecurity:main Apr 30, 2024
10 of 12 checks passed
@leogr leogr added this to the falco-0.38-rules milestone May 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved area/maturity-incubating See the Rules Maturity Framework area/maturity-sandbox See the Rules Maturity Framework area/rules dco-signoff: yes kind/bug Something isn't working lgtm size/M
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

5 participants