-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: the correct usage is <NA>
not N/A
#244
Conversation
Rules files suggestionsfalco-incubating_rules.yamlComparing Minor changes:
Patch changes:
falco-sandbox_rules.yamlComparing Minor changes:
Patch changes:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @Andreagit97!
LGTM label has been added. Git tree hash: 3626b9b05994ca42dca614baccd974e23b022398
|
/hold |
I will check if we need to keep both |
rules/falco-incubating_rules.yaml
Outdated
@@ -769,7 +769,7 @@ | |||
# https://github.com/draios/sysdig/issues/954). So in that case, allow | |||
# a setuid. | |||
- macro: known_user_in_container | |||
condition: (container and user.name != "N/A") | |||
condition: (container and user.name != <NA>) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
possible alternatives
condition: (container and user.name != <NA>) | |
condition: (container and not user.name in ("<NA>","N/A")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Thanks and let's only consistently use the correct version.
4113b43
to
a03adf2
Compare
Rules files suggestionsfalco-incubating_rules.yamlComparing Minor changes:
Patch changes:
falco-sandbox_rules.yamlComparing Minor changes:
Patch changes:
|
Uhm |
Signed-off-by: Andrea Terzolo <[email protected]>
a03adf2
to
4746363
Compare
Rules files suggestionsfalco-incubating_rules.yamlComparing Minor changes:
Patch changes:
falco_rules.yamlComparing Minor changes:
Patch changes:
falco-sandbox_rules.yamlComparing Minor changes:
Patch changes:
|
LGTM label has been added. Git tree hash: 97a3d7b7deada8bb67a3309916313eabda70e003
|
/hold |
Signed-off-by: Andrea Terzolo <[email protected]>
you can ignore this for now, since here's an ongoing discussion #238 |
@@ -769,7 +769,7 @@ | |||
# https://github.com/draios/sysdig/issues/954). So in that case, allow | |||
# a setuid. | |||
- macro: known_user_in_container | |||
condition: (container and not user.name in ("<NA>","N/A")) | |||
condition: (container and not user.name in ("<NA>","N/A","")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also ""
seems a legit value for user.name
LGTM label has been added. Git tree hash: 59041f53a260df0cdf68b9cb56a162a5ffe0f5e4
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, darryk10, incertum, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Rules files suggestionsfalco-incubating_rules.yamlComparing Minor changes:
Patch changes:
falco_rules.yamlComparing Minor changes:
Patch changes:
falco-sandbox_rules.yamlComparing Minor changes:
Patch changes:
|
/unhold |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area rules
Proposed rule maturity level
/area maturity-incubating
/area maturity-sandbox
What this PR does / why we need it:
Debugging some issues in Falco CI https://github.com/falcosecurity/falco/actions/runs/8845222090?pr=3177 I faced this inconsistency. The rule
Non sudo setuid
was triggered withuser.name=<NA>
because the macroknown_user_in_container
checks forN/A
. This PR fixes the usages ofN/A
Which issue(s) this PR fixes:
Special notes for your reviewer: