
new: add possibility to retrieve details about rules with filter_details_visitor #2544

Merged
merged 10 commits into from
May 19, 2023

Conversation

loresuso
Member

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:
This PR introduces a specialized visitor that can be used to construct a normalized form of a rule, containing all the macros, lists, operators, and fields it uses, in JSON format. The functionality is embedded in the -l/-L flags and can be triggered when the output is set to JSON.
This functionality can later be used in CI tools for rules to, e.g., understand how to automatically handle and increase rule versions.

Example:

$ sudo ./userspace/falco/falco -c ../falco.yaml -l "Launch Privileged Container" -o "json_output=true" | jq 
Fri May 12 10:23:13 2023: Falco version: 0.34.1-194+f5c7574 (x86_64)
Fri May 12 10:23:13 2023: Falco initialized with configuration file: ../falco.yaml
Fri May 12 10:23:13 2023: Loading rules from file /etc/falco/falco_rules.yaml
Fri May 12 10:23:13 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
{
  "conditionFields": [
    "evt.num",
    "container.id",
    "container.privileged",
    "container.image.repository",
    "proc.vpid",
    "evt.dir",
    "evt.type"
  ],
  "description": "Detect the initial process started in a privileged container. Exceptions are made for known trusted images.",
  "exceptionFields": [],
  "lists": [
    "redhat_io_images_privileged",
    "falco_privileged_images",
    "trusted_images"
  ],
  "macros": [
    "redhat_image",
    "aws_eks_core_images",
    "user_trusted_containers",
    "allowed_openshift_registry_root",
    "openshift_image",
    "never_true",
    "falco_privileged_containers",
    "user_privileged_containers",
    "container",
    "spawned_process",
    "allowed_aws_ecr_registry_root_for_eks",
    "container_started"
  ],
  "name": "Launch Privileged Container",
  "operators": [
    "endswith",
    "startswith",
    "in",
    "!=",
    "="
  ],
  "outputFields": [
    "user.name",
    "user.loginuid",
    "proc.cmdline",
    "proc.pid",
    "container.name",
    "container.id",
    "container.image.repository",
    "container.image.tag"
  ],
  "priority": "Informational"
}

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update: get rules details with `-l` or `-L` flags when json output format is specified

@loresuso
Member Author

cc @jasondellaluce

@FedeDP
Contributor

FedeDP commented May 12, 2023

This is super cool and highly requested! Thank you @loresuso !

@jasondellaluce
Contributor

Links to #2372 and potentially fixes it, if we just add the information about the evt.types matched by each rule.

@loresuso
Member Author

loresuso commented May 15, 2023

Last two commits address the following:

  • retrieving information about enabled rules
  • information about lists and macros when the global -L option is specified

This will allow checking, for instance (see https://github.com/falcosecurity/rules/blob/main/RELEASE.md for further details):

  • if a rule used to be disabled and then is enabled, the patch number of the rule's version must be increased
  • adding or removing elements from lists, same as above

Currently working on adding evt.type information
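As an added example (not code from this PR or the Falco project), a small comparator a CI job could run over two of these JSON dumps to surface the checks listed above. The dump layout it reads (a "rules" array plus a "lists" map of list name to items) and the key names are assumptions, since the exact schema is not shown here.

```python
import json

# Constructed sample in the shape this example assumes for the -L JSON dump: a
# "rules" array of per-rule details plus a "lists" map of list name -> items.
# The key names are placeholders; Falco's real output may name them differently.
BEFORE = json.loads("""{
 "rules": [{"name": "Launch Privileged Container", "enabled": false,
            "lists": ["trusted_images"], "condition_fields": ["evt.type", "container.privileged"]}],
 "lists": {"trusted_images": ["registry.example/base:1.0"]}}""")
AFTER = json.loads("""{
 "rules": [{"name": "Launch Privileged Container", "enabled": true,
            "lists": ["trusted_images"],
            "condition_fields": ["evt.type", "container.privileged", "container.image.repository"]}],
 "lists": {"trusted_images": ["registry.example/base:1.0", "registry.example/app:2.1"]}}""")

def set_diff(old, new):
    """Members added to / removed from a sequence, ignoring order and duplicates."""
    old, new = set(old or []), set(new or [])
    return {"added": sorted(new - old), "removed": sorted(old - new)}

def diff_dumps(before, after):
    """Compare two dumps rule by rule. "changes" records every differing key and
    any change in the items of lists the rule references; "patch_bump" applies the
    two checks stated in the thread: disabled -> enabled, or list items changed."""
    old = {r["name"]: r for r in before["rules"]}
    new = {r["name"]: r for r in after["rules"]}
    report = {}
    for name in sorted(set(old) | set(new)):
        # A rule present on one side only is compared against an empty record.
        o, n = old.get(name, {}), new.get(name, {})
        changes = {}
        for key in sorted(set(o) | set(n)):
            ov, nv = o.get(key), n.get(key)
            if isinstance(ov, list) or isinstance(nv, list):
                d = set_diff(ov, nv)
                if d["added"] or d["removed"]:
                    changes[key] = d
            elif ov != nv:
                changes[key] = {"from": ov, "to": nv}
        # Resolve the referenced list names against the "lists" map of each dump.
        items = {}
        for ln in set(o.get("lists", [])) | set(n.get("lists", [])):
            d = set_diff(before["lists"].get(ln), after["lists"].get(ln))
            if d["added"] or d["removed"]:
                items[ln] = d
        if items:
            changes["list_items"] = items
        enabled_now = o.get("enabled") is False and n.get("enabled") is True
        report[name] = {"changes": changes, "patch_bump": enabled_now or bool(items)}
    return report
```

Differences the thread does not assign a version semantic to (condition fields, operators, macros) are reported under "changes" only, so the policy decision stays with the caller.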

@loresuso loresuso force-pushed the filter-details-visitor branch 3 times, most recently from 9b2d14d to eabd030 on May 16, 2023 12:44
Member

@Andreagit97 Andreagit97 left a comment


Left some minor comments, LGTM!

@@ -126,13 +126,13 @@ falco::app::run_result falco::app::actions::load_rules_files(falco::app::state&

if (s.options.describe_all_rules)
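Review bot: `s.options.describe_all_rules` is read here, but the hunk does not show where it is initialised; if the `bool` member has neither an in-class default nor an entry in the `options::options()` initialiser list, this read is of an indeterminate value (undefined behaviour), so confirm the default exists in options.cpp before relying on this branch.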
Member


I would initialize both describe_all_rules and describe_rule variables here

options::options()
	: event_buffer_format(sinsp_evt::PF_NORMAL),
	  gvisor_config(""),
	  list_fields(false),
	  list_plugins(false),
	  list_syscall_events(false),
	  markdown(false),
	  modern_bpf(false)
{
}

Member Author


They should already have their default I guess in options.cpp

@leogr
Member

leogr commented May 18, 2023

/milestone 0.35.0

@poiana poiana added this to the 0.35.0 milestone May 18, 2023
Contributor

@jasondellaluce jasondellaluce left a comment


Looks good Lore:

@loresuso
Member Author

loresuso commented May 19, 2023

Just rebased and everything's green, I think we are there now!

… getting details of all rules

Signed-off-by: Lorenzo Susini <[email protected]>
- avoiding inspector to be allocated for each rule
- use two boolean values for expecting macros and lists
- move items of lists alongside name, under info
- use snake case for json output, like we do for e.g. alerts
- correctly retrieve evt names
- consider two levels of lists for exception operators

Signed-off-by: Lorenzo Susini <[email protected]>
Contributor

@jasondellaluce jasondellaluce left a comment


/approve

Thanks! This is great!

@poiana
Contributor

poiana commented May 19, 2023

LGTM label has been added.

Git tree hash: 76ba42e28e821ab6c89ef3774628d821c834d360

Member

@Andreagit97 Andreagit97 left a comment


/approve

@poiana
Contributor

poiana commented May 19, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, jasondellaluce, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,jasondellaluce]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit e47ece4 into falcosecurity:master May 19, 2023