
new(falco): add rule selection configuration in falco.yaml

Open LucaGuerra opened this issue 1 year ago • 6 comments

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area engine

What this PR does / why we need it:

This is a rather straightforward implementation of https://github.com/falcosecurity/falco/issues/3174#issuecomment-2064152163. Essentially, it introduces two new ways of enabling/disabling rules without changing the rule files. Following the example:

rules:
  - disable:
      rule: "*"
  - enable:
      tag: network
  - enable:
      rule: Directory traversal monitored file
  - enable:
      rule: k8s_*
  - disable:
      rule: k8s_noisy_rule

This means: disable everything, enable all rules tagged networking, also enable the rule called Directory traversal monitored file, then enable any rule matching the wildcard pattern k8s_* and disable k8s_noisy_rule.

You can achieve the same via the CLI

falco -o "rules[].disable.rule=*" -o "rules[].enable.tag=network" -o "rules[].enable.rule=Directory traversal monitored file" -o "rules[].enable.rule=k8s_*" -o "rules[].disable.rule=k8s_noisy_rule"

The new [] syntax allows appending a new element at the end of sequences, which is how the CLI works in this case.

At this point, rule names support wildcards while tag names do not. I am a bit unsure about what to do with tag names. On one side, what you want to do is enable and disable them one by one, so wildcards seem a bit too much there. On the other hand, we currently allow intersecting the tags we want, such as only networking AND exec, which is not supported here. Perhaps we could add a tags option for that?

Which issue(s) this PR fixes:

Fixes #3174

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(falco): allow selecting which rules to load from the configuration file or command line

LucaGuerra avatar Apr 23 '24 14:04 LucaGuerra
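As an added illustration (not code from the PR or from Falco itself), the following Python model applies the selection semantics described in the PR: operations run in order, later ones win, rule names match with shell-style wildcards, tag names match exactly, and each `-o "rules[].…"` override appends one more operation. The rule set is constructed, and the starting state (all rules enabled before any operation runs) is an assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample rule set (name -> tags); these are not Falco's real rules.
RULES = {
    "Directory traversal monitored file": {"filesystem", "mitre_discovery"},
    "Outbound Connection to C2 Servers": {"network", "mitre_command_and_control"},
    "Unexpected UDP Traffic": {"network"},
    "k8s_api_access": {"k8s"},
    "k8s_noisy_rule": {"k8s"},
    "Terminal shell in container": {"container", "shell"},
}

# The falco.yaml example from the PR, expressed as (action, key, pattern) tuples.
CONFIG_OPS = [
    ("disable", "rule", "*"),
    ("enable", "tag", "network"),
    ("enable", "rule", "Directory traversal monitored file"),
    ("enable", "rule", "k8s_*"),
    ("disable", "rule", "k8s_noisy_rule"),
]


def parse_cli_overrides(overrides):
    """Turn 'rules[].enable.rule=k8s_*' style -o values into operation tuples.
    '[]' appends a new sequence element, so every override is one operation."""
    ops = []
    for ov in overrides:
        path, _, value = ov.partition("=")
        parts = path.split(".")
        if len(parts) != 3 or parts[0] != "rules[]":
            raise ValueError(f"unsupported override: {ov}")
        action, key = parts[1], parts[2]
        if action not in ("enable", "disable") or key not in ("rule", "tag"):
            raise ValueError(f"unsupported override: {ov}")
        ops.append((action, key, value))
    return ops


def select_rules(rules, ops):
    """Apply enable/disable operations in order and return the enabled names.
    Rule patterns use shell wildcards; tag patterns are exact. Later ops win."""
    enabled = {name: True for name in rules}  # assumption: all rules load by default
    for action, key, pattern in ops:
        for name, tags in rules.items():
            hit = fnmatchcase(name, pattern) if key == "rule" else pattern in tags
            if hit:
                enabled[name] = action == "enable"
    return sorted(name for name, on in enabled.items() if on)
```

Running `select_rules(RULES, CONFIG_OPS)` keeps the two network-tagged rules, the explicitly enabled traversal rule and `k8s_api_access`, while `k8s_noisy_rule` stays off because its disable comes after the `k8s_*` enable.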

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

github-actions[bot] avatar Apr 23 '24 14:04 github-actions[bot]

> This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.
>
> Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.
>
> /hold

I guess this is a false positive.

leogr avatar Apr 23 '24 14:04 leogr

LGTM label has been added.

Git tree hash: b3c5a8310099e8d4525e0d575604bb9213817734

poiana avatar Apr 24 '24 16:04 poiana

/assign

leogr avatar Apr 30 '24 11:04 leogr

As suggested by Andrea, I'd deprecate the -t, -T, -D options so that we can remove them in Falco 0.39: https://github.com/falcosecurity/falco/issues/3174#issuecomment-2078841689

FedeDP avatar May 02 '24 07:05 FedeDP

/unhold

LucaGuerra avatar May 14 '24 08:05 LucaGuerra

LGTM label has been added.

Git tree hash: 8522060cfdb6e3df415296ceda72bc2d8253162b

poiana avatar May 14 '24 10:05 poiana

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, incertum, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [FedeDP,LucaGuerra,incertum]

Approvers can indicate their approval by writing /approve in a comment. Approvers can cancel approval by writing /approve cancel in a comment.

poiana avatar May 14 '24 10:05 poiana