
double quote in rule's condition is not working as expected

Open developer-guy opened this issue 2 years ago • 25 comments

Describe the bug

We use Falco custom rules defined in the Cloud Native Security Hub. For example, we noticed that a rule defined for CVE-2019-5736 contains a list of binary names to bypass Falco rules, like the following:

items: [dockerd, containerd-shim, "runc:[1:CHILD]"]

These are the proc.name values.

We've fixed it by adding an `and` condition to the rule.

and proc.name=runc\:\[1\:CHILD\]

When a proc.name contains an escaped special character such as `"`, Falco couldn't apply the rule to it and triggers the rule, which it shouldn't.

How to reproduce it

Apply the rule I mentioned above and see that it triggers an alert based on that rule even though the proc.name field equals "runc:[1:CHILD]".

Expected behaviour

It should not trigger an alert.

Screenshots

`falco-d2lgx falco {"priority":"Critical","rule":"Modify container entrypoint (CVE-2019-5736)","source":"syscall","tags":[],"time":"2022-01-19T10:51:15.706952699Z", "output_fields": {"container.id":"3ae6b31f8538","evt.time":1642589475706952699,"fd.name":"/proc/self/fd/5","k8s.ns.name":null,"k8s.pod.name":null,"proc.exeline":"runc init","proc.name":"runc:[1:CHILD]"}}`

Environment

  • Falco version: 0.30.0
  • Falco Chart version: 1.16.3
  • System info:
  • Cloud provider or hardware configuration:
  • OS:
  • Kernel:
  • Installation method: Kubernetes

Additional context

developer-guy avatar Jan 19 '22 11:01 developer-guy
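Added example (not code from the issue or from the Falco project): a small triage helper that parses Falco JSON alert lines like the one in the report, normalizes the rule's exception list to the bare string values the author intended, and reports alerts that fired even though proc.name is on that list. The alert line is copied from the screenshot above; the second line, the `RULE_NAME` constant, and the `RULE_ITEMS_AS_WRITTEN` list (kept with its literal surrounding quotes to show why the exact string form matters) are constructed for this example and say nothing about how Falco's own list expansion works.

```python
import json
from typing import Iterable, List

# Alert line copied from the issue report; the pod and container names precede the JSON payload.
REPORTED_ALERT = (
    'falco-d2lgx falco {"priority":"Critical","rule":"Modify container entrypoint (CVE-2019-5736)",'
    '"source":"syscall","tags":[],"time":"2022-01-19T10:51:15.706952699Z", "output_fields": '
    '{"container.id":"3ae6b31f8538","evt.time":1642589475706952699,"fd.name":"/proc/self/fd/5",'
    '"k8s.ns.name":null,"k8s.pod.name":null,"proc.exeline":"runc init","proc.name":"runc:[1:CHILD]"}}'
)

# Constructed contrast line: a process that is NOT on the exception list, so the alert is legitimate.
CONSTRUCTED_ALERT = (
    'falco-d2lgx falco {"priority":"Critical","rule":"Modify container entrypoint (CVE-2019-5736)",'
    '"source":"syscall","tags":[],"time":"2022-01-19T10:52:00.000000000Z", "output_fields": '
    '{"container.id":"3ae6b31f8538","evt.time":1642589520000000000,"fd.name":"/proc/self/fd/5",'
    '"k8s.ns.name":null,"k8s.pod.name":null,"proc.exeline":"sh -c entrypoint","proc.name":"sh"}}'
)

# Rule name taken from the alert; the exception list as written in the rule's YAML flow sequence
# (the third item keeps its literal double quotes on purpose).
RULE_NAME = "Modify container entrypoint (CVE-2019-5736)"
RULE_ITEMS_AS_WRITTEN = ["dockerd", "containerd-shim", '"runc:[1:CHILD]"']


def normalize_item(item: str) -> str:
    # Strip one layer of surrounding double quotes and unescape any \" inside.
    # This models the value the rule author intended, not any particular engine's parser.
    if len(item) >= 2 and item[0] == '"' and item[-1] == '"':
        return item[1:-1].replace('\\"', '"')
    return item


def parse_falco_alert(line: str) -> dict:
    # Falco's JSON output may be prefixed by log context (pod/container names); find the payload.
    start = line.index("{")
    return json.loads(line[start:])


def proc_name_matches(alert: dict, items: Iterable[str]) -> bool:
    # Exact, byte-for-byte comparison: "runc:[1:CHILD]" only matches the bare value.
    name = alert["output_fields"].get("proc.name")
    return name is not None and name in set(items)


def suspicious_false_positives(lines: Iterable[str], rule_name: str, items: Iterable[str]) -> List[str]:
    # Return proc.name values of alerts for rule_name that the exception list should have suppressed.
    normalized = [normalize_item(i) for i in items]
    hits = []
    for line in lines:
        alert = parse_falco_alert(line)
        if alert.get("rule") != rule_name:
            continue
        if proc_name_matches(alert, normalized):
            hits.append(alert["output_fields"]["proc.name"])
    return hits


if __name__ == "__main__":
    for name in suspicious_false_positives([REPORTED_ALERT, CONSTRUCTED_ALERT], RULE_NAME, RULE_ITEMS_AS_WRITTEN):
        print(f"alert fired for excepted process: {name}")
```

Feeding real Falco output through `suspicious_false_positives` is a quick way to confirm whether an exception containing `:`, `[` or `"` is actually being honoured: any hit means the engine did not exclude a value the rule lists, which is exactly the symptom reported here.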

cc: @dentrax @eminaktas @necatican @yasintahaerol @f9n

developer-guy avatar Jan 19 '22 11:01 developer-guy

Please note that the Cloud Native Security Hub is not maintained anymore.

Interesting issue anyway. I will take a look! Thank you for having reported it.

leogr avatar Jan 20 '22 16:01 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 20 '22 17:04 poiana

/remove-lifecycle stale /milestone 0.32.0

leogr avatar Apr 20 '22 17:04 leogr

/remove-milestone 0.32.0

/milestone 0.33.0

I fully acknowledge that string escaping is an issue in the Rule Engine. In Falco 0.32, we had many structural refactorings in it, but we aimed to not introduce any breaking changes due to the limited time window. Fixing this is on the roadmap but would mean breaking many existing rulesets, which in turn would mean providing migration guidelines/tools. I personally aim for this for Falco 0.33! In the meantime, Falco 0.32 fixes many other bugs in the Falco Engine and the rule loader 👉🏼 https://github.com/falcosecurity/falco/pull/1966

jasondellaluce avatar May 26 '22 10:05 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 24 '22 15:08 poiana

/remove-lifecycle stale

leogr avatar Aug 24 '22 16:08 leogr

/remove-milestone 0.33.0

/milestone 0.34.0

jasondellaluce avatar Oct 03 '22 07:10 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 01 '23 09:01 poiana

/remove-lifecycle stale

Andreagit97 avatar Jan 04 '23 11:01 Andreagit97

/milestone 0.35.0

jasondellaluce avatar Jan 10 '23 17:01 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 10 '23 19:04 poiana

/remove-lifecycle stale

Andreagit97 avatar Apr 11 '23 12:04 Andreagit97

/assign

jasondellaluce avatar Apr 27 '23 09:04 jasondellaluce

/milestone 0.36.0

jasondellaluce avatar Apr 27 '23 09:04 jasondellaluce

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 26 '23 13:07 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Aug 25 '23 13:08 poiana

/remove-lifecycle rotten

Andreagit97 avatar Aug 25 '23 14:08 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 12 '24 09:01 poiana

/remove-lifecycle stale

leogr avatar Jan 12 '24 11:01 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 11 '24 15:04 poiana

/remove-lifecycle stale

leogr avatar Apr 12 '24 15:04 leogr