falco
Duplicate exception names for the same rule are allowed
Describe the bug
Falco allows a rule to have multiple exception definitions of the same name. When appending an exception of that name in a separate block, it expects the fields/comps of the first definition in the rule. I believe the duplicate names should not be allowed in the first place as it is unclear as to which exception is being used/applied.
How to reproduce it
Create a rule with 2 exceptions of the same name but with different fields/comps. Falco will not throw an error during validation. There will be an error if you add an exception in a separate block with the number of fields of the 2nd defined exception.
Example:
Base Rule:
- rule: Test Rule
  severity: 4
  desc: test rule
  condition: evt.type=dup2 or evt.type=dup3
  exceptions:
    - name: exception_1
      fields: [proc.name, proc.cmdline, fd.name]
    - comps:
        - in
      fields:
        - container.image.repository
      name: exception_1
  output: Test rule
  priority: NOTICE
  tags: []
  source: syscall
  append: false
Exception that passes validation (fields match first definition of exception):
- rule: Test Rule
  exceptions:
    - name: exception_1
      values:
        - [a, b, c]
  append: true
Exception that fails validation:
- rule: Test Rule
  exceptions:
    - name: exception_1
      values:
        - [a]
  append: true
Error message:
2022-11-03T21:17:28+0000: Falco version: 0.33.0 (x86_64)
2022-11-03T21:17:28+0000: Falco initialized with configuration file: /etc/falco/falco.yaml
2022-11-03T21:17:28+0000: Validating rules file(s):
2022-11-03T21:17:28+0000: test.yaml
test.yaml: Invalid
1 Errors:
In rules content: (test.yaml:0:0)
rule 'Test Rule': (test.yaml:27:2)
exception 'exception_1': (test.yaml:32:6)
------
- name: exception_1
^
------
LOAD_ERR_VALIDATE (Error validating rule/macro/list/exception objects): Fields and values lists must have equal length
Error: test.yaml: Invalid
1 Errors:
In rules content: (test.yaml:0:0)
rule 'Test Rule': (test.yaml:27:2)
exception 'exception_1': (test.yaml:32:6)
------
- name: exception_1
^
------
LOAD_ERR_VALIDATE (Error validating rule/macro/list/exception objects): Fields and values lists must have equal length
Expected behaviour
I would expect Falco to throw a validation error that exception names for a rule must be unique.
Screenshots
Environment
- Falco version: 0.33.0
- System info:
{ "machine": "x86_64", "nodename": "903c0eee6e53", "release": "5.4.39-linuxkit", "sysname": "Linux", "version": "#1 SMP Fri May 8 23:03:06 UTC 2020" }
- Cloud provider or hardware configuration:
- OS: Linux
PRETTY_NAME="Debian GNU/Linux 10 (buster)" NAME="Debian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)" VERSION_CODENAME=buster ID=debian HOME_URL="https://www.debian.org/" SUPPORT_URL="https://www.debian.org/support" BUG_REPORT_URL="https://bugs.debian.org/"
- Kernel:
Linux 903c0eee6e53 5.4.39-linuxkit #1 SMP Fri May 8 23:03:06 UTC 2020 x86_64 GNU/Linux
- Installation method:
running a docker container
Additional context
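A pre-flight check for the ambiguity reported in this issue, as an added example that is not Falco's own code: it walks a parsed rules file (the Python structure yaml.safe_load would return, constructed inline here from the three YAML blocks above) and reports an exception name defined twice within one rule, together with the fields/comps and fields/values length mismatches that Falco itself rejects.

```python
from collections import defaultdict

def _count(x):
    """Falco accepts a single field/comp/value as a scalar or several as a list."""
    return len(x) if isinstance(x, list) else 1

def lint_rules(docs):
    """docs: a parsed rules file (what yaml.safe_load returns); returns findings."""
    findings = []
    defs = defaultdict(dict)  # rule name -> {exception name: field count}
    for obj in docs:
        if "rule" not in obj:
            continue  # lists, macros and engine-version entries are not checked
        rule = obj["rule"]
        for exc in obj.get("exceptions") or []:
            name = exc.get("name")
            if "fields" in exc:
                n = _count(exc["fields"])
                if "comps" in exc and _count(exc["comps"]) != n:
                    findings.append(f"rule '{rule}': exception '{name}' has {n} "
                                    f"fields but {_count(exc['comps'])} comps")
                if name in defs[rule]:
                    findings.append(f"rule '{rule}': exception '{name}' is defined more "
                                    f"than once; the first definition "
                                    f"({defs[rule][name]} fields) is the one applied")
                else:
                    defs[rule][name] = n
            expected = defs[rule].get(name)
            for value in exc.get("values") or []:
                if expected is None:
                    findings.append(f"rule '{rule}': values for undefined exception '{name}'")
                    break
                if _count(value) != expected:
                    findings.append(f"rule '{rule}': exception '{name}' expects {expected} "
                                    f"fields, got {value!r} ({_count(value)} values)")
    return findings

# Constructed from the issue's three YAML blocks, in file order
SAMPLE_DOCS = [
    {"rule": "Test Rule", "desc": "test rule", "condition": "evt.type=dup2 or evt.type=dup3",
     "output": "Test rule", "priority": "NOTICE", "source": "syscall",
     "exceptions": [
         {"name": "exception_1", "fields": ["proc.name", "proc.cmdline", "fd.name"]},
         {"comps": ["in"], "fields": ["container.image.repository"], "name": "exception_1"},
     ]},
    {"rule": "Test Rule", "append": True,
     "exceptions": [{"name": "exception_1", "values": [["a", "b", "c"]]}]},
    {"rule": "Test Rule", "append": True,
     "exceptions": [{"name": "exception_1", "values": [["a"]]}]},
]
```

Run against the sample, lint_rules reports the duplicate definition in the base rule and the one-value append that Falco rejects, while the three-value append passes.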
/milestone 0.34.0
/milestone 0.35.0
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
/remove-lifecycle stale
/milestone 0.36.0
/lifecycle stale
/remove-lifecycle stale
/lifecycle stale
/remove-lifecycle stale