falco
Can mistakenly append to a base rule from a rule with a different source.
Describe the bug
There is a bug in rule loading: a second definition of a rule with append: true and a different source is mistakenly merged into the original rule instead of being rejected with an error.
How to reproduce it
Put this content in a file invalid_append.yaml and try to validate it with falco using falco -V ./invalid_append.yaml. You need to enable the k8saudit plugin, since the first rule uses the k8s_audit source.
- rule: my rule
  desc: Some desc
  condition: evt.name[xxx]=true
  output: some output
  priority: INFO
  source: k8s_audit

- rule: my rule
  desc: Some desc
  condition: and proc.name=apache
  output: Some output
  priority: INFO
  source: syscall
  append: true
You get this validation error. Note that the second rule's condition has been appended to the first rule's condition, which should not happen:
./invalid_append.yaml: Invalid
1 Errors:
In rules content: (./invalid_append.yaml:0:0)
rule 'my rule': (./invalid_append.yaml:0:2)
rule condition: (./invalid_append.yaml:2:13)
condition expression: ("evt.name[xxx]=t...":3:14)
------
evt.name[xxx]=true and proc.name=apache
^
------
LOAD_ERR_COMPILE_CONDITION (Error compiling condition): filter_check called with nonexistent field evt.name[xxx]
Expected behaviour
Instead, the rule loader should return the same error that you get when defining a rule again with a different source: "Rule has been re-defined with a different source".
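The following is an added example, not part of this report and not Falco's own rule loader: a small Python pre-check that walks a rules file in order, remembers the source each rule was first defined with, and reports any later definition (append or not) of the same rule name that carries a different source, which is exactly what the report expects the loader to do. It assumes the rules are parsed with PyYAML's yaml.safe_load (the same list-of-mappings shape Falco reads) and treats a missing source as syscall, matching Falco's documented default. The SAMPLE_RULES literal is the reproduction case from this report, embedded as constructed input; the "append with no base rule" wording is this script's own, not Falco's.

```python
"""Pre-flight check for Falco rules files: reject a rule that is appended to,
or re-defined, with a different `source` than its base definition.

Added example; this is not Falco's rule loader. It consumes the list that
``yaml.safe_load`` returns for a rules file.
"""
import sys
from typing import Dict, List

# Falco's documented default when a rule omits `source` (assumption: the
# same default applies to the appended definition).
DEFAULT_SOURCE = "syscall"

# The reproduction case from the report, as it parses from invalid_append.yaml
# (constructed literal, so the check runs with no file on disk).
SAMPLE_RULES: List[Dict] = [
    {"rule": "my rule", "desc": "Some desc", "condition": "evt.name[xxx]=true",
     "output": "some output", "priority": "INFO", "source": "k8s_audit"},
    {"rule": "my rule", "desc": "Some desc", "condition": "and proc.name=apache",
     "output": "Some output", "priority": "INFO", "source": "syscall",
     "append": True},
]


def check_rule_sources(items: List[Dict]) -> List[str]:
    """Return one message per rule whose source conflicts with its base rule.

    Items are visited in file order, so a later non-append definition replaces
    the base rule (as Falco's override semantics do) and becomes the reference
    for subsequent appends. Lists, macros and other non-rule items are skipped.
    """
    errors: List[str] = []
    base_source: Dict[str, str] = {}  # rule name -> source of its base definition
    for idx, item in enumerate(items):
        if not isinstance(item, dict) or "rule" not in item:
            continue
        name = item["rule"]
        source = item.get("source") or DEFAULT_SOURCE
        is_append = item.get("append") is True
        prev = base_source.get(name)

        if is_append and prev is None:
            # Wording is this script's own, not Falco's message.
            errors.append(f"item {idx}: rule '{name}': append with no base rule")
            continue
        if prev is not None and prev != source:
            # The error the report expects from the loader in both the
            # re-definition and the append case.
            errors.append(
                f"item {idx}: rule '{name}': Rule has been re-defined with a "
                f"different source ('{prev}' vs '{source}')"
            )
            continue
        if not is_append:
            base_source[name] = source  # (re)definition sets the base source
    return errors


def check_rules_file(path: str) -> List[str]:
    """Load a rules file with PyYAML and run the check (PyYAML is assumed)."""
    import yaml  # imported lazily so the check itself has no dependency
    with open(path, "r", encoding="utf-8") as fh:
        items = yaml.safe_load(fh) or []
    return check_rule_sources(items)


if __name__ == "__main__":
    # Usage: python check_rule_sources.py [rules.yaml ...]
    # With no arguments, runs against the embedded reproduction case.
    problems = (
        [e for p in sys.argv[1:] for e in check_rules_file(p)]
        if len(sys.argv) > 1 else check_rule_sources(SAMPLE_RULES)
    )
    for msg in problems:
        print(msg)
    sys.exit(1 if problems else 0)
```

Run with no arguments to see the reproduction case flagged, or pass one or more rules files to check a real rule set before loading it into Falco 0.39.0, which currently merges the two definitions silently (until the combined condition fails to compile, as above).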
Environment
- Falco version: 0.39.0
- System info: { "machine": "x86_64", "nodename": "mstemm-ubuntu-2004", "release": "5.15.0-113-generic", "sysname": "Linux", "version": "#123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024" }
- Cloud provider or hardware configuration: None
- OS: PRETTY_NAME="Ubuntu 22.04.4 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.4 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian HOME_URL="https://www.ubuntu.com/" SUPPORT_URL="https://help.ubuntu.com/" BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/" PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy" UBUNTU_CODENAME=jammy
- Kernel: Linux mstemm-ubuntu-2004 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
- Installation method: DEB