
Wrong usage of `evt.arg.*` / `evt.rawarg.*` when more than one event is involved

Open Andreagit97 opened this issue 1 year ago • 7 comments

In some rules, like `Set Setuid or Setgid bit`, we use some filter checks like `fd=%evt.arg.fd`. These filter checks are event-specific, so using them with a condition like `evt.type in (chmod, fchmod, fchmodat)` means that `chmod` and `fchmodat` don't have it and will always return `<NA>`, while `fchmod` has it.

I'm not sure this is what we want; returning `<NA>` by default doesn't seem the right choice. IMO we should limit the usage of `evt.arg.*` / `evt.rawarg.*` to cases where only one event is involved in the condition and a precise direction is set (e.g. `evt.type=open and evt.dir=<`). The direction is necessary because enter and exit events have different parameters!

Andreagit97 avatar Jan 05 '24 13:01 Andreagit97
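The following is an added example, not code from the original issue or from the falcosecurity/rules project: a small linter that flags the misuse described above. It takes the event types from `evt.type=...` / `evt.type in (...)`, the direction from `evt.dir=...` (both directions if the condition never pins one), and every `evt.arg.X` / `evt.rawarg.X` used in the condition or output, then reports each (field, event type, direction) combination where the field is not a parameter of that event and would render as `<NA>`. The parameter table and the sample rules are constructed for illustration (the rule text is modelled on the issue's description, not copied from the real `Set Setuid or Setgid bit` rule); the parameter sets are an assumption and should be taken from the event table of the libs version you actually run.

```python
"""Lint Falco-style rule conditions and outputs for event-specific
evt.arg.* / evt.rawarg.* fields used where more than one event type,
or an unpinned direction, can match (added example, not project code)."""
import re

# Constructed, partial parameter table (assumption for illustration only):
# parameters carried by the enter (">") and exit ("<") events of three
# syscalls. Take the real values from your libs event table.
EVENT_PARAMS = {
    ("chmod", ">"): set(),
    ("chmod", "<"): {"res", "filename", "mode"},
    ("fchmod", ">"): set(),
    ("fchmod", "<"): {"res", "fd", "mode"},
    ("fchmodat", ">"): set(),
    ("fchmodat", "<"): {"res", "dirfd", "filename", "mode"},
}

_TYPE_IN = re.compile(r"evt\.type\s+in\s*\(([^)]*)\)")
_TYPE_EQ = re.compile(r"evt\.type\s*=\s*([A-Za-z0-9_]+)")
_DIR_EQ = re.compile(r"evt\.dir\s*=\s*([<>])")
_ARG = re.compile(r"evt\.(?:raw)?arg\.([A-Za-z0-9_]+)")


def event_types(condition):
    """Event types a condition can match (evt.type=x, evt.type in (x, y))."""
    types = set()
    for m in _TYPE_IN.finditer(condition):
        types.update(t.strip() for t in m.group(1).split(",") if t.strip())
    for m in _TYPE_EQ.finditer(condition):
        types.add(m.group(1))
    return types


def directions(condition):
    """Directions pinned by evt.dir; both if the condition never sets one."""
    dirs = {m.group(1) for m in _DIR_EQ.finditer(condition)}
    return dirs or {">", "<"}


def arg_fields(*texts):
    """Names used via evt.arg.X / evt.rawarg.X (also inside %evt.arg.X outputs)."""
    fields = set()
    for text in texts:
        fields.update(_ARG.findall(text))
    return fields


def lint_rule(rule, params=EVENT_PARAMS):
    """Return findings: one general warning if arg fields are used without a
    single pinned event type and direction, plus one line per (field, type,
    direction) whose field is not a parameter of that event (renders <NA>)."""
    condition = rule["condition"]
    types = event_types(condition)
    dirs = directions(condition)
    fields = arg_fields(condition, rule.get("output", ""))
    findings = []
    if fields and (len(types) != 1 or len(dirs) != 1):
        findings.append(
            f"{rule['rule']}: evt.arg.*/evt.rawarg.* used with {len(types)} "
            f"event type(s) and {len(dirs)} direction(s); pin exactly one of each")
    for field in sorted(fields):
        for t in sorted(types):
            for d in sorted(dirs):
                known = params.get((t, d))
                if known is None:
                    continue  # event not in our table: cannot judge
                if field not in known:
                    findings.append(
                        f"{rule['rule']}: evt.arg.{field} is <NA> for "
                        f"evt.type={t} evt.dir={d}")
    return findings


# Constructed sample rules (not the real rule text from falcosecurity/rules).
BROKEN_RULE = {
    "rule": "Set Setuid or Setgid bit (constructed)",
    "condition": "evt.type in (chmod, fchmod, fchmodat) and evt.dir=< and "
                 "(evt.arg.mode contains S_ISUID or evt.arg.mode contains S_ISGID)",
    "output": "Setuid or setgid bit set (fd=%evt.arg.fd mode=%evt.arg.mode)",
}

# One rule per event, direction pinned, using only that event's own fields.
FIXED_RULES = [
    {"rule": "Setuid/Setgid bit via fchmod (constructed)",
     "condition": "evt.type=fchmod and evt.dir=< and "
                  "(evt.arg.mode contains S_ISUID or evt.arg.mode contains S_ISGID)",
     "output": "fd=%evt.arg.fd mode=%evt.arg.mode"},
    {"rule": "Setuid/Setgid bit via chmod (constructed)",
     "condition": "evt.type=chmod and evt.dir=< and "
                  "(evt.arg.mode contains S_ISUID or evt.arg.mode contains S_ISGID)",
     "output": "path=%evt.arg.filename mode=%evt.arg.mode"},
    {"rule": "Setuid/Setgid bit via fchmodat (constructed)",
     "condition": "evt.type=fchmodat and evt.dir=< and "
                  "(evt.arg.mode contains S_ISUID or evt.arg.mode contains S_ISGID)",
     "output": "dirfd=%evt.arg.dirfd path=%evt.arg.filename mode=%evt.arg.mode"},
]

if __name__ == "__main__":
    for r in [BROKEN_RULE, *FIXED_RULES]:
        for line in lint_rule(r) or [f"{r['rule']}: ok"]:
            print(line)
```

On the constructed broken rule the linter reports the multi-type usage once and then `evt.arg.fd` as `<NA>` for `chmod` and for `fchmodat` (`evt.arg.mode` is fine because all three exit events carry `mode`); the three single-event rules pass clean. The direction check is what catches the enter/exit mismatch the issue mentions: dropping `evt.dir=<` from any of the fixed rules makes every field a finding for the `>` event, since the constructed table gives the enter events no parameters.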

Cross-linked the issue to the feedback tracking https://github.com/falcosecurity/rules/issues/176

incertum avatar Jan 05 '24 17:01 incertum

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Apr 04 '24 21:04 poiana

/remove-lifecycle stale

Andreagit97 avatar Apr 08 '24 07:04 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 07 '24 09:07 poiana

/remove-lifecycle stale

Andreagit97 avatar Jul 08 '24 07:07 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Oct 06 '24 10:10 poiana

/remove-lifecycle stale

Andreagit97 avatar Oct 07 '24 09:10 Andreagit97

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jan 05 '25 10:01 poiana

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

poiana avatar Feb 04 '25 10:02 poiana

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

poiana avatar Mar 06 '25 10:03 poiana

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

poiana avatar Mar 06 '25 10:03 poiana