Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(rules): fix ptrace attach and injection rule #37

Merged
merged 4 commits into from
Mar 22, 2023
Merged

fix(rules): fix ptrace attach and injection rule #37

merged 4 commits into from
Mar 22, 2023

Conversation

loresuso
Copy link
Member

@loresuso loresuso commented Mar 15, 2023
edited
Loading

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:
This rule was built on top of a bug, see falcosecurity/libs#970
Once that one will be merged and Falco can use it, we should merge this PR as well.
For the same reason, some other rules stopped working, like https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml#L2950 because the flag was not retrieved as string anymore. This makes me think we need a better CI :)

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

@poiana
Copy link

poiana commented Mar 15, 2023

@loresuso: The label(s) kind/bug, area/rules cannot be applied, because the repository doesn't have them.

In response to this:

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

What this PR does / why we need it:
This rule was built on top of a bug, see falcosecurity/libs#970
Once that one will be merged and Falco can use it, we should merge this PR as well.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana requested review from darryk10 and leodido March 15, 2023 09:08
@poiana poiana added the size/S label Mar 15, 2023
@leogr leogr added this to the falco-rules-0.2 milestone Mar 19, 2023
@leogr
Copy link
Member

leogr commented Mar 19, 2023

/kind bug

@poiana poiana added the kind/bug Something isn't working label Mar 19, 2023
@leogr
Copy link
Member

leogr commented Mar 19, 2023

/area rules

@darryk10
Copy link
Contributor

hi @loresuso, thanks for the that and the rule seems more accurate then before so that's great.
Reviewing the PR isn't clear the other rules that stopped working since the link point to a macro https://github.com/falcosecurity/rules/blob/main/rules/falco_rules.yaml#L2950. Can you clarify that pls?
Thanks

@loresuso
Copy link
Member Author

Yes, something must have been merged in the meanwhile and the link it's not pointing to the right place anymore :) my bad, sorry. Anyway, I was referring to the rule Packet socket created in container and the use of AF_PACKET in its condition

@darryk10
Copy link
Contributor

noted! thanks.
this LGTM.

darryk10
darryk10 previously approved these changes Mar 20, 2023
View reviewed changes
@poiana poiana added the lgtm label Mar 20, 2023
@poiana
Copy link

poiana commented Mar 20, 2023

LGTM label has been added.

Git tree hash: 955fd662da37c2ffeb06527d6a2896c2d9895164

@loresuso loresuso force-pushed the fix/ptrace-attach branch from aafb062 to fc854d5 Compare March 22, 2023 13:46
@poiana poiana removed the lgtm label Mar 22, 2023
@poiana poiana requested a review from darryk10 March 22, 2023 13:46
@loresuso
Copy link
Member Author

I have added other commits to:

  • make the "Packet socket created in container" work again. This commit can be cherry picked if we want to release a patched ruleset
  • revert the commit before
  • let the rule use contains operator is better because of the way things are extracted. This is what we will keep after the fix got it.

@loresuso loresuso force-pushed the fix/ptrace-attach branch from fc854d5 to 0dc9ef0 Compare March 22, 2023 13:50
@loresuso loresuso changed the title wip: fix(rules): fix ptrace attach and injection rule fix(rules): fix ptrace attach and injection rule Mar 22, 2023
Andreagit97
Andreagit97 approved these changes Mar 22, 2023
View reviewed changes
Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Mar 22, 2023
@poiana
Copy link

poiana commented Mar 22, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, loresuso

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana
Copy link

poiana commented Mar 22, 2023

LGTM label has been added.

Git tree hash: 829ee4bce0842dcc88b0e1a6b3d6066c0f49e8f1

@poiana poiana merged commit 0b0f50f into falcosecurity:main Mar 22, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Andreagit97 Andreagit97 Andreagit97 approved these changes

@leodido leodido Awaiting requested review from leodido

@darryk10 darryk10 Awaiting requested review from darryk10

Assignees

@Andreagit97 Andreagit97

@darryk10 darryk10

Labels
approved area/rules dco-signoff: yes kind/bug Something isn't working lgtm size/S
Projects
Falco Roadmap
Archived in project
Milestone
falco-rules-1.0.0
Development

Successfully merging this pull request may close these issues.
5 participants
@loresuso @poiana @leogr @darryk10 @Andreagit97