required_engine_version is not working for source k8s_audit #1315

Closed
leogr opened this issue Jul 14, 2020 · 3 comments
leogr commented Jul 14, 2020

Describe the bug

When required_engine_version is set at rule level in any rule with source: k8s_audit, the rule is not detected anymore.

How to reproduce it

I have used the Create Disallowed Pod rule to test this behavior, and ran the following command (similar to the integration test one):

../build/userspace/falco/falco -r ../rules/falco_rules.yaml -r ../rules/k8s_audit_rules.yaml -r ./rules/k8s_audit/allow_only_apache_container.yaml   -c ../falco.yaml -e ../build/test/trace_files/k8s_audit/create_nginx_pod_unprivileged.json

Without the required_engine_version it works as expected:

Tue Jul 14 10:31:12 2020: Falco initialized with configuration file ../falco.yaml
Tue Jul 14 10:31:12 2020: Loading rules from file ../rules/falco_rules.yaml:
Tue Jul 14 10:31:12 2020: Loading rules from file ../rules/k8s_audit_rules.yaml:
Tue Jul 14 10:31:12 2020: Loading rules from file ./rules/k8s_audit/allow_only_apache_container.yaml:
Tue Jul 14 10:31:12 2020: Reading k8s audit events from file: ../build/test/trace_files/k8s_audit/create_nginx_pod_unprivileged.json
16:09:49.761315072: Warning Pod started with container not in allowed list (user=system:serviceaccount:kube-system:replicaset-controller pod=nginx-deployment-78f5d695bd-nxqz5 ns=default images=nginx)
Events detected: 1
Rule counts by severity:
   WARNING: 1
Triggered rules by rule name:
   Create Disallowed Pod: 1
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0

Note that the rule was triggered.

On the other hand, adding required_engine_version as follows:

- rule: Create Disallowed Pod
  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
  output: Pod started with container not in allowed list (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

It prevents the rule from working:

Tue Jul 14 10:33:37 2020: Falco initialized with configuration file ../falco.yaml
Tue Jul 14 10:33:37 2020: Loading rules from file ../rules/falco_rules.yaml:
Tue Jul 14 10:33:37 2020: Loading rules from file ../rules/k8s_audit_rules.yaml:
Tue Jul 14 10:33:37 2020: Loading rules from file ./rules/k8s_audit/allow_only_apache_container.yaml:
Tue Jul 14 10:33:37 2020: Reading k8s audit events from file: ../build/test/trace_files/k8s_audit/create_nginx_pod_unprivileged.json
Events detected: 0
Rule counts by severity:
Triggered rules by rule name:
Syscall event drop monitoring:
   - event drop detected: 0 occurrences
   - num times actions taken: 0

Note that I've also tried with different engine versions; I can put any number, but the behavior is the same.

Expected behaviour

The rule with required_engine_version: 5 should work normally.

Screenshots

Environment

  • Falco version: 0.23.0-97+d1b0ccb
  • Installation method: built from sources

Additional context

Not sure if this problem relates only to the -e option, or whether it's a general problem. I'm investigating.

cc @fntlnz as we talked about this yesterday

@leogr leogr added the kind/bug label Jul 14, 2020

leogr commented Jul 14, 2020

I can confirm that when the required_engine_version is present on a rule with source: k8s_audit then the rule is simply not loaded:

$ ../build/userspace/falco/falco -r ../rules/falco_rules.yaml -r ../rules/k8s_audit_rules.yaml -r ./rules/k8s_audit/allow_only_apache_container.yaml   -c ../falco.yaml -l "Create Disallowed Pod"
Tue Jul 14 16:02:20 2020: Falco initialized with configuration file ../falco.yaml
Tue Jul 14 16:02:20 2020: Loading rules from file ../rules/falco_rules.yaml:
Tue Jul 14 16:02:21 2020: Loading rules from file ../rules/k8s_audit_rules.yaml:
Tue Jul 14 16:02:21 2020: Loading rules from file ./rules/k8s_audit/allow_only_apache_container.yaml:

Rule                                               Description
----                                               -----------
Tue Jul 14 16:02:21 2020: Runtime error: Could not describe rule Create Disallowed Pod: [string "-- Copyright (C) 2019 The Falco Authors...."]:766: No such rule: Create Disallowed Pod. Exiting.

I still don't get why :)


leogr commented Jul 29, 2020

Update:

As I've discovered (see this comment), this issue cannot be strictly considered a bug. Actually, it's just a missing feature: basically the engine does NOT support required_engine_version at the rule level, and if it's added by mistake no warning is emitted.

I'm closing this, then I'll open a new one (as a feature request).
/close
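Since the engine gives no warning when required_engine_version is nested inside a rule item, a pre-load check is the practical mitigation. The following is an added example, not Falco's own code: a line-based scan of a rules file that flags required_engine_version keys indented under a `- rule:` item (the unsupported placement that silently drops the rule here) while accepting the top-level `- required_engine_version: N` item; the sample rules text is constructed for the example.

```python
"""Lint Falco rules files for rule-level required_engine_version keys."""
import re
from typing import List, Tuple

# Constructed sample rules file (not from the Falco repo). The first rule
# nests required_engine_version under the rule item, the placement that
# the engine does not support and that makes the rule silently not load.
SAMPLE_RULES = """\
- required_engine_version: 5

- rule: Create Disallowed Pod
  required_engine_version: 5
  desc: >
    Detect an attempt to start a pod with a container image outside of a list of allowed images.
  condition: kevt and pod and kcreate and not allowed_k8s_containers
  output: Pod started with container not in allowed list (user=%ka.user.name)
  priority: WARNING
  source: k8s_audit
  tags: [k8s]

- rule: Some Syscall Rule
  desc: unaffected rule with no engine version key
  condition: evt.type = execve
  output: exec seen
  priority: INFO
"""

ITEM_RE = re.compile(r"^- (\w+):")    # start of a top-level list item
KEY_RE = re.compile(r"^\s+(\w+):")    # indented key inside an item

def find_rule_level_engine_version(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, rule_name) for each rule item that nests
    required_engine_version under itself. Line-based scan only: enough for
    the flat structure of Falco rule files, not a full YAML parser."""
    findings = []
    current_rule = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ITEM_RE.match(line)
        if m:
            # New top-level item: track rules; macros, lists and a top-level
            # required_engine_version item are legitimate and reset tracking.
            current_rule = line.split(":", 1)[1].strip() if m.group(1) == "rule" else None
            continue
        k = KEY_RE.match(line)
        if k and current_rule and k.group(1) == "required_engine_version":
            findings.append((lineno, current_rule))
    return findings

def lint(text: str) -> List[str]:
    """One human-readable warning per offending rule."""
    return [f"line {n}: rule '{r}' sets required_engine_version at rule level; "
            f"unsupported there, the rule is silently not loaded. "
            f"Use a top-level '- required_engine_version: N' item instead."
            for n, r in find_rule_level_engine_version(text)]

if __name__ == "__main__":
    for warning in lint(SAMPLE_RULES):
        print(warning)
```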

@poiana poiana closed this as completed Jul 29, 2020

poiana commented Jul 29, 2020

@leogr: Closing this issue.

In response to this:

Update:

As I've discovered (see this comment), this issue cannot be strictly considered a bug. Actually, it's just a missing feature: basically the engine does NOT support required_engine_version at the rule level, and if it's added by mistake no warning is emitted.

I'm closing this, then I'll open a new one (as a feature request).
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants