
Falco Provides Unclear Error Message When Kevt in Condition and Source Type is Syscall #1379

Closed
ykcilborw opened this issue Sep 3, 2020 · 20 comments

Comments

@ykcilborw
Copy link

ykcilborw commented Sep 3, 2020

Describe the bug
When parsing certain rules files, Falco can give unclear error messages as to why it failed to parse, such as "Error loading rules: parser API error". It is not clear to the end user how to fix this.

How to reproduce it
Create a Falco file with the following content:

---
- macro: "kevt"
  condition: "(jevt.value[/stage] in (k8s_audit_stages))"
  append: false

- rule: "test"
  desc: "test"
  condition: "kevt"
  output: "output"
  priority: "WARNING"
  tags: []
  source: "syscall"
  append: false

Run falco -V kevt.yaml or whatever you name the file

Falco outputs:

Thu Sep  3 00:10:22 2020: Validating rules file(s):
Thu Sep  3 00:10:22 2020:    kevt.yaml
Rule test: warning (no-evttype):
kevt
         did not contain any evt.type restriction, meaning it will run for all event types.
         This has a significant performance penalty. Consider adding an evt.type restriction if possible.
Error loading rules: parser API error
Thu Sep  3 00:10:22 2020: Runtime error: Error loading rules: parser API error. Exiting.

Expected behaviour
An informative error message. It is not clear to the user how to fix "parser API error"

Screenshots
N/A

Environment

  • Falco version: 0.22.1
    "system_info":{"machine":"x86_64","nodename":"vagrant-ubuntu-trusty-64","release":"3.13.0-163-generic","sysname":"Linux","version":"#213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018"}
  • Kernel: Linux vagrant-ubuntu-trusty-64 3.13.0-163-generic #213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: DEB

Additional context
N/A

@stale
Copy link

stale bot commented Nov 2, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open.

@stale stale bot added the wontfix label Nov 2, 2020
@ykcilborw
Copy link
Author

Can this issue please be kept open and addressed? I think it is important to fix the error message

@stale stale bot removed the wontfix label Nov 2, 2020
@leogr
Copy link
Member

leogr commented Nov 2, 2020

/help

@poiana
Copy link
Contributor

poiana commented Nov 2, 2020

@leogr:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sshayb
Copy link

sshayb commented Nov 11, 2020

Getting the same error with the following rule on AWS EKS:

- rule: "Kube event on ubuntu"
  desc: "Kube event on ubuntu"
  condition: kevt and pod and ka.req.pod.containers.image startswith "ubuntu"
  output: Kubernetes audit event (user=%ka.user.name pod=%ka.resp.name ns=%ka.target.namespace images=%ka.req.pod.containers.image volumes=%jevt.value[/requestObject/spec/volumes])
  priority: WARNING
  source: k8s_audit
  tags: []
C:\WINDOWS\system32>helm inspect chart falcosecurity/falco
apiVersion: v1
appVersion: 0.26.2
description: Falco
...

@poiana
Copy link
Contributor

poiana commented Feb 9, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@ykcilborw
Copy link
Author

Can this issue please be kept open and addressed? I think it is important to fix the error message

@leogr
Copy link
Member

leogr commented Feb 17, 2021

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented May 18, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Copy link
Member

leogr commented May 18, 2021

/remove-lifecycle stale

@poiana
Copy link
Contributor

poiana commented Aug 16, 2021

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@ykcilborw
Copy link
Author

/remove-lifecycle stale

@leogr
Copy link
Member

leogr commented Aug 18, 2021

/cc @mstemm

@jasondellaluce
Copy link
Contributor

For more context, can you try to reproduce this in the latest falco version? I'm not able to reproduce this failure anymore in Falco 0.29.1.

Looking at the underlying code, it seems to be caused when the in operator is used with a non-substituted macro. The point of failure should be here 👇🏼 https://github.com/falcosecurity/libs/blob/9d2082aa5a84dbd42890c4b5aae73c5ec38e2b65/userspace/chisel/lua_parser_api.cpp#L266

As for the latest version of libs, this seems to throw a more informative error now.

@poiana
Copy link
Contributor

poiana commented Feb 8, 2022

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@poiana
Copy link
Contributor

poiana commented Mar 10, 2022

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@leogr
Copy link
Member

leogr commented Mar 11, 2022

Hey @ykcilborw

is this still an issue?

@jasondellaluce
Copy link
Contributor

Following up on this. Right now, the rule loader would output the following:

Wed Apr  6 15:32:07 2022: Runtime error: Could not load rules file ../rules/falco_rules.yaml: 1 errors:
Rule test: error filter_check called with nonexistent field jevt.value[/stage]
---
- rule: "test"
  desc: "test"
  condition: "kevt"
  output: "output"
  priority: "WARNING"
  tags: []
  source: "syscall"
  append: false
---

Which is the correct error message I would expect. In fact what it is saying here is that no field jevt.value is available because the rule uses the "syscall" source. By changing the rule source to "k8s_audit" the ruleset is accepted. ykcilborw, WDYT? If you would like the error message to be more explicit, any feedback would be appreciated!
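
The failure described in the original report and explained in the comment above (a macro that references k8s_audit-only fields such as jevt.value[/stage] being used from a rule whose source is syscall) can be caught before handing the file to falco -V. The following is an added example, not part of this issue and not Falco's own rule loader: a small pre-check that expands macros into rule conditions, flags fields the rule's event source cannot provide, and also reports the no-evttype condition shown in the original output. The set of source-specific field prefixes (jevt., ka. for k8s_audit) is an assumption drawn from the fields named in this thread, the default source of syscall is Falco's documented default, and the sample rulesets are constructed inline to mirror the reproduction file.

```python
"""
Static pre-check for Falco rules: a rule whose event source cannot supply a
field its (macro-expanded) condition references. Added example, not Falco's
own loader; the field-prefix table is an assumption based on this thread.
"""
import re
from typing import Dict, List, Tuple

# Field prefixes that only exist for a given source. jevt.* and ka.* are the
# k8s_audit fields named in the thread; a syscall rule cannot resolve them.
SOURCE_ONLY_PREFIXES: Dict[str, Tuple[str, ...]] = {
    "k8s_audit": ("jevt.", "ka."),
}

# A Falco field reference: class, dot, field path, optional [argument].
FIELD_RE = re.compile(r"(?<![\w.])[a-z][a-z0-9_]*\.[a-z0-9_.]+(?:\[[^\]]*\])?")
EVTTYPE_RE = re.compile(r"(?<![\w.])evt\.type(?![\w.])")


def _macros(items: List[dict]) -> Dict[str, str]:
    return {i["macro"]: i["condition"] for i in items if "macro" in i}


def expand_macros(condition: str, macros: Dict[str, str], max_depth: int = 16) -> str:
    """Replace each macro name in a condition with its parenthesised body."""
    for _ in range(max_depth):
        changed = False
        for name, body in macros.items():
            # Whole identifiers only: "pod" must not match inside "ka.req.pod".
            pattern = re.compile(rf"(?<![\w.\[]){re.escape(name)}(?![\w.\[])")
            expanded = pattern.sub(lambda _m, b=body: f"({b})", condition)
            if expanded != condition:
                condition, changed = expanded, True
        if not changed:
            return condition
    raise ValueError("macro expansion did not converge; recursive macro?")


def check_rules(items: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, source, field) for each field the rule's source can't supply."""
    macros = _macros(items)
    findings = []
    for item in items:
        if "rule" not in item:
            continue
        source = item.get("source", "syscall")  # Falco defaults source to syscall
        for field in FIELD_RE.findall(expand_macros(item["condition"], macros)):
            for owner, prefixes in SOURCE_ONLY_PREFIXES.items():
                if source != owner and field.startswith(prefixes):
                    findings.append((item["rule"], source, field))
    return findings


def rules_without_evttype(items: List[dict]) -> List[str]:
    """Syscall rules with no evt.type restriction (Falco's no-evttype warning)."""
    macros = _macros(items)
    return [
        i["rule"] for i in items
        if "rule" in i and i.get("source", "syscall") == "syscall"
        and not EVTTYPE_RE.search(expand_macros(i["condition"], macros))
    ]


# Constructed sample mirroring the issue's reproduction file (not read from disk).
ISSUE_RULESET: List[dict] = [
    {"macro": "kevt", "condition": "(jevt.value[/stage] in (k8s_audit_stages))"},
    {"rule": "test", "desc": "test", "condition": "kevt", "output": "output",
     "priority": "WARNING", "tags": [], "source": "syscall"},
]

# The fix proposed in the thread: the same ruleset with source changed to k8s_audit.
FIXED_RULESET: List[dict] = [
    dict(i, source="k8s_audit") if "rule" in i else i for i in ISSUE_RULESET
]


def load_rules(text: str) -> List[dict]:
    """Parse a rules file with PyYAML (third-party, assumed to be installed)."""
    import yaml
    return yaml.safe_load(text) or []


if __name__ == "__main__":
    for rule, source, field in check_rules(ISSUE_RULESET):
        print(f"Rule {rule}: source {source!r} has no field {field}")
    for rule in rules_without_evttype(ISSUE_RULESET):
        print(f"Rule {rule}: no evt.type restriction")
    print("fixed ruleset findings:", check_rules(FIXED_RULESET))
```

Run against a real file with load_rules(open("kevt.yaml").read()); the check only inspects the condition text, so an undefined macro or list name (such as k8s_audit_stages in the reproduction) is left in place rather than reported, and the regex will also pick up dotted names inside string literals, which is acceptable for a pre-flight check but not a substitute for falco -V.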

@poiana
Copy link
Contributor

poiana commented May 6, 2022

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana
Copy link
Contributor

poiana commented May 6, 2022

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@poiana poiana closed this as completed May 6, 2022