rules: add salt-call as a trusted process

[vin01]

What type of PR is this?

/kind bug
/kind rule-update

Any specific area of the project related to this PR?

/area rules

What this PR does / why we need it:

salt-minion was added as a trusted process in 85f51cf and 1feae90, this however does not cover salt-call which is also a saltstack component and used on minions to apply changes from client-side. It should also be a trusted process along-with salt-minion as part of Saltstack.

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

rule(Read sensitive file untrusted): let salt-call read sensitive files
rule(macro: rpm_procs): let salt-call write to rpm database

Thanks!

[poiana]

Welcome @vin01! It looks like this is your first PR to falcosecurity/falco 🎉

[darryk10]

Hi @vin01 , thanks for contributing :)
I'm wondering if you are suggesting to add salt-call since you have seen some noise coming form it. If this is the case, can you share which kind of noise have you experienced?
thanks

[vin01]

Hi @vin01 , thanks for contributing :) I'm wondering if you are suggesting to add salt-call since you have seen some noise coming form it. If this is the case, can you share which kind of noise have you experienced? thanks

Hi @darryk10, right. It was primarily Warning alerts as a result of attempts by salt-call to read files like /etc/shadow, /etc/sudo.* which is expected as salt is used to manage users, sudo rights using in-built modules. Typically I would just use a custom rule override but since salt-minion is trusted in this rule-set, I think it makes sense to have salt-call as well present in the same. salt-call is used on the client-side to apply states, while salt-minion is used when applying the same changes from Salt master itself.

Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=-1 program=salt-call command=salt-call /usr/bin/salt-call state.apply ..

[jasondellaluce]

/milestone 0.34.0

[darryk10]

Hi @vin01 thanks for the extra info and thanks to contributing to lower the noise :)
LGTM

[darryk10]

LGTM

[poiana]

LGTM label has been added.

Git tree hash: 402fc32a2d8fc5db8f2eeaff71f619984ec861b8

[jasondellaluce]

/approve

[jasondellaluce]

/retest

[jasondellaluce]

closing and reopening to trigger the CI

/close

[poiana]

@jasondellaluce: Closed this PR.

In response to this:

closing and reopening to trigger the CI

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jasondellaluce]

/reopen

[poiana]

@jasondellaluce: Reopened this PR.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: darryk10, jasondellaluce, leogr, vin01

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• rules/OWNERS [jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment