Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update(rule_loader): deprecate the append flag in falco rules #2992

Merged
merged 19 commits into from
Jan 11, 2024
Merged

update(rule_loader): deprecate the append flag in falco rules #2992

merged 19 commits into from
Jan 11, 2024

Conversation

Andreagit97
Copy link
Member

What type of PR is this?

/kind cleanup

/kind design

Any specific area of the project related to this PR?

/area engine

/area tests

What this PR does / why we need it:

In this PR I propose to deprecate the append flag in the Falco rules. With deprecate I mean that we should log a warning when the append key is used suggesting the new override key. The flag shouldn't be removed until Falco 1.0.0 since it could cause a big breaking change between users (I'm open to other ideas, maybe we can wait for some release cycle). In this PR there are also some cleanups.

Side note: I'm not fully convinced by the fact that warnings in the rule loading are suppressed by default...if we introduce a warning I expect that users will see it by default since probably they need to take some actions... To be more concrete, in this PR i added a warning that in my opinion should be shown by default because users should know how to update the rules with the most recent features to avoid breaking changes in the future. Example:

Wed Jan  3 15:46:27 2024: Falco version: 0.37.0-231+ad964c0 (x86_64)
Wed Jan  3 15:46:27 2024: Falco initialized with configuration file: ../falco.yaml
Wed Jan  3 15:46:27 2024: System info: Linux version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2
Wed Jan  3 15:46:27 2024: Loading rules from file ../rules/falco-deprecated_rules.yaml
Wed Jan  3 15:46:27 2024: Loading rules from file ../rules/falco-incubating_rules.yaml
../rules/falco-incubating_rules.yaml: Ok, with warnings
1 Warnings:
In rules content: (../rules/falco-incubating_rules.yaml:0:0)
    rule 'Non sudo setuid': (../rules/falco-incubating_rules.yaml:1275:2)
------
- rule: Non sudo setuid
  ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item): 'append' key is deprecated. Add an append entry (e.g. 'condition: append') under 'override' instead.

Wed Jan  3 15:46:27 2024: Loading rules from file ../rules/falco-sandbox_rules.yaml
Wed Jan  3 15:46:28 2024: Loading rules from file ../rules/falco_rules.yaml
Wed Jan  3 15:46:28 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Wed Jan  3 15:46:28 2024: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Wed Jan  3 15:46:28 2024: Loaded event sources: syscall
Wed Jan  3 15:46:28 2024: Enabled event sources: syscall
Wed Jan  3 15:46:28 2024: Opening 'syscall' source with modern BPF probe.
Wed Jan  3 15:46:28 2024: One ring buffer every '2' CPUs.

Today to obtain the above result users should run Falco with the -v which IMO is not ideal, WDYT @falcosecurity/falco-maintainers ?

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

update(rule_loader): deprecate the `append` flag in Falco rules

@Andreagit97
cleanup(rule_loader): add a common log message
4e52242 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
cleanup(rule_loader): remove useless include
ad964c0 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
update(rule_loader): deprecate append key and add a warning
55b1c02 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97 Andreagit97 requested a review from LucaGuerra January 3, 2024 15:03
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 3, 2024

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

@Andreagit97 Andreagit97 changed the title [WIP] update(rule_loader): deprecate the append flag in falco rules [WIP] PROPOSAL: update(rule_loader): deprecate the append flag in falco rules Jan 3, 2024
@FedeDP
Copy link
Contributor

FedeDP commented Jan 3, 2024

I fully agree with the proposal, and with keeping the deprecated append until Falco 1.0.0 too.

Today to obtain the above result users should run Falco with the -v which IMO is not ideal, WDYT @falcosecurity/falco-maintainers ?

I think we should split real warnings from verbose messages (if any); in your example, the warning message should always be visible; also, given that Falco is a "fire and forget" tool, i think that having a more verbose startup by default is not that impactful after all.

@incertum
Copy link
Contributor

incertum commented Jan 3, 2024

I like this a lot @Andreagit97, also ok to keep this warning until Falco 1.0.0
What about the special snowflake enabled override?

@jasondellaluce
Copy link
Contributor

What about the special snowflake enabled override?

+1 for this.

@Andreagit97 Andreagit97 mentioned this pull request Jan 4, 2024
Closed
6 tasks
@Andreagit97
update(rule_loader): deprecate enabled usage
7484bde 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
cleanup(tests): use new check_error_message helper
66cea67 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
update(rule_loader): deprecate all non-SemVer compatible values
4a1fe2f 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
cleanup(falco_engine): remove unused methods
e930f40 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
update(falco): always enable rules warnings
468897b 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@poiana poiana added size/XL and removed size/L labels Jan 4, 2024
@Andreagit97
Copy link
Member Author

Andreagit97 commented Jan 4, 2024
edited
Loading

Update:

This PR deprecates 2 things now (with relative tests):

  1. append usage without override
  2. enabled usage without override
  3. required_engine_version not SemVer compatible

Summary for Falco 0.37.0 here: #2763

I have enabled all rules warnings by default, let me know if it is OK for you. This is a possible output example:

Thu Jan  4 18:10:03 2024: Falco version: 0.37.0-231+ad964c0 (x86_64)
Thu Jan  4 18:10:03 2024: Falco initialized with configuration file: ../falco.yaml
Thu Jan  4 18:10:03 2024: System info: Linux version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2
Thu Jan  4 18:10:03 2024: Loading rules from file ../rules/falco-incubating_rules.yaml
Thu Jan  4 18:10:03 2024: Loading rules from file ../rules/falco-sandbox_rules.yaml
Thu Jan  4 18:10:03 2024: Loading rules from file ../rules/falco_rules.yaml
Thu Jan  4 18:10:03 2024: ../rules/falco_rules.yaml: Ok, with warnings
1 Warnings:
In rules content: (../rules/falco_rules.yaml:0:0)
    rule 'Fileless execution via memfd_create': (../rules/falco_rules.yaml:1252:2)
------
- rule: Fileless execution via memfd_create
  ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item): 'append' key is deprecated. Add an 'append' entry (e.g. 'condition: append') under 'override' instead.
Thu Jan  4 18:10:03 2024: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Jan  4 18:10:03 2024: Starting health webserver with threadiness 8, listening on 0.0.0.0:8765
Thu Jan  4 18:10:03 2024: Loaded event sources: syscall
Thu Jan  4 18:10:03 2024: Enabled event sources: syscall
Thu Jan  4 18:10:03 2024: Opening 'syscall' source with modern BPF probe.
Thu Jan  4 18:10:03 2024: One ring buffer every '2' CPUs.

I don't love the multi-line log but at the moment this is what we have... @jasondellaluce there was a particular reason to use fprintf(stderr,...) instead of falco::log?

@Andreagit97 Andreagit97 changed the title [WIP] PROPOSAL: update(rule_loader): deprecate the append flag in falco rules update(rule_loader): deprecate the append flag in falco rules Jan 10, 2024
@Andreagit97 Andreagit97 mentioned this pull request Jan 10, 2024
Merged
@Andreagit97
chore: bump testing submodule manually to fix e2e tests
9db9ecb 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
@Andreagit97
Copy link
Member Author

Now this should be ready

FedeDP
FedeDP previously approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Jan 11, 2024
@poiana
Copy link
Contributor

poiana commented Jan 11, 2024

LGTM label has been added.

Git tree hash: 0d42da1acd26344d1de3091beac0fa0d750eb7b3

@Andreagit97 Andreagit97 mentioned this pull request Jan 11, 2024
Closed
LucaGuerra
LucaGuerra reviewed Jan 11, 2024
View reviewed changes
userspace/engine/rule_loader_collector.cpp
@@ -244,10 +240,7 @@ void rule_loader::collector::append(configuration& cfg, rule_update_info& info)
{
auto prev = m_rule_infos.at(info.name);

THROW(!prev,
// "Rule has 'append' key or an append override but no rule by that name already exists", // TODO replace with this and update testing
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for updating these errors <3

@LucaGuerra
Copy link
Contributor

Great job Andrea! 🎉

Just a couple minor comments and I can approve :)

@Andreagit97 @LucaGuerra
cleanup: restore the name of a variable
0dcf972 
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Co-authored-by: Luca Guerra <luca.guerra@sysdig.com>
@poiana poiana removed the lgtm label Jan 11, 2024
@poiana poiana requested a review from FedeDP January 11, 2024 14:03
LucaGuerra
LucaGuerra approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@LucaGuerra LucaGuerra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@poiana poiana added the lgtm label Jan 11, 2024
@poiana
Copy link
Contributor

poiana commented Jan 11, 2024

LGTM label has been added.

Git tree hash: 4534eddb97a798dc1d15551b691fd293e31bdd1b

FedeDP
FedeDP approved these changes Jan 11, 2024
View reviewed changes
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Jan 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP, LucaGuerra

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [Andreagit97,FedeDP,LucaGuerra]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Copy link
Contributor

FedeDP commented Jan 11, 2024

/unhold

@poiana poiana merged commit a6a1a97 into falcosecurity:master Jan 11, 2024
30 checks passed
@Andreagit97 Andreagit97 mentioned this pull request Jan 15, 2024
Closed
@Andreagit97 Andreagit97 mentioned this pull request Jan 29, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@incertum incertum incertum left review comments

@LucaGuerra LucaGuerra LucaGuerra approved these changes

@FedeDP FedeDP FedeDP approved these changes

@jasondellaluce jasondellaluce Awaiting requested review from jasondellaluce

@Kaizhe Kaizhe Awaiting requested review from Kaizhe

Assignees

@FedeDP FedeDP

@LucaGuerra LucaGuerra

Labels
approved area/engine area/tests dco-signoff: yes kind/cleanup kind/design lgtm release-note size/XXL
Projects
Falco Roadmap
Archived in project
Milestone
0.37.0
Development

Successfully merging this pull request may close these issues.
7 participants
@Andreagit97 @FedeDP @incertum @jasondellaluce @leogr @poiana @LucaGuerra