Add list support to rules file. #98
Conversation
| @@ -307,13 +305,13 @@ | |||
| # sshd, sendmail-msp, sendmail attempt to setuid to root even when running as non-root. Excluding here to avoid meaningless FPs | |||
| - rule: non_sudo_setuid | |||
| desc: an attempt to change users by calling setuid. sudo/su are excluded. user "root" is also excluded, as setuid calls typically involve dropping privileges. | |||
| condition: evt.type=setuid and evt.dir=> and not user.name=root and not userexec_binaries and not proc.name in (sshd, sendmail-msp, sendmail) | |||
| condition: evt.type=setuid and evt.dir=> and not user.name=root and not proc.name in (userexec_binaries, sshd, sendmail-msp, sendmail) | |||
There was a problem hiding this comment.
so a list (a, b, c) can contain a mix of lists and individual elements, and the result is a list where the included lists have been automatically expanded? e.g. (a, b, [c, d, e]) is the same thing as (a, b, d, c, e)?
There was a problem hiding this comment.
Currently, lists cannot contain references to other lists. I had started on that support, but it made the code more complex and there wasn't a need for it with the current set of binaries.
Macros/rules, like this one, can contain a mix of individual items and list references, and you're right that the list reference is expanded directly to a single top-level set of items.
Once sysdig adds support for handling "in (...)" filter expressions as set membership tests, it will be advantageous to combine lists of items together into a single list so they can all be checked in a single set membership test. This commit adds support for a new yaml item type "list" containing a field "name" and field "items" containing a list of items. These are represented as a yaml list, which allows yaml to handle some of the initial parsing with the list items maintained natively in lua. Allow lists to contain list references by expanding any references to the items in the list, before storing the list items in state.lists. When parsing macro or rule conditions, replace all references to a list name with the list items as a comma separated string. Modify the falco rules to switch to lists whenever possible. The new convention is to use the suffix _binaries for lists of program names and _procs for macros that define a filter expression using the list.
|
@henridf if you have other feedback lemme know, but I'll go ahead and merge this now. |
Once sysdig adds support for handling "in (...)" filter expressions as
set membership tests, it will be advantageous to combine lists of items
together into a single list so they can all be checked in a single set
membership test.
This commit adds support for a new yaml item type "list" containing a
field "name" and field "items" containing a list of items. These are
represented as a yaml list, which allows yaml to handle some of the
initial parsing with the list items maintained natively in lua.
When parsing macro or rule conditions, replace all references to a list
name with the list items as a comma separated string.
Modify the falco rules to switch to lists whenever possible. The
new convention is to use the suffix _binaries for lists of program names
and _procs for macros that define a filter expression using the list.