double qoute in rule's condition is not working as expected

[developer-guy]

Describe the bug

We use Falco custom rules defined in the Cloud Native Security Hub. For example, we noticed that there is a rule defined for CVE-2019-5736 contains a list of binary names to bypass Falco rules like the following:

items: [dockerd, containerd-shim, "runc:[1:CHILD]"]

These are the proc.name's.

We've fixed it by adding an and condition to the rule.

and proc.name=runc\:\[1\:CHILD\]

When a proc.name escaping the special character such as ", Falco couldn't apply the rule against it and triggers the rule which it shouldn't.

How to reproduce it

Apply the following rule I mentioned above and see it triggers an alert based on that rule even proc.name field equals "runc:[1:CHILD]".

Expected behaviour

It should not trigger an alert

Screenshots

`falco-d2lgx falco {"priority":"Critical","rule":"Modify container entrypoint (CVE-2019-5736)","source":"syscall","tags":[],"time":"2022-01-19T10:51:15.706952699Z", "output_fields": {"container.id":"3ae6b31f8538","evt.time":1642589475706952699,"fd.name":"/proc/self/fd/5","k8s.ns.name":null,"k8s.pod.name":null,"proc.exeline":"runc init","proc.name":"runc:[1:CHILD]"}}`

Environment

• Falco version: 0.30.0
• Falco Chart version: 1.16.3

• System info:

• Cloud provider or hardware configuration:
• OS:

• Kernel:

• Installation method: Kubernetes

Additional context

[developer-guy]

cc: @Dentrax @eminaktas @necatican @yasintahaerol @f9n

[leogr]

Please note that the Cloud Native Security Hub is not maintained anymore.

Interesting issue anyway. I will take a look! Thank you for having reported it.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale
/milestone 0.32.0

[jasondellaluce]

/remove-milestone 0.32.0

/milestone 0.33.0

I fully acknowledge that string escaping is an issue in the Rule Engine. In Falco 0.32, we had many structural refactorings in it, but we aimed to not introduce any breaking changes due to the limited time window. Fixing this is in the roadmap but would mean breaking many existing rulesets, which in turn would mean providing migration guidelines/tools. I personally aim for this for Falco 0.33! In the meanwhile, Falco 0.32 fixes many other bugs in the Falco Engine and the rule loader 👉🏼 #1966

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[jasondellaluce]

/remove-milestone 0.33.0

/milestone 0.34.0

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[jasondellaluce]

/milestone 0.35.0

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[jasondellaluce]

/assign

[Andreagit97]

/remove-lifecycle rotten

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle rotten

[leogr]

/remove-lifecycle stale
/assign

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[leogr]

/remove-lifecycle stale