Add a macro to whitelist system binaries using the network #1070
Conversation
/lgtm
LGTM label has been added. Git tree hash: a8d20d8a789a42cff29701aee203ebfd6bc6b8f9
This is targeting the wrong branch, changing the base. We are now using master.
@Kaizhe PTAL again. And thanks @marier-nico for sending over your first PR to Falco 🎉
This is the second PR of @marier-nico! So two times thanks 🤗🤗
Caught my mistake in
/cc @leodido Want to take a look at this to understand why the CI is not being triggered? /hold
Closing and reopening to let the CI handle this
LGTM label has been added. Git tree hash: 4c2971f157e1dfe8b3c116338e1bda5ff78715fa
Approved, thanks @marier-nico
…f known procs for convenience. This makes it more convenient to add more allowed procs, and many other rules have a similar mechanism to whitelist certain processes. Signed-off-by: Nicolas Marier <[email protected]>
…reate the macro. It's useful to ignore some system binaries that use the network under certain conditions, so this should be overridable by the user. Signed-off-by: Nicolas Marier <[email protected]>
LGTM label has been added. Git tree hash: 00bce8c3272cad81012d1da13c501fb7a2f7dd42
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: fntlnz, Kaizhe, leodido. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold cancel
/milestone 0.22.0
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
This PR introduces two things: a list of allowed system binaries and a macro to allow certain system binaries to use the network under certain conditions.
The list is really just for convenience and is not meant to be overridden by users. It's something I noticed many other rules had, and I figured it wouldn't hurt to add it here while I was adding the macro.
The macro is useful because someone might want to allow certain system procs to use the network under certain conditions. Our use case is that we use a program output which publishes a message to an SNS topic in AWS to be picked up by our other tools. To do this, we use the AWS CLI, which obviously needs to talk to the network. The issue is that Falco runs the command `sh -c aws cli ...` and that raises an event because `sh` is a shell binary. The macro resolves this because it allows us to whitelist the command we use (instead of whitelisting the entire `sh` binary).
Which issue(s) this PR fixes:
No issues open for this.
Does this PR introduce a user-facing change?:
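The pattern the PR describes (a convenience list of system binaries, a rule that fires when one of them uses the network, and a user-overridable macro that carves out a specific command line rather than the whole binary) looks like the following in Falco rules syntax. This is an added illustration written for this page, not the rules from the PR or from Falco's shipped ruleset: the list, macro and rule names (`system_network_binaries`, `allowed_system_binary_network_activity`, `outbound_ip_connect`, `System binary using the network`), the binary list contents, and the file names are assumptions. The `sh -c aws sns publish` command line stands in for the AWS CLI invocation the PR author mentions; the page only shows `sh -c aws cli ...`.

```yaml
# Added example, not the PR's own rules. Names are hypothetical.

# ---- default rules file (assumed: falco_rules.yaml) ----

# Helper macro that can never match (evt.num is never 0). Used as the
# default body of the overridable macro below so the rule fires on
# every hit until a user opts something in.
- macro: never_true
  condition: (evt.num = 0)

# Convenience list of system binaries whose outbound network use is
# normally suspicious. Meant to be extended by editing the rules file,
# not overridden per deployment.
- list: system_network_binaries
  items: [sh, bash, dash, cat, cp, ls, sed, awk, tail, wc, sort]

# The overridable hook. A user redefines this macro in a later-loaded
# rules file to allow a specific command without allowing the binary.
- macro: allowed_system_binary_network_activity
  condition: (never_true)

# Completed outbound connect over IPv4/IPv6, excluding loopback.
- macro: outbound_ip_connect
  condition: >
    (evt.type = connect and evt.dir = < and
     (fd.typechar = 4 or fd.typechar = 6) and
     fd.net != "127.0.0.0/8")

- rule: System binary using the network
  desc: A shell or coreutils binary opened an outbound network connection
  condition: >
    outbound_ip_connect and
    proc.name in (system_network_binaries) and
    not allowed_system_binary_network_activity
  output: >
    System binary used the network (user=%user.name command=%proc.cmdline
    connection=%fd.name parent=%proc.pname container=%container.info)
  priority: NOTICE
  tags: [network]

# ---- local overrides (assumed: falco_rules.local.yaml, loaded after) ----

# A macro of the same name without `append: true` replaces the default
# definition. Only the exact command line is allowed; every other `sh`
# that touches the network still raises the rule.
- macro: allowed_system_binary_network_activity
  condition: >
    (proc.name = sh and
     proc.cmdline startswith "sh -c aws sns publish")
```

Two practical caveats when writing the override: `proc.cmdline` is attacker-controlled, so anyone who can run `sh -c "aws sns publish ..."` (or a binary merely named that way) inherits the exemption; tightening the macro with the expected parent (`proc.pname`) or container image narrows it. And because a same-named macro without `append: true` replaces rather than extends the default, a typo in the override silently disables the carve-out or, worse, widens it, so load the rules with `falco --validate` (or run a test event through the rule) after every change.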