Fix/address addl rules fps #1372
Branch force-pushed from 991a2d9 to 57e1b16.
In some cases, dropped events around the time a new container is started can result in missing the exec/clone for a process that does a setns to enter the namespace of a container. Here's an example from an oss capture:

```
282273 09:01:22.098095673 30 runc:[0:PARENT] (168555) < setns res=0
282283 09:01:22.098138869 30 runc:[0:PARENT] (168555) < setns res=0
282295 09:01:22.098179685 30 runc:[0:PARENT] (168555) < setns res=0
517284 09:01:30.128723777 13 <NA> (168909) < setns res=0
517337 09:01:30.129054963 13 <NA> (168909) < setns res=0
517451 09:01:30.129560037 2 <NA> (168890) < setns res=0
524597 09:01:30.162741004 19 <NA> (168890) < setns res=0
527433 09:01:30.179786170 18 runc:[0:PARENT] (168927) < setns res=0
527448 09:01:30.179852428 18 runc:[0:PARENT] (168927) < setns res=0
535566 09:01:30.232420372 25 nsenter (168938) < setns res=0
537412 09:01:30.246200357 0 nsenter (168941) < setns res=0
554163 09:01:30.347158783 17 nsenter (168950) < setns res=0
659908 09:01:31.064622960 12 runc:[0:PARENT] (169023) < setns res=0
659919 09:01:31.064665759 12 runc:[0:PARENT] (169023) < setns res=0
732062 09:01:31.608297074 4 nsenter (169055) < setns res=0
812985 09:01:32.217527319 6 runc:[0:PARENT] (169077) < setns res=0
812991 09:01:32.217579396 6 runc:[0:PARENT] (169077) < setns res=0
813000 09:01:32.217632211 6 runc:[0:PARENT] (169077) < setns res=0
```

When this happens, it can cause false positives for the "Change thread namespace" rule as it allows certain process names like "runc", "containerd", etc. to perform setns calls. Other rules already use the proc_name_exists macro to require that the process name exists. This change adds proc_name_exists to the Change Thread Namespace rule as well.

Signed-off-by: Mark Stemm <[email protected]>

Let programs spawned by linux-bench (CIS Linux Benchmark program) read /etc/shadow. Tests in the benchmark check for permissions of the file and accounts in the contents of the file.

Signed-off-by: Mark Stemm <[email protected]>
Branch force-pushed from 24c44cf to 7c9c37b.

Branch force-pushed from 1cb792c to a6cf13c.
@fntlnz check out the last commit, it changes the trace files that get downloaded by the tests to have versioning now. I think this is a clean way to handle changes in trace files, as I needed for this PR. We can also put the trace files in git somewhere but some of them are pretty big.
Just found a dup entry (see the comment below), otherwise it looks very good to me!!!
Thank you!!!
/milestone 0.26.0
Previously any write to a file called sources.list would match the access_repositories condition, even a file /usr/tmp/..../sources.list. Change the macro so the files in repository_files must be somewhere below any of repository_directories. Also allow programs spawned by package management programs to change these files, using package_mgmt_ancestor_procs.

Signed-off-by: Mark Stemm <[email protected]>

Add several calico images and command line programs that end up writing below /etc/calico.

Signed-off-by: Mark Stemm <[email protected]>

Let mysqlsh write below /root/.mysqlsh.

Signed-off-by: Mark Stemm <[email protected]>

Related to https://github.com/GoogleCloudPlatform/guest-oslogin, full cmdline is google_oslogin_control.

Signed-off-by: Mark Stemm <[email protected]>

Sort the items in the list falco_privileged_images alphabetically and also separate them into individual lines. Make it easier to note changes to the entries in the list using git blame.

Signed-off-by: Mark Stemm <[email protected]>

Most of these are seen in GKE and are used for core routing/metrics collection.

Signed-off-by: Mark Stemm <[email protected]>

Add a set of images known to run in the host network. Mostly related to GKE, sometimes plus metrics collection.

Signed-off-by: Mark Stemm <[email protected]>

Seen when using K8s cluster autoscaling or addon manager.

Signed-off-by: Mark Stemm <[email protected]>

Add several images seen in GKE environments that can run in the kube-system namespace. Also change the names of the lists to be more specific. The old names are retained but are kept around for backwards compatibility.

Signed-off-by: Mark Stemm <[email protected]>

Add system:managed-certificate-controller as a system role that can be modified. Can be changed as a part of upgrades.

Signed-off-by: Mark Stemm <[email protected]>

Start versioning trace files with a unique date. Any time we need to create new trace files, change TRACE_FILES_VERSION in this script and copy to traces-{positive,negative,info}-<VERSION>.zip. The zip file should unzip to traces-{positive,negative,info}, without any version.

Signed-off-by: Mark Stemm <[email protected]>
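As an added illustration (not the diff from this PR), the following Falco rule fragments show the shape of two of the fixes described in the commit messages above: requiring proc_name_exists on the setns rule, and an access_repositories macro that only matches sources.list when it sits below a repository directory. The list contents, the trimmed rule condition and the use of the pmatch path-prefix operator are assumptions, not the project's exact rules; proc_name_exists is written as the real macro is.

```yaml
# Added illustration, not the PR's diff. List contents, the trimmed
# condition and the pmatch operator are assumptions.

- macro: proc_name_exists
  condition: (proc.name!="<NA>")

- list: known_setns_binaries
  items: [runc, containerd, nsenter]   # assumed contents

# When the exec/clone of the process was dropped, proc.name is "<NA>",
# so none of the name-based exclusions below can match and the rule
# fires on ordinary container start-up. Requiring proc_name_exists
# makes such events fall out of the rule instead of alerting.
- rule: Change thread namespace
  desc: an attempt to change a program/thread's namespace by calling setns
  condition: >
    evt.type = setns
    and proc_name_exists
    and not proc.name in (known_setns_binaries)
    and not proc.name startswith "runc"
    and not proc.cmdline startswith "containerd"
  output: Namespace change (user=%user.name command=%proc.cmdline container=%container.id)
  priority: NOTICE
  tags: [process]

- list: repository_files
  items: [sources.list]

- list: repository_directories
  items: [/etc/apt, /etc/apt/sources.list.d, /etc/yum.repos.d]

# Before: any file whose basename is sources.list matched, so a write to
# /usr/tmp/x/sources.list raised the same alert as /etc/apt/sources.list.
# (Named differently here only so both forms can sit side by side.)
- macro: access_repositories_before
  condition: (fd.filename in (repository_files) or fd.directory in (repository_directories))

# After: the file must be named in repository_files AND be located below
# one of repository_directories (pmatch does path-prefix matching).
- macro: access_repositories
  condition: >
    fd.filename in (repository_files)
    and fd.name pmatch (repository_directories)
```

With the corrected macro, /usr/tmp/x/sources.list no longer matches, while /etc/apt/sources.list and files under /etc/apt/sources.list.d still do.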
Branch force-pushed from 39b97fb to 36bb3b1.
LGTM now
Thank you!
LGTM label has been added. Git tree hash: e97492b11997ab0473c3a175601c2480c3802be7
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: Kaizhe, leogr.
@mstemm Thanks for the hard work here as always! I have a question, how are the integration tests file generated? Now that they are versioned I would like to understand how we can get them to a shape where everyone can read a document on how to add new ones.
What type of PR is this?
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Address several sources of FPs, primarily from GKE environments.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: