Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rules validation depends on loading files order #1341

Open
Andreagit97 opened this issue Jan 9, 2024 · 12 comments
Open

Rules validation depends on loading files order #1341

Andreagit97 opened this issue Jan 9, 2024 · 12 comments
Assignees
@leogr @LucaGuerra
Labels
kind/documentation

Comments

@Andreagit97
Copy link
Member

Andreagit97 commented Jan 9, 2024
edited
Loading

Describe the bug

add a new list at the beginning of falco-incubating_rules.yaml file.

  - list: dev_creation_binaries
    append: true
    items: ["csi-provisioner", "csi-attacher", "csi-resizer"]

dev_creation_binaries is a list defined in the falco-incubating_rules.yaml file, but it is defined after this append. Now run Falco with the falco-incubating_rules.yaml file loaded.

sudo ./userspace/falco/falco -c ../falco.yaml -r ../rules/falco-incubating_rules.yaml -o engine.kind=modern_ebpf

You should face this error:

Tue Jan  9 12:19:36 2024: Falco version: 0.37.0-231+ad964c0 (x86_64)
Tue Jan  9 12:19:36 2024: Falco initialized with configuration file: ../falco.yaml
Tue Jan  9 12:19:36 2024: System info: Linux version 6.2.0-39-generic (buildd@lcy02-amd64-045) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) falcosecurity/falco#40~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 16 10:53:04 UTC 2
Tue Jan  9 12:19:36 2024: Loading rules from file ../rules/falco-incubating_rules.yaml
Error: ../rules/falco-incubating_rules.yaml: Invalid
1 Errors:
In rules content: (../rules/falco-incubating_rules.yaml:0:0)
    list 'dev_creation_binaries': (../rules/falco-incubating_rules.yaml:34:2)
------
- list: dev_creation_binaries
  ^
------
LOAD_ERR_VALIDATE (Error validating rule/macro/list/exception objects): List has 'append' key but no list by that name already exists

1 Warnings:
In rules content: (../rules/falco-incubating_rules.yaml:0:0)
    list 'dev_creation_binaries': (../rules/falco-incubating_rules.yaml:34:2)
------
- list: dev_creation_binaries
  ^
------
LOAD_DEPRECATED_ITEM (Used deprecated item): 'append' key is deprecated. Add an 'append' entry (e.g. 'condition: append') under 'override' instead.

Now if you move the append after the list definition, all works well!

Expected behaviour

Ideally, the append behavior shouldn't depend on where we put it in the file. we need to check if we can do that
@Andreagit97 Andreagit97 added the kind/bug Something isn't working label Jan 9, 2024
@Andreagit97 Andreagit97 changed the title [BUG] rules validation depends on loading files order Rules validation depends on loading files order Jan 9, 2024
@Andreagit97 Andreagit97 removed the kind/bug Something isn't working label Jan 9, 2024
@Andreagit97
Copy link
Member Author

Probably we don't have a way to solve it because we need to set a precise order, but is important to document it

@Andreagit97 Andreagit97 mentioned this issue Jan 16, 2024
Closed
@poiana
Copy link

poiana commented Apr 9, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member Author

/remove-lifecycle stale

@poiana
Copy link

poiana commented Jul 9, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@Andreagit97
Copy link
Member Author

/remove-lifecycle stale
Do we need to document it somewhere or it is ok to close it? @leogr @LucaGuerra

@leogr
Copy link
Member

leogr commented Jul 18, 2024

/remove-lifecycle stale Do we need to document it somewhere or it is ok to close it? @leogr @LucaGuerra

I believe yes.
Moving to falco-website
/kind documentation

@leogr leogr transferred this issue from falcosecurity/falco Jul 18, 2024
@leogr
Copy link
Member

leogr commented Jul 18, 2024

/assign @leogr
/assign @LucaGuerra

@poiana
Copy link

poiana commented Oct 16, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Copy link
Member

leogr commented Oct 17, 2024

/remove-lifecycle stale

@poiana
Copy link

poiana commented Jan 15, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Copy link
Member

leogr commented Jan 16, 2025

/remove-lifecycle stale

@leogr
Copy link
Member

leogr commented Jan 16, 2025

Relevant pre-existing sections:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leogr leogr

@LucaGuerra LucaGuerra

Labels
kind/documentation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@leogr @LucaGuerra @poiana @Andreagit97