rule(write_etc_common): Ignore writes by etckeeper under /etc/.git/ #23
Welcome @petterreinholdtsen! It looks like this is your first PR to falcosecurity/rules 🎉 |
/kind design |
/area rules |
Hi @petterreinholdtsen, thanks for the contribution. |
cc @LucaGuerra |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community. |
@poiana: Closed this PR. In response to this:
[Leonardo Grasso]
cc @LucaGuerra
When can feedback from @LucaGuerra be expected? As far as I can tell,
the default rules for falco still cause events every time etckeeper
updates /etc/.git/.
--
Happy hacking
Petter Reinholdtsen
|
Sorry, we lost track of this. We are currently going to release Falco 0.37 in about 2 weeks, then we should have more cycles to look at this. Meanwhile, let's reopen this. Also, I recommend you take a look at the new rules maturity framework, since I guess this PR needs to be updated to reflect the new way we ship rules. I apologize again for this having taken so long. cc @falcosecurity/rules-maintainers |
@leogr: Reopened this PR. In response to this:
Rules files suggestions
falco-sandbox_rules.yaml
Comparing
Minor changes:
Patch changes:
|
Every time etckeeper updates the git history of the content in /etc/, it updates files in /etc/.git/ (and /etc/.etckeeper). This triggers a warning from falco about writes in /etc/ every time the cron job or a package update runs. This change tells the write_etc_common macro to ignore all writes under /etc/.git/ by a process whose ancestor is etckeeper and one of the scripts called by etckeeper to do the /etc/.git updates.
/kind bug
/kind design
/kind feature
/area rules
Signed-off-by: Petter Reinholdtsen <pere@hungry.com>
/area maturity-sandbox |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
It is unclear to me what you want me to do here. As far as I know, we
are waiting for feedback from one of the developers, and it seems
counterproductive to close the issue after the developers fail to
respond for 90 days.
--
Happy hacking
Petter Reinholdtsen
|
I apologize again. The re: feedback
I will ping @LucaGuerra, in case he has lost track of this. Thank you! |
I thought I already approved this. Apologies and thank you for your patience (a lot of it 😅). |
LGTM label has been added. Git tree hash: 689a72b75b14584366df221197f473213e2c19dd
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: LucaGuerra, petterreinholdtsen The full list of commands accepted by this bot can be found here. The pull request process is described here
As soon as the `WIP` is removed from the PR title it will be merged automatically. |
[Luca Guerra]
As soon as the `WIP` is removed from the PR title it will be merged
automatically.
Done.
--
Happy hacking
Petter Reinholdtsen
|
Every time etckeeper updates the git history of the content in /etc/, it updates files in /etc/.git/. This triggers a warning from falco about writes in /etc/ every time the cron job or a package update runs. This change tells the write_etc_common macro to ignore all writes under /etc/.git/ by a process whose great-grandparent is etckeeper. The parent is 'git' and the grandparent is 50vcs-commit.
/kind bug
/kind design
/kind feature
/area rules
Signed-off-by: Petter Reinholdtsen <pere@hungry.com>
Setting WIP to get feedback on the approach, in case there is a better way to do this. I want to create a similar pull request for cups and /etc/cups/printers.conf, and want feedback on the best alternative.
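
The process ancestry described above, written as a Falco macro. This is an added example, not the code from this pull request: the macro name `etckeeper_writing_etc_git` is hypothetical, and the process names are the ones given in the description.

```yaml
# Added example, not the PR's own change. The macro name is hypothetical.
#
# Ancestry of the writing process, as stated in the PR description:
#   proc.aname[3] = etckeeper       (great-grandparent)
#   proc.aname[2] = 50vcs-commit    (grandparent)
#   proc.pname    = git             (parent)
#
# The fd.name prefix keeps the exemption limited to the etckeeper
# repository under /etc/.git/.
- macro: etckeeper_writing_etc_git
  condition: >
    (fd.name startswith /etc/.git/
     and proc.pname = git
     and proc.aname[2] = "50vcs-commit"
     and proc.aname[3] = etckeeper)

# write_etc_common would then exclude these events by adding one more
# clause to its existing condition:
#
#     and not etckeeper_writing_etc_git
```

Because the macro matches on process names only, the `fd.name` prefix is what keeps the exemption narrow: writes elsewhere under /etc/ by the same process chain still raise the alert.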