rules_file/rules_files not being respected

[kimberleyhallifax]

Description

I am attempting to include additional rule files including the sandbox and incubating rules. I'm doing this in a Helm chart using the following documentation here to add the following config:

But my config is not being respected.

How to reproduce it

Here is my Chart.yaml:

apiVersion: v2
description: Intrusion detection using Falco
name: falco
version: 1.1.7
dependencies:
  - name: falco
    version: 4.7.0
    repository: https://falcosecurity.github.io/charts

Here is my values.yaml file:

---
falco:
  falco:
    rules_file:
      - /etc/falco/falco_rules.yaml
      - /etc/falco/falco-incubating_rules.yaml
      - /etc/falco/falco-sandbox_rules.yaml
      - /etc/falco/k8s_audit_rules.yaml
      - /etc/falco/rules.d

  falcoctl:
    config:
      allowed_types: ["rulesfile"]
      artifact:
        install:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]
        follow:
          rulesfilesDir: /etc/falco/
          refs: [falco-rules:1,falco-incubating-rules:1,falco-sandbox-rules:1,k8s_audit_rules:1]

I have also tried this with falco Helm chart version 4.7.2 and with rules_files and that did not work either.

Expected behaviour

I expect the falco-incubating_rules.yaml, falco-sandbox_rules.yaml and k8s_audit_rules.yaml rule files to load in my pod, in addition to the default falco_rules.yaml. However, only falco_rules.yaml loads.

Here are my kubernetes pod logs to confirm that only falco_rules.yaml is being loaded:

Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falco-driver-loader (init), falcoctl-artifact-install (init)
Fri Aug  9 02:15:21 2024: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form).
Fri Aug  9 02:15:21 2024: Falco version: 0.38.1 (x86_64)
Fri Aug  9 02:15:21 2024: Falco initialized with configuration files:
Fri Aug  9 02:15:21 2024:    /etc/falco/falco.yaml
Fri Aug  9 02:15:21 2024: System info: Linux version 5.10.219-208.866.amzn2.x86_64 (mockbuild@ip-10-0-35-201) (gcc10-gcc (GCC) 10.5.0 20230707 (Red Hat 10.5.0-1), GNU ld version 2.35.2-9.amzn2.0.1) falcosecurity/rules#1 SMP Tue Jun 18 14:00:06 UTC 2024
Fri Aug  9 02:15:21 2024: Loading rules from file /etc/falco/falco_rules.yaml

Environment

• Falco version:

4.7.0 and 4.7.2

• OS:

MacOS M1

• Kernel:

Darwin VGW0681 23.6.0 Darwin Kernel Version 23.6.0: Fri Jul 5 17:56:41 PDT 2024; root:xnu-10063.141.1~2/RELEASE_ARM64_T6000 arm64

• Installation method:

Kubernetes Helm

[Andreagit97]

Ei thank you for reporting! We will take a look ASAP!
Please note that we could be slower in addressing it since there are many PTOs during this period :/ @alacuku @FedeDP

[Andreagit97]

I would move this to the main Falco repo since it seems a Falco issue

[kimberleyhallifax]

I would move this to the main Falco repo since it seems a Falco issue

I thought this was the falco repo? Could you link me the repo you're talking about @Andreagit97?

[Andreagit97]

I thought this was the falco repo? Could you link me the repo you're talking about @Andreagit97?

Yes, I moved the issue to this repo some days ago, so now it is in the Falco repo. You can read it in the above issue history, you should find something like:

Andreagit97 transferred this issue from falcosecurity/rules

You initially opened it in falcosecurity/rules while the correct repo is falcosecurity/falco. Now I see that you opened it also in falcosecurity/chart falcosecurity/charts#729 🤔

[kimberleyhallifax]

Yes, I moved the issue to this repo some days ago, so now it is in the Falco repo. You can read it in the above issue history, you should find something like:

Andreagit97 transferred this issue from falcosecurity/rules

You initially opened it in falcosecurity/rules while the correct repo is falcosecurity/falco. Now I see that you opened it also in falcosecurity/chart falcosecurity/charts#729 🤔

Ah okay I didn't realise you can move issues between repositories. I've just closed the issue I created in the charts repo and look forward to hearing a response here, thank you

[LucaGuerra]

Thank you for reporting this! I believe the documentation is out of date there and needs a bit of fixing in both the recommended rule versions and the key name. I have now tested the following

falco:
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/rules.d

falcoctl:
  config:
    allowed_types: ["rulesfile"]
    artifact:
      install:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]
      follow:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]

And it loads the incubating and sandbox rules. Does it fix your issue?

Re. k8saudit, the setup is a bit more complex because you also need to configure your k8s cluster to output audit events. see https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit for more information.

[kimberleyhallifax]

Thank you for reporting this! I believe the documentation is out of date there and needs a bit of fixing in both the recommended rule versions and the key name. I have now tested the following

falco:
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/rules.d

falcoctl:
  config:
    allowed_types: ["rulesfile"]
    artifact:
      install:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]
      follow:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]

And it loads the incubating and sandbox rules. Does it fix your issue?

Re. k8saudit, the setup is a bit more complex because you also need to configure your k8s cluster to output audit events. see https://github.com/falcosecurity/plugins/tree/main/plugins/k8saudit for more information.

This unfortunately didn't work for me. What version of the falco helm chart are you using? I'm seeing both references to allowed_types and allowedTypes online and am unsure which one I am meant to use. I am using both ["plugin","rulesfile"]. Even though I'm also using rules_files I'm still getting the warning Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form)..

[kimberleyhallifax]

I ended up working it out. allowed_types needs to be specified under artifact:, it was in the wrong spot.

falco:
  rules_files:
    - /etc/falco/falco_rules.yaml
    - /etc/falco/falco-incubating_rules.yaml
    - /etc/falco/falco-sandbox_rules.yaml
    - /etc/falco/rules.d

falcoctl:
  config:
    artifact:
      allowed_types: ["rulesfile"]
      install:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]
      follow:
        rulesfilesDir: /etc/falco/
        refs: [falco-rules:3,falco-incubating-rules:4,falco-sandbox-rules:4]

[alacuku]

@kimberleyhallifax, are you still getting the warning: Using deprecated config key 'rules_file' (singular form). Please use new 'rules_files' config key (plural form)?

[kimberleyhallifax]

Yes I am @alacuku