falco: Falco Provides Unclear Error Message When Kevt in Condition and Source Type is Syscall

Describe the bug

When parsing certain rules files, Falco can give unclear error messages as to why it failed to parse, such as “Error loading rules: parser API error”. It is not clear to the end user how to fix this.

How to reproduce it

Create a Falco rules file with the following content:

---
- macro: "kevt"
  condition: "(jevt.value[/stage] in (k8s_audit_stages))"
  append: false

- rule: "test"
  desc: "test"
  condition: "kevt"
  output: "output"
  priority: "WARNING"
  tags: []
  source: "syscall"
  append: false

Run falco -V kevt.yaml or whatever you name the file

Falco outputs:

Thu Sep  3 00:10:22 2020: Validating rules file(s):
Thu Sep  3 00:10:22 2020:    kevt.yaml
Rule test: warning (no-evttype):
kevt
         did not contain any evt.type restriction, meaning it will run for all event types.
         This has a significant performance penalty. Consider adding an evt.type restriction if possible.
Error loading rules: parser API error
Thu Sep  3 00:10:22 2020: Runtime error: Error loading rules: parser API error. Exiting.

Expected behaviour

An informative error message. It is not clear to the user how to fix “parser API error”.

Screenshots

N/A

Environment

  • Falco version: 0.22.1 "system_info":{"machine":"x86_64","nodename":"vagrant-ubuntu-trusty-64","release":"3.13.0-163-generic","sysname":"Linux","version":"#213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018"}
  • Kernel: Linux vagrant-ubuntu-trusty-64 3.13.0-163-generic #213-Ubuntu SMP Thu Nov 15 02:19:07 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: DEB

Additional context

N/A

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 20 (7 by maintainers)

Most upvoted comments

Can this issue please be kept open and addressed? I think it is important to fix the error message

Following up on this. Right now, the rule loader would output the following:

Wed Apr  6 15:32:07 2022: Runtime error: Could not load rules file ../rules/falco_rules.yaml: 1 errors:
Rule test: error filter_check called with nonexistent field jevt.value[/stage]
---
- rule: "test"
  desc: "test"
  condition: "kevt"
  output: "output"
  priority: "WARNING"
  tags: []
  source: "syscall"
  append: false
---

Which is the correct error message I would expect. In fact what it is saying here is that no field jevt.value is available because the rule uses the “syscall” source. By changing the rule source to “k8s_audit” the ruleset is accepted. ykcilborw, WDYT? If you would like the error message to be more explicit, any feedback would be appreciated!
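Added example, not Falco's own code and not from this thread: a small Python pre-check that expands macros into each rule's condition and flags every field whose class the rule's source cannot provide, which is the situation the comment above describes (a jevt field reached through the kevt macro in a syscall-source rule). The ruleset is the report's YAML re-typed as Python data, and the per-source field-class table is an assumed small subset of Falco's real field classes.

```python
import re

# Constructed sample, equivalent to the YAML in the report (Python data, so
# no YAML library is needed).
RULES = [
    {"macro": "kevt", "condition": "(jevt.value[/stage] in (k8s_audit_stages))"},
    {"rule": "test", "desc": "test", "condition": "kevt", "output": "output",
     "priority": "WARNING", "source": "syscall"},
]

# Field-class prefixes each source can provide. Assumption: a small subset of
# Falco's real field classes, enough to illustrate the check.
SOURCE_FIELDS = {
    "syscall": ("evt", "proc", "fd", "container", "user", "group"),
    "k8s_audit": ("jevt", "ka"),
}

# A field reference: class name, a dot, the field name, optional [argument].
FIELD_RE = re.compile(r"\b([a-z_]+)\.[a-z0-9_.]+(?:\[[^\]]*\])?")


def expand_macros(condition, macros, max_depth=32):
    """Substitute macro names with their parenthesised bodies, repeatedly."""
    for _ in range(max_depth):
        before = condition
        for name, body in macros.items():
            # Whole word only, and never a field class such as "evt." in "evt.type".
            pattern = r"\b%s\b(?!\.)" % re.escape(name)
            condition = re.sub(pattern, "(" + body + ")", condition)
        if condition == before:
            return condition
    raise ValueError("macro expansion did not converge (cycle?)")


def check_rules(rules):
    """Return one message per field that the rule's source cannot provide."""
    macros = {r["macro"]: r["condition"] for r in rules if "macro" in r}
    errors = []
    for r in (x for x in rules if "rule" in x):
        source = r.get("source", "syscall")  # Falco's default source
        for m in FIELD_RE.finditer(expand_macros(r["condition"], macros)):
            cls = m.group(1)
            if cls in SOURCE_FIELDS.get(source, ()):
                continue
            fits = [s for s, v in SOURCE_FIELDS.items() if cls in v]
            hint = " (provided by source %s)" % "/".join(fits) if fits else ""
            errors.append("Rule %s: field %s is not available for source %r%s"
                          % (r["rule"], m.group(0), source, hint))
    return errors
```

Running check_rules(RULES) reports the jevt.value[/stage] field against the syscall source and names k8s_audit as the source that provides it; switching the rule's source to k8s_audit, as the comment suggests, yields no errors.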