Reputation: 55
I have created a local test environment using minikube to test custom falco rules.
The goal is to search for keywords in the namespace and pod names and set an Info priority on them so they can be filtered out in Kibana.
The following are the custom macros and rules that I have written:
```yaml
- macro: ns_contains_whitelist_terms
  condition: k8s.ns.name = monitoring or k8s.ns.name = jenkins

- macro: pod_name_contains_whitelist_terms
  condition: >
    (k8s.pod.name startswith meseeks or
     k8s.pod.name startswith jenkins or
     k8s.pod.name startswith wazuh)

- rule: priority_whitelist_ns_alert
  desc: add an Info priority to the monitoring and jenkins namespaces
  condition: ns_contains_whitelist_terms
  output: "Namespace is jenkins or monitoring findme1"
  priority: INFO
  # Falco's rule key is `tags` (a list), not `tag`
  tags: [whitelist]

- rule: priority_whitelist_pod_name_alert
  desc: add an Info priority to pods that start with wazuh, jenkins or meseeks
  condition: pod_name_contains_whitelist_terms
  output: "Pod name starts with wazuh, jenkins or meseeks findme2"
  priority: INFO
  tags: [whitelist]
```
I have created namespaces and pods to test the rules, and they are firing when I expect them to (when falco starts up, when I spawn shells or interact with the pods, for example).
However, the alerts are firing repeatedly, sometimes hundreds at a time, so that the output when I grep the logs looks something like this sample.
Out of curiosity, I took line counts of the different rule alerts when different events occurred and noted that they are not the same. See the below table:
| Event | Namespace rule fired # | Pod name rule fired # |
|---|---|---|
| Startup | 6 | 4 |
| Spawn shell | 106 | 55 |
| apt update | 943 | 23 |
| install wget | 84 | 26 |
The only two reasons that I can think of that these rules would be triggered so many times are
I believe 2 is the more likely, but would appreciate anyone who is able to confirm that the rules I have written look alright or has any other insights.
Upvotes: 1
Views: 189
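A Falco rule is evaluated against every syscall event the driver captures, and each rule emits its own alert independently of the others. The conditions above test only the namespace or pod name, so they match every event from those workloads (which is why a syscall-heavy `apt update` produces hundreds of hits), and they do not change the priority of alerts from other rules. The following is an added example, not part of the question, of the same macros paired with an event filter so each rule fires once per process spawn; the `evt.type`/`evt.dir` predicate is the one Falco's default `spawned_process` macro uses:

```yaml
# Added example: restrict the whitelist rules to process-spawn events.
# Without an evt.type predicate a condition on k8s.ns.name alone matches
# every syscall from that namespace, one alert per event.
- macro: whitelist_spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: ns_contains_whitelist_terms
  condition: k8s.ns.name in (monitoring, jenkins)

- macro: pod_name_contains_whitelist_terms
  condition: >
    (k8s.pod.name startswith meseeks or
     k8s.pod.name startswith jenkins or
     k8s.pod.name startswith wazuh)

- rule: priority_whitelist_ns_alert
  desc: Info-priority record of process spawns in the monitoring and jenkins namespaces
  condition: whitelist_spawned_process and ns_contains_whitelist_terms
  # Output fields make the alert searchable in Kibana instead of a fixed string
  output: >
    Process spawned in whitelisted namespace
    (ns=%k8s.ns.name pod=%k8s.pod.name user=%user.name cmd=%proc.cmdline)
  priority: INFO
  tags: [whitelist]

- rule: priority_whitelist_pod_name_alert
  desc: Info-priority record of process spawns in pods starting with wazuh, jenkins or meseeks
  condition: whitelist_spawned_process and pod_name_contains_whitelist_terms
  output: >
    Process spawned in whitelisted pod
    (ns=%k8s.ns.name pod=%k8s.pod.name user=%user.name cmd=%proc.cmdline)
  priority: INFO
  tags: [whitelist]
```

With this filter a `Spawn shell` event yields one alert per rule rather than dozens; to suppress these workloads in other rules, the macros can be added as `and not ns_contains_whitelist_terms` to those rules' conditions instead.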