Added event for default stable rule "Remove Bulk Data from Disk"

[GLVSKiriti]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:
Added an event for the default stable rule "Remove Bulk Data from Disk" which is very important to test because sometimes bulk data removal can be done with the intention to destroy data, possibly interrupting availability to systems.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

[GLVSKiriti]

Kindly tell me if any changes required!!

[leogr]

I guess we need to clean up the temp dir.

[leogr]

Suggested change

	tmpDir, err := os.MkdirTemp(os.TempDir(), "created-by-falco-event-generator")
	tmpDir, err := os.MkdirTemp(os.TempDir(), "created-by-falco-event-generator")
	defer os.RemoveAll(tmpDir) // clean up

[GLVSKiriti]

@leogr why again defer os.RemoveAll(tmpDir) as we already removing it with shred command in the same code at last

event-generator/events/syscall/remove_bulk_data_from_disk.go

Lines 42 to 44 in da107c6

	cmd := exec.Command("shred", "-u", tmpDir)
	err = cmd.Run()
	return err

[leogr]

I did not consider that, you're likely right.

Just one doubt: what happens if shred fails? 🤔

[GLVSKiriti]

irrespective of shred exist or not ! the rule is triggering in this case

[GLVSKiriti]

See here mkfs utility is not there in my system. Also the rule is triggering irrespective of utility existence

[GLVSKiriti]

@leogr This is also working fine i.e, it produces warning message on left terminal

[leogr]

I did not consider that, you're likely right.

Just one doubt: what happens if shred fails? 🤔

[GLVSKiriti]

@leogr This is also working fine i.e, it produces warning message on left terminal

Just updated and test is also successful now!!

Question: whether to skip action if shred utility not exists?

IMO Instead of directly skipping action can we just run the command so that rule triggers? and if shred not exists clean up happens and remove the file by

    defer os.Remove(filename)

[leogr]

Question: whether to skip action if shred utility not exists?

My original idea was that we should skip the action whenever the preconditions are not met. Here's a clear example of a skipped action due to a missing utility:

event-generator/events/syscall/schedule_cron_jobs.go

Lines 35 to 41 in ddf4731

	path, err := exec.LookPath("crontab")
	if err != nil {
	// if we don't have a crontab, just bail
	return &events.ErrSkipped{
	Reason: "crontab utility not found in path",
	}
	}

That being said, if just trying to execute the shred command, the rule will be triggered (even when the utility is missing), then I am ok with your proposal 👇

IMO Instead of directly skipping action can we just run the command so that rule triggers?

In such a case, please just leave a code comment to explain why what we are doing.

Thanks

[GLVSKiriti]

IMO Instead of directly skipping action can we just run the command so that rule triggers?

In such a case, please just leave a code comment to explain why what we are doing.

Just added the comments!

[poiana]

LGTM label has been added.

Git tree hash: b66fe657a922e9ba9a76595b8ff7b093333a0c53

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: GLVSKiriti, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment