
Drift detected (open+create) priority does not change #1314

Closed
balpreet-telnyx opened this issue Jul 14, 2020 · 7 comments

Comments

@balpreet-telnyx

Describe the bug
I have been testing falco-master (containerized) in our environment. The "Drift detected (open+create)" rule is causing a lot of false positives and sending messages to our logging systems, which I want to avoid. My falco_rules.yaml does not have this rule anywhere -

# * "Container Drift Detected (open+create)" requires FALCO_ENGINE_VERSION 6 *
so I am assuming it's enabled by default somewhere.

To override this I added a custom rule in my custom rules file as ->

```yaml
- rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: >
    evt.type in (open,openat,creat) and
    evt.is_open_exec=true and
    container and
    not runc_writing_exec_fifo and
    not runc_writing_var_lib_docker and
    not user_known_container_drift_activities and
    evt.rawres>=0
  output: Drift detected (open+create), new executable created in a container (user=%user.name command=%proc.cmdline filename=%evt.arg.filename name=%evt.arg.name mode=%evt.arg.mode event=%evt.type)
  priority: NOTICE
```

If you observe, I modified the priority to NOTICE, but the falco config file for some reason is not respecting that. Now, if I define the priority as WARNING, Falco respects it and shows the message with priority WARNING.

How to reproduce it

On Ubuntu 18.04, use the falco-master docker image and try changing the priority of the rule from ERROR -> NOTICE or something lower.

Expected behaviour
Priority should change to NOTICE/INFO etc. If I found the rule in my falco_rules.yaml, I could simply remove it. But it's not there, so it must be defined somewhere else. I want to override this rule.

Environment
Ubuntu 18.04
Docker falco master image - pulled and tagged 5 days ago

Additional context

I have also tried uncommenting the falco_engine_version and changing it, but that hasn't helped much.

@balpreet-telnyx
Author

balpreet-telnyx commented Jul 14, 2020

Modifying the falco_rules.yaml inside the container as a temporary fix. I see this rule exists in falco:master (updated 4 days ago) but not in falco:latest (updated 2 months ago).

@leogr
Member

leogr commented Jul 15, 2020

/milestone 0.25.0

@poiana poiana added this to the 0.25.0 milestone Jul 15, 2020
@fntlnz fntlnz modified the milestones: 0.25.0, 0.26.0 Aug 25, 2020
@leogr leogr modified the milestones: 0.26.0, 0.27.0 Sep 30, 2020
@poiana
Contributor

poiana commented Dec 29, 2020

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@fntlnz fntlnz modified the milestones: 0.27.0, 0.28.0 Jan 15, 2021
@poiana
Contributor

poiana commented Feb 14, 2021

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

@poiana
Contributor

poiana commented Mar 16, 2021

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

@poiana poiana closed this as completed Mar 16, 2021
@poiana
Contributor

poiana commented Mar 16, 2021

@poiana: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@atulgcp

atulgcp commented Jan 22, 2022

  1. ssh node01

  2. vim /etc/falco/falco_rules.yaml - search for Container Drift Detected & paste it into falco_rules.local.yaml

  3. vim /etc/falco/falco_rules.local.yaml

```yaml
- rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: >
    evt.type in (open,openat,creat) and
    evt.is_open_exec=true and
    container and
    not runc_writing_exec_fifo and
    not runc_writing_var_lib_docker and
    not user_known_container_drift_activities and
    evt.rawres>=0
  # Add this / refer to the Falco documentation for the available output fields
  output: >
    %evt.time,%user.uid,%proc.name
  priority: ERROR
```

  4. vim /etc/falco/falco.yaml

```yaml
file_output:
  enabled: true
  keep_alive: false
  filename: /home/cert_masters/report. # give file path
```

  5. /etc/falc# ps -ef | grep falco

  6. /etc/falc# kill -1 10127
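Added example, not Falco's own code and not from anyone in this thread: a small Python check that replays how Falco of this era loads its rules files, to see whether a local priority override like the ones in this issue actually takes effect. It assumes the files are read in the `rules_file` order from falco.yaml and that a later rule with the same name and no `append: true` replaces the earlier definition entirely; the two rule texts are constructed stand-ins for falco_rules.yaml and falco_rules.local.yaml.

```python
import re

# Constructed stand-ins for /etc/falco/falco_rules.yaml and
# /etc/falco/falco_rules.local.yaml (only the keys this check needs).
DEFAULT_RULES = """\
- rule: Container Drift Detected (open+create)
  desc: New executable created in a container due to open+create
  condition: evt.type in (open,openat,creat) and evt.is_open_exec=true and container
  output: Drift detected (open+create) (user=%user.name command=%proc.cmdline)
  priority: ERROR
"""
LOCAL_RULES = """\
- rule: Container Drift Detected (open+create)
  desc: Same rule redefined locally with a lower priority
  condition: evt.type in (open,openat,creat) and evt.is_open_exec=true and container
  output: Drift detected (open+create) (user=%user.name command=%proc.cmdline)
  priority: NOTICE
"""

RULE_RE = re.compile(r"^- rule:\s*(.+?)\s*$")
KEY_RE = re.compile(r"^\s+(priority|append):\s*(\S+)\s*$")

def scan_rules(text):
    """Line-based scan of a rules file: returns [(rule name, {priority, append})]."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            cur = {"priority": None, "append": False}
            rules.append((m.group(1), cur))
            continue
        m = KEY_RE.match(line)
        if m and cur is not None:
            key, val = m.groups()
            cur[key] = (val.lower() == "true") if key == "append" else val.upper()
    return rules

def effective_priorities(files_in_load_order):
    """Replay 'last definition wins' across files given in rules_file order
    (assumed Falco semantics). A rule with append: true only extends the
    existing condition/output, so it never changes the priority in effect."""
    effective = {}
    for text in files_in_load_order:
        for name, attrs in scan_rules(text):
            if not attrs["append"]:
                effective[name] = attrs["priority"]
    return effective
```

Run it with the two files in both orders: with the local file loaded last the rule ends up at NOTICE, with the stock file loaded last the ERROR definition silently wins, which is the first thing to check when an override like the one above appears to be ignored.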
