
Falco 0.31 cannot record the use of shell in container (podman rootless) #1912

Closed
patrickdung opened this issue Feb 23, 2022 · 6 comments

@patrickdung

Describe the bug

Falco 0.31 cannot record the use of shell in containers (podman rootless)

How to reproduce it

This is the related rule

- rule: Terminal shell in container
  desc: A shell was used as the entrypoint/exec point into a container with an attached terminal.
  condition: >
    spawned_process and container
    and shell_procs and proc.tty != 0
    and container_entrypoint
    and not user_expected_terminal_shell_in_container_conditions
  output: "[%evt.time][%container.id] [%container.name]"
  priority: NOTICE
  tags: [container, shell, mitre_execution]

Expected behaviour

There should be a log entry when Podman executes a shell in a container.

Screenshots

Environment

  • Falco version:

Falco version: 0.31.0
Driver version: 319368f1ad778691164d33d59945e00c5752cd27

  • System info:
Wed Feb 23 15:58:27 2022: Falco version 0.31.0 (driver version 319368f1ad778691164d33d59945e00c5752cd27)
Wed Feb 23 15:58:27 2022: Falco initialized with configuration file /etc/falco/falco.yaml
Wed Feb 23 15:58:27 2022: Loading rules from file /etc/falco/falco_rules.yaml:
Wed Feb 23 15:58:28 2022: Loading rules from file /etc/falco/falco_rules.local.yaml:
Wed Feb 23 15:58:28 2022: Loading rules from file /etc/falco/k8s_audit_rules.yaml:
Wed Feb 23 15:58:28 2022: Loading rules from file /etc/falco/rules.d/local.yaml:
{
  "machine": "x86_64",
  "nodename": "[REDACTED]",
  "release": "5.16.7-200.fc35.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP PREEMPT Sun Feb 6 19:53:54 UTC 2022"
}
  • Cloud provider or hardware configuration:
  • OS: Fedora 35, Falco is using BPF not kernel module
  • Kernel:
  • Installation method: RPM

Additional context

The shell is executed in the pod by running:
podman exec -it container1 /bin/bash

@FedeDP
Contributor

FedeDP commented Mar 2, 2022

Hi! Thanks for opening this issue!
I can confirm the bug: podman as user is not correctly detected by Falco.
I opened a PR to fix this: falcosecurity/libs#236

@FedeDP
Contributor

FedeDP commented Mar 3, 2022

The fix has been merged and will be released in Falco 0.31.1 in the next couple of weeks ;)

@FedeDP
Contributor

FedeDP commented Mar 17, 2022

The fix is now released as part of Falco 0.31.1! Care to test?

@patrickdung
Author

It should be ok:

It is triggered by podman exec:

16:30:00.648040656: Notice [16:30:00.648040656][2a91b1303d4c] [container-recon]
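
As an added example (not code from this issue, from Falco, or from the falcosecurity/libs fix), the following Python script models the "Terminal shell in container" rule quoted in the issue body and renders the alert line format shown in the confirmation above. The macro bodies (spawned_process, container, shell_procs, container_entrypoint, user_expected_terminal_shell_in_container_conditions) are simplified approximations of falco_rules.yaml and are assumptions, not Falco's evaluation engine; the events are constructed, with the timestamp, container id and name copied from the confirmed alert. The point it makes is the one the maintainer confirmed: if the container detection layer does not recognise a rootless podman container, the `container` macro is false and the rule stays silent however correct the rest of the condition is, so detection coverage has to be tested per runtime rather than assumed from the rule text.

```python
# Added example: a simplified Python model of Falco's "Terminal shell in container"
# rule as quoted in the issue. The macro bodies are approximations of the ones in
# falco_rules.yaml (assumption) and exist only to show why container detection
# decides whether the rule fires; this is not Falco's own engine.

SHELL_BINARIES = {"ash", "bash", "csh", "ksh", "sh", "tcsh", "zsh", "dash"}
# Parent process names a runtime uses when it spawns an entrypoint/exec (approximation).
RUNTIME_PARENTS = {"runc", "runc:[0:PARENT]", "runc:[1:CHILD]", "docker-runc", "exe"}


def spawned_process(e):
    return e["evt.type"] in ("execve", "execveat") and e["evt.dir"] == "<"


def container(e):
    # Falco's `container` macro is container.id != host. When the runtime is not
    # detected (the maintainer's "not correctly detected"), container.id stays "host".
    return e["container.id"] != "host"


def shell_procs(e):
    return e["proc.name"] in SHELL_BINARIES


def container_entrypoint(e):
    pname = e.get("proc.pname")
    return pname is None or pname in RUNTIME_PARENTS


def user_expected_terminal_shell_in_container_conditions(e):
    # Upstream ships this macro as a placeholder for local exceptions; none here.
    return False


def rule_fires(e):
    """Evaluate the rule's `condition:` clause by clause, as the issue quotes it."""
    return (
        spawned_process(e)
        and container(e)
        and shell_procs(e)
        and e["proc.tty"] != 0
        and container_entrypoint(e)
        and not user_expected_terminal_shell_in_container_conditions(e)
    )


def format_alert(e, priority="Notice"):
    """Render the rule's `output:` the way Falco's text output prints it:
    '<evt.time>: <Priority> <output>'."""
    body = f"[{e['evt.time']}][{e['container.id']}] [{e['container.name']}]"
    return f"{e['evt.time']}: {priority} {body}"


def _exec_event(container_id, container_name, tty, pname="runc", name="bash"):
    # Constructed event, not a capture; evt.time copied from the confirmation comment.
    return {
        "evt.type": "execve", "evt.dir": "<", "evt.time": "16:30:00.648040656",
        "proc.name": name, "proc.pname": pname, "proc.tty": tty,
        "container.id": container_id, "container.name": container_name,
    }


# `podman exec -it container1 /bin/bash` once the container is recognised (0.31.1).
PODMAN_EXEC_DETECTED = _exec_event("2a91b1303d4c", "container-recon", tty=34816)
# The same exec with rootless podman not detected (the 0.31.0 behaviour): id stays "host".
PODMAN_EXEC_UNDETECTED = _exec_event("host", "host", tty=34816)
# `podman exec container1 /bin/bash` without -t: no TTY, the rule must stay quiet.
PODMAN_EXEC_NO_TTY = _exec_event("2a91b1303d4c", "container-recon", tty=0)
# Interactive bash started on the host under sshd: outside any container.
HOST_SHELL = _exec_event("host", "host", tty=34816, pname="sshd")

EVENTS = {
    "podman_exec_detected": PODMAN_EXEC_DETECTED,
    "podman_exec_undetected": PODMAN_EXEC_UNDETECTED,
    "podman_exec_no_tty": PODMAN_EXEC_NO_TTY,
    "host_shell": HOST_SHELL,
}


def evaluate_all(events=EVENTS):
    """Map each constructed event name to whether the rule fires on it."""
    return {name: rule_fires(e) for name, e in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate_all().items():
        print(f"{name:24s} fires={fired}")
    print(format_alert(PODMAN_EXEC_DETECTED))
```

Running it prints one line per constructed event and then the rendered alert, which matches the line posted in the confirmation. The `podman_exec_undetected` case is the one to keep in a regression test: every clause of the rule except `container` is satisfied, so only an end-to-end check against the real runtime (the `podman exec -it` reproduction from the issue body) proves the detection is actually in place.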

@FedeDP
Contributor

FedeDP commented Mar 17, 2022

We can close it then :)
Thanks man!

@jasondellaluce
Contributor

Closing this as this seems to be fixed by falcosecurity/libs#236 since Falco 0.31.1.
