http_output not working, libcurl error: Problem with the SSL CA cert (path? access rights?) #2274
Comments
|
Hi @exiett, thanks for reporting the issue. The following PR was made to fix the bug: falcosecurity/libs#442 but it seems that the issue is still present. We are going to investigate further and fix the bug. |
|
The issue is still there btw. I am testing it by pointing Falco to a pipedream request bin like |
|
The certificates for CA were missing in the docker image, the PR #2355 fixes that for the upcoming release |
|
/milestone 0.34.0 |
|
I am assuming #2355 has fixed this PR, so |
|
@leogr: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Reopening this I'm experiencing the same problem but in normal package install on a Debian Linux. I want to talk to Falcosidekick via HTTPS.
|
|
/reopen |
|
@movd: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Quoting @movd :
👍 /reopen Note the issue may be different. Could you provide more detail about your OS/distro/environment? Or a detailed repro. Thanks in advance |
|
@leogr: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
I'm pretty sure it's same issue. If it's ok in the next release 0.34 we'll be sure. |
|
Yes sure. I can update the issue once 0.34 is out. Our setup will automatically install it. Describe the bug When I set up http_output:
enabled: true
url: https://falcosidekick.apps.example.comI'll receive the following errors: As the URL states, I deploy a Falcosidekick inside a Kubernetes Cluster, but our Falco processes lives outside of the cluster and are installed via apt. When using unencrypted HTTP, it works just fine. How to reproduce it Enable Trigger root@node01:~# echo "bad file" > /etc/falco_test.shFalco can't forward the alert: Expected behaviour Event gets forwarded to the https destination Environment
root@node01:~# falco --version
Falco version: 0.33.1
Libs version: 0.9.2
Plugin API: 2.0.0
Driver:
API version: 2.0.0
Schema version: 2.0.0
Default driver: 3.0.1+driver
root@node01:~# falco --support | jq .system_info
Wed Jan 25 09:46:01 2023: Falco version: 0.33.1 (x86_64)
Wed Jan 25 09:46:01 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed Jan 25 09:46:01 2023: Loading rules from file /etc/falco/falco_rules.yaml
Wed Jan 25 09:46:01 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
{
"machine": "x86_64",
"nodename": "node01.example.com",
"release": "5.10.0-21-amd64",
"sysname": "Linux",
"version": "#1 SMP Debian 5.10.162-1 (2023-01-21)"
}
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@node01:~# uname -a
Linux node01.example.com 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
# systemctl status falco.service
● falco.service - Falco: Container Native Runtime Security
Loaded: loaded (/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/falco.service.d
└─ebpf.conf
Active: active (running) since Wed 2023-01-25 09:43:16 CET; 3min 36s ago
Docs: https://falco.org/docs/
Main PID: 939076 (falco)
Tasks: 18 (limit: 19165)
Memory: 62.7M
CPU: 7.204s
CGroup: /system.slice/falco.service
└─939076 /usr/bin/falco --pidfile=/var/run/falco.pid
...root@node01:~# cat /etc/systemd/system/falco.service.d/ebpf.conf
# Ansible managed
# Ref: https://falco.org/docs/event-sources/drivers/#ebpf-probe
# Empty FALCO_BPF_PROBE environment variable enables eBPF support
[Service]
Environment=FALCO_BPF_PROBE=""
ExecStartPre=
ExecStopPost=Additional context The certificate is valid and works fine with plain curl (from same host to the same destination). $ curl -vL 'https://falcosidekick.apps.example.com' 2>&1 | grep -A6 'Server certificate:'
* Server certificate:
* subject: CN=*.apps.example.com
* start date: May 3 00:00:00 2022 GMT
* expire date: May 3 23:59:59 2023 GMT
* subjectAltName: host "falcosidekick.apps.example.com" matched cert's "*.apps.example.com"
* issuer: C=US; O=DigiCert Inc; CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
* SSL certificate verify ok. |
|
Sadly, even with 0.34 we face SSL issues #2395 (comment) |
|
Can confirm I'm still sadly facing the same issue. falco.yaml unit journal: I'm using a valid certificate: Environment: Let me know If I can be of any help :) |
|
I'm working on that: #2412 . I'm gonna run some tests to make sure that solves the problem! |
|
Moving to next milestone for now; possibly a 0.34.1 patch-release will be released though! |
|
Even after those fixes, this is still not fixed for RHEL-based distros, I left more details in a comment here: https://github.com/falcosecurity/libs/pull/871/files#r1142781849 It would also be great if the HTTP feature allowed users to specify a custom path to a CA bundle (ex: for using internal purpose-specific CAs). If you added an option |
|
cc @alacuku |
|
Hi @PaulFurtado, thanks for testing and reporting this. We definitely need to make the CA/certs path configurable. |
Describe the bug
After installing Falco in a Kubernetes cluster using the official Helm chart, whenever I try to output the results in a JSON format to an HTTP endpoint, Falco gives me a SSL error. Isn't this ca-certificate package supposed to come with the default installation?
How to reproduce it
helm repo add falcosecurity https://falcosecurity.github.io/chartshelm repo updatehelm install falco falcosecurity/falcoexecinto one of the pods running Falco.falco -o json_ouput=true http_output.enabled=true http_output.url=<REQUESTBIN_ADDRESS>execinto another pod (or even the same pod) to generate a Falco event.Expected behaviour
Falco sends an HTTP call to the endpoint containing the JSON of the syscall it just registered.
Screenshots
curl <MY_REQUEST_BIN>from inside a pod running Falco:{"about":"Pipedream is the fastest way to connects APIs. Build and run workflows with code-level control when you need it — and no code when you don't.","event_id":"2GfreizFr8I0hJjji77gNQEoP8Y","workflow_id":"p_LQCDnkR","owner_id":"u_KDh7vnG","deployment_id":"d_zqs7eNxx","timestamp":"2022-10-26T13:22:56.700Z","inspect":"https://pipedream.com/@/p_LQCDnkR","quickstart":"https://pipedream.com/quickstart/"}json_output=trueandhttp_output=trueenabled to the same requestbin address:falco -o json_ouput=true -o http_output.enabled=true -o http_output.url=<MY_REQUEST_BIN_ADDRESS>Environment
"machine":"x86_64","nodename":"falco-2tcqs","release":"5.13.0-1031-aws","sysname":"Linux","version":"#35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC 2022"Linux falco-2tcqs 5.13.0-1031-aws #35~20.04.1-Ubuntu SMP Mon Jun 13 22:30:30 UTC 2022 x86_64 GNU/LinuxAdditional context
TL;DR: We're trying to use the built-in functionality of HTTP Output that comes with Falco to send JSON output about syscalls that Falco catches inside our containers. The main idea is to understand if this works or Sidekick is the only alternative.
The text was updated successfully, but these errors were encountered: