/exec.fifo below root throwing errors with base install on GKE cluster #738

Closed
jonnymcgow7 opened this issue Jul 24, 2019 · 5 comments · Fixed by #739
@jonnymcgow7
Contributor

jonnymcgow7 commented Jul 24, 2019

What happened:
Deployed Falco using the guide here: https://sysdig.com/blog/gke-security-using-falco/
After enabling reporting in Slack we are receiving error messages like these

```
File below / or /root opened for writing (user=root command=runc:[1:CHILD] init parent=<NA> file=/exec.fifo program=runc:[1:CHILD]) k8s.ns=<NA> k8s.pod=<NA> container=host
```

from either no pod or from one of the falco pods themselves around every 15 minutes or so.

What you expected to happen:
I expect falco to not be reporting on itself.

How to reproduce it (as minimally and precisely as possible):
We are deployed on GKE with version 1.11.10-gke.5. Falco itself is deployed using helm, with ebpf enabled and pubsubOutput enabled as well. Other than this we are following the guide in the previously mentioned link.

Anything else we need to know?:
I have already located where the error is being thrown from and have surmised that adding /exec.fifo to the list here: https://github.com/falcosecurity/falco/blob/dev/rules/falco_rules.yaml#L1265 would solve the issue, but I'm wondering whether or not others are having this problem, and if we've configured something else incorrectly ourselves. Should this possibly be added to the list of known_root_files for everyone? Or is it unique to our configuration?

Environment:

  • Falco version (use falco --version):
    Helm chart version is falco-0.7.1, app version is reported as 0.14.0 in helm chart
  • System info
  • Cloud provider or hardware configuration:
    GKE
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Install tools (e.g. in kubernetes, rpm, deb, from source):
  • Others:
@metalsong

Having exactly the same issue with GKE.

@leodido
Member

leodido commented Jul 25, 2019

Thanks @jonnymcgow7 for opening this!

Thanks also to @metalsong for contributing to it. 🎉

This looks like a cool first contribution to me! What do you think of opening a little PR? :)

The rule being thrown is this one:

falco/rules/falco_rules.yaml

Lines 1324 to 1348 in d7956a2

```yaml
- rule: Write below root
  desc: an attempt to write to any file directly below / or /root
  condition: >
    root_dir and evt.dir = < and open_write
    and not fd.name in (known_root_files)
    and not fd.directory in (known_root_directories)
    and not exe_running_docker_save
    and not gugent_writing_guestagent_log
    and not dse_writing_tmp
    and not zap_writing_state
    and not airflow_writing_state
    and not rpm_writing_root_rpmdb
    and not maven_writing_groovy
    and not chef_writing_conf
    and not kubectl_writing_state
    and not cassandra_writing_state
    and not galley_writing_state
    and not calico_writing_state
    and not rancher_writing_root
    and not known_root_conditions
    and not user_known_write_root_conditions
    and not user_known_write_below_root_activities
  output: "File below / or /root opened for writing (user=%user.name command=%proc.cmdline parent=%proc.pname file=%fd.name program=%proc.name container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]
```

So you can look at all the macros it uses as conditions.
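
As an added illustration (not Falco's code and not part of this thread), the condition quoted above can be modelled as a small Python evaluator: the macro bodies and `known_root_*` lists are simplified stand-ins, and it contrasts the filename allowlist proposed in the issue with a hypothetical process-scoped exception macro, showing what each still catches.

```python
import posixpath

# Added example, not Falco's code: a toy evaluator for the "Write below root"
# condition quoted above. Macro bodies and allowlists are simplified stand-ins.
KNOWN_ROOT_FILES = {"/root/.bashrc", "/root/.bash_history"}   # constructed subset
KNOWN_ROOT_DIRECTORIES = {"/root/.cache"}                      # constructed subset


def root_dir(event):
    """Stand-in for the root_dir macro: the file sits directly below / or /root."""
    return posixpath.dirname(event["fd.name"]) in ("/", "/root")


def runc_writing_exec_fifo(event):
    """Hypothetical scoped exception, narrower than a bare filename allowlist.
    proc.name is process-controlled, so this trims noise; it is not a trust boundary."""
    return event["proc.name"].startswith("runc") and event["fd.name"] == "/exec.fifo"


def write_below_root(event, known_root_files=KNOWN_ROOT_FILES,
                     known_root_directories=KNOWN_ROOT_DIRECTORIES, exceptions=()):
    """True when the rule fires: root_dir and evt.dir = < and open_write, minus the
    allowlisted files/directories; the other *_writing_* macros map to `exceptions`."""
    if not (root_dir(event) and event["evt.dir"] == "<" and event["open_write"]):
        return False
    if event["fd.name"] in known_root_files:
        return False
    if posixpath.dirname(event["fd.name"]) in known_root_directories:
        return False
    return not any(macro(event) for macro in exceptions)


# Constructed events shaped like the alert in the report (runc's init child writing
# /exec.fifo) and a shell doing the same thing, which an allowlist should not hide.
RUNC_EVENT = {"fd.name": "/exec.fifo", "evt.dir": "<", "open_write": True,
              "user.name": "root", "proc.name": "runc:[1:CHILD]"}
SHELL_EVENT = {**RUNC_EVENT, "proc.name": "bash"}


def compare_fixes():
    """Compare the filename allowlist proposed in the issue with a scoped macro."""
    by_filename = KNOWN_ROOT_FILES | {"/exec.fifo"}
    scoped = (runc_writing_exec_fifo,)
    return {
        "baseline_runc": write_below_root(RUNC_EVENT),                    # True
        "allowlist_runc": write_below_root(RUNC_EVENT, by_filename),      # False
        "allowlist_bash": write_below_root(SHELL_EVENT, by_filename),     # False
        "scoped_runc": write_below_root(RUNC_EVENT, exceptions=scoped),   # False
        "scoped_bash": write_below_root(SHELL_EVENT, exceptions=scoped),  # True
    }
```

The filename-only allowlist silences every writer of /exec.fifo, while the scoped macro keeps alerting on anything other than runc touching it.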

@jonnymcgow7
Contributor Author

I'd be happy to submit a PR =) I'll post it here a little later today after verifying we aren't getting the errors anymore.

@jonnymcgow7
Contributor Author

Submitted the PR. In order to resolve the issue this change will also need to be propagated through to the stable/falco helm chart. For now I've cloned the chart locally and am deploying with my private copy and it seems to have resolved the problem.

@leodido
Member

leodido commented Jul 29, 2019

Thanks!

The helm chart will be updated as soon as the next release is out (so soon! cc @nestorsalceda ) :)
