Pulling docker image generates lots of alerts

[fcoelho]

What happened:

Running docker pull nginx (or almost any other image) will cause Falco to generate lots of alerts about files being modified in what seems to be the container filesystem

Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/profile container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.bash_logout container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.bashrc container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.profile container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/root/.bashrc container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/root/.profile container_id=host image=<NA>)

What you expected to happen:

Running docker pull shouldn't generate alerts like the ones above. Containers started by the ecs-agent which trigger image pulls will also generate these errors

How to reproduce it (as minimally and precisely as possible):

On an EC2 instance running the ECS-optimized Amazon Linux 2 (eg., ami-0da6ab8acebc7f9db in sa-east-1):

• Install Falco using the same steps outlined in PR Ignore sensitive mounts from ecs-agent #881
• Run docker pull nginx
• Check Falco's output with journalctl -u falco

Environment:

• Falco version (use falco --version): Falco version: 0.17.1
• System info

{
  "machine": "x86_64",
  "nodename": "ip-172-31-3-140.sa-east-1.compute.internal",
  "release": "4.14.143-118.123.amzn2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Thu Sep 12 16:54:23 UTC 2019"
}

• Cloud provider or hardware configuration: AWS, using `c5.large' but seen it in different instance types as well
• OS (e.g: cat /etc/os-release):

NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

• Kernel (e.g. uname -a): Linux ip-xxx-xxx-xxx-xxx.sa-east-1.compute.internal 4.14.143-118.123.amzn2.x86_64 #1 SMP Thu Sep 12 16:54:23 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
• Install tools (e.g. in kubernetes, rpm, deb, from source):
• Others:

[fcoelho]

Been looking at rules that match the exe /var/lib/docker pattern and found this which could be used to ignore these specific errors too: https://github.com/falcosecurity/falco/blob/dev/rules/falco_rules.yaml#L848

Is there a way to output all available fields & values when a given rule matches to write an updated rule that can handle this appropriately? (i.e., some way that is not just writing a string with dozens of fields in the rule's output)

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.