What happened:
Running docker pull nginx (or almost any other image) will cause Falco to generate lots of alerts about files being modified in what seems to be the container filesystem:
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/profile container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.bash_logout container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.bashrc container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/etc/skel/.profile container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/root/.bashrc container_id=host image=<NA>)
Warning a shell configuration file has been modified (user=root command=exe /var/lib/docker/overlay2/07747301df8c02c56a8cdc3214e6aa927b3f5ec25e1325ea8a26b0618e53abaa/diff file=/root/.profile container_id=host image=<NA>)
What you expected to happen:
Running docker pull shouldn't generate alerts like the ones above. Containers started by the ecs-agent which trigger image pulls will also generate these errors.
How to reproduce it (as minimally and precisely as possible):
On an EC2 instance running the ECS-optimized Amazon Linux 2 (e.g., ami-0da6ab8acebc7f9db in sa-east-1):
docker pull nginx
journalctl -u falco
Is there a way to output all available fields & values when a given rule matches to write an updated rule that can handle this appropriately? (i.e., some way that is not just writing a string with dozens of fields in the rule's output)
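The alerts quoted above all share the same shape: the writing process runs on the host (container_id=host), its command line is "exe /var/lib/docker/overlay2/<layer id>/diff", and the file is a shell configuration file inside that layer directory. That is dockerd re-executing itself to unpack an image layer, not a shell profile on the host being changed. The following is an added example of how a Falco user could scope the stock rule around this; it is not code from this issue or from the Falco project. It assumes the stock rule is named "Modify Shell Configuration File" (the rule whose output text matches the alerts above), that local overrides are loaded from /etc/falco/falco_rules.local.yaml, and that the parent process of the "exe" helper is dockerd, which is an assumption to verify before relying on it.

```yaml
# Added example (not part of the issue or of Falco's own rule set).
# Place in /etc/falco/falco_rules.local.yaml, which Falco loads after
# the default rules, so the exclusion is applied on top of the stock rule.

# Image layer extraction by the Docker daemon. The alert fields in this
# issue show container_id=host and a command line of
# "exe /var/lib/docker/overlay2/<id>/diff", so the match is built from
# those two facts plus the parent process. proc.pname = dockerd is an
# assumption: confirm it by adding %proc.pname to the rule output before
# relying on this macro.
- macro: docker_layer_extract
  condition: >
    container.id = host and
    proc.name = exe and
    proc.pname = dockerd and
    proc.cmdline startswith "exe /var/lib/docker/overlay2/"

# Append to the stock rule's condition instead of redefining the rule,
# so upstream changes to its detection logic are kept.
- rule: Modify Shell Configuration File
  append: true
  condition: and not docker_layer_extract
```

The exclusion is deliberately narrow: a write to /etc/profile or /root/.bashrc on the host by anything other than the daemon's layer extractor still fires, and so does a write to those paths from inside a running container, because the macro requires container.id = host. To see which fields are available for building the match, falco --list prints the supported field names with a description of each.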
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Environment:
Falco version (falco --version): Falco version: 0.17.1
System info (cat /etc/os-release):
Kernel (uname -a): Linux ip-xxx-xxx-xxx-xxx.sa-east-1.compute.internal 4.14.143-118.123.amzn2.x86_64 #1 SMP Thu Sep 12 16:54:23 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux