Change chread namespace #1222
Change chread namespace #1222
Conversation
|
/milestone 0.24.0 |
|
@marier-nico thanks for submitting this PR. I like the changes to the rule |
@Kaizhe yeah, I was hoping to discuss that a bit! I had the feeling it would be too loose, but I didn't get much feedback in the Slack channel, so I figured it could be discussed in this PR. The thing is, I'm not really sure what to do with that macro, because there are thousands of events that I'm getting where |
can you describe more about your scenario? |
@Kaizhe Sure! So it's a bit odd, but I just went in our log stack to find some sample events to show you what types of events I wanted to ignore, and I couldn't find any that had Given that I can't find those events anymore, I think I'll just remove the commit that makes the macro too permissive! 😄 |
While using Falco, I noticed we were getting many events that were virtually identical to those that were previously filtered out by the `exexe_running_docker_save` macro, but where the `cmdline` was something like `exe /var/run/docker/netns/cc5c7b9bb110 all false`. I believe this is caused by the use of docker-in-docker. Signed-off-by: Nicolas Marier <nmarier@coveo.com>
…i` and `aws` These application binaries raise events in the `Change thread namespace` rule as part of their normal operation. Here are more details regarding each binary : - `protokube` : See [this](https://github.com/kubernetes/kops/tree/master/protokube) - `dockerd` : The `dockerd` process name is whitelisted already in this rule, but not if it is the parent, which will happen if you are doing docker-in-docker. - `tini` : See [this](https://github.com/krallin/tini) - `aws` : This one I noticed because Falco itself uses the AWS CLI to send events to SNS, which was triggering this rule. Signed-off-by: Nicolas Marier <nmarier@coveo.com>
|
LGTM label has been added. Git tree hash: 6ff5548ff9f7ae1cc072cc87705df293ba44f33a
|
|
@leodido test hangs? |
|
Thanks again @marier-nico ! |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fntlnz, Kaizhe The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
If you see an edit in the description, I just edited the release notes to follow our convention |
What type of PR is this?
/kind feature
/kind rule-update
Any specific area of the project related to this PR?
/area rules
What this PR does / why we need it:
Editing the
exe_running_docker_savemacro:While using Falco, I noticed we were getting many events that were virtually identical to those that were previously filtered out by the
exe_running_docker_savemacro, but where thecmdlinewas something likeexe /var/run/docker/netns/cc5c7b9bb110 all false. I believe this is caused by the use of docker-in-docker. This is removed by the newor proc.cmdline contains "/var/run/docker"part of the macro.Change thread namespacerule edit:These application binaries raise events in the
Change thread namespacerule as part of their normal operation.Here are more details regarding each binary :
protokube: See thisdockerd: Thedockerdprocess name is whitelisted already in thisrule, but not if it is the parent, which will happen if you are doing
docker-in-docker.
tini: See thisaws: This one I noticed because Falco itself uses the AWS CLI tosend events to SNS, which was triggering this rule.
Which issue(s) this PR fixes:
None
Does this PR introduce a user-facing change?: