aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

[Policies] Rules or scope not being respected by Tracee #3879

Closed hangrymuppet closed 9 months ago

hangrymuppet commented 9 months ago

Description

Tracee is emitting events that are not included in container scope and also events that are not in the rules list in its output. There are thousands of events per second and this is overwhelming logging infrastructure.

There are two examples below; both have empty matchedPolicies fields.

Event Output

1. net_packet_http_request event not in the policy.

```json
{ "timestamp": 1708472596270507125, "threadStartTime": 1707279037876750021, "processorId": 1, "processId": 13, "cgroupId": 10372, "threadId": 15, "parentProcessId": 1, "hostProcessId": 302149, "hostThreadId": 302162, "hostParentProcessId": 302089, "userId": 0, "mountNamespace": 4026533464, "pidNamespace": 4026533465, "processName": "flb-pipeline", "executable": { "path": "" }, "hostName": "fluent-bit-t9hm", "containerId": "XXXX", "container": { "id": "XXXX", "name": "fluent-bit", "image": "XXXX/fluent-bit:v2.2.0", "imageDigest": "XXXX/fluent-bit@sha256:XXXX" }, "kubernetes": { "podName": "fluent-bit-t9hm6", "podNamespace": "logging", "podUID": "b26961b3-17c8-4add-9aa0-79bc67dad116" }, "eventId": "2010", "eventName": "net_packet_http_request", "matchedPolicies": [ "" ], "argsNum": 2, "returnValue": 0, "syscall": "sendto", "stackAddresses": [ 0 ], "contextFlags": { "containerStarted": true, "isCompat": false }, "threadEntityId": 3807349527, "processEntityId": 3197503450, "parentEntityId": 4130927439, "args": [ { "name": "metadata", "type": "trace.PktMeta", "value": { "src_ip": "XXXXX", "dst_ip": "XXXXX", "src_port": 56988, "dst_port": 3100, "protocol": 6, "packet_len": 225, "iface": "any" } }, { "name": "http_request", "type": "trace.ProtoHTTPRequest", "value": { "method": "POST", "protocol": "HTTP/1.1", "host": "XXXX", "uri_path": "/loki/api/v1/push", "headers": { "Connection": [ "keep-alive" ], "Content-Length": [ "1499" ], "Content-Type": [ "application/json" ], "User-Agent": [ "Fluent-Bit" ] }, "content_length": 1499 } } ] }
```

2. security_socket_connect event not in the policy and in host scope, whereas the policy specifies container scope.

```json
{ "timestamp": 1708472596370235936, "threadStartTime": 1706192218472036490, "processorId": 0, "processId": 1820340, "cgroupId": 1, "threadId": 1820407, "parentProcessId": 1, "hostProcessId": 1820340, "hostThreadId": 1820407, "hostParentProcessId": 1, "userId": 0, "mountNamespace": 4026531840, "pidNamespace": 4026531836, "processName": "kubelet", "executable": { "path": "" }, "hostName": "k8s", "containerId": "", "container": {}, "kubernetes": {}, "eventId": "735", "eventName": "security_socket_connect", "matchedPolicies": [ "" ], "argsNum": 3, "returnValue": 0, "syscall": "connect", "stackAddresses": null, "contextFlags": { "containerStarted": false, "isCompat": false }, "threadEntityId": 1725199941, "processEntityId": 3203671770, "parentEntityId": 1844877023, "args": [ { "name": "sockfd", "type": "int", "value": 639893506 }, { "name": "type", "type": "string", "value": "SOCK_STREAM" }, { "name": "remote_addr", "type": "struct sockaddr*", "value": { "sa_family": "AF_INET", "sin_addr": "169.254.25.10", "sin_port": "9254" } } ] }
```

Config file

```yaml
apiVersion: v1
data:
  config.yaml: |-
    blobPerfBufferSize: ""
    cache:
      size: 512
      type: mem
    cri:
    - runtime:
        name: containerd
        socket: /var/run/containerd/containerd.sock
    - runtime:
        name: docker
        socket: /var/run/docker.sock
    - runtime:
        name: cri-o
        socket: /var/run/crio/crio.sock
    - runtime:
        name: podman
        socket: /var/run/podman/podman.sock
    healthz: true
    installPath: ""
    listenAddr: :3366
    log:
      level: info
    metrics: true
    output:
      json:
        files:
        - stdout
      options:
        execEnv: true
        execHash: true
        parseArguments: true
        relativeTime: true
        sortEvents: false
        stackAddresses: false
    perfBufferSize: 1024
    pprof: false
    pyroscope: false
    signaturesDir: ""
kind: ConfigMap
metadata:
  creationTimestamp: "2024-02-16T00:08:34Z"
  labels:
    app.kubernetes.io/instance: tracee
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: tracee
    app.kubernetes.io/version: 0.20.0
    helm.sh/chart: tracee-0.20.0
  name: tracee-config
  namespace: nanna-tracee
  resourceVersion: "277500421"
  uid: be8ee520-3e80-4f53-b8bb-dc3a07660974
```

Policy file

```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  annotations:
    description: traces default events
    meta.helm.sh/release-name: tracee
    meta.helm.sh/release-namespace: nanna-tracee
  creationTimestamp: "2024-02-16T00:08:34Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
  name: default-policy
  resourceVersion: "272161700"
  uid: e5284373-d8a8-49cc-b008-4bff9843652b
spec:
  rules:
  - event: stdio_over_socket
  - event: k8s_api_connection
  - event: aslr_inspection
  - event: proc_mem_code_injection
  - event: docker_abuse
  - event: scheduled_task_mod
  - event: ld_preload
  - event: cgroup_notify_on_release
  - event: default_loader_mod
  - event: sudoers_modification
  - event: sched_debug_recon
  - event: system_request_key_mod
  - event: cgroup_release_agent
  - event: rcd_modification
  - event: core_pattern_modification
  - event: proc_kcore_read
  - event: proc_mem_access
  - event: hidden_file_created
  - event: anti_debugging
  - event: ptrace_code_injection
  - event: process_vm_write_inject
  - event: disk_mount
  - event: dynamic_code_loading
  - event: fileless_execution
  - event: illegitimate_shell
  - event: kernel_module_loading
  - event: k8s_cert_theft
  - event: proc_fops_hooking
  - event: syscall_hooking
  - event: dropped_executable
  - event: container_create
  - event: container_remove
  scope:
  - container
```

Output of tracee version:

The command below was run from inside the container in k8s.

```
~ # /tracee/tracee version
Tracee version: v0.20.0
```

Output of uname -a:

```
~ # uname -a
Linux nanna-tracee-2wxv7 4.18.0-513.5.1.el8_9.x86_64 #1 SMP Fri Sep 29 05:21:10 EDT 2023 x86_64 GNU/Linux
```

Additional details

It looks like all events (network, syscalls, extra) are being emitted by tracee.

hangrymuppet commented 9 months ago

Updating the policy to have just 1 event still results in all events being shown in the logs.

Policy

```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  annotations:
    description: traces default events
    meta.helm.sh/release-name: tracee
    meta.helm.sh/release-namespace: nanna-tracee
  creationTimestamp: "2024-02-16T00:08:34Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
  name: default-policy
  resourceVersion: "277834719"
  uid: e5284373-d8a8-49cc-b008-4bff9843652b
spec:
  rules:
  - event: stdio_over_socket
  scope:
  - container
```

NDStrahilevitz commented 9 months ago

@geyslan net packet is derived and security_socket_connect can be derived, sounds like a possible relation. If we can reproduce I think we should also release a minor with this fixed WDYT?

geyslan commented 9 months ago

> If we can reproduce I think we should also release a minor with this fixed WDYT?

@NDStrahilevitz absolutely.

geyslan commented 9 months ago

I wasn't able to reproduce it locally, either in the global or in the container scope - using this single policy.

This

```bash
sudo ./dist/tracee --config examples/config/global_config.yaml -s container -e stdio_over_socket,net_packet_http_request
```

returned only expected:

```json
{"timestamp":325706186936,"threadStartTime":325705730394,"processorId":2,"processId":8,"cgroupId":24903,"threadId":8,"parentProcessId":1,"hostProcessId":504379,"hostThreadId":504379,"hostParentProcessId":503762,"userId":0,"mountNamespace":4026534646,"pidNamespace":4026534649,"processName":"nc","executable":{"path":""},"hostName":"hb0","containerId":"c4908f5d0086bcd349366028811050833066cda685d6e440bf8c6eadaa6f300d","container":{"id":"c4908f5d0086bcd349366028811050833066cda685d6e440bf8c6eadaa6f300d","name":"trusting_pare","image":"alpine:latest","imageDigest":"alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b"},"kubernetes":{},"eventId":"6000","eventName":"stdio_over_socket","matchedPolicies":[""],"argsNum":4,"returnValue":0,"syscall":"dup2","stackAddresses":null,"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":3042714030,"processEntityId":3042714030,"parentEntityId":206480808,"args":[{"name":"IP address","type":"const char *","value":"::1"},{"name":"Port","type":"const char *","value":"4444"},{"name":"File descriptor","type":"int","value":0},{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"oldfd","type":"int","value":3},{"name":"newfd","type":"int","value":0},{"name":"remote_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET6","sin6_addr":"::1","sin6_flowinfo":"0","sin6_port":"4444","sin6_scopeid":"0"}}],"id":748,"name":"socket_dup","returnValue":0}}],"metadata":{"Version":"2","Description":"A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. 
Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.","Tags":null,"Properties":{"Category":"execution","Kubernetes_Technique":"","Severity":3,"Technique":"Unix Shell","external_id":"T1059.004","id":"attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56","signatureID":"TRC-101","signatureName":"Process standard input/output over socket detected"}}}
{"timestamp":325706191314,"threadStartTime":325705730394,"processorId":2,"processId":8,"cgroupId":24903,"threadId":8,"parentProcessId":1,"hostProcessId":504379,"hostThreadId":504379,"hostParentProcessId":503762,"userId":0,"mountNamespace":4026534646,"pidNamespace":4026534649,"processName":"nc","executable":{"path":""},"hostName":"hb0","containerId":"c4908f5d0086bcd349366028811050833066cda685d6e440bf8c6eadaa6f300d","container":{"id":"c4908f5d0086bcd349366028811050833066cda685d6e440bf8c6eadaa6f300d","name":"trusting_pare","image":"alpine:latest","imageDigest":"alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b"},"kubernetes":{},"eventId":"6000","eventName":"stdio_over_socket","matchedPolicies":[""],"argsNum":4,"returnValue":0,"syscall":"dup2","stackAddresses":null,"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":3042714030,"processEntityId":3042714030,"parentEntityId":206480808,"args":[{"name":"IP address","type":"const char *","value":"::1"},{"name":"Port","type":"const char *","value":"4444"},{"name":"File descriptor","type":"int","value":1},{"name":"triggeredBy","type":"unknown","value":{"args":[{"name":"oldfd","type":"int","value":0},{"name":"newfd","type":"int","value":1},{"name":"remote_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET6","sin6_addr":"::1","sin6_flowinfo":"0","sin6_port":"4444","sin6_scopeid":"0"}}],"id":748,"name":"socket_dup","returnValue":0}}],"metadata":{"Version":"2","Description":"A process has its standard input/output redirected to a socket. This behavior is the base of a Reverse Shell attack, which is when an interactive shell being invoked from a target machine back to the attacker's machine, giving it interactive control over the target. 
Adversaries may use a Reverse Shell to retain control over a compromised target while bypassing security measures like network firewalls.","Tags":null,"Properties":{"Category":"execution","Kubernetes_Technique":"","Severity":3,"Technique":"Unix Shell","external_id":"T1059.004","id":"attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56","signatureID":"TRC-101","signatureName":"Process standard input/output over socket detected"}}}
```

This

```bash
sudo ./dist/tracee --config examples/config/global_config.yaml -s container -e stdio_over_socket,net_packet_http_request,stdio_over_socket,k8s_api_connection,aslr_inspection,proc_mem_code_injection,docker_abuse,scheduled_task_mod,ld_preload,cgroup_notify_on_release,default_loader_mod,sudoers_modification,sched_debug_recon,system_request_key_mod,cgroup_release_agent,rcd_modification,core_pattern_modification,proc_kcore_read,proc_mem_access,hidden_file_created,anti_debugging,ptrace_code_injection,process_vm_write_inject,disk_mount,dynamic_code_loading,fileless_execution,illegitimate_shell,kernel_module_loading,k8s_cert_theft,proc_fops_hooking,syscall_hooking,dropped_executable,container_create,container_remove
```

also returned only what was expected without confusion between host and containers.

I also tested the config and policies above in minikube and all worked ok.

Stress from the host:

wrk output

```
wrk -t32 -c1000 -d30s http://example.com
Running 30s test @ http://example.com
  32 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   134.93ms   27.17ms 758.55ms   96.24%
    Req/Sec   231.61     66.90   313.00     67.08%
  219825 requests in 30.08s, 335.03MB read
  Socket errors: connect 3, read 0, write 0, timeout 0
Requests/sec:   7307.08
Transfer/sec:     11.14MB
```

ab output

```
ab -n 100000 -c 1000 http://example.com/
This is ApacheBench, Version 2.3 <$Revision: 1903618 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Benchmarking example.com (be patient)
Completed 10000 requests
Completed 20000 requests
Completed 30000 requests
Completed 40000 requests
Completed 50000 requests
Completed 60000 requests
Completed 70000 requests
Completed 80000 requests
Completed 90000 requests
apr_socket_recv: Connection reset by peer (104)
Total of 90513 requests completed
```

@NDStrahilevitz if you are able to reproduce it, please post the steps.

NDStrahilevitz commented 9 months ago

@geyslan I suspect from his issue that this might be an openshift issue. Note that the kernel is 4.18.0-513.5.1.el8_9.x86_64. I'll test this on such an env for now. @hangrymuppet Am I correct in my guess?

hangrymuppet commented 9 months ago

@NDStrahilevitz this is not specifically an openshift issue; we don't use openshift.

We are running on a supported RHEL kernel and we deploy our own rolled k8s.

However, I can repro this on my local mac dev machine (using docker-desktop version 4.26.1) with a different kernel.

Side note: newer versions of docker-desktop broke Tracee; some features were removed in the Linux VM that is shipped with Docker. I plan to open a separate issue with them for this (just mentioning it here to explain why I am on an older Docker release).

Docker linuxkit kernel

```
Linux nanna-tracee-8fblb 6.5.11-linuxkit #1 SMP PREEMPT Wed Dec 6 17:08:31 UTC 2023 aarch64 GNU/Linux
```

Sample of output from tracee in docker-desktop 4.26.1 on mac

Events in output

```json
{"timestamp":14636357673,"threadStartTime":-10561039386234,"processorId":0,"processId":104,"cgroupId":125436,"threadId":7414,"parentProcessId":1,"hostProcessId":188749,"hostThreadId":202142,"hostParentProcessId":188614,"userId":0,"mountNamespace":4026533686,"pidNamespace":4026533689,"processName":"containerd","executable":{"path":""},"hostName":"kind-control-pl","containerId":"","container":{},"kubernetes":{},"eventId":"735","eventName":"security_socket_connect","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"connect","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":4257465858,"processEntityId":834751954,"parentEntityId":547845701,"args":[{"name":"sockfd","type":"int","value":149},{"name":"type","type":"string","value":"SOCK_STREAM"},{"name":"remote_addr","type":"struct sockaddr*","value":null}]}
{"timestamp":14647615548,"threadStartTime":-10791106133172,"processorId":6,"processId":104,"cgroupId":125436,"threadId":6793,"parentProcessId":1,"hostProcessId":188749,"hostThreadId":201143,"hostParentProcessId":188614,"userId":0,"mountNamespace":4026533686,"pidNamespace":4026533689,"processName":"containerd","executable":{"path":""},"hostName":"kind-control-pl","containerId":"","container":{},"kubernetes":{},"eventId":"735","eventName":"security_socket_connect","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"connect","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":3389265345,"processEntityId":834751954,"parentEntityId":547845701,"args":[{"name":"sockfd","type":"int","value":149},{"name":"type","type":"string","value":"SOCK_STREAM"},{"name":"remote_addr","type":"struct sockaddr*","value":null}]}
{"timestamp":14658404507,"threadStartTime":-10561039386234,"processorId":0,"processId":104,"cgroupId":125436,"threadId":7414,"parentProcessId":1,"hostProcessId":188749,"hostThreadId":202142,"hostParentProcessId":188614,"userId":0,"mountNamespace":4026533686,"pidNamespace":4026533689,"processName":"containerd","executable":{"path":""},"hostName":"kind-control-pl","containerId":"","container":{},"kubernetes":{},"eventId":"735","eventName":"security_socket_connect","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"connect","stackAddresses":null,"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":4257465858,"processEntityId":834751954,"parentEntityId":547845701,"args":[{"name":"sockfd","type":"int","value":149},{"name":"type","type":"string","value":"SOCK_STREAM"},{"name":"remote_addr","type":"struct sockaddr*","value":null}]}
{"timestamp":14660498090,"threadStartTime":-880390126026,"processorId":1,"processId":1,"cgroupId":143361,"threadId":14,"parentProcessId":1,"hostProcessId":228230,"hostThreadId":228286,"hostParentProcessId":228045,"userId":0,"mountNamespace":4026532958,"pidNamespace":4026532959,"processName":"coredns","executable":{"path":""},"hostName":"coredns-5dd5756","containerId":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","container":{"id":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","name":"coredns","image":"registry.k8s.io/coredns/coredns:v1.10.1","imageDigest":"registry.k8s.io/coredns/coredns:v1.10.1"},"kubernetes":{"podName":"coredns-5dd5756b68-p5mcd","podNamespace":"kube-system","podUID":"4032b4af-f34d-474d-a130-ab109e4c8071"},"eventId":"735","eventName":"security_socket_connect","matchedPolicies":[""],"argsNum":3,"returnValue":0,"syscall":"connect","stackAddresses":null,"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":1494091607,"processEntityId":3178261270,"parentEntityId":427614759,"args":[{"name":"sockfd","type":"int","value":13},{"name":"type","type":"string","value":"SOCK_STREAM"},{"name":"remote_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET","sin_addr":"0.0.0.0","sin_port":"8080"}}]}
{"timestamp":14660591048,"threadStartTime":-880373020276,"processorId":8,"processId":1,"cgroupId":143361,"threadId":15,"parentProcessId":1,"hostProcessId":228230,"hostThreadId":228287,"hostParentProcessId":228045,"userId":0,"mountNamespace":4026532958,"pidNamespace":4026532959,"processName":"coredns","executable":{"path":""},"hostName":"coredns-5dd5756","containerId":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","container":{"id":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","name":"coredns","image":"registry.k8s.io/coredns/coredns:v1.10.1","imageDigest":"registry.k8s.io/coredns/coredns:v1.10.1"},"kubernetes":{"podName":"coredns-5dd5756b68-p5mcd","podNamespace":"kube-system","podUID":"4032b4af-f34d-474d-a130-ab109e4c8071"},"eventId":"736","eventName":"security_socket_accept","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"accept4","stackAddresses":null,"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":4200082076,"processEntityId":3178261270,"parentEntityId":427614759,"args":[{"name":"sockfd","type":"int","value":8},{"name":"local_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET6","sin6_addr":"::","sin6_flowinfo":"0","sin6_port":"8080","sin6_scopeid":"0"}}]}
{"timestamp":14660626715,"threadStartTime":-880373020276,"processorId":8,"processId":1,"cgroupId":143361,"threadId":15,"parentProcessId":1,"hostProcessId":228230,"hostThreadId":228287,"hostParentProcessId":228045,"userId":0,"mountNamespace":4026532958,"pidNamespace":4026532959,"processName":"coredns","executable":{"path":""},"hostName":"coredns-5dd5756","containerId":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","container":{"id":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","name":"coredns","image":"registry.k8s.io/coredns/coredns:v1.10.1","imageDigest":"registry.k8s.io/coredns/coredns:v1.10.1"},"kubernetes":{"podName":"coredns-5dd5756b68-p5mcd","podNamespace":"kube-system","podUID":"4032b4af-f34d-474d-a130-ab109e4c8071"},"eventId":"736","eventName":"security_socket_accept","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"accept4","stackAddresses":null,"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":4200082076,"processEntityId":3178261270,"parentEntityId":427614759,"args":[{"name":"sockfd","type":"int","value":8},{"name":"local_addr","type":"struct sockaddr*","value":{"sa_family":"AF_INET6","sin6_addr":"::","sin6_flowinfo":"0","sin6_port":"8080","sin6_scopeid":"0"}}]}
{"timestamp":14660638298,"threadStartTime":-880390126026,"processorId":1,"processId":1,"cgroupId":143361,"threadId":14,"parentProcessId":1,"hostProcessId":228230,"hostThreadId":228286,"hostParentProcessId":228045,"userId":0,"mountNamespace":4026532958,"pidNamespace":4026532959,"processName":"coredns","executable":{"path":""},"hostName":"coredns-5dd5756","containerId":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","container":{"id":"5980c5c04f4ffc8d21807d885bce3bc59b01c96f568fdae4586a971b2e518aac","name":"coredns","image":"registry.k8s.io/coredns/coredns:v1.10.1","imageDigest":"registry.k8s.io/coredns/coredns:v1.10.1"},"kubernetes":{"podName":"coredns-5dd5756b68-p5mcd","podNamespace":"kube-system","podUID":"4032b4af-f34d-474d-a130-ab109e4c8071"},"eventId":"2010","eventName":"net_packet_http_request","matchedPolicies":[""],"argsNum":2,"returnValue":0,"syscall":"write","stackAddresses":[0],"contextFlags":{"containerStarted":true,"isCompat":false},"threadEntityId":1494091607,"processEntityId":3178261270,"parentEntityId":427614759,"args":[{"name":"metadata","type":"trace.PktMeta","value":{"src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":49196,"dst_port":8080,"protocol":6,"packet_len":144,"iface":"any"}},{"name":"http_request","type":"trace.ProtoHTTPRequest","value":{"method":"GET","protocol":"HTTP/1.1","host":":8080","uri_path":"/health","headers":{"Accept-Encoding":["gzip"],"User-Agent":["Go-http-client/1.1"]},"content_length":0}}]}
```

Tracee config

```
Name:         tracee-config
Namespace:    nanna-tracee
Labels:       app.kubernetes.io/instance=tracee
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=tracee
              app.kubernetes.io/version=0.20.0
Annotations:  meta.helm.sh/release-name: tracee
              meta.helm.sh/release-namespace: nanna-tracee

Data
====
config.yaml:
----
cache:
  type: mem
  size: 512
perf-buffer-size: 1024
healthz: true
metrics: true
pprof: false
pyroscope: false
listen-addr: :3366
log:
  level: info
output:
  json:
    files:
    - stdout
  options:
    parse-arguments: true
    stack-addresses: false
    exec-env: false
    relative-time: true
    exec-hash: dev-inode
    sort-events: false

BinaryData
====

Events:
```

Tracee policy

```yaml
apiVersion: tracee.aquasec.com/v1beta1
kind: Policy
metadata:
  annotations:
    description: traces default events
    heimdall/workload-url: https://gitlab.bjorg.io/core/nanna.git
    meta.helm.sh/release-name: tracee
    meta.helm.sh/release-namespace: nanna-tracee
  creationTimestamp: "2024-02-22T00:55:48Z"
  generation: 2
  labels:
    app.kubernetes.io/managed-by: Helm
    heimdall/workload-class: nanna
  name: default-policy
  resourceVersion: "2621"
  uid: 562c0d2b-a11f-43ce-ac69-0d31afa6c6be
spec:
  rules:
  - event: stdio_over_socket
  scope:
  - container
```

hangrymuppet commented 9 months ago

@NDStrahilevitz please ignore the above posts. I figured out the issue and it had to do with the controller not being able to read the policy file and I guess falling back to all event reporting.

```json
{"L":"DEBUG","T":"2024-02-22T20:29:24.480Z","M":"kubernetes cluster","error":"policies.tracee.aquasec.com is forbidden: User \"system:serviceaccount:nanna-tracee:nanna-tracee\" cannot list resource \"policies\" in API group \"tracee.aquasec.com\" at the cluster scope","origin":"cobra:pkg/cmd/cobra/cobra.go:218","calls":"GetTraceeRunner() < glob..func15() < (*Command).execute() < (*Command).ExecuteC() < (*Command).Execute() < Execute() < main()"}
{"L":"DEBUG","T":"2024-02-22T20:29:24.480Z","M":"using policies from --scope and --events flag","origin":"cobra:pkg/cmd/cobra/cobra.go:227","calls":"GetTraceeRunner() < glob..func15() < (*Command).execute() < (*Command).ExecuteC() < (*Command).Execute() < Execute() < main()"}
```

Thank you for looking into this and apologies for the time sink. I will close the issue.
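The two checks this thread boils down to, written as an added Python example that is not part of the issue or of Tracee's own code: an audit of Tracee's JSON output against a Policy's rules and scope (the comparison the reporter made by hand in the first post, where events outside the rules and outside the container scope showed up), and a scan of Tracee's DEBUG log for the RBAC "forbidden" error and the "using policies from --scope and --events flag" message that explained it in the last post. The policy, the events and the log lines embedded below are constructed samples modelled on the ones quoted in the thread. Two assumptions are built in: the policy is given as a dict (in real use it would come from yaml.safe_load on the Policy manifest), and scope handling models only the container, not-container and global scopes, combining several scope entries with AND.

```python
import json

# Constructed sample policy shaped like the issue's Policy object (spec.rules / spec.scope).
# Assumption: in real use this dict is produced by yaml.safe_load() on the manifest.
SAMPLE_POLICY = {
    "apiVersion": "tracee.aquasec.com/v1beta1",
    "kind": "Policy",
    "metadata": {"name": "default-policy"},
    "spec": {
        "rules": [{"event": "stdio_over_socket"}, {"event": "container_create"}],
        "scope": ["container"],
    },
}

# Constructed sample of Tracee JSON output, cut down to the fields the audit reads.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"eventName": "stdio_over_socket", "matchedPolicies": ["default-policy"],
                "containerId": "c4908f5d0086", "processName": "nc"}),
    json.dumps({"eventName": "net_packet_http_request", "matchedPolicies": [""],
                "containerId": "b26961b3", "processName": "flb-pipeline"}),
    json.dumps({"eventName": "security_socket_connect", "matchedPolicies": [""],
                "containerId": "", "processName": "kubelet"}),
    json.dumps({"eventName": "container_create", "matchedPolicies": [""],
                "containerId": "", "processName": "containerd"}),
    "not json at all",
])

# Constructed sample DEBUG log lines carrying the two messages quoted in the issue.
SAMPLE_LOGS = "\n".join([
    json.dumps({"L": "DEBUG", "M": "kubernetes cluster",
                "error": 'policies.tracee.aquasec.com is forbidden: User '
                         '"system:serviceaccount:example-ns:example-sa" cannot list resource '
                         '"policies" in API group "tracee.aquasec.com" at the cluster scope'}),
    json.dumps({"L": "DEBUG", "M": "using policies from --scope and --events flag"}),
])


def policy_events(policy):
    """Set of event names selected by the policy's rules."""
    return {rule["event"] for rule in policy["spec"]["rules"]}


def in_scope(event, scope):
    """True if the event falls inside the policy scope.

    Assumption: only 'container', 'not-container' and 'global' are modelled and
    several scope entries must all hold; any other scope expression is treated as matching.
    """
    is_container = bool(event.get("containerId"))
    for item in scope:
        if item == "container" and not is_container:
            return False
        if item == "not-container" and is_container:
            return False
    return True


def audit_events(raw_lines, policy):
    """Return one finding per emitted line the policy should not have produced."""
    allowed = policy_events(policy)
    scope = policy["spec"].get("scope", ["global"])
    findings = []
    for lineno, line in enumerate(raw_lines.splitlines(), 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append({"line": lineno, "event": None, "reason": "unparseable line"})
            continue
        name = ev.get("eventName")
        reasons = []
        if name not in allowed:
            reasons.append("event not in policy rules")
        if not in_scope(ev, scope):
            reasons.append("event outside policy scope")
        # Empty matchedPolicies is only a soft signal: the maintainer's flag-driven runs in
        # this thread also print [""], so it is reported only alongside another reason.
        if reasons and not any(ev.get("matchedPolicies") or []):
            reasons.append("empty matchedPolicies")
        if reasons:
            findings.append({"line": lineno, "event": name, "reason": "; ".join(reasons)})
    return findings


def detect_policy_fallback(log_text):
    """Flag the two log messages that mean Tracee ignored the cluster's Policy objects."""
    result = {"policy_list_forbidden": False, "fell_back_to_flags": False}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if 'cannot list resource "policies"' in rec.get("error", ""):
            result["policy_list_forbidden"] = True
        if rec.get("M") == "using policies from --scope and --events flag":
            result["fell_back_to_flags"] = True
    return result


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS, SAMPLE_POLICY):
        print(f"line {f['line']}: {f['event']}: {f['reason']}")
    print(detect_policy_fallback(SAMPLE_LOGS))
```

Pointed at the daemon's log with the log level at debug, `detect_policy_fallback` answers the question this thread needed first: if `fell_back_to_flags` is true, the events being emitted are selected by the container's `--scope` and `--events` flags rather than by any Policy object, and auditing the output against the manifest is pointless until the permission named in the error (listing policies in API group tracee.aquasec.com at cluster scope) is granted to the service account. Only once that flag is false does `audit_events` tell you whether the policy is actually being honoured.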