falcosecurity / event-generator

Generate a variety of suspect actions that are detected by Falco rulesets
Apache License 2.0

`syscall.DisallowedSSHConnectionNonStandardPort` does not trigger #221

Closed leogr closed 2 months ago

leogr commented 2 months ago

Describe the bug

syscall.DisallowedSSHConnectionNonStandardPort does not trigger the Falco rules (at least in my environment).

How to reproduce it

sudo ./event-generator -l debug test syscall.DisallowedSSH

Screenshots

sudo ./event-generator -l debug test syscall.DisallowedSSH
DEBU running with args: ./event-generator -l debug test syscall.DisallowedSSH 
DEBU running without a configuration file         
DEBU running with options                          loglevel=debug
INFO sleep for 100ms                               action=syscall.DisallowedSSHConnectionNonStandardPort
DEBU failed to run ssh command (this is expected)  action=syscall.DisallowedSSHConnectionNonStandardPort error="signal: killed"
ERRO action error                                  action=syscall.DisallowedSSHConnectionNonStandardPort error="context deadline exceeded"

N.B. signal: killed

Environment

Fri Sep 20 17:19:58 2024: Falco version: 0.38.2 (aarch64)
Fri Sep 20 17:19:58 2024: Falco initialized with configuration files:
Fri Sep 20 17:19:58 2024:    /etc/falco/falco.yaml
Fri Sep 20 17:19:58 2024: System info: Linux version 6.8.0-41-generic (buildd@bos03-arm64-063) (aarch64-linux-gnu-gcc-13 (Ubuntu 13.2.0-23ubuntu4) 13.2.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #41-Ubuntu SMP PREEMPT_DYNAMIC Fri Aug  2 23:26:06 UTC 2024
Falco version: 0.38.2
Libs version:  0.17.3
Plugin API:    3.6.0
Engine:        0.40.0
Driver:
  API version:    8.0.0
  Schema version: 2.0.0
  Default driver: 7.2.1+driver

Additional context

Related to #220 cc @prezha

Also note that manually running ssh user@example.com -p 443 worked for me.

prezha commented 2 months ago

/assign