falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Falco v0.31.0: <NA> output for %user.name, %user.loginuid (and %user.uid) #1921

Closed clmssz closed 1 year ago

clmssz commented 2 years ago

Metadata is empty for %user.name, %user.loginuid and %user.uid in a rule detecting SSH connections. Also, at the first occurrence proc.cmdline is empty, then it is not.

The rule lies in falco_local_rules.yaml; the macros are the ones from the default ruleset.

- rule: New SSH Connection
  desc: Detect any new ssh connection to a host
  condition: (inbound_outbound) and ssh_port
  output: New SSH Connection (command=%proc.cmdline connection=%fd.name user=%user.name uid=%user.uid)
  priority: NOTICE
  tags: [network, mitre_remote_service]
Mar  2 14:09:20 redacted-hostname falco: Falco version 0.31.0 (driver version 319368f1ad778691164d33d59945e00c5752cd27)
Mar  2 14:09:20 redacted-hostname falco: Falco initialized with configuration file /etc/falco/falco.yaml
Mar  2 14:09:20 redacted-hostname falco: Loading rules from file /etc/falco/falco_rules.yaml:
Mar  2 14:09:21 redacted-hostname falco: Loading rules from file /etc/falco/falco_rules.local.yaml:
Mar  2 14:12:19 redacted-hostname falco: {"output":"14:12:19.271700748: Notice New SSH Connection (command=<NA> connection=x.x.x.x:56429->x.x.x.x:22 user=<NA> user_loginuid=-1)","priority":"Notice","rule":"New SSH Connection","source":"syscall","tags":["mitre_remote_service","network"],"time":"2022-03-02T14:12:19.271700748Z", "output_fields": {"evt.time":1646230339271700748,"fd.name":"x.x.x.x:56429->x.x.x.x:22","proc.cmdline":"<NA>","user.loginuid":-1,"user.name":null}}
Mar  2 14:12:19 redacted-hostname falco[3721]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Mar  2 14:12:19 redacted-hostname falco[3721]:                                  Dload  Upload   Total   Spent    Left  Speed
Mar  2 14:12:19 redacted-hostname falco[3721]: #015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100   145    0     2  100   143     14   1007 --:--:-- --:--:-- --:--:--  1021
Mar  2 14:12:33 redacted-hostname falco: {"output":"14:12:33.752877760: Notice New SSH Connection (command=sshd -D connection=x.x.x.x:56445->x.x.x.x:22 user=<NA> user_loginuid=-1)","priority":"Notice","rule":"New SSH Connection","source":"syscall","tags":["mitre_remote_service","network"],"time":"2022-03-02T14:12:33.752877760Z", "output_fields": {"evt.time":1646230353752877760,"fd.name":"x.x.x.x:56445->x.x.x.x:22","proc.cmdline":"sshd -D","user.loginuid":-1,"user.name":null}}
Mar  2 14:12:33 redacted-hostname falco[3721]: ok  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Mar  2 14:12:33 redacted-hostname falco[3721]:                                  Dload  Upload   Total   Spent    Left  Speed
Mar  2 14:12:33 redacted-hostname falco[3721]: #015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100   148    0     2  100   146     15   1097 --:--:-- --:--:-- --:--:--  1112

On @FedeDP's suggestion I tried %user.uid and it yields 4294967295 (-1).

Falco version: 0.31.0
Driver version: 319368f1ad778691164d33d59945e00c5752cd27
{
  "machine": "x86_64",
  "nodename": "redacted-hostname",
  "release": "5.4.0-1064-gcp",
  "sysname": "Linux",
  "version": "#68~18.04.1-Ubuntu SMP Sun Feb 6 07:26:13 UTC 2022"
}

https://github.com/juju4/ansible-falco (Packages)

ii  falco                              0.31.0                                    amd64        Falco - Container Native Runtime Security

There are no containers involved in this test, it's installed directly on the VM

FedeDP commented 2 years ago

In theory, user.uid -1 means that there is no thread information associated with the event; basically (see here: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/filterchecks.cpp#L4781): evt->get_thread_info() is NULL. In fact, uid is obtained from the event threadinfo:

case TYPE_UID:
        RETURN_EXTRACT_VAR(tinfo->m_uid);

I don't really know how that could happen on inbound_outbound macro (that expands to events: evt.type in (accept,listen,connect) and evt.dir=<).

Can you print thread.tid too in your rule and report back its value?

clmssz commented 2 years ago
Mar  3 08:48:37 redacted-hostname falco: {"output":"08:48:37.630357321: Notice New SSH Connection (command=<NA> connection=x.x.x.x:50046->x.x.x.x:22 user=<NA> user_loginuid=-1 uid=4294967295 thread=7286)","priority":"Notice","rule":"New SSH Connection","source":"syscall","tags":["mitre_remote_service","network"],"time":"2022-03-03T08:48:37.630357321Z", "output_fields": {"evt.time":1646297317630357321,"fd.name":"x.x.x.x:50046->x.x.x.x:22","proc.cmdline":"<NA>","thread.tid":7286,"user.loginuid":-1,"user.name":null,"user.uid":4294967295}}
Mar  3 08:48:37 redacted-hostname falco[15001]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Mar  3 08:48:37 redacted-hostname falco[15001]:                                  Dload  Upload   Total   Spent    Left  Speed
Mar  3 08:48:37 redacted-hostname falco[15001]: #015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0#015100   172    0     2  100   170     13   1133 --:--:-- --:--:-- --:--:--  1139
root      7286  0.0  0.0  72304  5844 ?        Ss   Feb16   0:00 /usr/sbin/sshd -D
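As an added example (not code from the thread or from the Falco project), a small Python triage script over alert lines in the shape the reporter posted: it pulls the JSON out of the syslog lines, skips the curl progress noise from the output program, and classifies each alert by whether Falco attached a thread/user identity, treating 4294967295 as the (uint32)-1 that @FedeDP describes. The sample lines are constructed; line 1 mirrors the alert above with IPs redacted, the other alerts are made up for contrast.

```python
import json

# (uint32)-1: libsinsp had no threadinfo for the event, so tinfo->m_uid was never set
UID_NONE = 4294967295

# Constructed sample in the shape the reporter posted (syslog prefix + Falco JSON).
# Line 1 mirrors the thread's alert, line 2 is the curl progress noise, 3 and 4 are made up.
SAMPLE_LOG = r"""Mar  3 08:48:37 redacted-hostname falco: {"output":"08:48:37.630357321: Notice New SSH Connection (command=<NA> connection=x.x.x.x:50046->x.x.x.x:22 user=<NA> uid=4294967295 thread=7286)","priority":"Notice","rule":"New SSH Connection","source":"syscall","time":"2022-03-03T08:48:37.630357321Z","output_fields":{"fd.name":"x.x.x.x:50046->x.x.x.x:22","proc.cmdline":"<NA>","thread.tid":7286,"user.loginuid":-1,"user.name":null,"user.uid":4294967295}}
Mar  3 08:48:37 redacted-hostname falco[15001]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
Mar  3 08:49:02 redacted-hostname falco: {"output":"08:49:02.1: Notice New SSH Connection (...)","priority":"Notice","rule":"New SSH Connection","source":"syscall","time":"2022-03-03T08:49:02.000000001Z","output_fields":{"fd.name":"x.x.x.x:50100->x.x.x.x:22","proc.cmdline":"sshd -D","thread.tid":7286,"user.loginuid":1000,"user.name":"alice","user.uid":0}}
Mar  3 08:50:11 redacted-hostname falco: {"output":"08:50:11.1: Notice New SSH Connection (...)","priority":"Notice","rule":"New SSH Connection","source":"syscall","time":"2022-03-03T08:50:11.000000001Z","output_fields":{"fd.name":"x.x.x.x:50120->x.x.x.x:22","proc.cmdline":"sshd -D","thread.tid":9001,"user.loginuid":-1,"user.name":null,"user.uid":0}}
"""

def parse_falco_syslog(text):
    """Return the Falco alert dicts embedded in syslog lines; lines without JSON are skipped."""
    alerts = []
    for line in text.splitlines():
        start = line.find("{")
        if start == -1:
            continue
        try:
            alerts.append(json.loads(line[start:]))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload (e.g. the curl progress meter)
    return alerts

def identity_status(fields):
    """Classify how much user identity Falco managed to attach to the alert."""
    if fields.get("user.uid") in (UID_NONE, -1):
        return "no_thread_info"  # uid is (uint32)-1: the event carried no threadinfo
    if fields.get("user.name") in (None, "<NA>"):
        return "uid_unresolved"  # uid known but no name: user DB not readable (containers)
    return "resolved"

def triage(text):
    """One row per alert: what the rule saw and how trustworthy its user fields are."""
    rows = []
    for alert in parse_falco_syslog(text):
        f = alert.get("output_fields", {})
        rows.append({
            "rule": alert.get("rule"),
            "connection": f.get("fd.name"),
            "tid": f.get("thread.tid"),
            "identity": identity_status(f),
            # the first event of a new process may still show proc.cmdline as <NA>
            "cmdline_known": f.get("proc.cmdline") not in (None, "<NA>"),
        })
    return rows
```

Alerts tagged no_thread_info are the ones this issue is about; routing them to a separate enrichment step (rather than dropping them for a missing user) keeps the SSH detection useful while the uid is unknown.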
FedeDP commented 2 years ago

So, we got a valid and actually correct thread id. Nice! I will try to reproduce the issue! ;)

andreabonanno commented 2 years ago

Hello! I just failed to reproduce this issue with the following setup:

Do you have any additional configs that could be relevant? Thanks!

clmssz commented 2 years ago

Hi @andreabonanno, we use OS Login on GCP VMs; it adds PAM configurations, maybe it's a lead? https://cloud.google.com/compute/docs/oslogin

jasondellaluce commented 2 years ago

Hey @clmssz, are you able to reproduce this in the newly-released Falco 0.32 too?

deepskyblue86 commented 2 years ago

Please be aware of https://github.com/falcosecurity/falco/issues/2048

clmssz commented 2 years ago

I'll follow up after the 0.32 patch @jasondellaluce

R-Studio commented 2 years ago

The issue still occurs in v0.32.1.

FedeDP commented 2 years ago

Hi! This is expected since we are not able to extract the users and groups list from containers. @loresuso and I are working on a solution involving accessing the overlayfs of the containers to read /etc/pwd and /etc/group. Hopefully 0.33 will fix this one too!

FedeDP commented 2 years ago

I'll keep you posted :)

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

R-Studio commented 1 year ago

/remove-lifecycle stale

R-Studio commented 1 year ago

> Hi! This is expected since we are not able to extract users and groups list from containers. Me and @loresuso are working on a solution involving accessing the overlayfs of the containers to read /etc/pwd and /etc/group. Hopefully 0.33 will fix this one too!

Hi @FedeDP, I tried v0.33 and unfortunately the issue is still there.

FedeDP commented 1 year ago

Hi! Yes, you won't believe it but we are working on another approach to solve the issue: https://github.com/falcosecurity/libs/pull/677 Hopefully this will be the best solution. @deepskyblue86

R-Studio commented 1 year ago

@FedeDP This sounds good, do you know when this will be implemented or in which version?

FedeDP commented 1 year ago

Hi! Falco 0.34 will surely have this feature. I am not sure if we will make a 0.33.1 patch release for this one (and perhaps some more fixes). Let's say that you can expect the fixed version by the end of January for sure; if you are lucky enough, even before through a Falco patch release :)

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

R-Studio commented 1 year ago

/remove-lifecycle stale

poiana commented 1 year ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

R-Studio commented 1 year ago

/remove-lifecycle stale

manojdeshmukh45 commented 1 year ago

Hello everyone, even I'm facing the same issue; I'm not able to fetch the user.

12:29:34.022226956: Notice Ingress remote file copy tool launched in container (user=<NA> user_loginuid=-1 command=curl -o /dev/null -w %{http_code} --max-time 3 -XGET -g -s -k -u elastic-internal-probe: http://127.0.0.1:9200/ pid=363194 parent_process=bash

R-Studio commented 1 year ago

@manojdeshmukh45 which version do you use?

Andreagit97 commented 1 year ago

Is this still an issue?

manojdeshmukh45 commented 1 year ago

No Andrea, it got fixed using the new version, and I used custom rules which override the old rules. It's working good.


FedeDP commented 1 year ago

/close

poiana commented 1 year ago

@FedeDP: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/1921#issuecomment-1641503990):

> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.