falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

No user data in Falco 0.32.0 #2048

Closed deepskyblue86 closed 2 years ago

deepskyblue86 commented 2 years ago

Describe the bug

Output of any user information leads to <NA>

How to reproduce it

  1. Host install (in my case Fedora 34) Falco rpm package
  2. Run Falco
  3. Trigger any rule with %user

The rule output has <NA> instead of the actual data.

I tested a custom rule with the following output:

  output: "%user.homedir %user.loginname %user.loginuid %user.name %user.shell %user.uid"

and I get

12:57:02.919226024: Notice <NA> <NA> 1000 <NA> <NA> 1000

Expected behaviour

User information shall be shown

Screenshots

Wed Jun  8 12:56:56 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
...
13:14:03.253972664: Error File below /etc opened for writing (user=<NA> user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
Wed Jun  8 13:18:40 2022: Falco version 0.31.0 (driver version 319368f1ad778691164d33d59945e00c5752cd27)
...
13:18:53.963391812: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)

Environment
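A small regression check for the symptom reported above, written for this page as an added example (it is not Falco project code and not part of the original report). It parses Falco's plain-text output in the format shown in the report and flags events where Falco knows the login uid but prints the user name as <NA>, which is exactly what separates the 0.32.0 and 0.31.0 lines in the screenshots. The sample lines are the two events from the report plus a version banner that the parser must skip; the file name check_user_fields.py and the -1 handling for user_loginuid are assumptions for the example.

```python
"""Regression check for the Falco 0.32.0 user-resolution symptom.

Added example, not Falco project code. Parses Falco's plain-text output and
flags events where user_loginuid is a real uid but user is <NA>. Run it on a
saved log or pipe live output in, e.g.
    falco 2>&1 | python3 check_user_fields.py
(script name is an assumption for this example).
"""
import re
import sys
from dataclasses import dataclass, field

# One Falco text-output line, e.g.
#   13:14:03.253972664: Error File below /etc opened for writing (user=<NA> ...)
# The "(key=value ...)" tail is optional: a rule with a custom output string
# such as "%user.homedir %user.loginname ..." prints no parenthesised fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): (?P<prio>\w+) (?P<msg>.*?)"
    r"(?: \((?P<fields>.*)\))?$"
)

# Splits "user=<NA> command=touch /etc/hosts parent=sudo" into pairs. A value
# runs up to the next " key=" token, so "touch /etc/hosts" survives intact.
# Caveat: a value that itself contains " WORD=" (a command line with VAR=x) is
# ambiguous in the text format; use Falco's json_output when that matters.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class FalcoEvent:
    ts: str
    priority: str
    message: str
    fields: dict = field(default_factory=dict)


def parse_line(line):
    """Return a FalcoEvent, or None for non-event lines (version banner etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    if m.group("fields") is not None:
        fields = {k: v for k, v in FIELD_RE.findall(m.group("fields"))}
    return FalcoEvent(m.group("ts"), m.group("prio"), m.group("msg"), fields)


def user_unresolved(ev):
    """True when the event has a real login uid but no resolved user name.

    A user_loginuid of -1 (or <NA>) means no login session was recorded, as
    for daemons and many container workloads; user=<NA> there is legitimate
    and is not this bug (assumption: -1 is the "no session" marker).
    """
    loginuid = ev.fields.get("user_loginuid")
    if loginuid in (None, "<NA>", "-1"):
        return False
    return ev.fields.get("user") == "<NA>"


def scan(lines):
    """Return (timestamp, message) for every event showing the symptom."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and user_unresolved(ev):
            hits.append((ev.ts, ev.message))
    return hits


# Constructed sample: the two events from the report (0.32.0 first, 0.31.0
# second) plus a version banner that must be skipped by the parser.
SAMPLE_OUTPUT = """\
Wed Jun  8 12:56:56 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
13:14:03.253972664: Error File below /etc opened for writing (user=<NA> user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
13:18:53.963391812: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
"""

if __name__ == "__main__":
    # Read stdin when something is piped in, otherwise run on the sample.
    source = SAMPLE_OUTPUT.splitlines() if sys.stdin.isatty() else sys.stdin
    for ts, msg in scan(source):
        print(f"{ts}: user name unresolved although loginuid is set: {msg}")
```

On the sample it reports only the 13:14:03 event from the 0.32.0 run; the 0.31.0 event resolves user=root and is silent. The check deliberately ignores events with no login session, so it does not fire on every container workload after an upgrade.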

FedeDP commented 2 years ago

We are looking into that! Thanks for providing all the info!

It seems like this check went wrong in Falco CI (building locally everything works fine!)

jasondellaluce commented 2 years ago

After some testing with @FedeDP it looks like https://github.com/falcosecurity/libs/pull/383 and https://github.com/falcosecurity/falco/pull/2053 fixed the issue! Apparently, the problem was that in our CMake setup we unnoticeably cut off the compilation of a piece of libsinsp code that populated user data.

Thank you @deepskyblue86 for reporting this bug!

deepskyblue86 commented 2 years ago

Will there be a Falco hotfix version by any chance?

FedeDP commented 2 years ago

Hi! Yes, there will be a 0.32.1 around end of june most probably, together with arm64 support :)