falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

filter_check called with nonexistent field proc.pcmdline #214

Closed juju4 closed 7 years ago

juju4 commented 7 years ago

I still get this issue when trying the latest ruleset, even with the recent sysdig update

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.2 LTS
Release:    16.04
Codename:   xenial
# dpkg -l |egrep '(sysdig|falco)'
ii  falco                                0.5.0                                    amd64        falco, a system-level activity monitoring tool
ii  sysdig                               0.15.0                                   amd64        sysdig, a system-level exploration and troubleshooting tool
ii  sysdig-dkms                          0.8.0-1                                  all          system-level exploration and troubleshooting tool - kernel source

=> forced to disable parent_ansible_running_python

mstemm commented 7 years ago

We haven't yet done a falco release that incorporates sysdig code that implements proc.pcmdline. 0.5.0 was released Dec 22, and we added proc.pcmdline to the ruleset on Jan 20. Falco does depend on sysdig code, but it pulls it in at compile time so it's separate from any sysdig version that's installed.

I do plan on a falco release in the next couple of weeks, though.
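The point in the reply above is that field availability is decided by the sysdig code compiled into the falco binary, not by the sysdig package installed alongside it, so a newer ruleset can reference fields an older falco build has never heard of. A practical pre-deployment check is to expand every rule's macros and compare the fields it depends on against the fields the deployed binary provides. The script below is an added example, not code from the falco project: the ruleset fragment, the list of field classes and the set of supported fields are all constructed for illustration (the real ruleset would be loaded from falco_rules.yaml with a YAML parser, and the supported set taken from the falco build actually being deployed). It flags the same situation the issue describes, a rule that depends on proc.pcmdline through a macro while the binary only knows proc.cmdline.

```python
import re
from typing import Dict, List, Set

# Filter-field classes exposed by the sysdig/falco filter engine. This is a
# subset chosen for the example (constructed), enough to recognise dotted
# field names inside rule conditions.
FIELD_CLASSES = ("proc", "fd", "evt", "user", "group", "thread", "container")
FIELD_RE = re.compile(r"\b(?:%s)\.[a-z_]+(?:\.[a-z_]+)*" % "|".join(FIELD_CLASSES))
TOKEN_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
QUOTED_RE = re.compile(r'"[^"]*"')

# Constructed ruleset fragment in the shape falco_rules.yaml takes once loaded
# (a list of macro/rule mappings). Names and conditions are illustrative, not
# copied from the project's ruleset.
RULESET = [
    {"macro": "spawned_process", "condition": "evt.type = execve and evt.dir=<"},
    {"macro": "shell_procs", "condition": "proc.name in (bash, sh, dash)"},
    {"macro": "parent_ansible_running_python",
     "condition": "(proc.pname = python and proc.pcmdline contains ansible)"},
    {"rule": "Run shell untrusted",
     "condition": "spawned_process and shell_procs and not parent_ansible_running_python",
     "output": "Shell spawned (user=%user.name command=%proc.cmdline)",
     "priority": "WARNING"},
    {"rule": "Read sensitive file",
     "condition": 'evt.type=open and fd.name="/etc/shadow" and not proc.name in (sshd)',
     "output": "Sensitive file opened (user=%user.name file=%fd.name)",
     "priority": "WARNING"},
]

# Fields the deployed falco binary understands. Constructed to mirror the
# issue: an older build whose compiled-in sysdig code predates proc.pcmdline.
SUPPORTED_FIELDS = {"evt.type", "evt.dir", "proc.name", "proc.pname",
                    "proc.cmdline", "fd.name", "user.name"}


def extract_fields(condition: str) -> Set[str]:
    """Return the filter fields referenced directly in one condition string.

    Quoted string literals are blanked first so a value such as
    "/etc/ld.so.preload" is never mistaken for a dotted field name.
    """
    return set(FIELD_RE.findall(QUOTED_RE.sub('""', condition)))


def _macro_fields(name: str, macros: Dict[str, str], seen: Set[str]) -> Set[str]:
    """Fields used by a macro, following macro references recursively.

    `seen` guards against a reference cycle between macros, which would
    otherwise recurse without end.
    """
    if name in seen:
        return set()
    seen.add(name)
    condition = macros[name]
    fields = extract_fields(condition)
    for token in TOKEN_RE.findall(condition):
        if token in macros:
            fields |= _macro_fields(token, macros, seen)
    return fields


def rule_fields(ruleset: List[dict]) -> Dict[str, Set[str]]:
    """Map each rule name to every field it depends on, with macros expanded."""
    macros = {entry["macro"]: entry["condition"] for entry in ruleset if "macro" in entry}
    result: Dict[str, Set[str]] = {}
    for entry in ruleset:
        if "rule" not in entry:
            continue
        condition = entry["condition"]
        fields = extract_fields(condition)
        for token in TOKEN_RE.findall(condition):
            if token in macros:
                fields |= _macro_fields(token, macros, set())
        result[entry["rule"]] = fields
    return result


def unsupported_rules(ruleset: List[dict], supported: Set[str]) -> Dict[str, List[str]]:
    """Rules that reference at least one field the binary does not provide."""
    report: Dict[str, List[str]] = {}
    for rule, fields in rule_fields(ruleset).items():
        missing = sorted(fields - supported)
        if missing:
            report[rule] = missing
    return report


if __name__ == "__main__":
    for rule, missing in unsupported_rules(RULESET, SUPPORTED_FIELDS).items():
        print(f"rule {rule!r} needs unsupported field(s): {', '.join(missing)}")
```

Running it reports only "Run shell untrusted", because that rule reaches proc.pcmdline through the parent_ansible_running_python macro; "Read sensitive file" uses nothing the constructed binary lacks. Knowing which rules are affected lets you disable or rewrite just those rather than the whole ruleset, which is what the reporter ended up doing by hand.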

mstemm commented 7 years ago

I'm about to release 0.6.0, so I'll close this for now. Try 0.6.0 out and let me know if you still run into this problem.