Closed brness closed 1 year ago
Hi! Thanks for reporting this issue! I honestly think this is rather important, let's give it a try for 0.10.1! /milestone 0.10.1
Mmh running sinsp-example directly works:
./libsinsp/examples/sinsp-example -f "evt.type in (fchownat, stat, access)" -o "%evt.type %syscall.type"
...
{"evt.type":"access","syscall.type":"access"}
{"evt.type":"access","syscall.type":"access"}
{"evt.type":"fchownat","syscall.type":"fchownat"}
{"evt.type":"fchownat","syscall.type":"fchownat"}
...
This gets fixed by: https://github.com/falcosecurity/falco/pull/2347
I don't think we will make it for 0.34.0 though :(
Since it is a Falco issue, I'll move this to Falco!
OK, That would be so nice!!
/milestone 0.35.0
Describe the bug
I want to test whether falco can capture the fchownat syscall in my environment. Here is the thing: if I set the condition
condition: container.id != host and evt.type in (fchownat) and k8s.pod.name=nginx-pod-b965fcc45-nk5xx
falco indeed can show
{"hostname":"falco-99tt5","priority":"Notice","rule":"The program is run in a container","source":"syscall","time":"2023-01-11T07:26:36.764431585Z", "output_fields": {"container.id":"1b93d2852905","evt.args":"","evt.time":1673421996764431585,"evt.type":"fchownat","fd.directory":null,"fd.name":null,"k8s.ns.name":"demo","k8s.pod.name":"nginx-pod-b965fcc45-nk5xx","proc.cmdline":"chown root file1","proc.name":"chown","proc.pname":"bash","proc.vmsize":12684,"syscall.type":"fchownat","user.name":"<NA>"}}
{"hostname":"falco-99tt5","priority":"Notice","rule":"The program is run in a container","source":"syscall","time":"2023-01-11T07:26:36.764473224Z", "output_fields": {"container.id":"1b93d2852905","evt.args":"","evt.time":1673421996764473224,"evt.type":"fchownat","fd.directory":null,"fd.name":null,"k8s.ns.name":"demo","k8s.pod.name":"nginx-pod-b965fcc45-nk5xx","proc.cmdline":"chown root file1","proc.name":"chown","proc.pname":"bash","proc.vmsize":12684,"syscall.type":"fchownat","user.name":"<NA>"}}
However, if I change the condition into
condition: container.id != host and evt.type in (fchownat, stat, access) and k8s.pod.name=nginx-pod-b965fcc45-nk5xx
then only access events are captured in the falco logs:
{"hostname":"falco-99tt5","priority":"Notice","rule":"The program is run in a container","source":"syscall","time":"2023-01-11T07:36:14.076586416Z", "output_fields": {"container.id":"1b93d2852905","evt.args":"mode=0(F_OK) ","evt.time":1673422574076586416,"evt.type":"access","fd.directory":null,"fd.name":null,"k8s.ns.name":"demo","k8s.pod.name":"nginx-pod-b965fcc45-nk5xx","proc.cmdline":"chown root file1","proc.name":"chown","proc.pname":"bash","proc.vmsize":364,"syscall.type":"access","user.name":"<NA>"}}
{"hostname":"falco-99tt5","priority":"Notice","rule":"The program is run in a container","source":"syscall","time":"2023-01-11T07:36:14.076594852Z", "output_fields": {"container.id":"1b93d2852905","evt.args":"res=-2(ENOENT) name=/etc/ld.so.nohwcap ","evt.time":1673422574076594852,"evt.type":"access","fd.directory":null,"fd.name":null,"k8s.ns.name":"demo","k8s.pod.name":"nginx-pod-b965fcc45-nk5xx","proc.cmdline":"chown root file1","proc.name":"chown","proc.pname":"bash","proc.vmsize":364,"syscall.type":"access","user.name":"<NA>"}}
{"hostname":"falco-99tt5","priority":"Notice","rule":"The program is run in a container","source":"syscall","time":"2023-01-11T07:36:14.076619050Z", "output_fields": {"container.id":"1b93d2852905","evt.args":"mode=4(R_OK) ","evt.time":1673422574076619050,"evt.type":"access","fd.directory":null,"fd.name":null,"k8s.ns.name":"demo","k8s.pod.name":"nginx-pod-b965fcc45-nk5xx","proc.cmdline":"chown root file1","proc.name":"chown","proc.pname":"bash","proc.vmsize":372,"syscall.type":"access","user.name":"<NA>"}}
How to reproduce it
condition: container.id != host and evt.type in (fchownat) and k8s.pod.name=nginx-pod-b965fcc45-nk5xx
where k8s.pod.name is the name of the pod in which to execute the chown command: chown root file1
condition: container.id != host and evt.type in (fchownat, stat, access) and k8s.pod.name=nginx-pod-b965fcc45-nk5xx
chown nobody file1
Expected behaviour
log_multi_name would contain the syscall events of fchownat, just as log_previous does.
Screenshots
this is the previous one
this is the multi_name log
Environment
Helm falco
Additional context
I already tried using -A to get general syscall events, and if I don't specify the evt.names, fchownat doesn't show up either.