Closed aberezovski closed 7 months ago
Thank you for reporting this and for the research! We will take a look! Looking at your example it seems we have an issue @FedeDP
Hi! Thanks for opening this issue!
Can you share the rule you are using?
It is really weird since when we update the user, we update both `uid` and `name`: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/threadinfo.cpp#L503, so I don't get how they can be out of sync :/
I have a similar observation: if I run the agent in a container using the `eBPF probe`, I am able to see `user.loginuid` and `user.loginname`; however, if I switch to use the `modern eBPF`, it does not work.

For the `eBPF probe` I am running following the doc: https://falco.org/docs/install-operate/running/#docker-privileged

```shell
docker run --rm -i -t \
  --privileged \
  -e FALCO_BPF_PROBE="" \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  -v /boot:/host/boot:ro \
  -v /lib/modules:/host/lib/modules:ro \
  -v /usr:/host/usr:ro \
  -v /etc:/host/etc:ro \
  falcosecurity/falco:latest
```

For the `modern eBPF` I am running following the doc: https://falco.org/docs/install-operate/running/#modern-ebpf

```shell
docker run --rm -i -t \
  --privileged \
  -v /var/run/docker.sock:/host/var/run/docker.sock \
  -v /proc:/host/proc:ro \
  falcosecurity/falco-no-driver:latest falco --modern-bpf
```

Please let me know if it's better to create a separate issue to track this.
Hi @FedeDP,
The Falco rule I used for my tests is a very simple one:

```yaml
- rule: Uncommon Process Execution
  desc: Detects execution of an uncommon process
  condition: >
    evt.type in (execve, execveat) and evt.dir=< and not proc.name in (bash, sh, ls, rm)
  output: >
    Unexpected process execution: process=%proc.name command=%proc.cmdline parent=%proc.pname path=%proc.cwd (file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid user_loginname=%user.loginname process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: WARNING
```
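As an added example (not code from this issue or from the Falco project), a small Python checker that reads alert lines in the output format of the rule above and flags the disagreement between `user.name` and `user.uid` that the issue describes. The uid-to-name map standing in for `/etc/passwd` and the three alert lines are constructed sample data.

```python
import re

# Constructed sample data: a uid->name map standing in for /etc/passwd, and three
# alert lines in the output format of the rule above (only the user fields matter here).
PASSWD = {0: "root", 1001: "user_account_one", 1002: "user_account_two"}

SAMPLE_ALERTS = [
    # the sudo process itself, showing the name/uid mismatch described in the issue
    "Unexpected process execution: process=sudo command=sudo cat /etc/passwd parent=bash "
    "user=user_account_two user_uid=0 user_loginuid=1001 user_loginname=user_account_one",
    # the child spawned by sudo: root by name and by uid, as the issue expects
    "Unexpected process execution: process=cat command=cat /etc/passwd parent=sudo "
    "user=root user_uid=0 user_loginuid=1001 user_loginname=user_account_one",
    # a non-privileged command: all user fields consistent
    "Unexpected process execution: process=cat command=cat /etc/passwd parent=bash "
    "user=user_account_two user_uid=1002 user_loginuid=1001 user_loginname=user_account_one",
]

def field(line, key):
    """Return the value of `key=value` in an alert line, or None if the key is absent."""
    m = re.search(rf"(?<![\w.]){re.escape(key)}=(\S+)", line)
    return m.group(1) if m else None

def check_alert(line, passwd):
    """Return the inconsistencies in one alert line; an empty list means the user fields agree."""
    problems = []
    name, uid = field(line, "user"), int(field(line, "user_uid"))
    login_name, login_uid = field(line, "user_loginname"), int(field(line, "user_loginuid"))
    # user.name and user.uid must describe the same account
    if passwd.get(uid) != name:
        problems.append(f"user.name={name} but user.uid={uid} maps to {passwd.get(uid)}")
    # the audit (login) pair must agree as well
    if passwd.get(login_uid) != login_name:
        problems.append(f"user.loginname={login_name} but user.loginuid={login_uid} maps to {passwd.get(login_uid)}")
    # a process whose parent is sudo is expected to run as root, by name and by uid
    if field(line, "parent") == "sudo" and (uid != 0 or name != "root"):
        problems.append(f"child of sudo reported as {name}/{uid}, expected root/0")
    return problems

def audit(lines, passwd):
    """Map each alert's process name to its problems, keeping only alerts that have some."""
    result = {}
    for line in lines:
        problems = check_alert(line, passwd)
        if problems:
            result.setdefault(field(line, "process"), []).extend(problems)
    return result
```

Running `audit(SAMPLE_ALERTS, PASSWD)` reports only the `sudo` line, whose `user.uid` of 0 does not map to the `user.name` it carries.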
Hi @ycaoT,
your assumption is the correct one. I used the `modern-bpf` driver for the Falco instance used as a Linux service.
And the Falco service status is:

BTW, regarding Falco running as a DaemonSet using the `modern-bpf` driver, the user evidences are even worse. Check the comments I left on another ticket: https://github.com/falcosecurity/falco/issues/2952#issuecomment-1850464920
I checked the new Falco version 0.37.1 (x86_64) that was installed as a service on an Ubuntu VM as `falco-modern-bpf.service`.
All users' details (effective user and audit/login user) are properly reflected in the Falco-generated logs.
Taking that into consideration, the current issue is not relevant anymore and could be closed.
Great to hear that!! Thanks for taking the time to report this issue :) /close
@FedeDP: Closing this issue.
Hello guys,
I was evaluating Falco as a solution for tracking privileged activities on Linux hosts and observed an unexpected behaviour.

Bug details

For any privileged command like `sudo cat /etc/passwd`, the audit user's name and id are correct, BUT the real/effective user's name and id are misrelated:

- `user.name`: shows the real/effective username of the user who executed the action
- `user.uid`: shows the root user's id, which is not correct in the context of the user who is executing the command `sudo cat /etc/passwd`. The root user's name and id should be provided only for the following event `cat /etc/passwd`, whose parent process will be `sudo`.

How to reproduce it

I logged into the VM as `user_account_one (1001)` and switched to another user, `user_account_two (1002)`. After that I tried to execute the privileged command `sudo cat /etc/passwd` and, based on a custom rule, got the following output:

Expected behaviour

The attributes `user.name` and `user.uid` should be in sync and, according to the use case above, they should reflect the following values:

Additional context

For a non-privileged command like `cat /etc/passwd` the generated event properly reflected all users' details:

Environment

Falco was installed on an Ubuntu VM on GCP by following the installation steps described on the official page.