falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Miscorrelation between real/effective user's name and id for executed privileged command #2962

Closed aberezovski closed 7 months ago

aberezovski commented 9 months ago

Hello guys,

I was evaluating falco as a solution for tracking privileged activities on Linux hosts and observed an unexpected behaviour.

Bug details

For any privileged command like sudo cat /etc/passwd, the audit user's name and id are correct, BUT the real/effective user's name and id are misrelated.

How to reproduce it

I logged into the VM as user_account_one (1001) and switched to another user, user_account_two (1002). After that I tried to execute the privileged command sudo cat /etc/passwd and, based on a custom rule, got the following output:

{
    "hostname": "siem-poc-ubuntu-vm",
    "output": "14:23:37.052617707: Warning Unexpected process execution: process=sudo command=sudo cat /etc/passwd parent=sh path=/home/user_account_one/ (file=<NA> gparent=su ggparent=sudo gggparent=bash evt_type=execve user=user_account_two user_uid=0 user_loginuid=1001 [user_account_one]  process=sudo proc_exepath=/usr/bin/sudo parent=sh command=sudo cat /etc/passwd terminal=34816 exe_flags=EXE_WRITABLE container_id=host container_name=host)",
    "priority": "Warning",
    "rule": "Uncommon Process Execution",
    "source": "syscall",
    "tags": [],
    "time": "2023-12-08T14:23:37.052617707Z",
    "output_fields": {
        "container.id": "host",
        "container.name": "host",
        "evt.arg.flags": "EXE_WRITABLE",
        "evt.time": 1702045417052617707,
        "evt.type": "execve",
        "fd.name": null,
        "proc.aname[2]": "su",
        "proc.aname[3]": "sudo",
        "proc.aname[4]": "bash",
        "proc.cmdline": "sudo cat /etc/passwd",
        "proc.cwd": "/home/user_account_one/",
        "proc.exepath": "/usr/bin/sudo",
        "proc.name": "sudo",
        "proc.pname": "sh",
        "proc.tty": 34816,
        "user.loginname": "user_account_one",
        "user.loginuid": 1001,
        "user.name": "user_account_two",
        "user.uid": 0
    }
}

Expected behaviour

The attributes user.name and user.uid should be in sync and according to the use case above they should reflect the following values:

...
        "user.loginname": "user_account_one",
        "user.loginuid": 1001,
        "user.name": "user_account_two",
        "user.uid": 1002
...

Additional context

For a non-privileged command like cat /etc/passwd the generated event properly reflected all users' details:

{
    "hostname": "siem-poc-ubuntu-vm",
    "output": "14:23:57.239313073: Warning Unexpected process execution: process=cat command=cat /etc/passwd parent=sh path=/home/user_account_one/ (file=<NA> gparent=su ggparent=sudo gggparent=bash evt_type=execve user=user_account_two user_uid=1002 user_loginuid=1001 [user_account_one]  process=cat proc_exepath=/usr/bin/cat parent=sh command=cat /etc/passwd terminal=34816 exe_flags=0 container_id=host container_name=host)",
    "priority": "Warning",
    "rule": "Uncommon Process Execution",
    "source": "syscall",
    "tags": [],
    "time": "2023-12-08T14:23:57.239313073Z",
    "output_fields": {
        "container.id": "host",
        "container.name": "host",
        "evt.arg.flags": "0",
        "evt.time": 1702045437239313073,
        "evt.type": "execve",
        "fd.name": null,
        "proc.aname[2]": "su",
        "proc.aname[3]": "sudo",
        "proc.aname[4]": "bash",
        "proc.cmdline": "cat /etc/passwd",
        "proc.cwd": "/home/user_account_one/",
        "proc.exepath": "/usr/bin/cat",
        "proc.name": "cat",
        "proc.pname": "sh",
        "proc.tty": 34816,
        "user.loginname": "user_account_one",
        "user.loginuid": 1001,
        "user.name": "user_account_two",
        "user.uid": 1002
    }
}

Environment

Falco was installed on an Ubuntu VM on GCP by following the installation steps described on the official page.
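The mismatch reported above (user.uid=0 next to user.name=user_account_two) can be caught mechanically by resolving each uid through the host's passwd table and comparing it with the name Falco emitted. The following is an added example, not Falco's own code: it takes trimmed copies of the two events from the report, a constructed stand-in for the VM's /etc/passwd (only the three accounts the report names), and flags every event whose uid/name pairs disagree, without deciding which of the two fields is the right one.

```python
import json

# Constructed stand-in for /etc/passwd on the reporter's VM (an assumption:
# the issue only names these three accounts and their uids).
PASSWD = {0: "root", 1001: "user_account_one", 1002: "user_account_two"}

# Trimmed copies of the two events quoted in the issue; only the fields this
# check needs are kept. Falco's json_output normally writes one object per line.
SAMPLE_EVENTS = json.dumps([
    {"rule": "Uncommon Process Execution",
     "output_fields": {"evt.type": "execve", "proc.cmdline": "sudo cat /etc/passwd",
                       "user.loginname": "user_account_one", "user.loginuid": 1001,
                       "user.name": "user_account_two", "user.uid": 0}},
    {"rule": "Uncommon Process Execution",
     "output_fields": {"evt.type": "execve", "proc.cmdline": "cat /etc/passwd",
                       "user.loginname": "user_account_one", "user.loginuid": 1001,
                       "user.name": "user_account_two", "user.uid": 1002}},
])


def load_events(text):
    """Accept either a JSON array or newline-delimited JSON (Falco's default)."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_user_fields(fields, passwd):
    """Return the list of inconsistencies in one event's output_fields.

    An empty list means the effective (user.uid/user.name) and audit
    (user.loginuid/user.loginname) pairs both agree with the passwd table.
    """
    problems = []
    uid, name = fields.get("user.uid"), fields.get("user.name")
    if uid is not None:
        expected = passwd.get(uid, "<NA>")
        if expected != name:
            problems.append(
                f"user.uid={uid} resolves to {expected!r} but user.name={name!r}")
    luid, lname = fields.get("user.loginuid"), fields.get("user.loginname")
    # loginuid -1 means "unset" (e.g. daemons started at boot); skip those.
    if luid not in (None, -1):
        expected = passwd.get(luid, "<NA>")
        if expected != lname:
            problems.append(
                f"user.loginuid={luid} resolves to {expected!r} but user.loginname={lname!r}")
    return problems


def audit_events(text, passwd):
    """Map proc.cmdline -> problems for every event whose user fields disagree."""
    findings = {}
    for event in load_events(text):
        fields = event.get("output_fields", {})
        problems = check_user_fields(fields, passwd)
        if problems:
            findings[fields.get("proc.cmdline", "<no cmdline>")] = problems
    return findings


if __name__ == "__main__":
    for cmdline, problems in audit_events(SAMPLE_EVENTS, PASSWD).items():
        print(cmdline)
        for p in problems:
            print("  -", p)
```

Run against a real Falco log, read the passwd table from the monitored host rather than the hard-coded dictionary; on a live system the sudo event would be consistent only if Falco reported either uid 0 with name root or uid 1002 with name user_account_two.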

Andreagit97 commented 9 months ago

Thank you for reporting this and for the research! We will take a look! Looking at your example it seems we have an issue @FedeDP

FedeDP commented 9 months ago

Hi! Thanks for opening this issue! Can you share the rule you are using? It is really weird since when we update the user, we update both uid and name: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/threadinfo.cpp#L503, so I don't get how they can be out of sync :/

ycaoT commented 9 months ago

I have a similar observation: if I run the agent in a container using the eBPF probe, I am able to see user.loginuid and user.loginname; however, if I switch to the modern eBPF, it does not work.

For the eBPF probe I am running following the doc: https://falco.org/docs/install-operate/running/#docker-privileged

docker run --rm -i -t \
    --privileged \
    -e FALCO_BPF_PROBE="" \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /proc:/host/proc:ro \
    -v /boot:/host/boot:ro \
    -v /lib/modules:/host/lib/modules:ro \
    -v /usr:/host/usr:ro \
    -v /etc:/host/etc:ro \
    falcosecurity/falco:latest

For the modern eBPF I am running following the doc: https://falco.org/docs/install-operate/running/#modern-ebpf

docker run --rm -i -t \
    --privileged \
    -v /var/run/docker.sock:/host/var/run/docker.sock \
    -v /proc:/host/proc:ro \
    falcosecurity/falco-no-driver:latest falco --modern-bpf

Please let me know if it's better to create a separate issue to track this.

aberezovski commented 9 months ago

> Hi! Thanks for opening this issue! Can you share the rule you are using? It is really weird since when we update the user, we update both uid and name: https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/threadinfo.cpp#L503, so I don't get how they can be out of sync :/

Hi @FedeDP,

The falco rule I used for my tests is a very simple one:

- rule: Uncommon Process Execution
  desc: Detects execution of an uncommon process
  condition: >
    evt.type in (execve, execveat) and evt.dir=< and not proc.name in (bash, sh, ls, rm)
  output: >
    Unexpected process execution: process=%proc.name command=%proc.cmdline parent=%proc.pname path=%proc.cwd (file=%fd.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid user_loginname=%user.loginname process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname command=%proc.cmdline terminal=%proc.tty exe_flags=%evt.arg.flags %container.info)
  priority: WARNING

aberezovski commented 9 months ago

Hi @ycaoT, your assumption is the correct one. I used the modern-bpf driver for the falco instance used as a Linux service. [image]

And the falco service status is: [image]

BTW, regarding falco running as a DaemonSet using the modern-bpf driver, the user evidence is even worse. Check the comments I left on another ticket: https://github.com/falcosecurity/falco/issues/2952#issuecomment-1850464920

aberezovski commented 7 months ago

I checked the new falco version 0.37.1 (x86_64) that was installed as a service on an Ubuntu VM as falco-modern-bpf.service. All users' details (effective user and audit/login user) are properly reflected in the falco generated logs. Taking that into consideration, the current issue is not relevant anymore and could be closed.

FedeDP commented 7 months ago

Great to hear that!! Thanks for taking the time to report this issue :) /close

poiana commented 7 months ago

@FedeDP: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/2962#issuecomment-1943431798):

> Great to hear that!!
> Thanks for taking the time to report this issue :)
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.