falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

vscode opens files remotely, falco generates multiple repeated events #2991

Open YanjiangChen opened 8 months ago

YanjiangChen commented 8 months ago

rule:

- rule: process exec
  desc: notice process exec
  # Fire on the return side of execve/execveat, excluding the reporter's own agent
  condition: >
    (evt.dir=< and evt.type in (execve, execveat) and not proc.exepath in (dyrace) and not proc.cmdline contains "/opt/dyrace/bin" and not proc.cmdline contains "/dev/shm/dylco/event" and not proc.sname in (dyrace-bin))
  # evt.rawtime, pid and tid are what make the duplicates below recognisable as the same process
  output:
    process exec (esource=%evt.source systype=%syscall.type evt_time=%evt.rawtime file=%fd.name evt_type=%evt.type user=%user.name user_uid=%user.uid user_loginuid=%user.loginuid psname=%proc.sname psexepath=%proc.sid.exepath process=%proc.name proc_exepath=%proc.exepath parent=%proc.pname cwd=%proc.cwd pacommand=%proc.acmdline command=%proc.cmdline exeline=%proc.exeline terminal=%proc.tty pid=%proc.pid tid=%thread.tid paexepath=%proc.aexepath exe_flags=%evt.arg.flags)
  priority: WARNING

events:

21:13:42.749980255: Warning process exec (esource=syscall systype=execve evt_time=1704248022749980255 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750026301: Warning process exec (esource=syscall systype=execve evt_time=1704248022750026301 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750043537: Warning process exec (esource=syscall systype=execve evt_time=1704248022750043537 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750062579: Warning process exec (esource=syscall systype=execve evt_time=1704248022750062579 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750079309: Warning process exec (esource=syscall systype=execve evt_time=1704248022750079309 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750096491: Warning process exec (esource=syscall systype=execve evt_time=1704248022750096491 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750111443: Warning process exec (esource=syscall systype=execve evt_time=1704248022750111443 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750126167: Warning process exec (esource=syscall systype=execve evt_time=1704248022750126167 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750142389: Warning process exec (esource=syscall systype=execve evt_time=1704248022750142389 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)
21:13:42.750158537: Warning process exec (esource=syscall systype=execve evt_time=1704248022750158537 file=<NA> evt_type=execve user=root user_uid=0 user_loginuid=0 psname=bash psexepath=/usr/bin/bash process=node proc_exepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node parent=node cwd=/root/tracing-agent/ pacommand=<NA>proc.acmdline command=node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false exeline=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/node --dns-result-order=ipv4first /root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/out/bootstrap-fork --type=extensionHost --transformURIs --useHostProxy=false terminal=0 pid=3530084 tid=3530084 paexepath=/root/.vscode-server/bin/0ee08df0cf4527e40edc9aa28f4b5bd38bbff2b2/nodeproc.aexepath  exe_flags=EXE_WRITABLE)

...Multiple identical events

Andreagit97 commented 8 months ago

Thank you for reporting! I will take a look to understand if there is a real issue or not, it could be possible that multiple execve events are called

YanjiangChen commented 8 months ago

The process ID and thread ID of these events are the same, and the exit event is not triggered before a new execve event is started.
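The check the reporter describes (same pid and tid, identical exec, no exit event in between, all within a couple of hundred microseconds) can be applied mechanically to Falco's text output. The following is an added example and is not code from the Falco project or from the issue author: it parses the key=value output produced by the rule in the original post and groups consecutive execve events per (pid, tid) into runs. The 1 ms burst window, the shortened constructed sample lines, and the `procexit` line (assumed to come from a companion rule on `evt.type=procexit`, which the rule in this issue does not emit) are all assumptions.

```python
"""Flag repeated execve events for the same pid/tid in Falco text output.

Added example, not Falco project code. Field names come from the rule in
the issue (evt_time, evt_type, pid, tid, exeline); BURST_NS and the sample
lines below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Falco text output: "<time>: <Priority> <rule output text> (<key=value ...>)".
_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+): (\w+) (.*?) \((.*)\)$")
# key=value pairs; a value runs until the next " key=" token, so command
# lines with spaces survive ("--flag=value" does not match \w+= because it
# starts with '-'). A bare "FOO=bar" argument would still be misparsed: use
# json_output: true in falco.yaml when the output is consumed by a program.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

BURST_NS = 1_000_000          # assumed: identical re-execs closer than 1 ms are suspect
EXEC_TYPES = {"execve", "execveat"}


def parse_line(line: str):
    """Parse one Falco output line into a dict of fields; None if it is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    ts, priority, rule_text, blob = m.groups()
    fields = dict(_KV.findall(blob))
    fields.update({"_time": ts, "_priority": priority, "_rule": rule_text})
    return fields


@dataclass
class ExecRun:
    pid: str
    tid: str
    exeline: str
    first_ns: int
    last_ns: int
    count: int = 1

    @property
    def span_ns(self) -> int:
        return self.last_ns - self.first_ns


def find_repeats(lines, burst_ns: int = BURST_NS):
    """Return runs of two or more identical execve events for one (pid, tid)
    with no procexit between them and each closer than burst_ns to the last."""
    open_runs: dict = {}
    closed = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or "evt_time" not in ev:
            continue
        key = (ev.get("pid"), ev.get("tid"))
        etype = ev.get("evt_type")
        if etype == "procexit":
            # A genuine exit between two execs means the second exec belongs
            # to a fresh process (pid reuse), not a duplicate: close the run.
            if key in open_runs:
                closed.append(open_runs.pop(key))
            continue
        if etype not in EXEC_TYPES:
            continue
        t = int(ev["evt_time"])
        run = open_runs.get(key)
        if run and run.exeline == ev.get("exeline", "") and t - run.last_ns <= burst_ns:
            run.count += 1
            run.last_ns = t
            continue
        if run:
            closed.append(run)   # a different exec (e.g. a wrapper script exec'ing its target)
        open_runs[key] = ExecRun(key[0], key[1], ev.get("exeline", ""), t, t)
    closed.extend(open_runs.values())
    return [r for r in closed if r.count >= 2]


# Constructed sample, modelled on the events in the issue but cut down to the
# fields this check needs; "<hash>" stands in for the vscode-server build id.
NODE = ("/root/.vscode-server/bin/<hash>/node --dns-result-order=ipv4first "
        "/root/.vscode-server/bin/<hash>/out/bootstrap-fork --type=extensionHost")
SAMPLE_LINES = [
    f"21:13:42.749980255: Warning process exec (evt_time=1704248022749980255 evt_type=execve process=node exeline={NODE} pid=3530084 tid=3530084 exe_flags=EXE_WRITABLE)",
    f"21:13:42.750026301: Warning process exec (evt_time=1704248022750026301 evt_type=execve process=node exeline={NODE} pid=3530084 tid=3530084 exe_flags=EXE_WRITABLE)",
    f"21:13:42.750043537: Warning process exec (evt_time=1704248022750043537 evt_type=execve process=node exeline={NODE} pid=3530084 tid=3530084 exe_flags=EXE_WRITABLE)",
    # wrapper script exec'ing its real target: same pid, different exeline, not a duplicate
    "21:13:43.000000000: Warning process exec (evt_time=1704248023000000000 evt_type=execve process=sh exeline=/bin/sh /usr/local/bin/run-app pid=4100 tid=4100 exe_flags=EXE_WRITABLE)",
    "21:13:43.000500000: Warning process exec (evt_time=1704248023000500000 evt_type=execve process=app exeline=/usr/local/bin/app pid=4100 tid=4100 exe_flags=EXE_WRITABLE)",
    # identical exec after a procexit: pid reuse, not a duplicate
    "21:13:44.000000000: Warning process exec (evt_time=1704248024000000000 evt_type=execve process=cat exeline=/usr/bin/cat /etc/hostname pid=4200 tid=4200 exe_flags=EXE_WRITABLE)",
    "21:13:44.000100000: Warning process exit (evt_time=1704248024000100000 evt_type=procexit process=cat pid=4200 tid=4200)",
    "21:13:44.000200000: Warning process exec (evt_time=1704248024000200000 evt_type=execve process=cat exeline=/usr/bin/cat /etc/hostname pid=4200 tid=4200 exe_flags=EXE_WRITABLE)",
]


def summarize(lines, burst_ns: int = BURST_NS):
    """One human-readable line per suspicious run."""
    return [f"pid={r.pid} tid={r.tid} x{r.count} within {r.span_ns / 1000:.1f} us: {r.exeline}"
            for r in find_repeats(lines, burst_ns)]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Run against the full ten events from the original post it reports a single run of ten for pid 3530084 spanning about 178 µs; on the constructed sample only the node burst is flagged, while the wrapper-script exec (different exeline) and the re-exec after a procexit are left alone. The same grouping is easier and safer to do from Falco's JSON output (`json_output: true`), where field values are not ambiguous.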

YanjiangChen commented 8 months ago

> Thank you for reporting! I will take a look to understand if there is a real issue or not, it could be possible that multiple execve events are called

Have you ever encountered this situation where execve was started multiple times? If so, can you tell me in detail?

YanjiangChen commented 8 months ago

I found a new problem. After opening the file in vscode, only the execve event was generated, but no process exit event was generated.

poiana commented 4 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 4 months ago

/remove-lifecycle stale

poiana commented 2 weeks ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale