Closed loresuso closed 3 months ago
cc @jasondellaluce for visibility
This is not really a bug, Lore -- there's nothing in the model preventing an async event from bundling the "execve" or "execveat" names, so the rule effectively matches async events too at runtime.
Agree with Jason, I don't think this is a bug actually!
Oh I see what you are saying, thank you! Closing
/milestone 0.38.0
Describe the bug
The output of
sudo falco -L -o "json_output=true"
provides us a JSON description of each loaded rule. A piece of very useful information about this is the list of event types, but it currently always returns asyncevent even if the rule doesn't use it. Example below:
How to reproduce it
falco -L -o "json_output=true" | jq
and check the events key
Expected behaviour
Just report the events that are actually used in the condition (through used macros as well)
Screenshots
Environment
Additional context