falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Problem detecting sudo usage in container when evt.type is used in condition #378

Closed pogao closed 6 years ago

pogao commented 6 years ago

I'm trying to use the pre-defined rule in falco_rules.local.yaml to detect when a user runs sudo inside a container. The rule is:

 - rule: The program "sudo" is run in a container
   desc: An event will trigger every time you run sudo in a container
   condition: evt.type = execve and evt.dir=< and container.id != host and proc.name = sudo
   output: "Sudo run in container (user=%user.name %container.info parent=%proc.pname cmdline=%proc.cmdline)"
   priority: ERROR
   tags: [users, container]

If I run it using the evt.type filter, nothing is detected. If I remove evt.type and try again, it detects the evt.type=execve event and millions of other events triggered by sudo (basically because now there isn't the filter looking exclusively for the execution of the command), like this:

02:05:28.492207186: Error Sudo run in container (user=root k8s.pod=nginx-77d7f55978-5kpnc container=e9ac82dcd29d parent=bash cmdline=sudo ls /) k8s.pod=nginx-77d7f55978-5kpnc container=e9ac82dcd29d
02:05:28.494431161: Error Sudo run in container (user=root k8s.pod=nginx-77d7f55978-5kpnc container=e9ac82dcd29d parent=bash cmdline=sudo ls /) k8s.pod=nginx-77d7f55978-5kpnc container=e9ac82dcd29d

I'm not really sure what's going on here... could someone let me know what it is that I'm doing wrong, or if this is actually a bug?

mfdii commented 6 years ago

@pogao I just went through attempting to recreate this and the rule works fine for me. Could you give me a bit more detail on your setup?

1) Host OS and Kernel Version (uname -a)

2) Are you running Falco as a container or in the host system as a daemon (or via a terminal)?

Thanks.

pogao commented 6 years ago

@mfdii sorry for this, I found out what was wrong and solved the problem. Sorry for forgetting to update this.

mfdii commented 6 years ago

No worries, glad you have it working. Would you mind sharing what the problem was?

pogao commented 6 years ago

The problem was me and my own dumbness obviously.

The alerts without the evt.type filter would show up because the number of events generated matching the rest of the condition was enough to fill the buffer and make falco spit something on the screen. When I was using evt.type in the condition, it would only match about 3 lines of output, which wasn't enough to fill falco's buffer. I just needed to "break the rule" enough times for the alert to be displayed - but the rule was working fine :)

mfdii commented 6 years ago

Oh yes, you can use the -U flag to disable buffering or change it in the config file.

https://github.com/draios/falco/blob/dev/falco.yaml#L45
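As an added example (not code from this issue or from the Falco project), here is a toy evaluation of both conditions from the thread over a constructed event stream, plus a crude model of the output buffering pogao describes; the event fields and values, the 4096-byte buffer and the 180-byte alert line length are assumptions made for the illustration.

```python
# Added example, not Falco code: model why dropping "evt.type = execve" from the
# rule turns one alert per sudo invocation into one alert per sudo syscall, and
# why a handful of alerts can sit unseen in a full-buffered stdout.
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed events approximating one "sudo ls /" inside a container, with both
# the enter (">") and exit ("<") direction of each syscall, plus a sudo execve on
# the host for contrast. On the execve enter event proc.name is still the parent
# shell; only on the exit does it reflect the newly executed program, which is
# why the rule needs evt.dir=<.
CONTAINER = "e9ac82dcd29d"  # assumed container id
EVENTS: List[Event] = [
    {"evt.type": "execve", "evt.dir": ">", "container.id": CONTAINER, "proc.name": "bash"},
    {"evt.type": "execve", "evt.dir": "<", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "openat", "evt.dir": ">", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "openat", "evt.dir": "<", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "read",   "evt.dir": ">", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "read",   "evt.dir": "<", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "write",  "evt.dir": ">", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "write",  "evt.dir": "<", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "clone",  "evt.dir": "<", "container.id": CONTAINER, "proc.name": "sudo"},
    {"evt.type": "execve", "evt.dir": "<", "container.id": "host",    "proc.name": "sudo"},
]

def rule_condition(e: Event) -> bool:
    # The rule as written in the issue: only the exit of execve for sudo in a container.
    return (e["evt.type"] == "execve" and e["evt.dir"] == "<"
            and e["container.id"] != "host" and e["proc.name"] == "sudo")

def condition_without_evt_type(e: Event) -> bool:
    # The same rule with evt.type removed: every syscall exit sudo performs in a container.
    return (e["evt.dir"] == "<" and e["container.id"] != "host"
            and e["proc.name"] == "sudo")

def count_alerts(cond: Callable[[Event], bool], events: List[Event]) -> int:
    return sum(1 for e in events if cond(e))

def lines_visible(n_alerts: int, line_bytes: int = 180, buffer_bytes: int = 4096) -> int:
    # Crude model of a full-buffered stdout (sizes are assumptions): alert lines
    # become visible only once a whole buffer has been flushed, so a few alerts
    # can remain hidden until more rule violations arrive or buffering is disabled.
    flushed_bytes = (n_alerts * line_bytes // buffer_bytes) * buffer_bytes
    return flushed_bytes // line_bytes

if __name__ == "__main__":
    print("with evt.type:", count_alerts(rule_condition, EVENTS))            # 1 alert
    print("without evt.type:", count_alerts(condition_without_evt_type, EVENTS))  # 5 alerts
    print("visible after 3 alerts:", lines_visible(3))                       # 0 lines
```

With real Falco the hidden-alert effect goes away by starting it with `-U` or setting `buffered_outputs: false` in falco.yaml, rather than by weakening the condition.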