While working through some updates to the falco rules, I found that with the current set of rules, network file descriptors won't have their state (hostname and port) fully resolved. For example, the installer_bash_starts_network_server rule can't show the address/port on which the process is trying to listen.
The reason for this is that file descriptor resolution generally occurs during a bind. However, as no current rule looks for bind events, the file descriptor meta-information isn't associated with the fd.
We'll have to figure out a way to get the bind events to libsinsp so the meta-information can be saved.
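One way to get the bound address into the rule output is to match the bind exit event itself, which is where libsinsp records the fd's address and port. The rule below is an added illustration, not a rule from the Falco rules file; the rule name, macro and the list of shell processes are assumptions.

```yaml
# Added example, not part of falco_rules.yaml. Matching the bind exit
# event (evt.dir=<) means the fd.* fields are populated when the rule
# fires, unlike a rule that only sees the later listen/accept events.
# Rule name, macro name and the shell process list are assumptions.
- macro: shell_procs_example
  condition: proc.name in (bash, sh, dash, zsh)

- rule: Shell Binds Network Socket (added example)
  desc: >
    A shell process bound a socket to a local address. Matching on the
    successful bind exit event makes fd.sip and fd.sport resolvable.
  condition: >
    evt.type=bind and evt.dir=< and evt.rawres>=0 and
    fd.l4proto in (tcp, udp) and shell_procs_example
  output: >
    Shell bound a network socket (user=%user.name command=%proc.cmdline
    proto=%fd.l4proto addr=%fd.sip port=%fd.sport container=%container.id)
  priority: NOTICE
  tags: [network]
```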
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.