Trigger alert whenever there is any manual command executed inside a container [approx solution via new filter fields proc.is_vpgid_leader or proc.vpgid.exepath or proc.vpgid.name] #2338
Comments
@poiana Not able to apply label to the issue created. Please help with applying support label.
/kind bug Falco rules' condition does not support regex matching yet (only globs and search based on
Expectation is to get an alert whenever we hit enter / new line char inside a container. Installed falco drivers on the ubuntu vm. falco version is as follows: Tried capturing all the commands executed in bash/sh shell of a container by using proc.pname in the condition as shown below.
Alert generated for reference:
Hi @hjampala, I don't have a specific answer to your question at the moment, but I can tell you that both
@hjampala what you describe is something I have been thinking about a lot: the dilemma between syscall logging with the associated process cmd args versus keystroke-type command logging. Basically, a common misconception is "what you type into your terminal is what would be logged as cmdline" in tools like Falco that are based on syscall events -> not exactly true, because, as Lorenzo perfectly described, the shell itself interprets the input and most often "destroys" your command, or doesn't even cause a new execve in the case of shell built-ins. More examples: [1] Typed into terminal: [2] Typed into terminal: [3] [4] Typed into terminal:
UNLESS your command gets passed with Lastly, a few more tips: have you explored the fields
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community.
@poiana: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/remove-lifecycle rotten
/reopen
@incertum: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This PR, falcosecurity/libs#1178, is not directly addressing this issue; still, it could be regarded as an attempt to make progress.
Marking this as solved via an approximation for now. Please note Falco is still not a keystroke logger and bash built-ins not causing a newly spawned process are not being logged via a syscalls logging approach in general. A possible filter expression you could add to your custom rule to only log spawned processes when in a tty from direct executions and not subprocesses from for example scripts could look like the following:
/milestone 0.36.0
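As an added example (not the issue author's rule and not part of the Falco project's rule set), here is how the approximation described in the comment above could be written as a custom rule. It assumes the proc.is_vpgid_leader and proc.vpgid.* fields named in the title are available in the Falco build in use, and uses proc.tty (the controlling tty number, 0 when the process has none) to restrict to interactive sessions.

```yaml
# Added example rule, not from the Falco project. Field names assumed to be
# available: proc.tty, proc.is_vpgid_leader, proc.vpgid.name, proc.vpgid.exepath.
- rule: Interactive command spawned in container (approximation)
  desc: >
    A new process is execve'd inside a container, is attached to a tty, and is
    the leader of its own process group. In an interactive shell with job
    control, every command line typed at the prompt starts a new process group,
    so the leader is the command the user typed; children of a script, or the
    later stages of a pipeline, inherit the script's (or first command's)
    process group and are not leaders, so they are filtered out. Shell
    built-ins never execve and are not visible to a syscall-based tool.
  condition: >
    evt.type = execve and evt.dir = <
    and container.id != host
    and proc.tty != 0
    and proc.is_vpgid_leader = true
  output: >
    Interactive command in container
    (user=%user.name container_id=%container.id container_name=%container.name
    cmdline=%proc.cmdline exe=%proc.exepath tty=%proc.tty
    pgid_leader=%proc.vpgid.name pgid_leader_exe=%proc.vpgid.exepath
    parent=%proc.pname)
  priority: NOTICE
  tags: [container, shell]
```

Expect misses for built-ins (cd, export, ...) and for commands that reuse an existing process group, and expect noise from tools that run their own pgid leaders on a tty; tune with the proc.vpgid.name output before relying on it.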
/kind support
Hi,
I have a requirement to generate an alert whenever a manual command gets executed inside a container.
Tried giving so many regex combinations in the rule condition to achieve this. But that didn't trigger any alert.
```yaml
- rule: shell_in_container
  desc: notice shell activity within a container
  condition: >
    container.id != host and
    proc.cmdline contains "\n"
  output: >
    shell in a container
    (user=%user.name container_id=%container.id container_name=%container.name
    shell=%proc.name parent=%proc.pname source_ip=%fd.rip cmdline=%proc.cmdline)
  priority: WARNING
```
Is there any custom condition we can use to trigger an alert whenever there is any manual command executed inside a container?