-
Notifications
You must be signed in to change notification settings - Fork 910
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Container information missing in the alerts generated by the "Privileged Shell Spawned in Container" rule. #3345
Comments
/kind bug |
Hey @poiana any updates for this? |
Hey @dmeetreey Can you share more details about the running environment (OS, Kernel version, etc..) and the setup (installation method, config, etc)? Thanks |
I'm also seeing fields missing from certain alerts. Some have them populated while others don't. For instance, popping a shell into a terminal triggers the following alert, but the fields are usually null (but not always).
I've got falco deployed via helm with the following settings...
|
sure: OS Info
Kernel version:
config:
Installation method: modern eBPF |
These are obvious questions, but they may still help: @doublez13 have you checked the socket filepath exits?
@alacuku the unixsocket may exist, still may not be accessible for some reason since we are using
@doublez13 it would be helpful to know if |
|
The socket file on the host is at
Ah setting |
Thank you so much! I hope we are close to finding a solution. @doublez13 The missing capability is containerSecurityContext:
securityContext:
capabilities:
add:
- BPF
- SYS_RESOURCE
- PERFMON
- SYS_PTRACE
- CAP_DAC_READ_SEARCH
driver:
kind: modern_ebpf
modernEbpf:
leastPrivileged: true Thanks |
Hi, @leogr!
|
Hey @dmeetreey Thank you! Just one doubt:
The helm chart should correctly set the |
Unfortunately I'm not seeing any difference between the following two configs.
Both have the container fields displayed as follows: ( |
@leogr |
If you are deploying Falco via Helm, you should only use collectors setting in the helm values. The chart will configure Falco's config for you. On the other hand, if you're not using Helm, you should configure container_engines by yourself. So, if you haven't enabled collectors in the Helm chart, please try to enable them (note that they are enabled by default; also, please check that the container unix socket path matches your environment). If you have collectors enabled already, I would have expected to see the container configuration translated to the container_engines setting in Falco config. I'm unsure what is happening in your case since I did not see Hoping my explanation makes sense now 😇 |
Is AppArmor enabled on your system? If yes, this should be the only possible cause. If this is the case, we don't have a solution at this time, so I recommend you use To address this in the long term, I will open a specific issue for the least privileged issue with the Helm chart (or feel free to open it by you if you want). |
AppArmor seems to be the cause! |
Good to know, thank you! I guess we need both to update the documentation and find a way to force AppArmor profile to |
Just noticed @doublez13 was already working on the chart, awesome! falcosecurity/charts#769 |
Hello,
My team and I have recently encountered an issue where alerts triggered by the "Privileged Shell Spawned in Container" rule are missing container-related details.
Example of Alert Output:
Rule Configuration:
Environment:
Problem:
The missing container information makes it difficult to troubleshoot and correlate alerts with the actual containers.
Expected Behavior:
We expect the alert output to include detailed container information such as container name, image, image tag, Kubernetes namespace, and pod name.
Additional Context:
It’s critical for us to have complete information in alerts for effective incident response and troubleshooting.
Request:
Could you please provide guidance on how to resolve this issue or if it’s a known issue of Falco? Any suggestions or workarounds would be greatly appreciated.
Thank you for your support!
The text was updated successfully, but these errors were encountered: