Container information missing in the alerts generated by the "Privileged Shell Spawned in Container" rule. #3345

Open
dmeetreey opened this issue Sep 26, 2024 · 1 comment
dmeetreey commented Sep 26, 2024

Hello,

My team and I have recently encountered an issue where alerts triggered by the "Privileged Shell Spawned in Container" rule are missing container-related details.

Example of Alert Output:

Critical Privileged Shell Spawned in Container (user.uid=0 proc.cmdline=sh proc.name=sh proc.pname=<NA> gparent=<NA> ggparent=<NA> gggparent=<NA> proc.pcmdline=<NA> user.name=root user.loginuid=-1 proc.args= container.name=<NA> evt.type=execve evt.res=SUCCESS proc.pid=2121961 proc.cwd= proc.ppid=2121895 proc.sid=1 proc.exepath=/bin/sh user.loginname=<NA> group.gid=0 group.name=root, container.image=<NA>)
container_id=827accfc01b7
container_image=<NA>
container_image_tag=<NA>
container_name=<NA>
k8s_ns=<NA>
k8s_pod_name=<NA>

Rule Configuration:

- rule: Privileged shell spawned inside container
  enabled: true
  desc: This rule detects the creation of a shell as root for interaction within a container. If this rule fires, it may be an indication of compromise.
  condition: spawned_process and container and shell_procs and user.uid = 0 and (proc.args = "" or proc.args startswith "-i") and not container_entrypoint and not user_shell_container_exclusions and not user_expected_terminal_shell_in_container_conditions and proc.tty = 0
  exceptions:
  [REDACTED]
  output: Privileged Shell Spawned in Container (user.uid=%user.uid proc.cmdline=%proc.cmdline proc.name=%proc.name proc.pname=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] proc.pcmdline=%proc.pcmdline user.name=%user.name user.loginuid=%user.loginuid proc.args=%proc.args container.name=%container.name evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.sid=%proc.sid proc.exepath=%proc.exepath user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name, container.image=%container.image.repository)
  priority: CRITICAL
  tags: [container, shell, mitre_container_administration_command, mitre_execution, CIS]

Environment:

  • Falco version: 0.38.2
  • Driver: Modern eBPF driver

Problem:
The missing container information makes it difficult to troubleshoot and correlate alerts with the actual containers.

Expected Behavior:
We expect the alert output to include detailed container information such as container name, image, image tag, Kubernetes namespace, and pod name.

Additional Context:
It’s critical for us to have complete information in alerts for effective incident response and troubleshooting.

Request:
Could you please provide guidance on how to resolve this issue or if it’s a known issue of Falco? Any suggestions or workarounds would be greatly appreciated.

Thank you for your support!
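An added triage helper, not part of this issue or of Falco itself, that reads Falco's JSON alert output (`-o json_output=true`), reports which container and Kubernetes fields came through unset, and fills them from a lookup keyed by the `container.id` that the alert does still carry. The sample event, the inventory and all its values are constructed for illustration; in a real deployment the inventory would be populated from the container runtime or the Kubernetes API.

```python
import json

# Constructed sample of a Falco JSON alert modelled on the issue: container.id
# is present, the other container/k8s fields are unset (null in output_fields,
# rendered as <NA> in Falco's text output).
SAMPLE_EVENT = json.dumps({
    "rule": "Privileged shell spawned inside container",
    "priority": "Critical",
    "output_fields": {
        "container.id": "827accfc01b7",
        "container.name": None,
        "container.image.repository": None,
        "container.image.tag": None,
        "k8s.ns.name": None,
        "k8s.pod.name": None,
        "proc.cmdline": "sh",
    },
})

CONTAINER_FIELDS = ("container.name", "container.image.repository",
                    "container.image.tag", "k8s.ns.name", "k8s.pod.name")

# Hypothetical inventory keyed by container id (constructed values); populate
# it from the container runtime or the Kubernetes API in practice.
RUNTIME_INVENTORY = {
    "827accfc01b7": {
        "container.name": "api",
        "container.image.repository": "registry.example/api",
        "container.image.tag": "1.4.2",
        "k8s.ns.name": "payments",
        "k8s.pod.name": "api-7d9c6b5f4-x2k9p",
    },
}

def missing_container_fields(event):
    """Container/k8s fields Falco left unset (null or <NA>) in this alert."""
    fields = event.get("output_fields", {})
    return [f for f in CONTAINER_FIELDS if fields.get(f) in (None, "<NA>")]

def triage(raw_line, inventory=RUNTIME_INVENTORY):
    """Parse one JSON alert line, fill unset fields from the inventory via the
    container id the alert still carries, and flag whatever stays unresolved."""
    event = json.loads(raw_line)
    fields = event.setdefault("output_fields", {})
    info = inventory.get(fields.get("container.id"), {})
    for f in missing_container_fields(event):
        if f in info:
            fields[f] = info[f]
    event["metadata_degraded"] = bool(missing_container_fields(event))
    return event
```

Alerts that stay flagged `metadata_degraded` after enrichment are the ones to correlate by `container.id` against the runtime by hand.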

dmeetreey (Author) commented:

/kind bug
