Falco unable to retrieve correct uid and container names from LXC containers #3213
Comments
Hi! Thanks for opening this issue!
When
I think we are simply failing to retrieve LXC containers (i.e., they might be broken :/ ). /assign /milestone 0.39.0
Hi! I opened this: falcosecurity/libs#1879 with the fix; it seems like we never supported the new LXC cgroup layout (since 4.0): https://linuxcontainers.org/lxc/news/2020_03_25_13_03.html Unfortunately, the fix will be part of the next Falco release (i.e., Falco 0.39, released by the end of September).
Hi Federico! We can give your fix a try once it's merged, would be a pleasure. Feel free to ping me once it's done.
/milestone 0.38.0
Can you try with https://github.com/falcosecurity/falco/releases/tag/0.38.0-rc5?
Thanks for the update!
Falco 0.38.0 is now released with my LXC fix ;) so you can now use normal Falco images!
Hi Federico,
To illustrate, below are two Falco logs:
These two entries share a value of
And thanks for the update regarding the release of Falco 0.38.0!
Hi! Yes,
Oh, I was not aware of this, thank you for the link. We will deal with it directly through Falco rules then. Well, I think that is all regarding this issue; you fixed our problem and I am grateful for that. Thanks a lot!
You are welcome!
@FedeDP: Closing this issue. In response to this:
Describe the bug
Falco has a hard time retrieving information from LXC containers (using falco-modern-bpf installed on the host).
Common fields affected are %container.name %container.id %user.loginname.
We have a rule that allows us to trigger event logs whenever a command is executed by a physical or virtual user, with some conditions so we don't get every command executed by a user.
For the users, the problem is that logs generated by events from Falco contain <NA>, nulls, and sometimes wrong values when a host and its container have a different username for the same uid. The value retrieved is the name associated with the uid in the /etc/passwd file from the host machine, which can be wrong as the user corresponding to this uid is not the same on the container. Moreover, if the uid is non-existent on the host, the value can be blank or <NA>.
Regarding the container name, an LXC container is always named <NA>.
We don't have the same problem for our Docker containers or bare-metal machines, but the rule is still the same.
How to reproduce it
Install Falco on a machine hosting LXC containers with an ansible playbook following installation details and use our rule:
Expected behaviour
It should display the expected container hostname instead of <NA> and give the username related to the uid of the container.
Screenshots
Environment
Falco version: 0.37.1 <---
Libs version: 0.14.3
Plugin API: 3.2.0
Engine: 0.31.0
Driver:
API version: 8.0.0
Schema version: 2.0.0
Default driver: 7.0.0+driver
LXC
Linux lxc-machine-52 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64 GNU/Linux
Installed from the installation details provided by the Falco documentation, through an Ansible playbook we developed.
Additional context
We don't install clang, llvm or dialog (we set FALCO_FRONTEND to noninteractive and set FALCO_DRIVER_CHOICE during one playbook task).
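The two failure modes in this report (container.name resolving to <NA> because only the pre-4.0 LXC cgroup path was recognised, and user.name being looked up in the host's /etc/passwd for a uid that means someone else inside the container) can be reproduced in isolation with the small enricher below. This is an added illustration, not Falco's code or the libs#1879 fix; the `/lxc/<name>` and `/lxc.payload.<name>` path patterns, the sample cgroup lines and the passwd contents are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed /proc/<pid>/cgroup lines (not taken from the issue): the legacy
# LXC layout, the post-4.0 "lxc.payload.<name>" layout, and a plain host process.
# The path patterns are an assumption based on the LXC 4.0 cgroup announcement.
SAMPLE_CGROUP_LINES = {
    "legacy": "0::/lxc/web01",
    "new": "0::/lxc.payload.web01",
    "new_nested": "12:memory:/lxc.payload.web01/system.slice/nginx.service",
    "host": "0::/user.slice/user-1000.slice/session-3.scope",
}

_LEGACY_RE = re.compile(r"/lxc/([^/]+)")
_PAYLOAD_RE = re.compile(r"/lxc\.payload\.([^/]+)")


def lxc_name_from_cgroup(line: str, support_new_layout: bool = True) -> Optional[str]:
    """Return the LXC container name found in one /proc/<pid>/cgroup line, or None.

    With support_new_layout=False only the legacy pattern is tried, which is the
    situation that yields container.name = <NA> for every LXC >= 4.0 container.
    """
    # cgroup v1 lines are "id:controllers:path", cgroup v2 lines are "0::path";
    # in both cases the path is the last colon-separated field.
    path = line.split(":", 2)[-1]
    match = _LEGACY_RE.search(path)
    if match is None and support_new_layout:
        match = _PAYLOAD_RE.search(path)
    return match.group(1) if match else None


# Constructed passwd contents: uid 1001 is 'deploy' on the host but 'ci' inside
# the container, the mismatch the report describes.
HOST_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndeploy:x:1001:1001::/home/deploy:/bin/bash\n"
CONTAINER_PASSWD = "root:x:0:0:root:/root:/bin/bash\nci:x:1001:1001::/home/ci:/bin/sh\n"


def parse_passwd(text: str) -> Dict[int, str]:
    """Map uid -> login name from passwd-format text, ignoring malformed lines."""
    table: Dict[int, str] = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table[int(fields[2])] = fields[0]
    return table


def resolve_uid(uid: int, passwd_text: str) -> str:
    """Resolve a uid against the passwd file of the namespace the process runs in.

    For a container that file is reachable on the host as /proc/<pid>/root/etc/passwd;
    resolving against the host's own /etc/passwd instead gives the wrong name or <NA>.
    """
    return parse_passwd(passwd_text).get(uid, "<NA>")
```

Running `resolve_uid(1001, HOST_PASSWD)` versus `resolve_uid(1001, CONTAINER_PASSWD)` shows the two names an event for the same uid would carry depending on which passwd file is consulted.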