"Drop and execute new binary in container rule" not working using modern_ebpf driver on EKS 1.29 #3286
Comments
Thank you! We will take a look ASAP!
/assign
Was able to reproduce this issue on an EC2 node.
Ok the new implementation of the
Put this in
/milestone 0.38.2
Falco 0.38.2 is now released! I have tested this flag on EC2 and GCP with kmod/modern_ebpf and it looks like it is detected properly. Hopefully this is fixed but if not please open another issue.
Can confirm that the issue is solved with Falco 0.38.2. Thank you!
Describe the bug
The Drop and execute new binary in container rule does not work when using modern_ebpf as the driver and Falco runs on EKS 1.29. Some other rules, for example Read sensitive file untrusted, do work.
The Drop and execute new binary in container rule does work when:
The kernel version is 5.10.219-208.866.amzn2.x86_64. I have tested in both privileged mode and least-privilege mode using CAP_SYS_PTRACE, CAP_SYS_RESOURCE, CAP_BPF, and CAP_PERFMON. I also tried CAP_SYS_ADMIN instead of CAP_BPF and CAP_PERFMON. The issue remains: the rule does not trigger.
How to reproduce it
```sh
cp /usr/bin/echo my_echo && ./my_echo hello!
```
Expected behaviour
Falco emits the log message:
"Critical Executing binary not part of base image (proc_exe=./my_echo proc_sname=sh gparent=sh ...)"
Environment
Falco version: 0.38.1
```text
default_driver_version : 7.2.0+driver
driver_api_version     : 8.0.0
driver_schema_version  : 2.0.0
engine_version         : 40
engine_version_semver  : 0.40.0
libs_version           : 0.17.2
plugin_api_version     : 3.6.0
```
Cloud provider or hardware configuration: Amazon EKS 1.29
OS: Amazon Linux 2
Kernel: 5.10.219-208.866.amzn2.x86_64
Installation method: official helm chart
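As an added example (not part of this issue or of the Falco project), here is a POSIX shell reproducer that performs the same copy-and-execute step inside the container and then checks Falco's output for the alert, so the test can be repeated across driver modes (kmod, modern_ebpf) and capability sets. It assumes Falco is configured with json_output: true and file_output pointing at the path given in FALCO_LOG; the two JSON lines embedded below are constructed to mimic that output format and are only there to exercise the checker without Falco installed. The function names and the use of sh instead of echo (so it works where echo is only a shell builtin) are my choices.

```sh
#!/bin/sh
# Added example: reproduce the "drop and execute new binary" pattern and
# check Falco's JSON output for the expected alert.
# Assumptions (not from the issue): Falco runs with json_output: true and
# file_output to the path in FALCO_LOG; the rule name and the "proc_exe="
# field in the output string follow the log line shown in the issue.

RULE="Drop and execute new binary in container"

# falco_saw_rule LOGFILE RULE PROC_EXE
# Exit 0 if some JSON line names RULE and its output mentions proc_exe=PROC_EXE.
# Falco's JSON output is compact ("rule":"..." with no spaces), so a fixed
# string match is enough; use jq if you need anything more robust.
falco_saw_rule() {
    grep -F "\"rule\":\"$2\"" "$1" 2>/dev/null | grep -Fq "proc_exe=$3"
}

# drop_and_execute DIR NAME
# Copy a binary that is part of the base image to a new path (the new inode
# lives in the container's writable layer) and execute it from there.
drop_and_execute() {
    src=$(command -v sh) || return 1
    cp "$src" "$1/$2" && "$1/$2" -c 'echo hello!'
}

# wait_for_alert LOGFILE RULE PROC_EXE TIMEOUT_SECS
# Poll the log, since Falco writes the event asynchronously after the execve.
wait_for_alert() {
    i=0
    while [ "$i" -lt "$4" ]; do
        falco_saw_rule "$1" "$2" "$3" && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Constructed sample of Falco JSON output (not captured from a real run):
# one line for the rule under test and one unrelated rule, so the checker
# can be exercised offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
{"hostname":"ip-10-0-0-1","output":"12:00:00.000000000: Critical Executing binary not part of base image (proc_exe=./my_echo proc_sname=sh gparent=sh ...)","priority":"Critical","rule":"Drop and execute new binary in container","source":"syscall","tags":["container","process"],"time":"2024-07-01T12:00:00.000000000Z"}
{"hostname":"ip-10-0-0-1","output":"12:00:01.000000000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow ...)","priority":"Warning","rule":"Read sensitive file untrusted","source":"syscall","tags":["filesystem"],"time":"2024-07-01T12:00:01.000000000Z"}
EOF

# Stand-alone run: exercise the checker on the constructed sample, then, if
# FALCO_LOG is set, run the real reproducer and wait for the alert.
main() {
    if falco_saw_rule "$SAMPLE_LOG" "$RULE" ./my_echo; then
        echo "checker: sample alert found"
    else
        echo "checker: sample alert NOT found"; return 1
    fi
    if [ -n "${FALCO_LOG:-}" ]; then
        work=$(mktemp -d)
        ( cd "$work" && drop_and_execute . my_echo ) || return 1
        if wait_for_alert "$FALCO_LOG" "$RULE" ./my_echo 10; then
            echo "falco: rule fired"
        else
            echo "falco: rule did NOT fire within 10s"; return 1
        fi
    fi
}

main "$@"
```

Run it inside the workload container with FALCO_LOG pointing at a path where Falco's file output is readable (for example a hostPath shared with the Falco pod); a non-zero exit means the rule did not fire within the timeout, which is the behaviour reported here for modern_ebpf on 0.38.1.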