tracee
TRC-11 triggered from runc process

and related discussion:

I think the easy approach, which is also good, is to check whether it's the runc process with tid == 1. If it is the case, do not trigger.
The other approach is to create an event of container_start and only trigger after the container started. In this case, this signature should be rewritten in Go, as it becomes stateful (need to keep track of started containers).
@rafaeldtinoco @yanivagman any thoughts?

With the change we made, we have already probably got rid of most of the false positives. There is still a catch from Yaniv's comment that we could address, thus the reason for me to re-open this (but with less priority now).
We now have the container_started flag which can be used in this rule to distinguish runc processes. @roikol @AsafEitani I think all existing rules should be revisited and use this flag instead of excluding the runc process.
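To make the two approaches from the thread concrete, here is an added Go example that is not tracee's own code: it models the tid == 1 runc exclusion from the first comment beside the container_started-based check from the last one, and runs both over a constructed set of events. The `Event` struct and its field names are assumptions made for this example, not tracee's real event type; the sample set includes a pre-start event that is not tid 1 to show where the two predicates disagree, which generalizes slightly beyond the thread.

```go
package main

import "fmt"

// Event is a constructed, minimal stand-in for a tracee event. The field
// names are assumptions for this example, not tracee's actual event struct.
type Event struct {
	ProcessName      string // comm of the process that produced the event
	ThreadID         int    // thread id as seen inside the container's pid namespace
	ContainerID      string // empty for host processes
	ContainerStarted bool   // true once the container's entrypoint is running
}

// Verdict records whether each predicate would let the rule fire.
type Verdict struct {
	PidExclusion bool // first approach: exclude runc at tid 1
	StartedFlag  bool // second approach: require the container to have started
}

// IsRuncInit is the first approach from the thread: treat the event as
// container-runtime setup noise when it comes from runc running as tid 1.
func IsRuncInit(e Event) bool {
	return e.ProcessName == "runc" && e.ThreadID == 1
}

// ShouldTriggerPidExclusion fires for any container event except runc at tid 1.
func ShouldTriggerPidExclusion(e Event) bool {
	return e.ContainerID != "" && !IsRuncInit(e)
}

// ShouldTriggerStartedFlag fires only once the container has started, no
// matter which process or thread produced the event.
func ShouldTriggerStartedFlag(e Event) bool {
	return e.ContainerID != "" && e.ContainerStarted
}

// Evaluate applies both predicates to one event.
func Evaluate(e Event) Verdict {
	return Verdict{
		PidExclusion: ShouldTriggerPidExclusion(e),
		StartedFlag:  ShouldTriggerStartedFlag(e),
	}
}

// SampleEvents is a constructed input set for this example.
func SampleEvents() []Event {
	return []Event{
		{ProcessName: "runc", ThreadID: 1, ContainerID: "c1", ContainerStarted: false}, // runc init, before the entrypoint
		{ProcessName: "runc", ThreadID: 7, ContainerID: "c1", ContainerStarted: false}, // setup work from a thread that is not tid 1
		{ProcessName: "sh", ThreadID: 1, ContainerID: "c1", ContainerStarted: true},    // workload after the container started
		{ProcessName: "runc", ThreadID: 1, ContainerID: "", ContainerStarted: false},   // host-side runc, no container context
	}
}

func main() {
	for _, e := range SampleEvents() {
		v := Evaluate(e)
		fmt.Printf("%-4s tid=%d container=%q started=%-5v -> pidExclusion=%-5v startedFlag=%v\n",
			e.ProcessName, e.ThreadID, e.ContainerID, e.ContainerStarted, v.PidExclusion, v.StartedFlag)
	}
}
```

The second sample row is the interesting one: a pre-start event from a thread other than tid 1 still passes the pid-based exclusion, while the started-flag check suppresses it, which is why the flag is the more robust gate for rules that only care about what runs after the container is up.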