compliantkubernetes-apps
falco - host alert
Describe the bug
Falco is generating the below host alert on a test cluster setup:
{"output":": Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> user_loginuid=-1 cur_uid= parent=<NA> command=<NA> uid=<NA> container_id=host image=<NA>) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","source":"syscall","tags":["mitre_privilege_escalation","users"],"time":"", "output_fields": {"container.id":"host","container.image.repository":null,"evt.arg.uid":"<NA>","evt.time":,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.loginuid":-1,"user.name":null,"user.uid":}}
Expected behaviour
Alert not being triggered, or an exception added if it's a known behaviour that doesn't affect our security.
Definition of Done
- wait until we complete the falco v0.33 upgrade task
- check if the alert is still present (check after 24h or 48h)
- if still there investigate the issue and propose a solution
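An added triage helper for the "check if the alert is still present" and "investigate" steps; it is not part of this issue or of the compliantkubernetes-apps project. It reads Falco JSON output line by line, counts alerts per rule, and flags those whose process and user context is "<NA>"/null, because a rule exception keyed on process fields cannot match such alerts. The two sample alerts are constructed to mirror the reported shape.

```python
import json
from collections import Counter

# Constructed sample Falco JSON lines (not taken from the issue). The first mirrors the
# reported alert, where process and user fields are "<NA>"/null; the second is a
# comparable setuid alert in which Falco did resolve the process.
SAMPLE_ALERTS = """\
{"output":"Notice Unexpected setuid call by non-sudo, non-root program","priority":"Notice","rule":"Non sudo setuid","source":"syscall","time":"2023-01-01T00:00:00.000000000Z","output_fields":{"container.id":"host","container.image.repository":null,"evt.arg.uid":"<NA>","evt.time":1672531200000000000,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.loginuid":-1,"user.name":null,"user.uid":null}}
{"output":"Notice Unexpected setuid call by non-sudo, non-root program","priority":"Notice","rule":"Non sudo setuid","source":"syscall","time":"2023-01-01T00:05:00.000000000Z","output_fields":{"container.id":"host","container.image.repository":null,"evt.arg.uid":"1","evt.time":1672531500000000000,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"example-daemon --reload","proc.pname":"systemd","user.loginuid":-1,"user.name":"daemon","user.uid":1}}
"""

# Fields needed to judge whether a setuid call is benign. user.loginuid is left out:
# -1 there is normal for processes with no login session, not a missing value.
CONTEXT_FIELDS = ("proc.cmdline", "proc.pname", "user.name", "user.uid", "evt.arg.uid")


def is_unresolved(value) -> bool:
    """True when Falco emitted a placeholder ("<NA>" or null) instead of a value."""
    return value is None or value == "<NA>"


def triage_line(line: str) -> dict:
    """Parse one Falco JSON line and report which context fields are missing."""
    alert = json.loads(line)
    fields = alert.get("output_fields", {})
    missing = [f for f in CONTEXT_FIELDS if is_unresolved(fields.get(f))]
    return {
        "rule": alert.get("rule"),
        "time": alert.get("time"),
        "container": fields.get("container.id"),
        "missing_context": missing,
        # A rule exception keyed on the process name/command line cannot match an
        # alert in which Falco never resolved the process, so it needs investigation.
        "exception_addressable": "proc.cmdline" not in missing,
    }


def summarise(lines: str) -> dict:
    """Count alerts per rule, split by whether process context was available."""
    counts = Counter()
    for line in lines.splitlines():
        if line.strip():
            t = triage_line(line)
            bucket = "with-context" if t["exception_addressable"] else "no-context"
            counts[(t["rule"], bucket)] += 1
    return dict(counts)
```

Feed it the Falco JSON log collected over the 24h/48h window (for example via `summarise(open(path).read())`) to see whether the context-less alerts persist and how many of them could be handled by an exception at all.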