falco - grafana alert

[crssnd]

Describe the bug Falco is generating the below grafana alert on a test cluster setup:

{"output":"06:09:22.130958663: Error File below /etc opened for writing (user=<NA> user_loginuid=-1 command=python -u /app/sidecar.py parent=<NA> pcmdline=<NA> file=/etc/grafana/provisioning/datasources/datasource.yaml program=python gparent=<NA> ggparent=<NA> gggparent=<NA> container_id=fd71c image=quay.io/kiwigrid/k8s-sidecar) k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6 container=fd71c k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6 container=fd71c2cbb9d7 k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6 container=fd71c k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6container=fd71c k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6container=fd71c k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6 container=fd71c k8s.ns=monitoring k8s.pod=kube-prometheus-stack-grafana-6 container=fd71c","priority":"Error","rule":"Write below etc","source":"syscall","tags":["filesystem","mitre_persistence"],"time":"2022-08-12T06:09:22.130958663Z", "output_fields": {"container.id":"fd71c2cbb9d7","container.image.repository":"quay.io/kiwigrid/k8s-sidecar","evt.time":1660284562130958663,"fd.name":"/etc/grafana/provisioning/datasources/datasource.yaml","k8s.ns.name":"monitoring","k8s.pod.name":"kube-prometheus-stack-grafana-65b66b569b-558bv","proc.aname[2]":null,"proc.aname[3]":null,"proc.aname[4]":null,"proc.cmdline":"python -u /app/sidecar.py","proc.name":"python","proc.pcmdline":null,"proc.pname":null,"user.loginuid":-1,"user.name":null}}

Expected behaviour Alert not being triggered or an exception added if it's a know behaviour that doesn't affect our security.

Definition of Done

• wait until we complete the falco v0.33 upgrade task
• check if the alert is still present (check after 24h or 48h)
• if still there investigate the issue and propose a solution