compliantkubernetes-apps
falco - namespace change alert
Describe the bug
Falco is generating the below namespace change alerts on a test cluster setup:
{"output":"09:51:41.088557396: Notice Namespace change (setns) by unexpected program (user=root user_loginuid=-1 command=nsenter -m/proc/1/ns/mnt -- test -f /var/run/reboot-required parent=kured k8s.ns=kured k8s.pod=kured-lj9qq container=8855c699d6d5 container_id=8855c699d6d5 image=docker.io/weaveworks/kured:1.9.1) k8s.ns=kured k8s.pod=kured-lj9qq container=8855c699d6d5","priority":"Notice","rule":"Change thread namespace","source":"syscall","tags":["mitre_lateral_movement","mitre_privilege_escalation","process"],"time":"2022-08-15T09:51:41.088557396Z", "output_fields": {"container.id":"8855c699d6d5","container.image.repository":"docker.io/weaveworks/kured","container.image.tag":"1.9.1","evt.time":1660557101088557396,"k8s.ns.name":"kured","k8s.pod.name":"kured-lj9qq","proc.cmdline":"nsenter -m/proc/1/ns/mnt -- test -f /var/run/reboot-required","proc.pname":"kured","user.loginuid":-1,"user.name":"root"}}
{"output":"23:38:56.060452745: Notice Namespace change (setns) by unexpected program (user=root user_loginuid=-1 command=snap-confine --base core20 snap.lxd.hook.configure /usr/lib/snapd/snap-exec --hook=configure lxd parent=snapd k8s.ns=<NA> k8s.pod=<NA> container=host container_id=host image=<NA>:<NA>) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","source":"syscall","tags":["mitre_lateral_movement","mitre_privilege_escalation","process"],"time":"2022-08-12T23:38:56.060452745Z", "output_fields": {"container.id":"host","container.image.repository":null,"container.image.tag":null,"evt.time":1660347536060452745,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"snap-confine --base core20 snap.lxd.hook.configure /usr/lib/snapd/snap-exec --hook=configure lxd","proc.pname":"snapd","user.loginuid":-1,"user.name":"root"}}
Expected behaviour
The alert should not be triggered, or an exception should be added if it's a known behaviour that doesn't affect our security.
Definition of Done
- wait until we complete the falco v0.33 upgrade task
- check if the alert is still present (check after 24h or 48h)
- if still there, investigate the issue and propose a solution
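If the kured alert is still present after the upgrade and is judged to be expected behaviour, the narrowest way to silence it is a Falco rules override rather than disabling the rule. The snippet below is an added example written for this issue, not a file from compliantkubernetes-apps or from Falco itself. It assumes the stock `falco_rules.yaml` of the 0.3x series, where the "Change thread namespace" rule ends with `and not user_known_change_thread_namespace_activities` and that macro defaults to `(never_true)`; redefining the macro in a local rules file (loaded after the default rules) therefore adds the exception. The match is pinned to every field visible in the first alert above (image, parent process, program and exact command line) so that any other `setns` caller, including the host-level `snap-confine` event from the second alert, keeps firing and still has to be investigated separately.

```yaml
# Added example: local Falco rules override for the kured reboot-required check.
# Assumption: loaded after the default falco_rules.yaml (for example via
# falco_rules.local.yaml), where the "Change thread namespace" rule excludes
# anything matched by user_known_change_thread_namespace_activities.
- macro: user_known_change_thread_namespace_activities
  condition: >
    (container.image.repository = "docker.io/weaveworks/kured"
     and proc.pname = "kured"
     and proc.name = "nsenter"
     and proc.cmdline = "nsenter -m/proc/1/ns/mnt -- test -f /var/run/reboot-required")
```

Keeping `proc.cmdline` in the condition matters: kured legitimately enters the host mount namespace only to test for `/var/run/reboot-required`, so an `nsenter` from the same image with any other arguments remains a Notice. After the v0.33 upgrade, re-check the rule text, since the macro and rule names are the only coupling between this override and the upstream ruleset.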