falco
Use `proc.exe` and `proc.aexe` Instead of `proc.name` and `proc.aname`
Motivation
Hi,
Given that proc.name truncates process names, is there any reason that the default rules use it instead of proc.exe? I noticed the following:
```text
# cat falco_rules.yaml | grep -i "proc.name" | wc
     55     712   10852
# cat falco_rules.yaml | grep -i "proc.aname" | wc
     27     291    4690
```
and then you have things like this:
```yaml
- list: deb_binaries
  items: [dpkg, dpkg-preconfigu, dpkg-reconfigur, dpkg-divert, apt, apt-get, aptitude,
    frontend, preinst, add-apt-reposit, apt-auto-remova, apt-key,
    apt-listchanges, unattended-upgr, apt-add-reposit, apt-cache, apt.systemd.dai
    ]
- list: python_package_managers
  items: [pip, pip3, conda]
```
which isn't ideal. Thanks
Feature
See above
Alternatives
See above
Additional context
proc.name is truncated because of kernel settings out of our control. There is a subtle distinction between process name, exe and exepath. For example, java processes can have custom names, whereas when looking at proc.exe or proc.exepath you would still know it's java. I had updated the upstream rules in such cases.
From a project evolution perspective, proc.aexe and proc.aexepath just got introduced this year, so it wasn't possible to recurse the process tree for those fields previously, and most of these macros, lists and rules precede those changes. As you see, we added lots of new fields this year: https://falco.org/docs/reference/rules/supported-fields/
Would you have concrete examples of where we would benefit from using other fields in the upstream rules?
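The two failure modes raised above (the 15-byte comm limit that produces entries like `dpkg-preconfigu` in the issue's list, and the java-with-a-custom-name case from the maintainer's reply) can be modelled offline. The following is an added example written for this thread; it is not Falco code and not part of the upstream rules. It simulates `proc.name`, `proc.exe` and `proc.exepath` on constructed process events and evaluates a name-keyed condition beside an exepath-keyed one; the Falco expressions named in the docstrings (`proc.name in (...)`, `proc.exepath in (...)`, `proc.exepath endswith ...`) are the conditions each function stands in for. The binary paths are illustrative Debian locations and the events are constructed, not captured.

```python
"""Why Falco rules keyed on proc.name are fragile, modelled offline.

Added example for this issue thread; it is not Falco code and not part of
the falcosecurity/falco rules.  It simulates three Falco fields on
constructed process events:
    proc.name    -> kernel "comm": basename of the filename given to execve,
                    cut to TASK_COMM_LEN-1 = 15 bytes, and changeable later
                    with prctl(PR_SET_NAME)
    proc.exe     -> argv[0]
    proc.exepath -> resolved path of the file actually executed
and evaluates a proc.name-based condition next to a proc.exepath-based one.
Paths are illustrative Debian locations (assumed); events are constructed.
"""
from __future__ import annotations

import os
from dataclasses import dataclass

TASK_COMM_LEN = 16  # Linux include/linux/sched.h: 15 characters + NUL


def comm_of(path: str) -> str:
    """comm the kernel assigns at execve (symlink resolution ignored here)."""
    return os.path.basename(path)[: TASK_COMM_LEN - 1]


# Full paths behind the truncated entries of the deb_binaries list in the issue.
DEB_BINARIES = [
    "/usr/bin/dpkg", "/usr/sbin/dpkg-preconfigure", "/usr/sbin/dpkg-reconfigure",
    "/usr/bin/dpkg-divert", "/usr/bin/apt", "/usr/bin/apt-get", "/usr/bin/aptitude",
    "/usr/bin/add-apt-repository", "/etc/kernel/postinst.d/apt-auto-removal",
    "/usr/bin/apt-key", "/usr/bin/apt-listchanges", "/usr/bin/unattended-upgrade",
    "/usr/bin/apt-add-repository", "/usr/bin/apt-cache", "/usr/lib/apt/apt.systemd.daily",
]
DEB_BINARIES_BY_NAME = {comm_of(p) for p in DEB_BINARIES}  # what proc.name can see
DEB_BINARIES_BY_PATH = set(DEB_BINARIES)                   # what proc.exepath can see


def truncated_entries() -> list[str]:
    """List entries that are not the real program name because comm cut them."""
    return sorted(comm_of(p) for p in DEB_BINARIES
                  if len(os.path.basename(p)) > TASK_COMM_LEN - 1)


@dataclass(frozen=True)
class ProcEvent:
    name: str      # proc.name
    exe: str       # proc.exe
    exepath: str   # proc.exepath


def deb_tool_by_name(ev: ProcEvent) -> bool:
    """Falco: proc.name in (deb_binaries), with the truncated list."""
    return ev.name in DEB_BINARIES_BY_NAME


def deb_tool_by_exepath(ev: ProcEvent) -> bool:
    """Falco: proc.exepath in (deb_binaries), with full paths."""
    return ev.exepath in DEB_BINARIES_BY_PATH


def java_by_name(ev: ProcEvent) -> bool:
    """Falco: proc.name = java"""
    return ev.name == "java"


def java_by_exepath(ev: ProcEvent) -> bool:
    """Falco: proc.exepath endswith /bin/java"""
    return ev.exepath.endswith("/bin/java")


# Constructed events, one per failure mode the thread discusses.
SAMPLE_EVENTS = {
    # Ordinary run: both conditions agree.
    "real_preconfigure": ProcEvent("dpkg-preconfigu", "dpkg-preconfigure",
                                   "/usr/sbin/dpkg-preconfigure"),
    # Unrelated binary whose basename shares the first 15 bytes: the name
    # condition fires on it, the exepath condition does not.
    "prefix_collision": ProcEvent(comm_of("dpkg-preconfigure-report"),
                                  "dpkg-preconfigure-report",
                                  "/opt/tools/dpkg-preconfigure-report"),
    # apt-get run through a symlink named like a kernel thread: comm follows
    # the name given to execve, exepath the file actually executed.
    "symlinked_apt": ProcEvent("kworker", "/tmp/kworker", "/usr/bin/apt-get"),
    # JVM carrying a custom comm (prctl(PR_SET_NAME) or a renamed launcher),
    # the java case raised in the thread.
    "renamed_java": ProcEvent("myservice", "java",
                              "/usr/lib/jvm/java-17-openjdk-amd64/bin/java"),
}


def evaluate(ev: ProcEvent) -> dict[str, bool]:
    """Outcome of each condition for one event."""
    return {
        "deb_by_name": deb_tool_by_name(ev),
        "deb_by_exepath": deb_tool_by_exepath(ev),
        "java_by_name": java_by_name(ev),
        "java_by_exepath": java_by_exepath(ev),
    }


if __name__ == "__main__":
    print("entries the 15-byte comm limit mangles:", truncated_entries())
    for label, ev in SAMPLE_EVENTS.items():
        print(f"{label:18s} {evaluate(ev)}")
```

Running it shows the asymmetry in one table: the name-keyed condition both over-matches (any binary whose basename starts with the same 15 bytes) and under-matches (any process whose comm was set by a symlink name or prctl), while the exepath-keyed condition tracks the file that was actually executed. The price of exepath is that the list must carry full paths, which differ across distributions, so in real rules the `endswith` form or a per-distribution list is the usual compromise.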
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.