
name=<NA> pid=-1 Unable to collect proc.name and proc.pid, etc.

Open ox01024 opened this issue 8 months ago • 3 comments

21:04:17.936567615: Warning (evt_type=page_fault name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936566121: Warning (evt_type=ppoll name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936568724: Warning (evt_type=ioctl name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936569197: Warning (evt_type=ppoll name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936569578: Warning (evt_type=ioctl name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936570097: Warning (evt_type=rt_sigprocmask name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936570269: Warning (evt_type=switch name=<NA> pid=-1 tid=818 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936570324: Warning (evt_type=rt_sigprocmask name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936570685: Warning (evt_type=recvmsg name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936571374: Warning (evt_type=futex name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936572862: Warning (evt_type=futex name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936573214: Warning (evt_type=rt_sigprocmask name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936573335: Warning (evt_type=futex name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936573424: Warning (evt_type=rt_sigprocmask name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936574579: Warning (evt_type=page_fault name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936575098: Warning (evt_type=page_fault name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936574142: Warning (evt_type=ppoll name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936576150: Warning (evt_type=page_fault name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936577013: Warning (evt_type=page_fault name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936574738: Warning (evt_type=recvmsg name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936577544: Warning (evt_type=switch name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936581440: Warning (evt_type=sendmsg name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936589245: Warning (evt_type=sendmsg name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936590776: Warning (evt_type=switch name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936592159: Warning (evt_type=poll name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936592335: Warning (evt_type=futex name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936594368: Warning (evt_type=recvmsg name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936594525: Warning (evt_type=switch name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936596330: Warning (evt_type=recvmsg name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936601814: Warning (evt_type=futex name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936607360: Warning (evt_type=switch name=<NA> pid=-1 tid=7494 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936615481: Warning (evt_type=futex name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936617043: Warning (evt_type=poll name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936620105: Warning (evt_type=switch name=<NA> pid=-1 tid=816 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936628825: Warning (evt_type=access name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)
21:04:17.936633291: Warning (evt_type=access name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)

Linux ubuntu22 6.5.0-28-generic #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

root@ubuntu22:~# docker info
Client:
 Version:    24.0.5
 Context:    default
 Debug Mode: false

Server:
 Containers: 48
  Running: 0
  Paused: 0
  Stopped: 48
 Images: 12
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version:
 runc version:
 init version:
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-28-generic
 Operating System: Ubuntu 22.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 7.712GiB
 Name: ubuntu22
 ID: f6a2ad8b-6601-48e8-8d90-fef119a4aa17
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  registry.ahcloud-private.com:5000
  registry.storm.io
  10.50.26.198:80
  127.0.0.0/8
 Live Restore Enabled: false

root@ubuntu22:~# kubectl version Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.12", GitCommit:"b058e1760c79f46a834ba59bd7a3486ecf28237d", GitTreeState:"clean", BuildDate:"2022-07-13T14:59:18Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}

On Ubuntu deployed with docker + k8s, using Falco version greater than 0.36.1 (estimated), the default configuration does not collect process information such as proc.pid and proc.name.

Mitigation Measures Guidance

  • Falco version:

Tue Jun 4 21:29:15 2024: Falco version: 0.38.0 (x86_64)
Tue Jun 4 21:29:15 2024: Falco initialized with configuration files:
Tue Jun 4 21:29:15 2024:    /etc/falco/falco.yaml
Tue Jun 4 21:29:15 2024: System info: Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
Falco version: 0.38.0
Libs version: 0.17.1
Plugin API: 3.5.0
Engine: 0.40.0
Driver:
  API version: 8.0.0
  Schema version: 2.0.0
  Default driver: 7.2.0+driver

  • System info:

root@ubuntu22:~# falco --support | jq .system_info
Tue Jun 4 21:29:31 2024: Falco version: 0.38.0 (x86_64)
Tue Jun 4 21:29:31 2024: Falco initialized with configuration files:
Tue Jun 4 21:29:31 2024:    /etc/falco/falco.yaml
Tue Jun 4 21:29:31 2024: System info: Linux version 6.5.0-28-generic (buildd@lcy02-amd64-098) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2
Tue Jun 4 21:29:31 2024: Loading rules from file /etc/falco/falco_rules.yaml
Tue Jun 4 21:29:31 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
{
  "machine": "x86_64",
  "nodename": "ubuntu22",
  "release": "6.5.0-28-generic",
  "sysname": "Linux",
  "version": "#29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2"
}

  • Kernel:

PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

  • Installation method: Linux ubuntu22 6.5.0-28-generic #29~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr 4 14:39:20 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes

ox01024 avatar Jun 04 '24 13:06 ox01024
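The output pasted in the report is already useful for triage before the root cause is known: an alert that arrives with name=<NA> and pid=-1 cannot be attributed to a process, so a quick pass over the Falco output that counts those alerts shows how large the blind spot is and which threads and event types it affects. The script below is an added example written for this page, not code from the issue, from the reporter, or from the Falco project. It assumes Falco's default text output shape, `<time>: <Priority> <message> (<k=v k=v ...>)`, takes five lines copied from the report as input, and adds one constructed, fully attributed line (an execve by bash, pid 4242) for contrast.

```python
"""Triage Falco text output for alerts that carry no process context.

Falco renders a string field it could not resolve (here %proc.name) as "<NA>"
and an unresolved numeric field (%proc.pid) as -1. Such alerts cannot be
attributed to a process, so this helper parses text-format output lines,
flags the unattributed ones and reports which event types and thread ids
are affected. Added example; not part of the issue or of Falco.
"""
import re
from collections import Counter

# Falco text output: "<HH:MM:SS.nanos>: <Priority> <message> (<k=v k=v ...>)".
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): (?P<prio>\w+) (?P<msg>.*?)\s*"
    r"\((?P<fields>[^()]*)\)\s*$"
)
# A token that starts a new "key=" pair; anything else continues the previous value.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*=")

# Five lines copied from the issue report, plus one CONSTRUCTED line (the last
# one) showing what a fully attributed alert looks like for comparison.
SAMPLE_LINES = [
    "21:04:17.936567615: Warning (evt_type=page_fault name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)",
    "21:04:17.936566121: Warning (evt_type=ppoll name=<NA> pid=-1 tid=32024 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)",
    "21:04:17.936568724: Warning (evt_type=ioctl name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)",
    "21:04:17.936570685: Warning (evt_type=recvmsg name=<NA> pid=-1 tid=336 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)",
    "21:04:17.936571374: Warning (evt_type=futex name=<NA> pid=-1 tid=7495 user_loginuid=-1 process=<NA> proc_exepath= parent=<NA> command=<NA> terminal=0 exe_flags=<NA>)",
    "21:04:18.000000000: Warning Shell spawned (evt_type=execve name=bash pid=4242 tid=4242 user_loginuid=1000 process=bash proc_exepath=/usr/bin/bash parent=sshd command=bash -c id terminal=34816 exe_flags=EXE_WRITABLE)",
]


def parse_fields(text: str) -> dict:
    """Split "k=v k=v ..." into a dict.

    A token without a "key=" prefix is treated as a continuation of the
    previous value, so "command=bash -c id" is kept whole.
    """
    fields = {}
    key = None
    for tok in text.split():
        if _KEY_RE.match(tok):
            key, _, value = tok.partition("=")
            fields[key] = value
        elif key is not None:
            fields[key] = f"{fields[key]} {tok}".strip()
    return fields


def parse_falco_line(line: str):
    """Return {ts, prio, msg, fields} for one text-output line, or None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "prio": m.group("prio"),
        "msg": m.group("msg"),
        "fields": parse_fields(m.group("fields")),
    }


def missing_proc_context(fields: dict) -> bool:
    """True when Falco could not resolve the originating process."""
    return fields.get("name") == "<NA>" or fields.get("pid") == "-1"


def summarize(lines):
    """Count unattributed alerts overall, per evt_type and per tid."""
    total = missing = 0
    by_evt_type = Counter()
    by_tid = Counter()
    for line in lines:
        ev = parse_falco_line(line)
        if ev is None:
            continue  # not a Falco alert line (startup banner, rule loading, ...)
        total += 1
        f = ev["fields"]
        if missing_proc_context(f):
            missing += 1
            by_evt_type[f.get("evt_type", "?")] += 1
            by_tid[f.get("tid", "?")] += 1
    return {"total": total, "missing": missing,
            "by_evt_type": by_evt_type, "by_tid": by_tid}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    print(f"{s['missing']}/{s['total']} alerts lack process context")
    for evt, n in s["by_evt_type"].most_common():
        print(f"  evt_type={evt}: {n}")
    for tid, n in s["by_tid"].most_common():
        print(f"  tid={tid}: {n}")
```

Feed it real output with `python3 triage.py < falco.log` after replacing `SAMPLE_LINES` with `sys.stdin`. A tid that keeps showing up with pid=-1 (336 and 32024 in the report) is the thread to check against `/proc` on the host. With `json_output: true` in falco.yaml the same fields arrive as JSON under `output_fields`, which avoids the text parser's ambiguity for values containing spaces or `=`.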