No longer run webserver as root under main falco process

Open MprBol opened this issue 9 months ago • 2 comments

Motivation

We want to collect Prometheus metrics from all servers.

Feature

I noticed the webserver apparently runs as root, under the same process that Falco binary does:

Netstat:

tcp 0 0 0.0.0.0:8765 0.0.0.0:* LISTEN 0 1 426859/falco

PS:

root 426859 0.0 0.7 584040 27648 ? Ssl Jan20 20:19 /usr/bin/falco -o engine.kind=modern_ebpf

Would it be possible to split this responsibility, having a separate webserver process with fewer privileges than the main Falco process?

Alternatives

Not that I'm aware of.

Additional context

Separation of concern, least privilege, and other best practices

MprBol avatar Feb 05 '25 14:02 MprBol

+1 re "Separation of concern, least privilege, and other best practices"

CC @sgaist, ty!

incertum avatar Apr 29 '25 06:04 incertum

I would need input from other maintainers, but from the looks of it, if we want to keep things "simple", we would need to replace spinning up the webserver from a thread with forking the process and then setting its user and group IDs to safe values. This means that these uid and gid need to be present in the Docker image to be usable.

sgaist avatar May 09 '25 20:05 sgaist
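
The fork-then-drop approach described in the comment above, as an added example in C (not Falco's code and not the patch mentioned in this thread). The names `drop_privileges`, `run_unprivileged` and `serve_metrics` and the uid/gid value 65534 are assumptions made for illustration.

```c
#define _GNU_SOURCE            /* for setgroups() */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#define DROP_FAILED 111        /* child exit code: refused to run privileged */

/* Permanently become uid/gid. Order matters: supplementary groups and gid
 * must change while the process may still change them; uid goes last. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;            /* never "drop" to root */
    if (geteuid() == 0 &&
        (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)) return -1;
    if (getuid() != uid || geteuid() != uid ||      /* verify, do not assume */
        getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) == 0) return -1;                  /* drop must be irreversible */
    return 0;
}

/* Fork a worker (stand-in for the webserver), drop privileges in the child
 * before it does anything else, and return the child's exit status. */
static int run_unprivileged(uid_t uid, gid_t gid, int (*worker)(void)) {
    fflush(NULL);                      /* avoid duplicated stdio buffers */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(DROP_FAILED);
        _exit(worker());
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Hypothetical worker: a real one would serve the metrics endpoint here. */
static int serve_metrics(void) {
    printf("worker pid=%d uid=%d gid=%d\n", (int)getpid(), (int)getuid(), (int)getgid());
    fflush(stdout);
    return 0;
}

int main(void) {
    /* Assumed account: 65534 (often "nobody") when started as root. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();
    return run_unprivileged(uid, gid, serve_metrics);
}
```

The child exits with `DROP_FAILED` rather than serving requests if any step of the drop fails, so a missing uid/gid mapping in the image shows up as a startup failure instead of a worker that silently keeps root.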

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Aug 07 '25 22:08 poiana

would be nice to have this implemented :)

MprBol avatar Aug 19 '25 09:08 MprBol

@MprBol I haven't forgotten about it. I had a patch lying around but did not have time to finalize it.

sgaist avatar Aug 20 '25 12:08 sgaist

/remove-lifecycle stale

sgaist avatar Sep 01 '25 06:09 sgaist