My team and I have recently encountered an issue where alerts triggered by the "Privileged Shell Spawned in Container" rule are missing container-related details.
Rule Configuration:
```yaml
- rule: Privileged shell spawned inside container
  enabled: true
  desc: This rule detects the creation of a shell as root for interaction within a container. If this rule fires, it may be an indication of compromise.
  condition: spawned_process and container and shell_procs and user.uid = 0 and (proc.args = "" or proc.args startswith "-i") and not container_entrypoint and not user_shell_container_exclusions and not user_expected_terminal_shell_in_container_conditions and proc.tty = 0
  exceptions:
    [REDACTED]
  output: Privileged Shell Spawned in Container (user.uid=%user.uid proc.cmdline=%proc.cmdline proc.name=%proc.name proc.pname=%proc.pname gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] proc.pcmdline=%proc.pcmdline user.name=%user.name user.loginuid=%user.loginuid proc.args=%proc.args container.name=%container.name evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.sid=%proc.sid proc.exepath=%proc.exepath user.loginname=%user.loginname group.gid=%group.gid group.name=%group.name, container.image=%container.image.repository)
  priority: CRITICAL
  tags: [container, shell, mitre_container_administration_command, mitre_execution, CIS]
```
Environment:
Falco version: 0.38.2
Driver: Modern eBPF driver
Problem:
The missing container information makes it difficult to troubleshoot and correlate alerts with the actual containers.
Expected Behavior:
We expect the alert output to include detailed container information such as container name, image, image tag, Kubernetes namespace, and pod name.
Additional Context:
It’s critical for us to have complete information in alerts for effective incident response and troubleshooting.
Request:
Could you please provide guidance on how to resolve this issue or if it’s a known issue of Falco? Any suggestions or workarounds would be greatly appreciated.
Thank you for your support!
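As an added check (not code from the reporter or from the Falco project), the script below audits Falco JSON-lines alert output for this rule and lists which container and Kubernetes fields came back empty or unresolved, so a team can quantify how many alerts lack context before triaging. The `k8s.*` field names and the `<NA>` placeholder convention for unresolved fields are assumptions here, and the sample alerts are constructed.

```python
import json

# Container/Kubernetes fields the report expects in every alert from this rule.
# Falco-style names; the k8s.* ones are assumed here (they are not in the rule's output line).
EXPECTED_FIELDS = (
    "container.name",
    "container.image.repository",
    "container.image.tag",
    "k8s.ns.name",
    "k8s.pod.name",
)

# Values that mean "not resolved": absent, empty, or Falco's "<NA>" placeholder (assumed convention).
MISSING_VALUES = {None, "", "<NA>"}

RULE_NAME = "Privileged shell spawned inside container"


def missing_container_fields(alert: dict) -> list:
    """Return the expected container fields that are absent or unresolved in one alert."""
    fields = alert.get("output_fields", {})
    return [f for f in EXPECTED_FIELDS if fields.get(f) in MISSING_VALUES]


def audit_alerts(lines, rule=RULE_NAME):
    """Parse JSON-lines Falco output; return (alerts for rule, {line index: missing fields})."""
    total, incomplete = 0, {}
    for i, line in enumerate(lines):
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        if alert.get("rule") != rule:
            continue  # only audit the rule under discussion
        total += 1
        gaps = missing_container_fields(alert)
        if gaps:
            incomplete[i] = gaps
    return total, incomplete


# Constructed sample alerts, not real output from any environment.
SAMPLE_ALERTS = [
    json.dumps({"rule": RULE_NAME, "priority": "Critical", "output_fields": {
        "user.uid": 0, "proc.cmdline": "bash", "container.name": "<NA>",
        "container.image.repository": "<NA>"}}),
    json.dumps({"rule": RULE_NAME, "priority": "Critical", "output_fields": {
        "user.uid": 0, "proc.cmdline": "sh -i", "container.name": "web",
        "container.image.repository": "nginx", "container.image.tag": "1.25",
        "k8s.ns.name": "prod", "k8s.pod.name": "web-0"}}),
    json.dumps({"rule": "Some other rule", "output_fields": {"container.name": "<NA>"}}),
]

if __name__ == "__main__":
    count, gaps = audit_alerts(SAMPLE_ALERTS)
    print(f"{count} alerts from rule, {len(gaps)} missing container context")
    for idx, fields in gaps.items():
        print(f"  alert #{idx}: missing {', '.join(fields)}")
```

Point the script at a real `falco` JSON log (one alert per line) to see which fields are consistently unresolved; a pattern of `<NA>` across all container fields points at container metadata lookup rather than at the rule itself.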