Temporarily disable the EACCESS rule.

This rule is exposing a bug in sysdig in debug mode, draios/sysdig#598. I'll disable it for now just so I can get the testing half stable, and decide what to do before merging the PR.
falcosecurity · May 24, 2016 · 355132a · 355132a
1 parent 4751546
commit 355132a
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
@@ -218,11 +218,12 @@
 #   output: "Loaded .so from unexpected dir (%user.name %proc.name %evt.dir %evt.type %evt.args %fd.name)"
 #   priority: WARNING
 
-- rule: syscall_returns_eaccess
-  desc: any system call that returns EACCESS. This is not always a strong indication of a problem, hence the INFO priority.
-  condition: evt.res = EACCESS
-  output: "System call returned EACCESS (user=%user.name command=%proc.cmdline syscall=%evt.type args=%evt.args)"
-  priority: INFO
+# Temporarily disabling this rule as it's tripping over https://github.com/draios/sysdig/issues/598
+# - rule: syscall_returns_eaccess
+#   desc: any system call that returns EACCESS. This is not always a strong indication of a problem, hence the INFO priority.
+#   condition: evt.res = EACCESS
+#   output: "System call returned EACCESS (user=%user.name command=%proc.cmdline syscall=%evt.type args=%evt.args)"
+#   priority: INFO
 
 - rule: change_thread_namespace
   desc: an attempt to change a program/thread\'s namespace (commonly done as a part of creating a container) by calling setns.