No user data in Falco 0.32.0 #2048

Closed
deepskyblue86 opened this issue Jun 8, 2022 · 4 comments
@deepskyblue86
Contributor

Describe the bug
Output of any user information leads to <NA>

How to reproduce it

  1. Host install (in my case Fedora 34) Falco rpm package
  2. Run Falco
  3. Trigger any rule with %user

The rule output has <NA> instead of the actual data.

I tested a custom rule with the following output:

  output: "%user.homedir %user.loginname %user.loginuid %user.name %user.shell %user.uid"

and I get

12:57:02.919226024: Notice <NA> <NA> 1000 <NA> <NA> 1000

Expected behaviour
User information shall be shown

Screenshots

Wed Jun  8 12:56:56 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
...
13:14:03.253972664: Error File below /etc opened for writing (user=<NA> user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
Wed Jun  8 13:18:40 2022: Falco version 0.31.0 (driver version 319368f1ad778691164d33d59945e00c5752cd27)
...
13:18:53.963391812: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)

Environment

  • Falco version:
    Falco version: 0.32.0
    Driver version: 39ae7d40496793cf3d3e7890c9bbdc202263836b
  • System info:
    {
    "machine": "x86_64",
    "release": "5.11.12-300.fc34.x86_64",
    "sysname": "Linux",
    }
  • Cloud provider or hardware configuration:
  • OS: Fedora 34
  • Kernel: 5.11.12-300.fc34.x86_64
  • Installation method: RPM
Additional context
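
A check for this regression over Falco's text output, as an added example that is not part of the original issue or of Falco's code: it flags alerts where `user` is `<NA>` although `user_loginuid` resolved, and does not treat the expected `image=<NA>` on host events as a problem. The function names and the key=value parsing heuristic are assumptions.

```python
import re

NA = "<NA>"

# Sample lines copied from the report above: 0.32.0 banner, 0.32.0 alert, 0.31.0 alert.
SAMPLE = """\
Wed Jun  8 12:56:56 2022: Falco version 0.32.0 (driver version 39ae7d40496793cf3d3e7890c9bbdc202263836b)
13:14:03.253972664: Error File below /etc opened for writing (user=<NA> user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
13:18:53.963391812: Error File below /etc opened for writing (user=root user_loginuid=1000 command=touch /etc/hosts parent=sudo pcmdline=sudo touch /etc/hosts file=/etc/hosts program=touch gparent=bash ggparent=tmux: gggparent=systemd container_id=host image=<NA>)
"""


def parse_fields(line):
    """Return the key=value pairs inside the trailing (...) of an alert line."""
    m = re.search(r"\((.*)\)\s*$", line)
    if not m:
        return {}
    # Heuristic (assumption): a value runs until the next " key=" or the end of
    # the body, so values containing spaces ("touch /etc/hosts") stay intact.
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", m.group(1)))


def user_unresolved(fields):
    """True when the login uid resolved but the user name did not."""
    return fields.get("user") == NA and fields.get("user_loginuid", NA) != NA


def scan(text):
    """Return the timestamps of alerts that lost their user name."""
    hits = []
    for line in text.splitlines():
        if user_unresolved(parse_fields(line)):
            hits.append(line.split(": ", 1)[0])
    return hits


if __name__ == "__main__":
    for ts in scan(SAMPLE):
        print(f"{ts}: user=<NA> with a resolved user_loginuid")
```
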
@FedeDP
Contributor

FedeDP commented Jun 8, 2022

We are looking into that! Thanks for providing all the info!

It seems like this check went wrong in Falco CI (building locally everything works fine!)

@jasondellaluce
Contributor

After some testing with @FedeDP it looks like falcosecurity/libs#383 and #2053 fixed the issue! Apparently, the problem was that in our CMake setup we unnoticeably cut off the compilation of a piece of libsinsp code that populated user data.

Thank you @deepskyblue86 for reporting this bug!

@deepskyblue86
Contributor Author

Will there be a Falco hotfix version by any chance?

@FedeDP
Contributor

FedeDP commented Jun 10, 2022

Hi!
Yes, there will be a 0.32.1 around the end of June most probably, together with arm64 support :)
