Some inbound file descriptors not fully resolved #86
mstemm added a commit that referenced this issue on Jun 1, 2016:
Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on #86.
mstemm added a commit that referenced this issue on Jun 1, 2016:
Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on #86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
leogr pushed a commit to falcosecurity/rules that referenced this issue on Dec 21, 2022:
Update fbash rules to use proc.sname instead of proc.aname and to rely on sessions instead of process ancestors. I also wanted to add details on the address/port being listened to but that's blocked on falcosecurity/falco#86. Along with this change, there are new positive trace files installer-bash-starts-network-server.scap and installer-bash-starts-session.scap that test these updated rules.
While working through some updates to the falco rules, I found that with the current set of rules, network file descriptors won't have their state (hostname and port) fully resolved. For example, the installer_bash_starts_network_server rule can't show the address/port on which the process is trying to listen. The reason for this is that file descriptor resolution generally occurs during a bind. However, as no current rule looks for bind events, the file descriptor meta-information isn't associated with the fd.

We'll have to figure out a way to get the bind events to libsinsp so the meta-information can be saved.
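As an added illustration of the gap described in the report (these are not rules from the issue or from the Falco project): the first rule fires on listen and tries to print the bound address, which libsinsp only knows once it has parsed the socket's bind; the second matches the bind exit itself, so, if bind events reach libsinsp, the address and port are populated when the output is rendered. The macro, the rule names and the `fbash` session name are assumptions made for this example.

```yaml
# Added example; not part of the falco or falcosecurity/rules repositories.
# Assumption: the issue's fbash rules key on proc.sname, so the installer
# session is identified here by the hypothetical session name "fbash".
- macro: spawned_by_fbash_session
  condition: proc.sname=fbash

# Rule of the kind the report describes. It is evaluated on the listen
# exit event, so %fd.sip / %fd.sport can only be filled in if libsinsp
# already saw and parsed the bind on the same fd. When bind events are
# never delivered to libsinsp, these two fields come back unresolved.
- rule: installer_bash_starts_network_server_listen
  desc: >
    An installer bash session starts listening on a network socket
    (evaluated at listen; address/port depend on an earlier bind)
  condition: >
    evt.type=listen and evt.dir=< and evt.rawres>=0
    and spawned_by_fbash_session
  output: >
    Installer bash started a network server
    (proc=%proc.name fd=%fd.name addr=%fd.sip port=%fd.sport)
  priority: WARNING

# Companion rule that matches the successful bind exit itself. libsinsp
# records the bound address while parsing this event, so the server-side
# address and port are available to the output here, independent of
# whether a later listen is observed.
- rule: installer_bash_binds_network_socket
  desc: >
    An installer bash session binds a network socket (evaluated at bind,
    where the fd's address/port are resolved)
  condition: >
    evt.type=bind and evt.dir=< and evt.rawres>=0
    and spawned_by_fbash_session
  output: >
    Installer bash bound a network socket
    (proc=%proc.name fd=%fd.name addr=%fd.sip port=%fd.sport)
  priority: WARNING
```

Loading both rules side by side makes the difference visible: the bind rule reports a concrete address and port, while the listen-only rule does so only when libsinsp has already processed the preceding bind.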