
Some inbound file descriptors not fully resolved #86

Closed
mstemm opened this issue Jun 1, 2016 · 1 comment

mstemm (Contributor) commented Jun 1, 2016

While working through some updates to the falco rules, I found that with the current set of rules, network file descriptors won't have their state (hostname and port) fully resolved. For example, the installer_bash_starts_network_server rule can't show the address/port on which the process is trying to listen.

The reason for this is that file descriptor resolution generally occurs during a bind. However, as no current rule looks for bind events, the file descriptor meta-information isn't associated with the fd.

We'll have to figure out a way to get the bind events to libsinsp so the meta-information can be saved.
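The mechanism described in this comment, as an added toy model rather than code from Falco or libsinsp: a per-process fd table is populated by socket events, the address and port are only learned when a bind event is processed, and a listen rule renders fd fields from whatever the table holds at that moment. The event dicts, the `subscribed` set standing in for "event types some rule looks for", and the constructed bash event stream are all assumptions of this simulation.

```python
"""Toy model of libsinsp-style fd state tracking (not the real implementation).

It shows why a listen rule cannot print the address/port when no rule subscribes
to bind events: the fd exists in the table, but its address is never filled in.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FdInfo:
    """Per-fd state; sip/sport stay None until a bind event is seen."""
    fd: int
    sip: Optional[str] = None
    sport: Optional[int] = None


@dataclass
class Process:
    pid: int
    name: str
    fds: dict = field(default_factory=dict)


class StateTracker:
    """Keeps a process table keyed by pid, each with its own fd table."""

    def __init__(self):
        self.procs = {}

    def handle(self, ev):
        """Update state from one event and return the owning process entry."""
        proc = self.procs.setdefault(ev["pid"], Process(ev["pid"], ev["comm"]))
        et = ev["type"]
        if et == "socket":
            proc.fds[ev["fd"]] = FdInfo(ev["fd"])
        elif et == "bind":
            info = proc.fds.get(ev["fd"])
            if info is not None:
                info.sip, info.sport = ev["addr"]
        elif et == "close":
            proc.fds.pop(ev["fd"], None)
        return proc


def render_listen_alert(tracker, ev):
    """Format what a 'starts network server' rule could output using fd.sip/fd.sport."""
    proc = tracker.handle(ev)
    info = proc.fds.get(ev["fd"])
    if info is None or info.sport is None:
        return f"{proc.name} started listening on fd {ev['fd']} (addr/port unresolved)"
    return f"{proc.name} started listening on {info.sip}:{info.sport}"


def run(events, subscribed):
    """Feed events to the tracker, dropping any type no rule subscribed to (assumption)."""
    tracker = StateTracker()
    alerts = []
    for ev in events:
        if ev["type"] not in subscribed:
            continue  # the event never reaches the state engine
        if ev["type"] == "listen":
            alerts.append(render_listen_alert(tracker, ev))
        else:
            tracker.handle(ev)
    return alerts


# Constructed event stream: a bash process creates a socket, binds 0.0.0.0:8080, listens.
EVENTS = [
    {"type": "socket", "pid": 4242, "comm": "bash", "fd": 3},
    {"type": "bind", "pid": 4242, "comm": "bash", "fd": 3, "addr": ("0.0.0.0", 8080)},
    {"type": "listen", "pid": 4242, "comm": "bash", "fd": 3},
]

# Only socket/listen/close reach the engine: the fd is known but unresolved.
WITHOUT_BIND = run(EVENTS, {"socket", "listen", "close"})
# Once bind is delivered as well, the listen alert can show the address/port.
WITH_BIND = run(EVENTS, {"socket", "bind", "listen", "close"})

if __name__ == "__main__":
    print(WITHOUT_BIND[0])
    print(WITH_BIND[0])
```

The second run is the behaviour the comment asks for: bind must be delivered to the inspector even when no rule matches on it, because it is the event that carries the fd's address.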

@mstemm mstemm self-assigned this Jun 1, 2016
mstemm added a commit that referenced this issue Jun 1, 2016
Update fbash rules to use proc.sname instead of proc.aname and to rely
on sessions instead of process ancestors.

I also wanted to add details on the address/port being listened to but
that's blocked on #86.

Along with this change, there are new positive trace files
installer-bash-starts-network-server.scap and
installer-bash-starts-session.scap that test these updated rules.
stale bot commented Mar 6, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 6, 2019
@stale stale bot closed this as completed Mar 13, 2019
leogr pushed a commit to falcosecurity/rules that referenced this issue Dec 21, 2022
Update fbash rules to use proc.sname instead of proc.aname and to rely
on sessions instead of process ancestors.

I also wanted to add details on the address/port being listened to but
that's blocked on falcosecurity/falco#86.

Along with this change, there are new positive trace files
installer-bash-starts-network-server.scap and
installer-bash-starts-session.scap that test these updated rules.