I expect an absolute path to the new file, but I get a relative path to the new file #3014
Comments
Thank you for reporting! We will try to take a look ASAP!
Have you tried
@LucaGuerra Yes. We ran the falco container, and falco returned an alert with evt.abspath. Falco alert:
Falco rule:
Thanks, now I think I understand the request. Falco always considers the path inside the container and currently does not show any other paths (from any other mountpoints, if any). This is what adopters normally want, as it makes it easier to understand what is going on. This, AFAICT, is not a feature that was ever planned; in order to better understand this, what would be the use case? Is it just for inspecting where the overlayfs of containers is mounted, or for every potential chroot and pivot_root environment?
The main idea: using "rule": "created_files", we want to get absolute paths to all files that are created or modified. Next, we scan these files using Yara rules and hashes. This functionality is important because it allows us to detect known malware and ransomware.
Got it. I believe that at this point it would be hard for Falco to retrieve absolute paths inside the underlying directories of an overlayfs for every access, mostly because we attempt to inspect overlay data only in very specific cases (is_exe_upper_layer) and Falco normally works by examining syscalls and their arguments and return values rather than hooking inside the filesystem implementation. Among the things we want to work on in the future there are improvements for our container engine metadata, we can keep in mind and investigate if it will be doable. However, I would like to offer a potential workaround for your specific use case because I may understand what you are trying to do. First of all, I believe that your
You can get both the container ID and the file path from the Falco rule. You could also use the PID of the process that has triggered the rule or one of its ancestors inside the container, but it may be risky because processes can be short-lived. Hope this helps!
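The workaround described above (take the container ID and the in-container path from the Falco alert and map them onto the host filesystem yourself) as an added example; this is not code from the Falco project or from anyone in this thread. It assumes Falco's JSON output with `output_fields` present, and it assumes the overlay2 storage driver, where the container's merged view can be obtained with `docker inspect -f '{{.GraphDriver.Data.MergedDir}}' <container id>`. The alerts and the container-to-directory mapping below are constructed inline so the script runs offline; in a real deployment the mapping would be filled from `docker inspect`.

```python
import json
import posixpath

# Constructed stand-in for `docker inspect -f '{{.GraphDriver.Data.MergedDir}}' <id>`.
# Keys are container IDs as Falco reports them in container.id (12-char short IDs).
MERGED_DIRS = {
    "3f9a1c2b4d5e": "/var/lib/docker/overlay2/0123abcd/merged",
}

# Constructed sample Falco JSON alerts (shape of Falco's json_output, values invented).
SAMPLE_ALERTS = [
    # 1. file created inside a known container, absolute in-container path
    json.dumps({"rule": "created_files", "priority": "Notice", "output_fields": {
        "container.id": "3f9a1c2b4d5e", "fd.name": "/tmp/dropped.bin", "proc.name": "bash"}}),
    # 2. file created directly on the host: Falco reports container.id as "host"
    json.dumps({"rule": "created_files", "priority": "Notice", "output_fields": {
        "container.id": "host", "fd.name": "/var/tmp/new_on_host.txt", "proc.name": "touch"}}),
    # 3. container not (or no longer) known to the mapping: cannot be resolved
    json.dumps({"rule": "created_files", "priority": "Notice", "output_fields": {
        "container.id": "deadbeef0000", "fd.name": "/tmp/x", "proc.name": "sh"}}),
    # 4. relative path from evt.arg.name, resolvable only together with proc.cwd
    json.dumps({"rule": "created_files", "priority": "Notice", "output_fields": {
        "container.id": "3f9a1c2b4d5e", "evt.arg.name": "notes.txt",
        "proc.cwd": "/home/app/", "proc.name": "vi"}}),
    # 5. path with ".." components; must still land inside the container's merged dir
    json.dumps({"rule": "created_files", "priority": "Notice", "output_fields": {
        "container.id": "3f9a1c2b4d5e", "fd.name": "/tmp/../../../opt/app/config.yml",
        "proc.name": "python3"}}),
]


def resolve_host_path(alert_json, lookup=MERGED_DIRS):
    """Return the host-side path for the file named in one Falco JSON alert,
    or None when it cannot be determined safely."""
    fields = json.loads(alert_json).get("output_fields", {})
    cid = fields.get("container.id")
    path = fields.get("fd.name") or fields.get("evt.arg.name")
    if not path:
        return None

    # A relative name (typical for evt.arg.name) is only meaningful with the
    # process' working directory; refuse to guess otherwise.
    if not path.startswith("/"):
        cwd = fields.get("proc.cwd")
        if not cwd:
            return None
        path = posixpath.join(cwd, path)

    # Normalise the in-container path first so ".." cannot climb above "/"
    # of the container's own root.
    inner = posixpath.normpath(path)

    # Falco uses "host" for processes outside any container.
    if cid in (None, "", "host"):
        return inner

    merged = lookup.get(cid)
    if merged is None:
        return None  # unknown or already-removed container

    candidate = posixpath.normpath(merged + inner)
    # Belt-and-braces: the result must stay under the container's merged view.
    if candidate != merged and not candidate.startswith(merged + "/"):
        return None
    return candidate


def resolve_alerts(alert_lines, lookup=MERGED_DIRS):
    """Resolve a batch of alerts (e.g. lines read from `falco -o json_output=true`)."""
    return [resolve_host_path(line, lookup) for line in alert_lines if line.strip()]


if __name__ == "__main__":
    for line, host_path in zip(SAMPLE_ALERTS, resolve_alerts(SAMPLE_ALERTS)):
        rule = json.loads(line)["rule"]
        print(f"{rule}: {host_path if host_path else '<unresolved>'}")
```

The resolved path is the file as seen through the overlay merged directory, which only exists while the container is running; for a short-lived container the merged view is already gone by the time a scanner runs, so a production version should fall back to the container's UpperDir (also available from `docker inspect`), which persists until the container is removed. Alert 3 and a relative path without `proc.cwd` deliberately resolve to None rather than to a guessed location, so a scanner built on this never hashes or Yara-scans the wrong file.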
My task is to always have the absolute path to a file that is created, modified, etc. I run Falco version 0.36.2 (x86_64) in the first Docker container, and in the second Docker container I create and modify the file. And I get the relative path (the container path, not the host path). I must receive the absolute path (the host path).
I use rule:
I've tried using other file path options:
file_2=%evt.arg.name
or file_3=%fd.name
but it didn't work; I always get a relative path to the file in the container, and I need an absolute path to the host file. Examples of the output of the rule, where it can be seen that the path to the file is relative (the path in the container) and not the absolute path on the host:
If the file is not created in the container (created on the host), then everything works as it should, with an absolute path:
How can I always get the absolute path to the file?
Environment