interface conversion: interface {} is []string, not string

[ctdfo]

Describe the bug
We are getting the interface conversion: interface {} is []string, not string error in our logs.

How to reproduce it
Install the Falco Helm chart with Falcosidekick (using version 4.3.0, which corresponds to app version 0.37.1). Have the UI open at the Events section with refresh on (I put it at the default of 10s). Then create an event (I opened a shell in one of the running pods to cause the Terminal shell in container alert). You will notice the interface conversion: interface {} is []string, not string in the logs.

Expected behaviour
No interface conversion: interface {} is []string, not string error.

Screenshots

Environment

• Falco version:
  0.37.1

• System info:
  Linux version 5.15.148.2-2.cm2 (root@CBL-Mariner) (gcc (GCC) 11.2.0, GNU ld (GNU Binutils) 2.37) UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024

• Cloud provider or hardware configuration:
  AKS
• OS:
  NAME="Alpine Linux"
  ID=alpine
  VERSION_ID=3.15.10
  PRETTY_NAME="Alpine Linux v3.15"
  HOME_URL="https://alpinelinux.org/"
  BUG_REPORT_URL="https://bugs.alpinelinux.org/"
  /app $

• Kernel:
  Linux falco-falcosidekick-ui-5f89b8bc9d-zn869 5.15.148.2-2.cm2 UI updates #1 SMP Fri Feb 23 23:44:30 UTC 2024 x86_64 Linux

• Installation method:
  Kubernetes

Additional context
I am not quite sure where this is coming from. Could it possibly be from the string conversion in the CountKeyBy function:

[Issif]

Hi,

Can you provide me the exact json payload generated by Falco? Did you customize the rule to change the tags or used output fields?

[ctdfo]

Hi,

Can you provide me the exact json payload generated by Falco? Did you customize the rule to change the tags or used output fields?

Hi @Issif, I am not quite sure what you meant by the exact json generated by Falco, but this is the Falco log output of the event that replicates the issue:
{"hostname":"aks-default-32511568-vmss000087","output":"14:50:45.460592981: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc _exepath=/usr/bin/dash parent=runc command=sh terminal=34816 exe_flags=EXE_WRITABLE container_id=9af8a917fc3e container_image=docker.io/falcosecurity/falco-no-driver container_image_tag=0.37.1 container_name=falco k8s_ns=falco k8s_pod_name=falco-44ddf)","priority":"Notice","rule":"Terminal shell in container","source":"syscall","tags":["T1059","container","maturity_stable","mitre_execution","shell"],"time":"2024-04-24T14:50: 45.460592981Z", "output_fields": {"container.id":"9af8a917fc3e","container.image.repository":"docker.io/falcosecurity/falco-no-driver","container.image.tag":"0.37.1","container.name":"falco","evt.arg.flags":"EXE_WR ITABLE","evt.time":1713970245460592981,"evt.type":"execve","k8s.ns.name":"falco","k8s.pod.name":"falco-44ddf","proc.cmdline":"sh","proc.exepath":"/usr/bin/dash","proc.name":"sh","proc.pname":"runc","proc.tty":34816 ,"user.loginuid":-1,"user.name":"root","user.uid":0}}

Please, let me know if this is not what you meant.

[Issif]

This is exactly what I wanted, thanks a lot, it will allow me to try to reproduce. Thanks

[Issif]

The PR #145 fixes that issue, it will be included in the next release. The ETA is before summer.