salt-call is parsed wrongly #2491

Closed
zadjadr opened this issue Apr 13, 2023 · 3 comments

zadjadr commented Apr 13, 2023

When running something like sudo salt-call state.apply test=True, Falco parses the command and program name wrong.

The output I get is the following:

Warning Sensitive file opened for reading by non-trusted program (user=root user_loginuid=1001 program=run command=run call state.apply test=True pid=2123116 file=/etc/sudoers.d/[REDACTED] parent=sudo gparent=bash ggparent=sshd gggparent=sshd container_id=host image=<NA>)

As you can see, the command field looks wrong; it interprets salt-call as run call while program is seen as run.

  • Activate default rules for falco
  • run sudo salt-call state.apply test=True

Unfortunately this needs salt installed but it might be enough to just use an alias like alias echo=salt-call.

I expect program=salt-call and command=salt-call state.apply test=True

Environment

  • Falco version: 0.34.1
  • System info:
Thu Apr 13 16:29:08 2023: Falco version: 0.34.1 (x86_64)
Thu Apr 13 16:29:08 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
Thu Apr 13 16:29:08 2023: Loading rules from file /etc/falco/falco_rules.yaml
Thu Apr 13 16:29:08 2023: Loading rules from file /etc/falco/falco_rules.local.yaml
{
  "machine": "x86_64",
  "nodename": "[REDACTED]",
  "release": "5.15.0-60-generic",
  "sysname": "Linux",
  "version": "#66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023"
}

  • Cloud provider or hardware configuration: VM in Openstack
  • OS: Ubuntu 22.04.2 LTS
  • Kernel: 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Installation method: DEB

FedeDP commented Apr 13, 2023

Hi! Thanks for opening this issue!
This issue is well known and is being tracked:

And a couple of related PRs:

This is actively being worked on :)


zadjadr commented Apr 13, 2023

Thanks @FedeDP, then I'd close this one!

zadjadr closed this as completed Apr 13, 2023

FedeDP commented Apr 13, 2023

Feel free to comment on other issues if you feel like it :) All feedback is appreciated!
