falco: Audit username is missing for the new driver, user.loginname=

Thanks @deepskyblue86 @incertum . By adding that, I can see it shows, but not all events.

2024-01-09T17:55:18.739020340+0000: Alert Interactive root user activity detected (user.loginname=vagrant user.loginuid=1000 user.name=root user.uid=0)
2024-01-09T17:55:20.904787060+0000: Alert Interactive root user activity detected (user.loginname=vagrant user.loginuid=1000 user.name=root user.uid=0)
2024-01-09T17:55:27.065346515+0000: Alert Interactive root user activity detected (user.loginname=<NA> user.loginuid=1000 user.name=root user.uid=0)
2024-01-09T17:55:27.067583692+0000: Alert Interactive root user activity detected (user.loginname=<NA> user.loginuid=1000 user.name=root user.uid=0)

Closing this, made the PR to update that on falco docs. https://github.com/falcosecurity/falco-website/pull/1236. Thank you the community

Awesome, re it not showing in all events, this may be trickier to debug and won’t land for Falco 0.37.0 but we will keep checking and attempt to improve things!

@incertum /etc:/host/etc:ro is not on the doc here, https://falco.org/docs/install-operate/running/#modern-ebpf. Checking again

oh oh, would you mind opening a PR against https://github.com/falcosecurity/falco-website to update the docs?

What I did was 100% userspace. Nothing comes up in my mind about why with modern bpf we have such an issue… 🤔 I can just confirm that /etc:/host/etc:ro is required (https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/user.cpp#L60)

@deepskyblue86 worked most on it lately, I never touched the user names logic but it all lives in https://github.com/falcosecurity/libs userspace. Let’s wait for Angelo to provide us with some pointers.

It’s not OS specific nor an actual Falco issue. I ran the container (however using falcosecurity/falco-no-driver:master) and can see the missing login usernames as well. But when I run the compiled Falco binary from master on my box natively the login usernames are there (same condition and test).

Hence I am deducting that it’s an issue with some container mounts or other settings. Not the expert on the Falco upstream containers. Tagging @LucaGuerra @FedeDP @Andreagit97 and @jasondellaluce for help with investigating this. Please note some maintainers are still out until next week.

In case anyone wants to help with the issue, you can get a Amazon linux 2023 host through vagrant.

Vagrant.configure("2") do |config|
  config.vm.box = "gbailey/al2023"
  config.vm.hostname = "amazonlinux2023"
  config.vbguest.auto_update = false
  config.vm.synced_folder '.', '/vagrant', disabled: true
end

Once SSH into the VM, create a local falco rule file, falco_rules.local.yaml

- rule: testing_interactive_root_rule 
  desc: Detects when a user performs activities as root 
  condition: spawned_process and not container and proc.tty!=0 
  output: Interactive root user activity detected (user.loginname=%user.loginname user.loginuid=%user.loginuid user.name=%user.name user.uid=%user.uid)
  priority: ALERT

Run the falco agent:

docker run --name modern-bpf -it -d \
           --privileged \
           -v /var/run/docker.sock:/host/var/run/docker.sock \
           -v /proc:/host/proc:ro \
           -v ./falco_rules.local.yaml:/etc/falco/falco_rules.local.yaml \
           falcosecurity/falco-no-driver:latest falco --modern-bpf

You should be able to see the outputs from docker logs

That’s correct, please find my sample rule:

- rule: testing_root_rule
  desc: Detects when a user performs activities as root
  condition: spawned_process and not container and proc.tty!=0
  output: Interactive root user activity detected (user.loginuid=%user.loginuid user.loginname=%user.loginname user.name=%user.name user.uid=%user.uid proc.cmdline=%proc.cmdline file=%fd.name container.id=%container.id evt.type=%evt.type evt.res=%evt.res proc.pid=%proc.pid proc.cwd=%proc.cwd proc.ppid=%proc.ppid proc.pcmdline=%proc.pcmdline proc.sid=%proc.sid proc.exepath=%proc.exepath group.gid=%group.gid group.name=%group.name container.name=%container.name image=%container.image.repository)

ACK, this means you are saying that user.loginuid works as expected for the traditional BPF driver and modern BPF. But user.loginname is working under the same conditions only for the traditional BPF driver BUT NOT for modern BPF?

Did I summarize this correctly?

Mind sharing what you did to test the log outputs?

audit users are different from the regular user ids. Would recommend checking them for separate use case. Ultimately best is always doing hands on experiments. Perhaps log all user.* fields in your experiments to see the differences.

Thanks @incertum, I’ll check back again and provide more details. Regarding the last part for user name, if we use the standard linux /etc/passwd for the use ID and user name mappings, I assume that’s not currently supported by Falco right? If not, do you think it makes sense to request this as a useful feature?

Thanks! Not logging user.loginname w/ Falco as I have to do it off host in our ecosystem, that’s why I mentioned that resolving uids to names is not a straight forward task in Linux in many cases. It always depends. Would recommend to first focus on verifying if you get the expected uids.

Hi @ycaoT I have modern BPF running on some prod servers and I cannot confirm the issue, I do see user.loginuid as expected. https://falco.org/docs/reference/rules/supported-fields/#field-class-user

Let’s zoom into Amazon Linux 2023, I assume the kernel config CONFIG_AUDIT is set. Could you run Falco and have Falco log all spawned_process and not container and proc.tty!=0 and then ssh into a node and share an anonymized version for that log showing the loginuid etc fields? We can then go from there.

Please feel free to share more details on what activity you aim to monitor and what you expect the loginuid to be. For example user.loginuid should be -1 if there is no audit user. Also in containers the concept of audit users is more unusual.

Lastly, what Falco version are you using?

Note that depending on how the audit user is configured on your system Falco may not know about the user name and you’ll have to resolve that in your data lake or by other means.