Hi, I see below error for falco service - Mock-1 Exam Q6: I have done the requi . . .

Deepak Ladwa:
Hi,

I see the error below for the falco service - Mock-1 Exam Q6: I have done the required changes to the local config file.

Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0  container_id=c5fb4eb9e75c image=httpd)
Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)

Mohamed Ayman:
Did you follow those steps?

$ ssh node01
$ mkdir -p /opt/security_incidents
# Enable file_output in /etc/falco/falco.yaml

file_output:
  enabled: true
  keep_alive: false
  filename: /opt/security_incidents/alerts.log

# Add the updated rule under /etc/falco/falco_rules.local.yaml and hot reload the Falco service on node01:

- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user=%user.name file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]

To hot-reload Falco, use 'kill -1' (SIGHUP) on node01:

$ kill -1 $(cat /var/run/falco.pid)
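
Once file_output is enabled, /opt/security_incidents/alerts.log receives the same plain-text alert lines that appear in the journal above. The following is an added example (not part of this thread or of Falco itself) that parses those lines into timestamp, priority, message and key=value fields, and filters them by Falco priority; it assumes Falco's default text output (json_output disabled) and uses the two alerts from this thread, with the journald prefix removed, as constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Falco's priority scale, most severe first (index 0 = Emergency).
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning",
              "Notice", "Informational", "Debug"]

# One text-format alert: "<time>: <Priority> <message> (<key=value ...>)"
LINE_RE = re.compile(
    r"^(?P<ts>[\d:.]+): (?P<priority>[A-Za-z]+) (?P<message>.*?) \((?P<fields>.*)\)$")
# Values may contain spaces (e.g. command=tar -xmf - -C /bin), so split only
# on whitespace that is followed by the next "key=" token.
FIELD_SPLIT_RE = re.compile(r"\s+(?=[A-Za-z_][A-Za-z0-9_.]*=)")

@dataclass
class Alert:
    ts: str
    priority: str
    message: str
    fields: dict

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one Falco alert line; returns None for lines that are not alerts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for tok in FIELD_SPLIT_RE.split(m.group("fields")):
        key, _, value = tok.partition("=")
        fields[key] = value
    return Alert(m.group("ts"), m.group("priority"), m.group("message"), fields)

def parse_alert_lines(text: str) -> list:
    return [a for a in (parse_alert(ln) for ln in text.splitlines()) if a]

def at_or_above(alerts, threshold: str) -> list:
    """Keep alerts whose priority is at least `threshold` (e.g. "Critical")."""
    limit = PRIORITIES.index(threshold)
    return [a for a in alerts if PRIORITIES.index(a.priority) <= limit]

# Constructed sample input: the two alerts from this thread without the journald prefix.
SAMPLE_ALERTS = """\
15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0  container_id=c5fb4eb9e75c image=httpd)
15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)
"""

if __name__ == "__main__":
    for a in at_or_above(parse_alert_lines(SAMPLE_ALERTS), "Critical"):
        print(a.ts, a.priority, a.message, a.fields.get("file_updated"), a.fields.get("command"))
```

Pointing parse_alert_lines at the contents of alerts.log gives the same result for the file written by file_output.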

Deepak Ladwa:
Yes.