Deepak Ladwa:
Hi,
I see the below error for the falco service (Mock-1 Exam Q6). I have done the required changes to the local config file.
Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0 container_id=c5fb4eb9e75c image=httpd)
Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)
Mohamed Ayman:
Did you follow those steps?
$ ssh node01
$ mkdir -p /opt/security_incidents
# Enable file_output in /etc/falco/falco.yaml
file_output:
  enabled: true
  keep_alive: false
  filename: /opt/security_incidents/alerts.log
# Add the updated rule under /etc/falco/falco_rules.local.yaml and hot-reload the Falco service on node01:
- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user=%user.name file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]
To hot-reload Falco, use ‘kill -1’ (SIGHUP) on node01:
$ kill -1 $(cat /var/run/falco.pid)
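Added example, not from the thread or the course material: a small Python parser for the text-format alerts Falco writes (to the journal as above, or to the file_output path configured here) that keeps alerts at or above a chosen priority and flags the user=<NA> symptom discussed later in this thread. The sample lines are constructed from the ones quoted above; the required-field set mirrors the rule's output (user, file_updated, command).

```python
import re
from dataclasses import dataclass

# Falco's default text output, optionally prefixed by journald metadata such as
# "Jun 07 15:28:31 node01 falco[12409]: " (absent from file_output's alerts.log).
LINE_RE = re.compile(
    r"^(?:.*?falco\[\d+\]: )?"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<priority>Emergency|Alert|Critical|Error|Warning|Notice|Informational|Debug) "
    r"(?P<msg>.*?) \((?P<fields>.*)\)$"
)
# key=value pairs; a value runs until the next " key=", so "command=tar -xmf - -C /bin" stays whole.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
PRIORITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]

@dataclass
class Alert:
    ts: str
    priority: str
    message: str
    fields: dict

def parse_alert(line):
    """Return an Alert for a Falco text-format line, or None for unrelated log lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["priority"], m["msg"], dict(FIELD_RE.findall(m["fields"])))

def missing_fields(alert, required):
    """Output fields the rule should have filled that are absent or unresolved (<NA>)."""
    return {k for k in required if alert.fields.get(k, "<NA>") == "<NA>"}

def triage(lines, min_priority="Error"):
    """Alerts at or above min_priority, plus those whose user could not be resolved."""
    kept = [a for a in map(parse_alert, lines)
            if a and PRIORITIES.index(a.priority) <= PRIORITIES.index(min_priority)]
    unresolved_user = [a for a in kept if missing_fields(a, ("user",))]
    return kept, unresolved_user

# Constructed sample: two lines modelled on the thread's journal output, one file_output-style
# line showing the user=<NA> symptom, one below-threshold Notice and one non-Falco line.
SAMPLE_LINES = [
    "Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0 container_id=c5fb4eb9e75c image=httpd)",
    "Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)",
    "15:29:02.100000000: Critical File below a known binary directory opened for writing (user=<NA> file_updated=/bin/sleep command=tar -xmf - -C /bin)",
    "15:29:05.000000000: Notice Terminal shell in container (user=root container_id=c5fb4eb9e75c image=httpd)",
    "Jun 07 15:28:30 node01 systemd[1]: Started Falco.",
]
```

Call triage(SAMPLE_LINES), or pass it the lines of /opt/security_incidents/alerts.log, to see which alerts would be kept and which came through with an unresolved user.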
The solution does not say that it should be performed on node01? This is only a single-node cluster (controlplane)? I am failing this mock exam even though I followed the solution.
Same here:
Also, for the ImagePolicyWebhook question, what is this implemented policy? If we enable the admission controllers properly, then it should take care of it. There should be a proper reason.
The whole exam interface is not smooth in the first place: it takes too long to load, the apiserver crashes without modifying any options, etc.
Hi @joseoscar.garciajr , @komaragiri.yogananda ,
Sorry for this inconvenience.
There is an issue with the new version of Falco itself:
No user data in Falco 0.32.0 · Issue #2048 · falcosecurity/falco · GitHub
We are working on a fix.
Regards,
Issue has been resolved. Please give it another try.
Regards,
We have to perform it on the controlplane node because it’s a single-node cluster. I updated the solution on the GitHub page.
Thank you, so that is why it is failing, because I am doing the mock exam again and again and getting the same message that I failed on that item. Is Falco part of the actual CKS exam?
Thank you for the fix; before, all I could see in that log for the user was NA. Thanks… I will try again and provide feedback…
Yes, Falco is part of the syllabus, so you may expect to see questions on it.