Hi, I see below error for falco service - Mock-1 Exam Q6: I have done the requi . . .

Deepak Ladwa:
Hi,

I see the below error for the falco service - Mock-1 Exam Q6: I have done the required changes to the local config file.

Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0  container_id=c5fb4eb9e75c image=httpd)
Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)

Mohamed Ayman:
Did you follow those steps?

$ ssh node01
$ mkdir -p /opt/security_incidents
# Enable file_output in /etc/falco/falco.yaml

file_output:
  enabled: true
  keep_alive: false
  filename: /opt/security_incidents/alerts.log

# Add the updated rule under /etc/falco/falco_rules.local.yaml and hot reload the Falco service on node01:

- rule: Write below binary dir
  desc: an attempt to write to any file below a set of binary directories
  condition: >
    bin_dir and evt.dir = < and open_write
    and not package_mgmt_procs
    and not exe_running_docker_save
    and not python_running_get_pip
    and not python_running_ms_oms
    and not user_known_write_below_binary_dir_activities
  output: >
    File below a known binary directory opened for writing (user=%user.name file_updated=%fd.name command=%proc.cmdline)
  priority: CRITICAL
  tags: [filesystem, mitre_persistence]

To hot-reload Falco, use ‘kill -1’ (SIGHUP) on node01:

$ kill -1 $(cat /var/run/falco.pid)
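As an added example (not from this thread or the Falco project), here is a small parser for the journal-style text alert lines quoted above. It assumes the line shape shown there, splits out the key=value fields (values such as command= may contain spaces), and flags alerts whose user field is <NA>, the symptom this thread attributes to the Falco 0.32.0 issue. The third sample line is constructed to show that case.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape of the journal output quoted in the question.
SAMPLE_LINES = [
    "Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636338090: Error File below known binary directory renamed/removed (user=root user_loginuid=-1 command=tar -xmf - -C /bin pcmdline=<NA> operation=unlinkat file=<NA> res=0 dirfd=3(<d>/bin) name=sleep(/bin/sleep) flags=0  container_id=c5fb4eb9e75c image=httpd)",
    "Jun 07 15:28:31 node01 falco[12409]: 15:28:31.636374087: Critical File below a known binary directory opened for writing (user=root file_updated=/bin/sleep command=tar -xmf - -C /bin)",
    # Constructed: an alert with no user attribution, as described later in the thread.
    "Jun 07 15:29:02 node01 falco[12409]: 15:29:02.000000001: Critical File below a known binary directory opened for writing (user=<NA> file_updated=/bin/ls command=touch /bin/ls)",
]

# "falco[pid]: <time>: <Priority> <rule output> (<k=v fields>)"
LINE_RE = re.compile(r"falco\[\d+\]: (?P<time>\S+): (?P<prio>\w+) (?P<msg>.*?) \((?P<fields>.*)\)$")
# A key is a bare identifier followed by '=' at the start or after whitespace.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")


@dataclass
class FalcoAlert:
    time: str
    priority: str
    rule_output: str
    fields: dict


def parse_fields(text):
    """Split 'k=v k2=v2 ...' where a value may itself contain spaces."""
    matches = list(KEY_RE.finditer(text))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = text[m.end():end].strip()
    return fields


def parse_alert(line):
    """Return a FalcoAlert for one journal line, or None if it is not a Falco alert."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return FalcoAlert(m.group("time"), m.group("prio"), m.group("msg"),
                      parse_fields(m.group("fields")))


def triage(lines):
    """Return (all parsed alerts, alerts lacking user attribution)."""
    alerts = [a for a in map(parse_alert, lines) if a]
    unattributed = [a for a in alerts if a.fields.get("user", "<NA>") == "<NA>"]
    return alerts, unattributed


if __name__ == "__main__":
    parsed, missing_user = triage(SAMPLE_LINES)
    for a in parsed:
        print(a.priority, a.rule_output, a.fields.get("user"), a.fields.get("command"))
    print(f"{len(missing_user)} alert(s) without user attribution")
```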

Deepak Ladwa:
Yes.

In the solution it does not say that it should be performed on node01? This is only a single-node cluster - controlplane? I am getting failed on this mock exam even though I followed the solution.

Same here:

Also, for the ImagePolicyWebhook question, what is the implemented policy? If we enable the admission controllers properly, then it should take care of it. There should be a proper reason.

The whole exam interface is not smooth in the first place: it takes too long to load, the apiserver crashes without modifying any options, etc.

Hi @joseoscar.garciajr, @komaragiri.yogananda,
Sorry for this inconvenience.
There is an issue with the new version of falco itself.
No user data in Falco 0.32.0 · Issue #2048 · falcosecurity/falco · GitHub

We are working on a fix.

Regards,

Issue has been resolved. Please give it another try.

Regards,

We have to perform on the controlplane node because it’s a single node cluster. I updated the Solution on the GitHub page.

Thank you, so that is why it is failing, because I am doing the mock exam again and again and getting the same message that I failed on that item. Is falco part of the actual CKS exam?

Thank you for the fix; before, all I could see in that log for the user was NA. Thanks… I will try again and provide feedback…

Yes, falco is part of the syllabus so you may expect to see questions on it.