From 6dfdadf527dd44830d936979ab07534b43d26cbd Mon Sep 17 00:00:00 2001
From: Mark Stemm
Date: Fri, 25 Aug 2017 08:16:39 -0700
Subject: [PATCH] Also let runc:[1:CHILD] count as an entrypoint.

Handles cases where we lose system events and have incomplete state.
---
 rules/falco_rules.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/falco_rules.yaml b/rules/falco_rules.yaml
index e897ef0d..6e46cb65 100644
--- a/rules/falco_rules.yaml
+++ b/rules/falco_rules.yaml
@@ -643,8 +643,11 @@
 # As soon as 1:CHILD is created, 0:PARENT exits, so there's a race
 # where at the time 2:INIT execs the root program, 0:PARENT might have
 # already exited, or might still be around. So we handle both.
+# We also let runc:[1:CHILD] count as the parent process, which can occur
+# when we lose events and lose track of state.
+
 - macro: container_entrypoint
-  condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], docker-runc))
+  condition: (not proc.pname exists or proc.pname in (runc:[0:PARENT], runc:[1:CHILD], docker-runc))
 
 - rule: Launch Sensitive Mount Container
   desc: >
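Review bot: The widened condition treats any process whose parent's comm is `runc:[1:CHILD]` as the container entrypoint, and `proc.pname` is a comm name that a process can set for itself (e.g. via prctl(PR_SET_NAME)); this was already true of `runc:[0:PARENT]` and `docker-runc`, so the change adds no new weakness in kind, but the comment block above the macro reads as authoritative and should say so. I would extend the new comment with: `# Note: proc.pname matches on comm, which a process can rename itself to, so this macro is a best-effort heuristic rather than a trust boundary; any rule that uses 'not container_entrypoint' as an exemption inherits that.` The new comment also does not say how 1:CHILD ends up recorded as the parent when events are lost (presumably its exit is missed and 2:INIT's exec gets attributed to it), and one sentence there would stop a future maintainer from removing the entry as a duplicate of the 0:PARENT case. The `container_entrypoint` macro is complete within the hunk; the `Launch Sensitive Mount Container` rule at its end continues outside it.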