update(sandbox): Added systemd to list of programs ignored when using BPF.

On Fedora 39, events like this are logged:

  Notice BPF Program  Not Profiled (bpf_cmd=5 evt_type=bpf user=root
  user_uid=0 user_loginuid=-1 process=systemd proc_exepath=/usr/lib/systemd/systemd
  parent=<NA> command=systemd --switched-root --system --deserialize=36 rhgb terminal=0
  exe_flags=<NA> container_id=host container_name=host)

This is just normal systemd behaviour, and not really interesting to log.  The provided
patch includes systemd in the list of processes allowed to use BPF without any event logged.

Signed-off-by: Petter Reinholdtsen <pere@hungry.com>
petterreinholdtsen authored and poiana committed Mar 1, 2024
1 parent f88b991 commit dc7970d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion rules/falco-sandbox_rules.yaml
@@ -1699,7 +1699,7 @@
tags: [maturity_sandbox, container, filesystem, mitre_initial_access, T1611]

- list: bpf_profiled_binaries
items: [falco, bpftool]
items: [falco, bpftool, systemd]

- macro: bpf_profiled_procs
condition: (proc.name in (bpf_profiled_binaries))
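Review bot: the exemption in `bpf_profiled_binaries` is matched by `proc.name` only (see the `bpf_profiled_procs` macro right below), so adding `systemd` silences the "BPF Program Not Profiled" rule for any process whose name is `systemd`, not just the real init at `/usr/lib/systemd/systemd` shown in the commit message. Since the logged event already carries `proc_exepath=/usr/lib/systemd/systemd`, consider tightening the match for this entry (for example, a condition on `proc.exepath` in addition to `proc.name`, or at least `user_uid=0`), and add a one-line comment above the list stating why systemd is exempt and on which distribution it was observed, so the loss of BPF visibility for that process name is documented rather than implicit.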
