Falco: Valid audit JSON terminates/crashes Falco

Created on 6 Jan 2020  Â·  6Comments  Â·  Source: falcosecurity/falco

Describe the bug

We have the Kubernetes audit endpoint enabled, which is receiving all the JSON audit events. When Falco receives a Pod created event with the following piece of JSON Pod spec:

"spec": {
  "volumes": [ {
    "name": "etc",
    "hostPath": {
      "path": "/etc",
      "type": ""
    }
  }],

It crashes with this error:

terminate called after throwing an instance of 'nlohmann::detail::type_error'
what():  [json.exception.type_error.302] type must be string, but is object

It seems that Falco is not expecting an object for the hostPath field?

How to reproduce it

Create a pod with a hostpath volume.

Expected behaviour

The event should be scanned and processed successfully.

Environment

  • Falco version: 0.18.0 (Docker image built from minimal Dockerfile)
  • System info:
    "system_info": {
    "machine": "x86_64",
    "nodename": "",
    "release": "4.14.152-127.182.amzn2.x86_64",
    "sysname": "Linux",
    "version": "#1 SMP Thu Nov 14 17:32:43 UTC 2019"
    },
  • Cloud provider or hardware configuration: AWS
  • OS: Amazon Linux 2
  • Installation method: Kubernetes / Docker
kinbug

Most helpful comment

I think I already fixed this in https://github.com/falcosecurity/falco/commit/4e39fee54e0f7e51f79e886933ccbc30193f134b. I see that we don't have dev builds at the moment, but if you can compile your own from the dev branch, you could see if the fix I made also fixes this problem.

All 6 comments

Is anyone from the Falco team available to investigate this? It seems like a rather severe bug and it is preventing us from upgrading to the latest Falco version.

@mstemm @fntlnz @leodido any idea what might be triggering this in the Kubernetes audit input. This seems to be similar to the JSON type issue we found in the security audit.

Yes it is similar. Will investigate further next week, thanks for reporting
it!

/assign @leodido

On Fri, 10 Jan 2020 at 17:34, Michael Ducy notifications@github.com wrote:

@mstemm https://github.com/mstemm @fntlnz https://github.com/fntlnz
@leodido https://github.com/leodido any idea what might be triggering
this in the Kubernetes audit input. This seems to be similar to the JSON
type issue we found in the security audit.

—
You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
https://github.com/falcosecurity/falco/issues/990?email_source=notifications&email_token=AAA5J42Z52D6G2LSU2GAMKLQ5CPQ5A5CNFSM4KDFJM4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIUPBNA#issuecomment-573108404,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAA5J4ZTTDQIAAIM67QYM3DQ5CPQ5ANCNFSM4KDFJM4A
.

>

L.

I think I already fixed this in https://github.com/falcosecurity/falco/commit/4e39fee54e0f7e51f79e886933ccbc30193f134b. I see that we don't have dev builds at the moment, but if you can compile your own from the dev branch, you could see if the fix I made also fixes this problem.

I created a custom build from the latest dev branch and that seems to fix the problem. Any ETA on a new official release version?

We released https://github.com/falcosecurity/falco/commit/4e39fee54e0f7e51f79e886933ccbc30193f134b into Falco 0.19.0

So, closing this :)

/close

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kris-nova picture kris-nova  Â·  8Comments

dinvlad picture dinvlad  Â·  7Comments

EppO picture EppO  Â·  3Comments

fntlnz picture fntlnz  Â·  4Comments

danpopSD picture danpopSD  Â·  8Comments