CKS Lab Mock Exam 1. Falco Always crashes

I’ve been taking the mock exam for a few weeks now and every time the Falco service crashes and I’m unable to complete the exercise. This is very frustrating. Please advise on what I could be doing wrong. Working on Killershell’s exercises and Falco there never crashes. What is the difference here?
A systemctl restart falco does not restart the service. Here are my actions.
I get the rule to be edited from falco_rules.yaml
I copy the rule to falco_rules_local.yaml, modify, save.
Check status of falco so that I can soft restart it with kill -1 PID and I always get this error

ERROR Below
root@controlplane ~ ➜ systemctl status falco
● falco.service - Falco: Container Native Runtime Security
   Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Wed 2024-01-10 07:24:21 EST; 11s ago
     Docs: The Falco Project | Falco
  Process: 9716 ExecStopPost=/sbin/rmmod falco (code=exited, status=0/SUCCESS)
  Process: 9709 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid -c /etc/falco/falco.yaml (code=exited, status=1/FAILURE)
  Process: 9699 ExecStartPre=/sbin/modprobe falco (code=exited, status=0/SUCCESS)
 Main PID: 9709 (code=exited, status=1/FAILURE)

It is fine. I suspect you have a syntax error in the rule you are adding.

root@controlplane ~ ➜  mkdir -p /opt/security_incidents

root@controlplane ~ ➜  vi /etc/falco/falco.yaml 

root@controlplane ~ ➜  vi /etc/falco/falco_rules.local.yaml 

root@controlplane ~ ➜  ps aux | grep falco
root      7470  2.4  1.8 837940 36996 ?        Ssl  14:46   0:04 /usr/bin/falco --pidfile=/var/run/falco.pid -c /etc/falco/falco.yaml
root     10024  0.0  0.0  14432  1044 pts/0    S+   14:50   0:00 grep --color=auto falco

root@controlplane ~ ✖ kill -1 7470

root@controlplane ~ ➜  systemctl status falco
● falco.service - Falco: Container Native Runtime Security
   Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2024-01-10 14:46:46 EST; 3min 59s ago
     Docs: https://falco.org/docs/


You should view the full log of falco to see what it is complaining about if it fails to start:

journalctl -u falco

Also you can skip the step of having to find the pid of falco by doing this

kill -1 $(pidof falco)
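The failure mode in this thread is a pasted rule with a typo taking the whole Falco service down on SIGHUP. The script below is an added example, not something posted in the thread or shipped by Falco: it runs a cheap structural pre-check on the local rules file (every `- rule:` stanza must carry `condition`, `output` and `priority`, and no tab characters, which YAML rejects), then asks Falco itself to parse the file with its own `-V`/`--validate` option, and only then sends the `kill -1` reload and checks `systemctl is-active`, dumping the journal on failure. The function names `check_rules_file`, `reload_falco` and `demo` are hypothetical; the sample rule written by `demo` is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): validate a Falco local rules file
# before reloading, so a paste error does not crash the running service.
set -u

# Structural pre-check in plain awk. Returns 0 when every rule stanza has
# condition/output/priority and the file contains no tabs, 1 otherwise.
check_rules_file() {
  f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  if grep -q "$(printf '\t')" "$f"; then
    echo "$f: tab characters found; YAML indentation must use spaces" >&2
    return 1
  fi
  awk '
    function flush() {
      if (name != "" && (!has["condition"] || !has["output"] || !has["priority"])) {
        printf("rule \"%s\": missing condition/output/priority\n", name) > "/dev/stderr"
        bad = 1
      }
      split("", has); name = ""          # portable way to clear the array
    }
    /^- rule:/         { flush(); name = $0; sub(/^- rule:[ ]*/, "", name) }
    /^- (macro|list):/ { flush() }       # macros and lists need no output/priority
    /^  condition:/    { has["condition"] = 1 }
    /^  output:/       { has["output"] = 1 }
    /^  priority:/     { has["priority"] = 1 }
    END { flush(); exit bad }
  ' "$f"
}

# Reload Falco in place (the SIGHUP step from the thread) only after the
# file passes both the pre-check and Falco's own parser (-V/--validate).
# On a failed restart, print the recent journal instead of guessing.
reload_falco() {
  rules="${1:-/etc/falco/falco_rules.local.yaml}"
  check_rules_file "$rules" || return 1
  falco -V "$rules" >/dev/null || { echo "falco rejected $rules" >&2; return 1; }
  kill -1 "$(pidof falco)" || { echo "no running falco process" >&2; return 1; }
  sleep 2
  if ! systemctl is-active --quiet falco; then
    journalctl -u falco -n 30 --no-pager >&2
    return 1
  fi
  echo "falco reloaded with $rules"
}

# Offline demonstration of the pre-check on a constructed sample rule.
demo() {
  tmp="$(mktemp -d)"
  cat > "$tmp/sample.yaml" <<'EOF'
- rule: Sample rule (constructed)
  desc: example stanza used only to exercise check_rules_file
  condition: evt.type = open and fd.name startswith /opt/security_incidents
  output: "file opened (user=%user.name file=%fd.name)"
  priority: WARNING
EOF
  check_rules_file "$tmp/sample.yaml"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

demo
```

On the exam host you would call `reload_falco` (as root) instead of `demo`; the pre-check catches the common paste mistakes in milliseconds, and `falco -V` catches everything else the engine would reject, so the running service is never asked to load a file that will not parse.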

Hello @Alistair_KodeKloud
You were correct! Looks like I was fat-fingering when I pasted into falco_rules_local. Double/triple checked this time and falco did not crash.
Thank you for your quick response, much appreciated!
Andrew.