Hello, I need some details…
I completed this task and verified the solution at the end of the exam. My steps exactly match the solution. But the exam still says “Incomplete”. It does not say what is missing or wrong…
Is the falco.yaml not updated for output?
Does the local rules file not have the correct rules or output?
Did the “Systemctl restart Falco” not work?
It would greatly help to know which step is not correct or completed.
Seems like I am having problems with “Falco” tasks… even in Mock 2 question 4, I am getting an incomplete task.
When I checked the status of the Falco service, I saw a failure… Below is the message:
● falco.service - Falco: Container Native Runtime Security
Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor pre
Active: activating (auto-restart) (Result: exit-code) since Sat 2022-07-16
Docs: The Falco Project | Falco
Process: 3479 ExecStopPost=/sbin/rmmod falco (code=exited, status=0/SUCCESS
Process: 3445 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid -c /etc
Process: 3431 ExecStartPre=/sbin/modprobe falco (code=exited, status=0/SUCC
Main PID: 3445 (code=exited, status=1/FAILURE)
Jul 16 15:56:00 controlplane systemd[1]: falco.service: Failed with result 'e
lines 1-10/10 (END)
It’s been almost a week since this post, and no responses. Hope someone is watching this board.
Hi @spaspunoori ,
Can you please give it another try? I checked twice and didn’t see any issues, and I also followed the GitHub solution.
Regards,
I just tried Mock exam 1 again… again Q 6 did not pass… it still reports “Incomplete”… I checked the custom log file, it has entries… and I also checked the status of Falco, it is in running status.
Here are entries from the log:
root@controlplane:/# cat /opt/security_incidents/alerts.log
22:38:39.274594000: Notice Privileged container started (user= user_loginuid=0 command=container:aefd11d3934b k8s_weave-npc_weave-net-xcrmk_kube-system_8510ac9f-d13f-4fda-94ef-b90a17fee717_0 (id=aefd11d3934b) image=weaveworks/weave-npc:2.8.1)
22:38:39.279953000: Notice Privileged container started (user=root user_loginuid=0 command=container:45961764d3f2 k8s_weave_weave-net-xcrmk_kube-system_8510ac9f-d13f-4fda-94ef-b90a17fee717_1 (id=45961764d3f2) image=weaveworks/weave-kube:2.8.1)
22:38:39.350907000: Notice Container with sensitive mount started (user= user_loginuid=0 command=container:05d0fddf9a95 k8s_kube-apiserver_kube-apiserver-controlplane_kube-system_4c14b2053a32e40cfbaa574cf120b8e8_1 (id=05d0fddf9a95) image=k8s.gcr.io/kube-apiserver:v1.19.0 mounts=/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro:false:rprivate,/usr/share/ca-certificates:/usr/share/ca-certificates:ro:false:rprivate,/root/CKS/ImagePolicy:/etc/admission-controllers:ro:false:rprivate,/var/lib/kubelet/pods/4c14b2053a32e40cfbaa574cf120b8e8/etc-hosts:/etc/hosts::true:rprivate,/var/lib/kubelet/pods/4c14b2053a32e40cfbaa574cf120b8e8/containers/kube-apiserver/b7e52bb0:/dev/termination-log::true:rprivate,/etc/ssl/certs:/etc/ssl/certs:ro:false:rprivate,/etc/ca-certificates:/etc/ca-certificates:ro:false:rprivate,/etc/kubernetes/pki:/etc/kubernetes/pki:ro:false:rprivate)
22:38:50.812913000: Notice Privileged container started (user= user_loginuid=0 command=container:aefd11d3934b k8s_weave-npc_weave-net-xcrmk_kube-system_8510ac9f-d13f-4fda-94ef-b90a17fee717_0 (id=aefd11d3934b) image=weaveworks/weave-npc:2.8.1)
22:38:50.817243000: Notice Privileged container started (user= user_loginuid=0 command=container:45961764d3f2 k8s_weave_weave-net-xcrmk_kube-system_8510ac9f-d13f-4fda-94ef-b90a17fee717_1 (id=45961764d3f2) image=weaveworks/weave-kube:2.8.1)
22:38:50.926287000: Notice Container with sensitive mount started (user= user_loginuid=0 command=container:05d0fddf9a95 k8s_kube-apiserver_kube-apiserver-controlplane_kube-system_4c14b2053a32e40cfbaa574cf120b8e8_1 (id=05d0fddf9a95) image=k8s.gcr.io/kube-apiserver:v1.19.0 mounts=/etc/ssl/certs:/etc/ssl/certs:ro:false:rprivate,/etc/ca-certificates:/etc/ca-certificates:ro:false:rprivate,/etc/kubernetes/pki:/etc/kubernetes/pki:ro:false:rprivate,/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro:false:rprivate,/usr/share/ca-certificates:/usr/share/ca-certificates:ro:false:rprivate,/root/CKS/ImagePolicy:/etc/admission-controllers:ro:false:rprivate,/var/lib/kubelet/pods/4c14b2053a32e40cfbaa574cf120b8e8/etc-hosts:/etc/hosts::true:rprivate,/var/lib/kubelet/pods/4c14b2053a32e40cfbaa574cf120b8e8/containers/kube-apiserver/b7e52bb0:/dev/termination-log::true:rprivate)
FALCO STATUS:
root@controlplane:/# systemctl status falco
● falco.service - Falco: Container Native Runtime Security
Loaded: loaded (/usr/lib/systemd/system/falco.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2022-07-22 22:38:49 UTC; 31min ago
Docs: The Falco Project | Falco
Process: 26420 ExecStopPost=/sbin/rmmod falco (code=exited, status=0/SUCCESS)
Process: 26426 ExecStartPre=/sbin/modprobe falco (code=exited, status=0/SUCCESS)
Main PID: 26445 (falco)
Tasks: 6 (limit: 2314)
CGroup: /system.slice/falco.service
└─26445 /usr/bin/falco --pidfile=/var/run/falco.pid -c /etc/falco/falco.yaml
Jul 22 23:08:31 controlplane falco[26445]: 23:08:31.418094353: Critical File below a known binary directory opened for writi
Jul 22 23:08:31 controlplane falco[26445]: 23:08:31.418094353: Critical File below a known binary directory opened for writi
Jul 22 23:09:01 controlplane falco[26445]: 23:09:01.845772918: Error File below known binary directory renamed/removed (user
Jul 22 23:09:01 controlplane falco[26445]: 23:09:01.845852155: Critical File below a known binary directory opened for writi
Jul 22 23:09:01 controlplane falco[26445]: 23:09:01.845772918: Error File below known binary directory renamed/removed (user
Jul 22 23:09:01 controlplane falco[26445]: 23:09:01.845852155: Critical File below a known binary directory opened for writi
Jul 22 23:09:31 controlplane falco[26445]: 23:09:31.840358841: Error File below known binary directory renamed/removed (user
Jul 22 23:09:31 controlplane falco[26445]: 23:09:31.840391063: Critical File below a known binary directory opened for writi
Jul 22 23:09:31 controlplane falco[26445]: 23:09:31.840358841: Error File below known binary directory renamed/removed (user
Jul 22 23:09:31 controlplane falco[26445]: 23:09:31.840391063: Critical File below a known binary directory opened for writi
lines 1-21/21 (END)
Please ignore Mock 1 Q 6, I found what I was doing wrong. In the command executed, I was referring to pcmdline instead of cmdline.
Thanks for the response, I will watch the other Falco exercises closely.
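The root cause above is worth a check of its own: a rule whose output line uses %proc.pcmdline (the parent process command line, itself a valid Falco field) instead of %proc.cmdline still loads and still fires, so systemctl shows the service running and the alert log keeps filling, yet a grader looking for the exact field reports the task incomplete. The following script is an added example for this thread, not part of the exam, the poster's solution or the Falco project: it extracts every %field placeholder from a rule's output (including YAML ">" or "|" block scalars that span several lines), diffs it against the fields a task requires, and suggests the closest field actually used for any near miss. The rule snippets and the REQUIRED set are constructed for the demo; the real exam's rules and field list are not reproduced here.

```python
"""Check which %fields a Falco rule's output line actually references.

Added example for the thread above; it is not part of the exam, the poster's
solution or the Falco project. A rule using %proc.pcmdline instead of
%proc.cmdline loads and fires normally, so service status and the log file
look healthy while the task is still wrong. This script pulls every %field out
of the rule's output (joining YAML block scalars that continue over several
lines), diffs it against the fields the task requires and points at the closest
field the rule really used. Rule snippets and REQUIRED are constructed samples.
"""
import difflib
import re

# A Falco output placeholder: %class.field[.subfield][index], e.g. %proc.cmdline,
# %container.image.repository, %evt.arg.path, %fd.name
FIELD_RE = re.compile(r"%([a-z_]+(?:\.[A-Za-z0-9_]+)+(?:\[[^\]]*\])?)")


def output_strings(rule_text: str) -> list[str]:
    """Return the value of every 'output:' key in a rules snippet.

    YAML block scalars (output: > ... or output: | ...) continue on the lines
    indented deeper than the key, so those lines are joined into one string.
    Only the output key is handled; this is deliberately not a YAML parser.
    """
    lines = rule_text.splitlines()
    results: list[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.lstrip()
        if not stripped.startswith("output:"):
            i += 1
            continue
        key_indent = len(line) - len(stripped)
        value = stripped[len("output:"):].strip()
        # a bare block-scalar indicator means the text starts on the next line
        parts = [] if value in ("", ">", "|", ">-", "|-", ">+", "|+") else [value]
        i += 1
        while i < len(lines):
            nxt = lines[i]
            if nxt.strip() == "":
                i += 1
                continue
            if len(nxt) - len(nxt.lstrip()) <= key_indent:
                break
            parts.append(nxt.strip())
            i += 1
        results.append(" ".join(parts).strip("\"'"))
    return results


def extract_output_fields(rule_text: str) -> list[str]:
    """All %fields referenced by the output line(s), in order of appearance."""
    fields: list[str] = []
    for text in output_strings(rule_text):
        fields.extend(FIELD_RE.findall(text))
    return fields


def check_output_fields(rule_text: str, required: set[str]) -> dict:
    """Compare the rule's output fields with the fields a task requires.

    Returns the missing required fields and, for each of them, the closest
    field the rule actually used (a likely near miss such as proc.pcmdline).
    """
    found = extract_output_fields(rule_text)
    missing = sorted(required - set(found))
    near_miss = {}
    for name in missing:
        close = difflib.get_close_matches(name, found, n=1, cutoff=0.8)
        if close:
            near_miss[name] = close[0]
    return {"ok": not missing, "fields": found, "missing": missing, "near_miss": near_miss}


# Constructed sample reproducing the shape of the mistake described in the thread
WRONG_RULE = """\
- rule: Package management process launched in container
  desc: Package manager run inside a container (constructed sample)
  condition: >
    spawned_process and container
    and proc.name in (apt, apt-get, apk, yum, rpm, dpkg)
  output: >
    Package management process launched in container
    (user=%user.name command=%proc.pcmdline container_id=%container.id
    image=%container.image.repository)
  priority: ERROR
"""

FIXED_RULE = WRONG_RULE.replace("%proc.pcmdline", "%proc.cmdline")

# Fields the (hypothetical) task asks for in the alert line
REQUIRED = {"user.name", "proc.cmdline", "container.id", "container.image.repository"}

if __name__ == "__main__":
    for label, rule in (("wrong", WRONG_RULE), ("fixed", FIXED_RULE)):
        print(label, check_output_fields(rule, REQUIRED))
```

Run it against the rules file before restarting Falco; the "near_miss" entry is the quickest way to spot a placeholder that is a legitimate field but not the one the task asked for, which neither `systemctl status falco` nor the alert log will ever flag.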
Thanks for your prompt response. Glad you were able to solve it by yourself.