Vinod Kumar Nair:
Hi @Vijin Palazhi, I could not understand how to debug the logs for this specific query on the Falco labs… the hint says just analyze the logs… but I am not sure how to trace the error that was generated as per the options given, which are related to apt-get, etc.… in the error I do not see anything related to apt-get… any idea if I’m missing anything here? Thanks:

Jun 21 07:58:57 node01 falco[7849]: 07:58:57.014843665: Error File below /etc opened for writing (user=root user_loginuid=0 command=vi /etc/falco/falco_rules.yaml parent=bash pcmdline=bash file=/etc/falco/.falco_rules.yaml.swx program=vi gparent=sshd ggparent=sshd gggparent=systemd container_id=host image=<NA>)
Jun 21 07:58:57 node01 falco[7849]: 07:58:57.014925669: Error File below /etc opened for writing (user=root user_loginuid=0 command=vi /etc/falco/falco_rules.yaml parent=bash pcmdline=bash file=/etc/falco/.falco_rules.yaml.swp program=vi gparent=sshd ggparent=sshd gggparent=systemd container_id=host image=<NA>)
Jun 21 08:03:05 node01 falco[7849]: 08:03:05.547468556: Error File below /etc opened for writing (user=root user_loginuid=0 command=vi /etc/falco/falco_rules.yaml parent=bash pcmdline=bash file=/etc/falco/4913 program=vi gparent=sshd ggparent=sshd gggparent=systemd container_id=host image=<NA>)
Jun 21 08:03:05 node01 falco[7849]: 08:03:05.547543148: Error File below /etc opened for writing (user=root user_loginuid=0 command=vi /etc/falco/falco_rules.yaml parent=bash pcmdline=bash file=/etc/falco/falco_rules.yaml program=vi gparent=sshd ggparent=sshd gggparent=systemd container_id=host image=<NA>)

Vinod Kumar Nair:
My bad… please ignore… I got it… I was looking at the wrong error statement… the answer is here in the command attribute:
Error Package management process launched in container (user=root user_loginuid=-1 command=apt update container_id=7837ab51b213 container_name=k8s_simple-webapp_simple-webapp-1_critical-apps_60326921-52ec-4586-9ba0-5fa23d417e46_0 image=nginx:latest)

Bhushan G:
Hi Vinod…
Where can we find that error statement in Falco?

Vinod Kumar Nair:
@Bhushan G, you need to ssh into node01 (where Falco is running), then enter the command below to see the running Falco logs:
journalctl -fu falco

Then, in another terminal, ssh into the same node01, make the changes in the Falco local rules file as asked in the question, and restart Falco… you will see these logs in the first terminal.
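As an added example (not from the thread or from Falco itself), a small parser for the alert lines that `journalctl -fu falco` prints, so the `command=` attribute the question turned on can be picked out programmatically instead of by eye. It handles both shapes seen above: lines with the journald prefix and the bare Falco output. The sample input reuses two lines from the thread plus one constructed non-alert journal line.

```python
import re

# A journal line looks like "Jun 21 08:03:05 node01 falco[7849]: 08:03:05.547543148: Error <rule text> (k=v k=v ...)".
# The journald/falco prefix is optional so bare Falco output parses too.
LINE_RE = re.compile(
    r"^(?:(?P<when>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"falco\[(?P<pid>\d+)\]: (?P<ts>[\d:.]+): )?"
    r"(?P<priority>[A-Za-z]+) (?P<rule>.*?) \((?P<fields>.*)\)$"
)
# Values may contain spaces (command=apt update), so a value runs until the
# next " key=" token or the end of the parenthesised attribute list.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_falco_line(line):
    """Return priority, rule text and attributes as a dict, or None when the
    line is not a Falco alert (e.g. a systemd start message in the journal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "priority": m.group("priority"), "rule": m.group("rule"),
        "host": m.group("host"), "pid": m.group("pid"),
        "fields": dict(FIELD_RE.findall(m.group("fields"))),
    }


def events_matching_command(lines, prefix):
    """Alerts whose command attribute starts with `prefix`, e.g. "apt"."""
    hits = []
    for line in lines:
        ev = parse_falco_line(line)
        if ev and ev["fields"].get("command", "").startswith(prefix):
            hits.append(ev)
    return hits


# Sample input: two lines from the thread, and one constructed systemd line.
SAMPLE = [
    "Jun 21 08:03:05 node01 falco[7849]: 08:03:05.547543148: Error File below /etc opened for writing "
    "(user=root user_loginuid=0 command=vi /etc/falco/falco_rules.yaml parent=bash pcmdline=bash "
    "file=/etc/falco/falco_rules.yaml program=vi gparent=sshd ggparent=sshd gggparent=systemd "
    "container_id=host image=<NA>)",
    "Error Package management process launched in container (user=root user_loginuid=-1 "
    "command=apt update container_id=7837ab51b213 container_name=k8s_simple-webapp_simple-webapp-1"
    "_critical-apps_60326921-52ec-4586-9ba0-5fa23d417e46_0 image=nginx:latest)",
    "Jun 21 07:58:50 node01 systemd[1]: Started Falco runtime security.",  # constructed, not an alert
]

if __name__ == "__main__":
    for ev in events_matching_command(SAMPLE, "apt"):
        print(ev["priority"], ev["rule"], "->", ev["fields"]["command"], "in", ev["fields"]["container_id"])
```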

Bhushan G:
Thanks, mate… I was missing the search part.