
Falco Rules not getting Triggered in EKS #2508

Closed
sawanverma opened this issue Apr 26, 2023 · 1 comment
sawanverma commented Apr 26, 2023

Describe the bug

Have deployed Falco in our EKS cluster. Was expecting the basic rules to trigger, but they are not, like "Write under etc" and "Mkdir under bin". Tried to simulate this but it did not work.

How to reproduce it

EKS: 1.25
Installed Falco and Fluent-bit as per this document
https://aws.amazon.com/blogs/containers/implementing-runtime-security-in-amazon-eks-using-cncf-falco/
helm install falco -f values.yaml falcosecurity/falco -- didn't work, hence used the following method.
helm upgrade --install falco falcosecurity/falco --set ebpf.enabled=true --reuse-values
where the values.yaml as per this https://github.com/falcosecurity/charts/blob/master/falco/values.yaml

Started a test nginx pod
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
falco-8mhq2 2/2 Running 0 53m
falco-jh7jh 2/2 Running 0 53m
falco-p7668 2/2 Running 0 53m
fluentbit-4k68v 1/1 Running 0 76m
fluentbit-t7bl7 1/1 Running 0 76m
fluentbit-vrpts 1/1 Running 0 76m
nginx2-7d4fdb5f77-445sj 1/1 Running 0 46m
nginx2-7d4fdb5f77-47qs6 1/1 Running 0 46m
nginx2-7d4fdb5f77-48hn4 1/1 Running 0 46m

Ran the following test
$ kubectl exec -it 'nginx2-7d4fdb5f77-445sj' /bin/bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@nginx2-7d4fdb5f77-445sj:/# touch /etc/2
root@nginx2-7d4fdb5f77-445sj:/# cat /etc/shadow > /dev/null 2>&1
root@nginx2-7d4fdb5f77-445sj:/#

Expected behaviour

An error log should have been generated as per the following rule.

- rule: Write below etc
  desc: an attempt to write to any file below /etc
  condition: write_etc_common
  output: "File below /etc opened for writing (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline parent=%proc.pname pcmdline=%proc.pcmdline file=%fd.name program=%proc.name gparent=%proc.aname[2] ggparent=%proc.aname[3] gggparent=%proc.aname[4] container_id=%container.id image=%container.image.repository)"
  priority: ERROR
  tags: [filesystem, mitre_persistence]

But I don't see any errors, just warnings like the following:

{
"log": "2023-04-26T13:06:12.005605664Z stdout F 13:01:53.567848579: Warning Environment variables were retrieved from /proc files (user=root user_loginuid=-1 program=tokio-runtime-w command=tokio-runtime-w --worker-threads 8 pid=5050 file=/proc/31767/environ parent=containerd-shim gparent=systemd ggparent= gggparent= container_id=bd2515f5d70f image=031903291036.dkr.ecr.us-east-1.amazonaws.com/aws-guardduty-agent) k8s.ns=amazon-guardduty k8s.pod=aws-guardduty-agent-g947d container=bd2515f5d70f"
}

Screenshots

Environment

  • Falco version: 0.34.1
    root@falco-8mhq2:/# falco --version
    Wed Apr 26 13:18:44 2023: Falco version: 0.34.1 (x86_64)
    Wed Apr 26 13:18:44 2023: Falco initialized with configuration file: /etc/falco/falco.yaml
    Falco version: 0.34.1
    Libs version: 0.10.4
    Plugin API: 2.0.0
    Engine: 16
    Driver:
    API version: 3.0.0
    Schema version: 2.0.0
    Default driver: 4.0.0+driver
  • System info:
  • Cloud provider or hardware configuration: AWS EKS - 1.25
  • OS:
    root@falco-8mhq2:/# cat /etc/os-release
    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"
  • Kernel:
    root@falco-8mhq2:/# uname -a
    Linux falco-8mhq2 5.10.176-157.645.amzn2.x86_64 Digwatch compiler #1 SMP Tue Mar 28 17:49:06 UTC 2023 x86_64 GNU/Linux
  • Installation method: Kubernetes, EKS using Helm

Additional context

sawanverma (Author) commented

Closing this as this is not an issue; found it working, as the event takes time to get generated.
