FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude noisy alerts from Falco (classicfullstack) - Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=oneagenthelper

Romanenkov_Al3x
DynaMight Champion
DynaMight Champion

‎04 Mar 2024 09:54 AM - edited ‎04 Mar 2024 09:55 AM

Hello everyone!falco.png

You can see some noisy alerts from Falco  after installation Dynatrace with

Dynatrace operator, mode classicfullstack.

Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=oneagenthelper...

This is example alert from falco for proc.name oneagenthelper

Romanenkov_Al3x_0-1709544058086.png

To avoid this behavior you can easly add oneagenthelper in list know_ptrace_binaries:

1) You can easly disable this noisy alert with changing rules configuration

sudo vi /etc/falco/falco_rules.yaml

 

...
- list: known_ptrace_binaries
  items: []
...

 

2) and addoneagenthelper like this:

 

...
- list: known_ptrace_binaries
  items: [oneagenthelper]
...

 

Example:

Romanenkov_Al3x_1-1709544630851.png

3) Restart service via systemctl (to find proper service you can use: systemctl list-units | grep falco

sudo systemctl restart falco-modern-bpf.service

or

sudo systemctl restart falco-bpf.service

 

Regards,

Alex Romanenkov

DT_NGINX_FORCE_UNKNOWN_VERSION_INSTRUMENTATION=1
Labels:
Reply
0 REPLIES 0
Ask a question

Featured Posts