https://community.dynatrace.com/t5/Dynatrace-tips/Exclude-noisy-alerts-from-Falco-classicfullstack-Warning/m-p/238789#M1192 <P><SPAN class="">Hello</SPAN><SPAN>&nbsp;everyone!<span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="falco.png" style="width: 89px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18040i53DBEA8F3CEE6B3D/image-dimensions/89x89?v=v2" width="89" height="89" role="button" title="falco.png" alt="falco.png" /></span></SPAN></P><P>You can see some noisy alerts from Falco&nbsp; after installation Dynatrace with</P><P><STRONG>Dynatrace operator, mode classicfullstack</STRONG>.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%" height="30px"><SPAN>Warning Detected ptrace PTRACE</SPAN><SPAN>_ATTACH attempt </SPAN><SPAN>(proc</SPAN><SPAN>_pcmdline</SPAN><SPAN>=oneagenthelper...</SPAN></TD></TR></TBODY></TABLE><P>This is example alert from falco for&nbsp;<SPAN>proc</SPAN><SPAN>.name&nbsp;</SPAN><SPAN>oneagenthelper</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Romanenkov_Al3x_0-1709544058086.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18037i81BE10EEE44F55F5/image-size/large?v=v2&amp;px=999" role="button" title="Romanenkov_Al3x_0-1709544058086.png" alt="Romanenkov_Al3x_0-1709544058086.png" /></span></P><P>To avoid this behavior you can easly add oneagenthelper in list know_ptrace_binaries:</P><P>1) You can easly disable this noisy alert with changing <A href="https://github.com/falcosecurity/rules/blob/dc7970d175a921aa01090d10461ce76974848022/rules/falco_rules.yaml#L1090C1-L1091C12" target="_self">rules configuration</A>.&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo vi /etc/falco/falco_rules.yaml</TD></TR></TBODY></TABLE><P>&nbsp;</P><LI-CODE lang="markup">... - list: known_ptrace_binaries items: [] ...</LI-CODE><P>&nbsp;</P><P>2) and addoneagenthelper like this:</P><P>&nbsp;</P><LI-CODE lang="markup">... - list: known_ptrace_binaries items: [oneagenthelper] ...</LI-CODE><P>&nbsp;</P><P>Example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Romanenkov_Al3x_1-1709544630851.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18038i9E9346295ED510FA/image-size/medium?v=v2&amp;px=400" role="button" title="Romanenkov_Al3x_1-1709544630851.png" alt="Romanenkov_Al3x_1-1709544630851.png" /></span></P><P>3) <STRONG>Restart service</STRONG> via systemctl (to find proper service you can use: <STRONG>systemctl list-units | grep falco</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo systemctl restart falco-modern-bpf.service</TD></TR></TBODY></TABLE><P>or</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo systemctl restart falco-bpf.service</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Regards,</P><P>Alex Romanenkov</P> Mon, 04 Mar 2024 09:55:26 GMT Romanenkov_Al3x 2024-03-04T09:55:26Z https://community.dynatrace.com/t5/Dynatrace-tips/Exclude-noisy-alerts-from-Falco-classicfullstack-Warning/m-p/238789#M1192 <P><SPAN class="">Hello</SPAN><SPAN>&nbsp;everyone!<span class="lia-inline-image-display-wrapper lia-image-align-right" image-alt="falco.png" style="width: 89px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18040i53DBEA8F3CEE6B3D/image-dimensions/89x89?v=v2" width="89" height="89" role="button" title="falco.png" alt="falco.png" /></span></SPAN></P><P>You can see some noisy alerts from Falco&nbsp; after installation Dynatrace with</P><P><STRONG>Dynatrace operator, mode classicfullstack</STRONG>.</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%" height="30px"><SPAN>Warning Detected ptrace PTRACE</SPAN><SPAN>_ATTACH attempt </SPAN><SPAN>(proc</SPAN><SPAN>_pcmdline</SPAN><SPAN>=oneagenthelper...</SPAN></TD></TR></TBODY></TABLE><P>This is example alert from falco for&nbsp;<SPAN>proc</SPAN><SPAN>.name&nbsp;</SPAN><SPAN>oneagenthelper</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Romanenkov_Al3x_0-1709544058086.png" style="width: 999px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18037i81BE10EEE44F55F5/image-size/large?v=v2&amp;px=999" role="button" title="Romanenkov_Al3x_0-1709544058086.png" alt="Romanenkov_Al3x_0-1709544058086.png" /></span></P><P>To avoid this behavior you can easly add oneagenthelper in list know_ptrace_binaries:</P><P>1) You can easly disable this noisy alert with changing <A href="https://github.com/falcosecurity/rules/blob/dc7970d175a921aa01090d10461ce76974848022/rules/falco_rules.yaml#L1090C1-L1091C12" target="_self">rules configuration</A>.&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo vi /etc/falco/falco_rules.yaml</TD></TR></TBODY></TABLE><P>&nbsp;</P><LI-CODE lang="markup">... - list: known_ptrace_binaries items: [] ...</LI-CODE><P>&nbsp;</P><P>2) and addoneagenthelper like this:</P><P>&nbsp;</P><LI-CODE lang="markup">... - list: known_ptrace_binaries items: [oneagenthelper] ...</LI-CODE><P>&nbsp;</P><P>Example:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Romanenkov_Al3x_1-1709544630851.png" style="width: 400px;"><img src="https://community.dynatrace.com/t5/image/serverpage/image-id/18038i9E9346295ED510FA/image-size/medium?v=v2&amp;px=400" role="button" title="Romanenkov_Al3x_1-1709544630851.png" alt="Romanenkov_Al3x_1-1709544630851.png" /></span></P><P>3) <STRONG>Restart service</STRONG> via systemctl (to find proper service you can use: <STRONG>systemctl list-units | grep falco</STRONG></P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo systemctl restart falco-modern-bpf.service</TD></TR></TBODY></TABLE><P>or</P><TABLE border="1" width="100%"><TBODY><TR><TD width="100%">sudo systemctl restart falco-bpf.service</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Regards,</P><P>Alex Romanenkov</P> Mon, 04 Mar 2024 09:55:26 GMT https://community.dynatrace.com/t5/Dynatrace-tips/Exclude-noisy-alerts-from-Falco-classicfullstack-Warning/m-p/238789#M1192 Romanenkov_Al3x 2024-03-04T09:55:26Z