04 Mar 2024 09:54 AM - edited 04 Mar 2024 09:55 AM
Hello everyone!
You can see some noisy alerts from Falco after installing Dynatrace with the
Dynatrace operator in classicfullstack mode.
Warning Detected ptrace PTRACE_ATTACH attempt (proc_pcmdline=oneagenthelper...
This is an example alert from Falco for proc.name oneagenthelper.
To avoid this behavior you can easily add oneagenthelper to the list known_ptrace_binaries:
1) You can easily disable this noisy alert by changing the rules configuration.
sudo vi /etc/falco/falco_rules.yaml
...
- list: known_ptrace_binaries
  items: []
...
2) and add oneagenthelper like this:
...
- list: known_ptrace_binaries
  items: [oneagenthelper]
...
3) Restart the service via systemctl (to find the proper service you can use: systemctl list-units | grep falco)
sudo systemctl restart falco-modern-bpf.service
or
sudo systemctl restart falco-bpf.service
Regards,
Alex Romanenkov
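
Steps 1 and 2 above can be scripted so the change is repeatable across hosts. This is an added example, not part of the original post: the function name add_list_item is hypothetical, the sample rules content is constructed, and it assumes the list uses the inline `items: [...]` form shown above.

```shell
#!/bin/sh
# add_list_item FILE LIST NAME
# Adds NAME to the inline "items: [...]" of the Falco list LIST in FILE.
# Idempotent: running it again does not add a duplicate entry.
add_list_item() {
    ali_file=$1; ali_list=$2; ali_name=$3
    ali_tmp=$(mktemp) || return 1
    awk -v list="$ali_list" -v name="$ali_name" '
        # A "- list:" entry starts: remember whether it is the one we want.
        /^[ \t]*-[ \t]*list:/ {
            n = $0
            sub(/^[ \t]*-[ \t]*list:[ \t]*/, "", n); sub(/[ \t]+$/, "", n)
            in_list = (n == list)
        }
        # Any rule or macro entry ends the list we were in.
        /^[ \t]*-[ \t]*(rule|macro):/ { in_list = 0 }
        # Rewrite only the items line that belongs to the target list.
        in_list && /^[ \t]*items:[ \t]*\[.*\]/ {
            lb = index($0, "["); rb = index($0, "]")
            cnt = split(substr($0, lb + 1, rb - lb - 1), parts, ",")
            found = 0; out = ""
            for (i = 1; i <= cnt; i++) {
                item = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", item)
                if (item == "") continue
                if (item == name) found = 1
                out = (out == "" ? item : out ", " item)
            }
            if (!found) out = (out == "" ? name : out ", " name)
            $0 = substr($0, 1, lb) out substr($0, rb)
            in_list = 0
        }
        { print }
    ' "$ali_file" > "$ali_tmp" && cat "$ali_tmp" > "$ali_file"  # cat keeps owner and mode
    ali_rc=$?
    rm -f "$ali_tmp"
    return $ali_rc
}

# Demo on a constructed sample, not on the real /etc/falco/falco_rules.yaml.
demo=$(mktemp)
printf '%s\n' '- list: user_known_binaries' '  items: [gdb]' \
    '- list: known_ptrace_binaries' '  items: []' > "$demo"
add_list_item "$demo" known_ptrace_binaries oneagenthelper
cat "$demo"
rm -f "$demo"
```

Run it against a copy of the rules file first, then restart the Falco service as in step 3.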