nibalizer/unsolved falco events

## unsolved falco events
containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.455656160Z", "output_fields": {"container.id":"host","evt.time":1558760985455656160,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}
{"output":"05:09:45.584579186: Notice Namespace change (setns) by unexpected program (user=root command=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.584579186Z", "output_fields": {"container.id":"host","evt.time":1558760985584579186,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}
{"output":"05:09:45.584583207: Notice Namespace change (setns) by unexpected program (user=root command=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.584583207Z", "output_fields": {"container.id":"host","evt.time":1558760985584583207,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}


{"output":"00:00:00.032644480: Informational Container with sensitive mount started (user=root command=container:57fdaf42e28a k8s.ns=<NA> k8s.pod=<NA> container=57fdaf42e28a image=registry.ng.bluemix.net/armada-master/ibm-kube-fluentd-collector:c16fe1602ab65db4af0a6ac008f99ca2a526e6f6 mounts=/etc/kubernetes/:/etc/kubernetes::false:private,/:/host::false:private,/var/log/:/var/log::false:private,/var/lib/docker:/var/lib/docker::false:private,/var/run/docker.sock:/var/run/docker.sock::false:private,/mnt/ibm-kube-fluentd-persist:/mnt/ibm-kube-fluentd-persist::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/logmet-secrets-volume:/mnt/logmet/secrets::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/fluentd-config:/fluentd/etc/config.d/logmet/::false:private,/var/data:/var/data::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/at-fluentd-config:/fluentd/etc/config.d/at/::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/activity-tracker-secrets-volume:/mnt/activity-tracker/secrets/::false:private,/var/log/at:/var/log/at::false:private,/var/log/at-no-rotate:/var/log/at-no-rotate::false:private,/run/containerd:/run/containerd::false:private,/run/containerd/containerd.sock:/run/containerd/containerd.sock::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/ibm-kube-fluentd-token-r7qdj:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/containers/fluentd/bf5c441c:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=57fdaf42e28a","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"1970-01-01T00:00:00.032644480Z", "output_fields": {"container.id":"57fdaf42e28a","container.image.repository":"registry.ng.bluemix.net/armada-master/ibm-kube-fluentd-collector","container.image.tag":"c16fe1602ab65db4af0a6ac008f99ca2a526e6f6","container.mounts":"/etc/kubernetes/:/etc/kubernetes::false:private,/:/host::false:private,/var/log/:/var/log::false:private,/var/lib/docker:/var/lib/docker::false:private,/var/run/docker.sock:/var/run/docker.sock::false:private,/mnt/ibm-kube-fluentd-persist:/mnt/ibm-kube-fluentd-persist::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/logmet-secrets-volume:/mnt/logmet/secrets::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/fluentd-config:/fluentd/etc/config.d/logmet/::false:private,/var/data:/var/data::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/at-fluentd-config:/fluentd/etc/config.d/at/::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/activity-tracker-secrets-volume:/mnt/activity-tracker/secrets/::false:private,/var/log/at:/var/log/at::false:private,/var/log/at-no-rotate:/var/log/at-no-rotate::false:private,/run/containerd:/run/containerd::false:private,/run/containerd/containerd.sock:/run/containerd/containerd.sock::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/ibm-kube-fluentd-token-r7qdj:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/containers/fluentd/bf5c441c:/dev/termination-log::true:private","evt.time":32644480,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:57fdaf42e28a","user.name":"root"}}
{"output":"00:00:00.032644480: Informational Container with sensitive mount started (user=root command=container:e0b6f3cf1b82 k8s.ns=<NA> k8s.pod=<NA> container=e0b6f3cf1b82 image=docker.io/falcosecurity/falco:dev mounts=/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/falco-account-token-wrqjh:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/containers/falco/44c6fd56:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=e0b6f3cf1b82","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"1970-01-01T00:00:00.032644480Z", "output_fields": {"container.id":"e0b6f3cf1b82","container.image.repository":"docker.io/falcosecurity/falco","container.image.tag":"dev","container.mounts":"/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/falco-account-token-wrqjh:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/containers/falco/44c6fd56:/dev/termination-log::true:private","evt.time":32644480,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:e0b6f3cf1b82","user.name":"root"}}
{"output":"05:07:27.509358366: Error File below /etc opened for writing (user=root command=nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true parent=containerd-shim pcmdline=containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd file=/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem program=nginx-ingress gparent=containerd ggparent=systemd gggparent=<NA>) k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805 k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805","priority":"Error","rule":"Write below etc","time":"2019-05-25T05:07:27.509358366Z", "output_fields": {"container.id":"1634df6b1805","evt.time":1558760847509358366,"fd.name":"/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem","k8s.ns.name":"kube-system","k8s.pod.name":"public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv","proc.aname[2]":"containerd","proc.aname[3]":"systemd","proc.aname[4]":null,"proc.cmdline":"nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true","proc.name":"nginx-ingress","proc.pcmdline":"containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd","proc.pname":"containerd-shim","user.name":"root"}}
{"output":"05:07:29.464598714: Error File below /etc opened for writing (user=root command=nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true parent=containerd-shim pcmdline=containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd file=/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem program=nginx-ingress gparent=containerd ggparent=systemd gggparent=<NA>) k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805 k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805","priority":"Error","rule":"Write below etc","time":"2019-05-25T05:07:29.464598714Z", "output_fields": {"container.id":"1634df6b1805","evt.time":1558760849464598714,"fd.name":"/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem","k8s.ns.name":"kube-system","k8s.pod.name":"public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv","proc.aname[2]":"containerd","proc.aname[3]":"systemd","proc.aname[4]":null,"proc.cmdline":"nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true","proc.name":"nginx-ingress","proc.pcmdline":"containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd","proc.pname":"containerd-shim","user.name":"root"}}
{"output":"05:07:39.665620473: Informational Container with sensitive mount started (user=<NA> command=container:82ac57611108 k8s.ns=<NA> k8s.pod=<NA> container=82ac57611108 image=quay.io/prometheus/node-exporter:v0.15.2 mounts=/proc:/host/proc::false:private,/sys:/host/sys::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/node-exporter-token-phpg4:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/containers/node-exporter/f2f84ddc:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=82ac57611108","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"2019-05-25T05:07:39.665620473Z", "output_fields": {"container.id":"82ac57611108","container.image.repository":"quay.io/prometheus/node-exporter","container.image.tag":"v0.15.2","container.mounts":"/proc:/host/proc::false:private,/sys:/host/sys::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/node-exporter-token-phpg4:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/containers/node-exporter/f2f84ddc:/dev/termination-log::true:private","evt.time":1558760859665620473,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:82ac57611108","user.name":null}}

"output":"15:49:46.068759093: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.068759093Z", "output_fields": {"container.id":"host","evt.time":1558799386068759093,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
{"output":"15:49:46.068762979: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.068762979Z", "output_fields": {"container.id":"host","evt.time":1558799386068762979,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
{"output":"15:49:46.149588667: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.149588667Z", "output_fields": {"container.id":"host","evt.time":1558799386149588667,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
{"output":"15:49:46.149592895: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.149592895Z", "output_fields": {"container.id":"host","evt.time":1558799386149592895,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
{"output":"15:50:35.999624575: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=<NA> uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:50:35.999624575Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799435999624575,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null,"user.uid":4294967295}}
{"output":"15:51:32.838010775: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=runc:[2:INIT] init uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:32.838010775Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799492838010775,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc:[2:INIT] init","proc.pname":null,"user.name":null,"user.uid":4294967295}}
{"output":"15:51:34.928879814: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=<NA> uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:34.928879814Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799494928879814,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null,"user.uid":4294967295}}
{"output":"15:51:43.299514471: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=runc:[2:INIT] init uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:43.299514471Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799503299514471,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc:[2:INIT] init","proc.pname":null,"user.name":null,"user.uid":4294967295}}
	containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.455656160Z", "output_fields": {"container.id":"host","evt.time":1558760985455656160,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}
	{"output":"05:09:45.584579186: Notice Namespace change (setns) by unexpected program (user=root command=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.584579186Z", "output_fields": {"container.id":"host","evt.time":1558760985584579186,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}
	{"output":"05:09:45.584583207: Notice Namespace change (setns) by unexpected program (user=root command=runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72 parent=containerd-shim k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T05:09:45.584583207Z", "output_fields": {"container.id":"host","evt.time":1558760985584583207,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v1.linux/k8s.io/046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72/log.json --log-format json state 046e80497cccd28cd4768cd7aba56c91eebb7bf17b22dd2a2806e35199f28a72","proc.pname":"containerd-shim","user.name":"root"}}


	{"output":"00:00:00.032644480: Informational Container with sensitive mount started (user=root command=container:57fdaf42e28a k8s.ns=<NA> k8s.pod=<NA> container=57fdaf42e28a image=registry.ng.bluemix.net/armada-master/ibm-kube-fluentd-collector:c16fe1602ab65db4af0a6ac008f99ca2a526e6f6 mounts=/etc/kubernetes/:/etc/kubernetes::false:private,/:/host::false:private,/var/log/:/var/log::false:private,/var/lib/docker:/var/lib/docker::false:private,/var/run/docker.sock:/var/run/docker.sock::false:private,/mnt/ibm-kube-fluentd-persist:/mnt/ibm-kube-fluentd-persist::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/logmet-secrets-volume:/mnt/logmet/secrets::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/fluentd-config:/fluentd/etc/config.d/logmet/::false:private,/var/data:/var/data::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/at-fluentd-config:/fluentd/etc/config.d/at/::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/activity-tracker-secrets-volume:/mnt/activity-tracker/secrets/::false:private,/var/log/at:/var/log/at::false:private,/var/log/at-no-rotate:/var/log/at-no-rotate::false:private,/run/containerd:/run/containerd::false:private,/run/containerd/containerd.sock:/run/containerd/containerd.sock::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/ibm-kube-fluentd-token-r7qdj:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/containers/fluentd/bf5c441c:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=57fdaf42e28a","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"1970-01-01T00:00:00.032644480Z", "output_fields": {"container.id":"57fdaf42e28a","container.image.repository":"registry.ng.bluemix.net/armada-master/ibm-kube-fluentd-collector","container.image.tag":"c16fe1602ab65db4af0a6ac008f99ca2a526e6f6","container.mounts":"/etc/kubernetes/:/etc/kubernetes::false:private,/:/host::false:private,/var/log/:/var/log::false:private,/var/lib/docker:/var/lib/docker::false:private,/var/run/docker.sock:/var/run/docker.sock::false:private,/mnt/ibm-kube-fluentd-persist:/mnt/ibm-kube-fluentd-persist::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/logmet-secrets-volume:/mnt/logmet/secrets::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/fluentd-config:/fluentd/etc/config.d/logmet/::false:private,/var/data:/var/data::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~configmap/at-fluentd-config:/fluentd/etc/config.d/at/::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/activity-tracker-secrets-volume:/mnt/activity-tracker/secrets/::false:private,/var/log/at:/var/log/at::false:private,/var/log/at-no-rotate:/var/log/at-no-rotate::false:private,/run/containerd:/run/containerd::false:private,/run/containerd/containerd.sock:/run/containerd/containerd.sock::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/volumes/kubernetes.io~secret/ibm-kube-fluentd-token-r7qdj:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/f8b50f4f-7dfc-11e9-91ca-b24ec00b444a/containers/fluentd/bf5c441c:/dev/termination-log::true:private","evt.time":32644480,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:57fdaf42e28a","user.name":"root"}}
	{"output":"00:00:00.032644480: Informational Container with sensitive mount started (user=root command=container:e0b6f3cf1b82 k8s.ns=<NA> k8s.pod=<NA> container=e0b6f3cf1b82 image=docker.io/falcosecurity/falco:dev mounts=/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/falco-account-token-wrqjh:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/containers/falco/44c6fd56:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=e0b6f3cf1b82","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"1970-01-01T00:00:00.032644480Z", "output_fields": {"container.id":"e0b6f3cf1b82","container.image.repository":"docker.io/falcosecurity/falco","container.image.tag":"dev","container.mounts":"/run/containerd/containerd.sock:/host/run/containerd/containerd.sock::true:private,/dev:/host/dev::true:private,/proc:/host/proc::false:private,/boot:/host/boot::false:private,/lib/modules:/host/lib/modules::false:private,/usr:/host/usr::false:private,/etc:/host/etc/::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~configmap/falco-config:/etc/falco::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/falco-account-token-wrqjh:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/e57da11c-7ea9-11e9-93ff-4ef7489e5fc3/containers/falco/44c6fd56:/dev/termination-log::true:private","evt.time":32644480,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:e0b6f3cf1b82","user.name":"root"}}
	{"output":"05:07:27.509358366: Error File below /etc opened for writing (user=root command=nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true parent=containerd-shim pcmdline=containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd file=/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem program=nginx-ingress gparent=containerd ggparent=systemd gggparent=<NA>) k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805 k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805","priority":"Error","rule":"Write below etc","time":"2019-05-25T05:07:27.509358366Z", "output_fields": {"container.id":"1634df6b1805","evt.time":1558760847509358366,"fd.name":"/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem","k8s.ns.name":"kube-system","k8s.pod.name":"public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv","proc.aname[2]":"containerd","proc.aname[3]":"systemd","proc.aname[4]":null,"proc.cmdline":"nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true","proc.name":"nginx-ingress","proc.pcmdline":"containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd","proc.pname":"containerd-shim","user.name":"root"}}
	{"output":"05:07:29.464598714: Error File below /etc opened for writing (user=root command=nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true parent=containerd-shim pcmdline=containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd file=/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem program=nginx-ingress gparent=containerd ggparent=systemd gggparent=<NA>) k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805 k8s.ns=kube-system k8s.pod=public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv container=1634df6b1805","priority":"Error","rule":"Write below etc","time":"2019-05-25T05:07:29.464598714Z", "output_fields": {"container.id":"1634df6b1805","evt.time":1558760849464598714,"fd.name":"/etc/nginx/ssl/istio-system-nibz-nightly-2019-05-24.pem","k8s.ns.name":"kube-system","k8s.pod.name":"public-cr80b4ed6966ed485b8e8faf72640fc07a-alb1-55f444dcb4-t8xlv","proc.aname[2]":"containerd","proc.aname[3]":"systemd","proc.aname[4]":null,"proc.cmdline":"nginx-ingress -v=3 --nginx-configmaps=kube-system/ibm-cloud-provider-ingress-cm -logtostderr=true","proc.name":"nginx-ingress","proc.pcmdline":"containerd-shim -namespace k8s.io -workdir /var/data/cripersistentstorage/io.containerd.runtime.v1.linux/k8s.io/1634df6b1805ca7aba6d713f216f397e5ec651f526e4b75b706e549c019ecbd3 -address /run/containerd/containerd.sock -containerd-binary /usr/local/bin/containerd","proc.pname":"containerd-shim","user.name":"root"}}
	{"output":"05:07:39.665620473: Informational Container with sensitive mount started (user=<NA> command=container:82ac57611108 k8s.ns=<NA> k8s.pod=<NA> container=82ac57611108 image=quay.io/prometheus/node-exporter:v0.15.2 mounts=/proc:/host/proc::false:private,/sys:/host/sys::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/node-exporter-token-phpg4:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/containers/node-exporter/f2f84ddc:/dev/termination-log::true:private) k8s.ns=<NA> k8s.pod=<NA> container=82ac57611108","priority":"Informational","rule":"Launch Sensitive Mount Container","time":"2019-05-25T05:07:39.665620473Z", "output_fields": {"container.id":"82ac57611108","container.image.repository":"quay.io/prometheus/node-exporter","container.image.tag":"v0.15.2","container.mounts":"/proc:/host/proc::false:private,/sys:/host/sys::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/volumes/kubernetes.io~secret/node-exporter-token-phpg4:/var/run/secrets/kubernetes.io/serviceaccount::false:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/etc-hosts:/etc/hosts::true:private,/var/data/kubelet/pods/fb9c3849-7eaa-11e9-93ff-4ef7489e5fc3/containers/node-exporter/f2f84ddc:/dev/termination-log::true:private","evt.time":1558760859665620473,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"container:82ac57611108","user.name":null}}

	"output":"15:49:46.068759093: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.068759093Z", "output_fields": {"container.id":"host","evt.time":1558799386068759093,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
	{"output":"15:49:46.068762979: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.068762979Z", "output_fields": {"container.id":"host","evt.time":1558799386068762979,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
	{"output":"15:49:46.149588667: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.149588667Z", "output_fields": {"container.id":"host","evt.time":1558799386149588667,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
	{"output":"15:49:46.149592895: Notice Namespace change (setns) by unexpected program (user=<NA> command=<NA> parent=<NA> k8s.ns=<NA> k8s.pod=<NA> container=host) k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Change thread namespace","time":"2019-05-25T15:49:46.149592895Z", "output_fields": {"container.id":"host","evt.time":1558799386149592895,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null}}
	{"output":"15:50:35.999624575: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=<NA> uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:50:35.999624575Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799435999624575,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null,"user.uid":4294967295}}
	{"output":"15:51:32.838010775: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=runc:[2:INIT] init uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:32.838010775Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799492838010775,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc:[2:INIT] init","proc.pname":null,"user.name":null,"user.uid":4294967295}}
	{"output":"15:51:34.928879814: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=<NA> uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:34.928879814Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799494928879814,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"<NA>","proc.pname":null,"user.name":null,"user.uid":4294967295}}
	{"output":"15:51:43.299514471: Notice Unexpected setuid call by non-sudo, non-root program (user=<NA> cur_uid=4294967295 parent=<NA> command=runc:[2:INIT] init uid=root) k8s.ns=<NA> k8s.pod=<NA> container=host k8s.ns=<NA> k8s.pod=<NA> container=host","priority":"Notice","rule":"Non sudo setuid","time":"2019-05-25T15:51:43.299514471Z", "output_fields": {"container.id":"host","evt.arg.uid":"root","evt.time":1558799503299514471,"k8s.ns.name":null,"k8s.pod.name":null,"proc.cmdline":"runc:[2:INIT] init","proc.pname":null,"user.name":null,"user.uid":4294967295}}