Why I do not see the file path in a simple falco rule output concerning the cat command?

Question

Here is my rule:

- rule: My test rule
  desc: Alert when cat is executed
  condition: spawned_process and proc.name = cat
  output: TEST_RULE_ALERT (command=%proc.cmdline pid=%proc.pid file=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
  priority: notice

Here is the output when running cat /tmp/xyz:

Jun 03 14:31:56 cks-worker falco[21118]: 14:31:57.851590469: Notice TEST_RULE_ALERT (command=cat /tmp/xyz pid=59166 file=<NA> user=mark user_loginuid=1000 container_id=host image=<NA>)

What am I missing?

score 0 · Accepted Answer · answered Jun 05 '23 at 12:31

The spawned_process macro triggers the alert when you execute the cat command. However, the file isn't opened right at its execution but when the control has passed to the code of the cat command. In other words, you'd need to observe the event of opening a file, not executing the command.

Hence, you should observe syscalls like open, openat, and openat2, which are used to open files. Using the open_read macro would do that for you.

Why I do not see the file path in a simple falco rule output concerning the cat command?

1 Answers1