I’m seeing false positives for the "Sensitive file opened for reading by non-trusted program" rule after logging in via SSH. It doesn’t happen every time, but it occurs often.
{
"hostname":"***",
"output":"16:33:28.675482344: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=<NA> ggparent=<NA> gggparent=<NA> evt_type=openat user=root user_uid=0 user_loginuid=-1 process=9 proc_exepath=/usr/lib/systemd/systemd-executor parent=systemd command=9 --deserialize 88 --log-level info --log-target journal-or-kmsg terminal=0 container_id=host container_name=host)",
"output_fields":{
"container.id":"host",
"container.name":"host",
"evt.time":1738334008675482344,
"evt.type":"openat",
"fd.name":"/etc/shadow",
"proc.aname[2]":null,
"proc.aname[3]":null,
"proc.aname[4]":null,
"proc.cmdline":"9 --deserialize 88 --log-level info --log-target journal-or-kmsg",
"proc.exepath":"/usr/lib/systemd/systemd-executor",
"proc.name":"9",
"proc.pname":"systemd",
"proc.tty":0,
"user.loginuid":-1,
"user.name":"root",
"user.uid":0
},
"priority":"Warning",
"rule":"Read sensitive file untrusted",
"source":"syscall",
"tags":[
"T1555",
"container",
"filesystem",
"host",
"maturity_stable",
"mitre_credential_access"
],
"time":"2025-01-31T14:33:28.675482344Z"
}
Falco version: 0.40.0
Libs version: 0.20.0
Plugin API: 3.10.0
Engine: 0.46.0
Driver:
API version: 8.0.0
Schema version: 3.5.0
Default driver: 8.0.0+driver
{
"machine": "x86_64",
"nodename": "***",
"release": "6.8.0-52-generic",
"sysname": "Linux",
"version": "#53-Ubuntu SMP PREEMPT_DYNAMIC Sat Jan 11 00:06:25 UTC 2025"
}
Hey,
The issue seems to be that `proc.name` is reported as `9` instead of `systemd`. But I'm not sure if that's an issue on my side. Here's an example log:
Environment
Ubuntu 24.04.1 LTS
Linux 6.8.0-52-generic
DEB
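Added example, not part of the issue report and not Falco's own code: a small Python triage script that replays Falco `json_output` lines and compares two ways of exempting a process from the `Read sensitive file untrusted` rule. The event above shows that `proc.name` follows whatever argv[0] the launcher passed (`9`, matching the start of `proc.cmdline`), while `proc.exepath` still resolves to `/usr/lib/systemd/systemd-executor`. An allowlist keyed on `proc.name` therefore both fires on this legitimate executor and, conversely, would trust any binary that sets its argv[0] to `systemd`. The first alert's `output_fields` are taken from the event in this issue; the other two alerts, the allowlists (`TRUSTED_NAMES`, `TRUSTED_EXEPATHS`) and the function names are constructed for illustration.

```python
"""Replay Falco json_output alerts and compare proc.name- vs proc.exepath-based exemptions."""
import json
import os

# Constructed sample of Falco json_output (one JSON object per line).
# Line 1: output_fields copied from the event in this issue (systemd-executor with argv[0] "9").
# Line 2: constructed impostor that named itself "systemd" but runs from /tmp.
# Line 3: constructed genuine read of /etc/shadow by cat.
SAMPLE_ALERTS = r'''
{"rule":"Read sensitive file untrusted","output_fields":{"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"9 --deserialize 88 --log-level info --log-target journal-or-kmsg","proc.exepath":"/usr/lib/systemd/systemd-executor","proc.name":"9","proc.pname":"systemd","user.uid":0}}
{"rule":"Read sensitive file untrusted","output_fields":{"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"systemd --deserialize 88","proc.exepath":"/tmp/.cache/systemd","proc.name":"systemd","proc.pname":"bash","user.uid":0}}
{"rule":"Read sensitive file untrusted","output_fields":{"evt.type":"openat","fd.name":"/etc/shadow","proc.cmdline":"cat /etc/shadow","proc.exepath":"/usr/bin/cat","proc.name":"cat","proc.pname":"bash","user.uid":1000}}
'''.strip()

# Hypothetical allowlists: what a proc.name-based exception would hold, versus an
# exepath-based one scoped to the executor and its expected parent.
TRUSTED_NAMES = {"systemd", "systemd-executor"}
TRUSTED_EXEPATHS = {"/usr/lib/systemd/systemd-executor"}


def load_alerts(ndjson: str) -> list[dict]:
    """Parse Falco json_output (newline-delimited JSON), skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def exempt_by_name(fields: dict) -> bool:
    """Exemption keyed on proc.name, i.e. on argv[0] as reported by Falco."""
    return fields.get("proc.name") in TRUSTED_NAMES


def exempt_by_exepath(fields: dict) -> bool:
    """Exemption keyed on the resolved executable path plus the parent process name."""
    return (fields.get("proc.exepath") in TRUSTED_EXEPATHS
            and fields.get("proc.pname") == "systemd")


def argv0_mismatch(fields: dict) -> bool:
    """True when proc.name differs from the basename of proc.exepath.

    Useful triage signal for cases like the executor above, but not sufficient on its
    own: the impostor in the sample keeps name and basename consistent."""
    return fields.get("proc.name") != os.path.basename(fields.get("proc.exepath", ""))


def triage(alerts: list[dict], policy) -> dict[str, str]:
    """Return {proc.exepath: "exempt" | "alert"} for each alert under the given policy."""
    verdicts = {}
    for alert in alerts:
        fields = alert["output_fields"]
        verdicts[fields["proc.exepath"]] = "exempt" if policy(fields) else "alert"
    return verdicts


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for label, policy in (("by proc.name", exempt_by_name), ("by proc.exepath", exempt_by_exepath)):
        print(f"--- exemption {label} ---")
        for exepath, verdict in triage(alerts, policy).items():
            print(f"{verdict:6}  {exepath}")
    print("--- argv[0] / exepath mismatches ---")
    for alert in alerts:
        f = alert["output_fields"]
        print(f"{argv0_mismatch(f)!s:5}  name={f['proc.name']!r} exepath={f['proc.exepath']!r}")
```

Under the name-based policy the executor event stays an alert (the false positive reported here) while the `/tmp` impostor is silently exempted; the exepath-based policy handles both. In Falco terms this corresponds to writing the exception against `proc.exepath` (and `proc.pname`) rather than `proc.name`; which macro in the default ruleset is the right place to override depends on the rules version you run, so check the rule's condition in the `falco_rules.yaml` shipped with your install.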