Skip to content

update(falco_rules): exclude systemd helpers from Read sensitive file…#374

Open
mayanksekhar wants to merge 1 commit into
falcosecurity:mainfrom
mayanksekhar:fix-read-sensitive-file-systemd-fp
Open

update(falco_rules): exclude systemd helpers from Read sensitive file…#374
mayanksekhar wants to merge 1 commit into
falcosecurity:mainfrom
mayanksekhar:fix-read-sensitive-file-systemd-fp

Conversation

@mayanksekhar

Copy link
Copy Markdown

/kind bug

/area rules

/area maturity-stable

What this PR does / why we need it:

The Read sensitive file untrusted rule (maturity_stable) fires false positives on modern systemd hosts when systemd's own short-lived helper processes read account/PAM files during normal operation.

The rule already attempts to exclude systemd, but those exclusions match on proc.name, which is unusable for these helpers: it is a bare file-descriptor number (e.g. 16) for systemd-executor, and comm-truncated to 15 chars (systemd-userwor) for systemd-userwork. The existing name-based exclusions therefore never match, and the rule alerts.

This adds a systemd_sensitive_file_readers macro that matches on proc.exepath instead. proc.exepath is kernel-resolved and cannot be influenced by argv[0], and each entry is anchored to its expected systemd parent so the exclusion stays tight rather than blanket-trusting /usr/lib/systemd/*. Two helpers are covered:

  • systemd-executor — unit (re)exec deserialize handoff
  • systemd-userwork — userdb (User/Group Record Lookup) query worker

Per the repo's versioning guidelines this is a backward-compatible patch change (adding an exception to an existing rule; no required_engine_version change).

Which issue(s) this PR fixes:

Fixes #291
Related: falcosecurity/falco#3480

Special notes for your reviewer:

The systemd-userwork variant was reproduced locally on systemd 259 / Falco 0.44.1 and verified by deterministic capture replay: replaying the same .scap against the rule produces 2 Read sensitive file untrusted alerts before this change and 0 after, while a genuine untrusted read (cat /etc/shadow) still fires.

I could not reproduce the systemd-executor variant on my systemd version, but it is documented with full field dumps in #291 (thanks to @marwinski, who identified that proc.name matching was the blocker) and in falcosecurity/falco#3480.

If you'd prefer to land this incrementally, I'm happy to scope it down to systemd-userwork only — the case I reproduced directly — and track systemd-executor separately.

Does this PR introduce a user-facing change?:

update(falco_rules): exclude legitimate systemd helper processes (systemd-executor, systemd-userwork) from false positives in `Read sensitive file untrusted`

… untrusted

systemd spawns short-lived helper processes that legitimately read sensitive
account and PAM files during normal operation. Because these helpers report a
bare-number or comm-truncated proc.name, they cannot be matched by name, so the
existing systemd exclusions in the rule do not cover them and the rule fires a
false positive on every affected host.

This adds a systemd_sensitive_file_readers macro that matches on proc.exepath
(kernel-resolved and unspoofable) anchored to the expected systemd parent,
covering two observed helpers:

  - systemd-executor  (unit re-exec deserialize handoff)
  - systemd-userwork  (userdb User/Group Record Lookup worker)

The systemd-userwork case was reproduced locally on systemd 259 / Falco 0.44.1
and verified by deterministic capture replay. The systemd-executor case is
reported in falcosecurity#291 and falcosecurity/falco#3480.

Signed-off-by: MayankSekhar <mayankshekharsingh@gmail.com>
@poiana

poiana commented Jul 2, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mayanksekhar
Once this PR has been reviewed and has the lgtm label, please assign loresuso for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana added the area/maturity-stable See the Rules Maturity Framework label Jul 2, 2026
@poiana

poiana commented Jul 2, 2026

Copy link
Copy Markdown

Welcome @mayanksekhar! It looks like this is your first PR to falcosecurity/rules 🎉

@poiana poiana added the size/S label Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/maturity-stable See the Rules Maturity Framework area/rules dco-signoff: yes kind/bug Something isn't working size/S

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

Fase positive event supposedly triggered by new systemd feature

2 participants