Here is my rule:

- rule: My test rule
  desc: Alert when cat is executed
  condition: spawned_process and proc.name = cat
  output: TEST_RULE_ALERT (command=%proc.cmdline pid=%proc.pid file=%fd.name user=%user.name user_loginuid=%user.loginuid container_id=%container.id image=%container.image.repository)
  priority: notice
Here is the output when running cat /tmp/xyz:
Jun 03 14:31:56 cks-worker falco[21118]: 14:31:57.851590469: Notice TEST_RULE_ALERT (command=cat /tmp/xyz pid=59166 file=<NA> user=mark user_loginuid=1000 container_id=host image=<NA>)
What am I missing?
The spawned_process macro triggers the alert when you execute the cat command. However, the file isn't opened right at its execution but when the control has passed to the code of the cat command. In other words, you'd need to observe the event of opening a file, not executing the command. Hence, you should observe syscalls like open, openat, and openat2, which are used to open files. Using the open_read macro would do that for you.
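As an added illustration (not part of the question or the answer above), here is the same alert rewritten to key on the file-open event instead of the process spawn, so that %fd.name is populated. The open_read macro is restated locally so the file loads on its own; it mirrors the definition shipped in Falco's default rule set, and the rule name CAT_READ_ALERT is my own choice.

```yaml
# Added example, not from the original thread.
# The open_read macro is restated here (assumed equivalent to the one in
# Falco's default rules) so this file validates on its own with: falco -V <file>
- macro: open_read
  condition: >
    (evt.type in (open,openat,openat2) and evt.is_open_read=true
     and fd.typechar='f' and fd.num>=0)

# Fires on the open/openat/openat2 syscall issued by cat, not on execve,
# so fd.name carries the path being read (e.g. /tmp/xyz) instead of <NA>.
- rule: cat reads a file
  desc: Alert when cat opens a file for reading
  condition: open_read and proc.name = cat
  output: >
    CAT_READ_ALERT (command=%proc.cmdline pid=%proc.pid file=%fd.name
    user=%user.name user_loginuid=%user.loginuid
    container_id=%container.id image=%container.image.repository)
  priority: NOTICE
```

Note that open_read requires fd.num>=0, i.e. a successful open; a cat of a file it cannot read will not trigger this rule, whereas the spawned_process version would.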