
Sensitive file opened for reading by non-trusted program fires for initContainer runc

Open kyrofa opened this issue 9 months ago • 4 comments

Describe the bug

I have a pod that runs my web application. This pod has an initContainer that runs database migrations before the web application actually fires up. However, that initContainer is triggering the "Sensitive file opened for reading by non-trusted program" warning:

[Image: screenshot of the Falco alert]

It seems like the docker_binaries list should be taken into account for this rule, but I'm no expert here.

Environment

  • Falco version: v0.40.0
  • Cloud provider or hardware configuration: bare metal, server class hardware
  • OS: Debian 12
  • Kernel: 6.1.0
  • Installation method: Helm chart, v4.20.1

kyrofa, Mar 12 '25 21:03
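For anyone hitting the same false positive while waiting on an upstream fix, the following is an added example of a local rule override, not code from the issue or from the falcosecurity/rules project. It assumes the alert comes from the upstream rule named "Read sensitive file untrusted" (the rule whose output string begins with "Sensitive file opened for reading by non-trusted program"), that the Falco version in use supports the `override: condition: append` syntax (introduced before v0.40.0), and that the file is loaded as a custom rules file after the default rules (the path and the image and pod-name values are constructed placeholders).

```yaml
# Added example, not part of the original issue. Assumed location:
# /etc/falco/rules.d/local_rules.yaml (or the Helm chart's customRules value).
# The exception is scoped to the runtime binary inside one specific workload
# rather than excluding runc everywhere: a container runtime reading
# /etc/shadow or similar is exactly the behaviour the rule exists to catch,
# so a global runc exclusion would leave a blind spot.
- rule: Read sensitive file untrusted
  condition: >
    and not (proc.name = runc
             and container.image.repository = "registry.example.com/my-app"
             and k8s.pod.name startswith "my-app-")
  override:
    condition: append
```

Validate the file before rolling it out (`falco -V /etc/falco/rules.d/local_rules.yaml`, path assumed as above), then confirm in the Falco output that the migration initContainer no longer produces the alert while the same rule still fires for an unrelated pod. If the alert's `proc.name` in the screenshot is something other than `runc`, change the `proc.name` comparison to match; the values shown here are constructed for illustration only.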

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana, Jun 10 '25 22:06

/remove-lifecycle stale

kyrofa, Jun 10 '25 22:06

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana, Sep 09 '25 04:09

/remove-lifecycle stale

kyrofa, Sep 09 '25 05:09