```yaml
- list: file_operation_paths
  items: [/bob]

- macro: create_symlink
  condition: (evt.type in (symlink, symlinkat) and evt.dir=<)

- macro: open_write
  condition: (evt.type in (open,openat,openat2) and evt.is_open_write=true and fd.typechar='f' and fd.num>=0)

- macro: open_read
  condition: (evt.type in (open,openat,openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)

- macro: open_file_failed
  condition: (evt.type in (open,openat,openat2) and fd.typechar='f' and fd.num=-1 and evt.res startswith E)

- macro: rename
  condition: evt.type in (rename, renameat)

- macro: mkdir
  condition: evt.type = mkdir

- macro: remove
  condition: evt.type in (rmdir, unlink, unlinkat)

- macro: modify
  condition: rename or remove

- macro: file_operation
  condition: (open_read or open_write or modify or open_file_failed or create_symlink or evt.type in (link,linkat))

- rule: Any File Related Operation in Path
  desc: Detect any file operation on a single path
  condition: (fs.path.name pmatch (file_operation_paths) or fs.path.source pmatch (file_operation_paths) or fs.path.target pmatch (file_operation_paths) or fd.name pmatch (file_operation_paths)) and file_operation
  output: >
    Some File Related Operation on Path (evt.type=%evt.type path=%fs.path.name source=%fs.path.source
    target=%fs.path.target user.name=%user.name proc.cmdline=%proc.cmdline proc.pcmdline=%proc.pcmdline container.id=%container.id container.name=%container.name image=%container.image.repository)
  priority: DEBUG
  source: syscall
```
Tried with 'E' and that failed as well.
How to reproduce it
Expected behaviour
I expected a new detection to be shown for open_file_failed, which did not happen.
Screenshots
Not sure if this is an issue with the docs or a bug.
Failed file open attempts, useful to detect threat actors making mistakes
https://man7.org/linux/man-pages/man3/errno.3.html
evt.res=ENOENT - No such file or directory
evt.res=EACCES - Permission denied
Environment
Falco version:
Tried on 0.35 and 0.36

Falco version: 0.35.0
Libs version: 0.11.2
Plugin API: 3.0.0
Engine: 17
Driver:
  API version: 4.0.0
  Schema version: 2.0.0
  Default driver: 5.0.1+driver

Falco version: 0.36.2
Libs version: 0.13.4
Plugin API: 3.1.0
Engine: 26
Driver:
  API version: 5.0.0
  Schema version: 2.0.0
  Default driver: 6.0.1+driver
System info:
5.14.0-362.13.1.el9_3.x86_64
Cloud provider or hardware configuration:
OS:
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.3"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.3 (Shamrock Pampas Cat)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.3"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.3"
RPM
Additional context
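The reproduction step the report leaves empty, as an added example (editor's code, not from the issue author or the Falco project): it triggers several failing open() calls under a directory and returns the errno name that Falco carries in evt.res together with the raw return value carried in evt.rawres, so the output of a rule like open_file_failed can be compared against what the kernel actually returned. The temporary directory and the scenario names are assumptions; to exercise the rule as written, pass a path from file_operation_paths such as /bob.

```python
import errno
import os
import tempfile


def _try_open(path, flags, mode=0o644):
    """One open() attempt, reported the way Falco shows it: the errno name
    (what evt.res carries) and the raw return value (what evt.rawres carries)."""
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        return errno.errorcode[exc.errno], -exc.errno
    os.close(fd)
    return "SUCCESS", fd


def trigger_failed_opens(watch_dir=None):
    """Generate failed opens under watch_dir; return {scenario: (res, rawres)}.

    watch_dir defaults to a fresh temporary directory (assumption); to hit the
    rule in the report, pass a path listed in file_operation_paths, e.g. "/bob".
    """
    if watch_dir is None:
        watch_dir = tempfile.mkdtemp(prefix="falco-open-")
    os.makedirs(watch_dir, exist_ok=True)
    results = {}
    # 1. Nonexistent path: the kernel returns -ENOENT, shown as ENOENT.
    results["missing"] = _try_open(os.path.join(watch_dir, "missing"), os.O_RDONLY)
    # 2. File with no permission bits: EACCES for an unprivileged process.
    #    Root bypasses mode bits (CAP_DAC_OVERRIDE), so it sees SUCCESS instead.
    locked = os.path.join(watch_dir, "locked")
    if not os.path.exists(locked):
        os.close(os.open(locked, os.O_WRONLY | os.O_CREAT, 0o000))
    os.chmod(locked, 0o000)
    results["locked"] = _try_open(locked, os.O_RDONLY)
    # 3. Directory opened for writing: EISDIR, another name starting with 'E'.
    results["dir_for_write"] = _try_open(watch_dir, os.O_WRONLY)
    return results


def matches_evt_res_clause(res_name):
    """Mirror the rule's `evt.res startswith E` test: errno names all begin
    with 'E', while a successful call reports SUCCESS and is excluded."""
    return res_name.startswith("E")


if __name__ == "__main__":
    for scenario, (res, rawres) in trigger_failed_opens().items():
        print(f"{scenario:14} evt.res={res:8} evt.rawres={rawres}"
              f" startswith-E={matches_evt_res_clause(res)}")
```

Run it while Falco is loaded with the rules above and compare the errno names it prints with the evt.type and path fields in any output the rule produces.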