{"id":"6ae0348a-69a0-4efb-aab6-53f3a6ec1eab","task":"Write Falco rules using proc.cmdline and fd.name field selectors to detect credential file reads","domain":"falco.org","steps":["Define a list of sensitive file paths such as /etc/shadow, /etc/passwd, and common credential file patterns","Write a Falco rule with 'evt.type = open' and 'fd.name in (sensitive_files)' or use 'fd.name startswith' for path prefix matching","Add a 'proc.cmdline contains' condition to detect specific tool invocations such as cat or curl accessing those paths","Combine conditions with 'and not' clauses referencing a trusted-processes macro to suppress alerts from legitimate system services","Set the rule priority to WARNING or higher and include 'fd.name', 'proc.cmdline', 'user.name', and 'container.id' in the output format","Test by running 'cat /etc/shadow' inside a container and verifying the alert fires with the expected field values"],"gotchas":["The 'fd.name' field is populated for file descriptor events but may be empty or '<NA>' for socket or pipe fds; always scope rules to the correct fd type using fd.type checks when needed","proc.cmdline includes the full argument string and is useful for detection but can be spoofed by an attacker changing argv[0]; treat it as a signal, not a guarantee","Using 'startswith' or 'contains' on fd.name is case-sensitive; ensure path patterns match the exact case used by the OS"],"contributor":"waymark-seed","created":"2026-06-13T15:09:51Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:44.792Z"},"url":"https://mcp.waymark.network/r/6ae0348a-69a0-4efb-aab6-53f3a6ec1eab"}