pid=-1 in few events

[xmlijhu]

Describe the bug

We follow this using dup syscalls to detect reverse shell, and it works perfect. Until recently we find a few pid=-1 trigger the alert like below, while during time we don't find any dropped events/syscalls. As we can see, except the fd information, all other information is missing.

Warning Redirect stdout/stdin to net ipvx (user=<NA> user_id=4294967295 user_loginname=<NA> user_loginuid=-1 program={*{ <NA> }*} parent={*{ <NA> }*} gparent=<NA> ggparent=<NA> gggparent=<NA> ggggparent=<NA> gggggparent=<NA>  g6parent=<NA> g7parent=<NA> pid=-1 ppid=<NA> container_name=host container_id=host image=<NA> file=10.150.211.130:46444->3.5.155.125:443 fd.num=1 fd.type=ipv4 fd.l4proto=udp fd.sip=3.5.155.125 fd.cip=10.150.211.130 fd.sport=443 command={*{ <NA> }*} pcmdline={*{ <NA> }*})

Environment

This happens in either faco version 0.37/0.39/0.40, and either on legacy ebpf or modern bpf mode.
The OS: amazon Linux 2 (5.10.217-205.860.amzn2.aarch64)

[xmlijhu]

/kind bug

[xmlijhu]

Update: we also found a system with light load, while having few pid=-1 issue.
systen running legacy ebpf mode

[root ]# falco --version
Wed Apr 16 13:25:04 2025: Falco version: 0.37.0 (x86_64)
Wed Apr 16 13:25:04 2025: CLI args: falco --version
Wed Apr 16 13:25:04 2025: Falco initialized with configuration file: /etc/falco/falco.yaml
Wed Apr 16 13:25:04 2025: DEPRECATION NOTICE: 'syscall_buf_size_preset' config is deprecated and will be removed in Falco 0.38! Use 'engine.<driver>.buf_size_preset' config instead
Wed Apr 16 13:25:04 2025: System info: Linux version 4.14.322-244.536.amzn2.x86_64 (mockbuild@ip-10-0-55-163) (gcc version 7.3.1 20180712 (Red Hat 7.3.1-15) (GCC)) #1 SMP Wed Aug 16 04:58:21 UTC 2023
Falco version: 0.37.0
Libs version:  0.14.2
Plugin API:    3.2.0
Engine:        0.31.0
Driver:
  API version:    8.0.0
  Schema version: 2.0.0
  Default driver: 7.0.0+driver



[root ]# cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

total falco event 195, while having 12 events with pid=-1

[root]# wc -l falco-events.log 
195 falco-events.log
[roo]# ip-10-40-74-9 log]# grep -a 'pid=-1' falco-events.log  | wc -l
12

[incertum]

Within the eBPF programs (legacy Falco ebpf or modern_ebpf), we use the BPF helper bpf_get_current_pid_tgid() to associate the thread ID and process ID with the dup* syscall. Since this is done on the kernel side, I wonder if the race condition is something we can even address.

Would you be able to test the kernel module and determine whether it shows a statistical improvement?

---

Regarding the other missing information, if the PID is already missing, we can't retrieve any other values from the process cache in userspace. Therefore, this issue is a follow-up issue rather than the root cause.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten