## GitHub Issue: health-monitor.sh CPU allowlist creates security blind spot by suppressing all 'find' processes
A recent change to the `health-monitor.sh` monitoring script has opened a monitoring blind spot. The fix for a noisy alert added the `find` command to the allowlist of processes trusted to run at high CPU, which suppresses alerts for *every* process named `find` running hot, not only the instance launched by `security-scan.sh` that was producing the false positives. On a host where the monitor runs as root, any high-CPU `find`, including one started by an attacker or by malware, is now silently ignored.

The change, introduced in PR #507, added `find` to the allowlist on line ~302 to stop the daily false-positive alerts triggered by a `security-scan.sh` script that runs at 04:00 UTC. It solves the noise problem, but its scope is far too broad. The script's existing `proc_exe` check only verifies the binary path: it confirms that a process is the real `/usr/bin/find`, but it cannot distinguish the benign daily scan from a resource-intensive, unauthorized search launched by an attacker or malware with that same binary.

The result is a direct risk on systems where `find` can be abused under cover of a process name the monitor trusts: to locate data for exfiltration, to hunt for privilege-escalation targets such as setuid binaries or world-writable files, or simply to burn CPU and I/O as a denial of service. The suggested remediation is to narrow the allowlist logic, for example by checking the parent process or the command-line arguments, so that only the legitimate `security-scan.sh` invocation is exempted instead of granting a blanket exemption to a powerful and common system utility.
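As an added example (not code from the issue, from PR #507, or from `health-monitor.sh` itself), the shell function below implements the narrowed check the issue proposes: it keeps a `proc_exe`-style binary check and additionally walks the parent chain through `/proc/<pid>/status`, looking for a shell whose argv names `security-scan.sh`. The helper names, the depth limit of 5, the `/usr/local/sbin` path, and the fake `/proc` tree used to exercise it offline are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of health-monitor.sh: only exempt a hot `find`
# when (1) it is the real /usr/bin/find and (2) an ancestor is the daily
# security-scan.sh shell. Names and paths below are assumptions.
set -eu

PROC_ROOT="${PROC_ROOT:-/proc}"          # overridable so a fake tree can be used offline
FIND_EXE="/usr/bin/find"                 # assumed install path of the real binary
ALLOWED_PARENT_SCRIPT="security-scan.sh" # assumed name of the sanctioned scan script
MAX_ANCESTOR_DEPTH=5                     # how far up the parent chain to look

# Resolved executable of <pid>; empty if unreadable. A binary replaced on disk
# shows as "/usr/bin/find (deleted)" and therefore fails the exact match below.
proc_exe() { readlink "$PROC_ROOT/$1/exe" 2>/dev/null || true; }

# Parent pid of <pid> from the PPid: line of /proc/<pid>/status; empty if unreadable.
proc_ppid() { awk '/^PPid:/ { print $2 }' "$PROC_ROOT/$1/status" 2>/dev/null || true; }

# Success if argv[0] or argv[1] of <pid> is the sanctioned script (with or without a
# directory). For "#!" scripts the kernel runs "<interpreter> <script> ...", so the
# script path is argv[1]; argv[0] covers a script that re-execs itself by name.
ancestor_runs_script() {
  [ -r "$PROC_ROOT/$1/cmdline" ] || return 1
  tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" | head -n 2 \
    | awk -v s="$ALLOWED_PARENT_SCRIPT" \
        'BEGIN { rc = 1 } { n = split($0, p, "/"); if (p[n] == s) rc = 0 } END { exit rc }'
}

# Success only when <pid> is the real find AND descends from security-scan.sh.
find_is_allowlisted() {
  local pid="$1" cur depth=0
  [ "$(proc_exe "$pid")" = "$FIND_EXE" ] || return 1
  cur="$(proc_ppid "$pid")"
  while [ -n "$cur" ] && [ "$cur" -gt 1 ] && [ "$depth" -lt "$MAX_ANCESTOR_DEPTH" ]; do
    if ancestor_runs_script "$cur"; then return 0; fi
    cur="$(proc_ppid "$cur")"
    depth=$((depth + 1))
  done
  return 1
}

# --- constructed /proc look-alike so the check can be exercised offline ---
# fake_proc_add <root> <pid> <ppid> <exe> <argv...>
fake_proc_add() {
  local root="$1" pid="$2" ppid="$3" exe="$4"
  shift 4
  mkdir -p "$root/$pid"
  ln -s "$exe" "$root/$pid/exe"
  printf '%s\0' "$@" > "$root/$pid/cmdline"
  printf 'Name:\t%s\nPPid:\t%s\n' "$(basename -- "$exe")" "$ppid" > "$root/$pid/status"
}

# Prints the path of a fresh fake tree. Pids and paths are made up for this example.
make_fake_proc() {
  local root
  root="$(mktemp -d)"
  # 100: the sanctioned scan; 101: its find (should stay quiet)
  fake_proc_add "$root" 100 1   /bin/bash     /bin/bash /usr/local/sbin/security-scan.sh
  fake_proc_add "$root" 101 100 /usr/bin/find find / -xdev -perm -4000 -type f
  # 200: some other shell; 201: its find (must alert, even though the exe is genuine)
  fake_proc_add "$root" 200 1   /bin/bash     bash -c "find / -name *.pem"
  fake_proc_add "$root" 201 200 /usr/bin/find find / -name "*.pem"
  # 102: a copied binary called find, launched under the scan shell (exe check rejects it)
  fake_proc_add "$root" 102 100 /tmp/find     find / -name "*.key"
  echo "$root"
}

main() {
  local root pid
  root="$(make_fake_proc)"
  PROC_ROOT="$root"
  for pid in 101 201 102; do
    if find_is_allowlisted "$pid"; then
      echo "pid $pid: real find under $ALLOWED_PARENT_SCRIPT, no alert"
    else
      echo "pid $pid: not exempt, alert on sustained high CPU"
    fi
  done
  rm -rf "$root"
}
main
```

On a real host the functions are used with the default `PROC_ROOT=/proc` against the pid the CPU sampler flagged. This restores alerting for every `find` that is not a descendant of the scan (pid 201 above) and still rejects a look-alike binary under the scan shell (pid 102). It narrows the exemption but does not authenticate the scan: anyone who can start processes can also name a wrapper `security-scan.sh`, so a tighter variant should also pin the ancestor's own `exe` and full script path, or confine the exemption to the scan's scheduled window or service cgroup where the host provides one.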
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, monitoring, false-positive, bash, vulnerability
- **Credibility**: unverified
- **Published**: 2026-04-08 08:27:04
- **ID**: 54590
- **URL**: https://whisperx.ai/en/intel/54590