Open Andreagit97 opened 2 years ago
Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)
Linking this to https://github.com/falcosecurity/libs/issues/269
Hi @Andreagit97, it seems to me that we are missing monitoring for the prctl syscall. I think it could be useful to add monitoring for it since it can be used to e.g. change a process name, paired with a subsequent fork! If you agree, let's add it to the list!
Ref: https://github.com/blackberry/Falco-bypasses/blob/main/fubers/fuber-fakeparents.c#L29
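The comment above points out that, without prctl events, a process that renames itself via PR_SET_NAME and then forks is invisible to a rule that keys on the process name. The following script is an added example (not code from this issue, from Falco, or from the referenced Falco-bypasses repository) of the kind of point-in-time check a defender can run in the meantime: it compares the kernel-visible thread name in /proc/PID/comm with the executable behind /proc/PID/exe, allowing for the 15-byte comm truncation, unlinked binaries, and multi-call or version-suffixed binaries where argv[0] legitimately differs. Function names, the constructed sample values in the usage, and the /proc layout assumptions (Linux procfs, readable exe links) are the example's own.

```python
import os
from typing import List, Optional, Tuple

# Linux TASK_COMM_LEN is 16: the kernel keeps at most 15 bytes of the thread
# name plus a terminating NUL, so longer names are silently truncated.
TASK_COMM_LEN = 16


def comm_mismatch(comm: str, exe: str, argv0: Optional[str] = None) -> bool:
    """Return True when the thread name (comm) does not agree with the binary
    the process is really running.

    comm is normally derived from the basename of the exec'd path and is
    truncated to 15 bytes, so the comparison is prefix-based. argv0 is a
    second accepted candidate because multi-call binaries (busybox) and
    version-suffixed interpreters (python3 -> python3.11) legitimately differ
    from the resolved exe path. A comm that matches neither is the pattern a
    PR_SET_NAME rename leaves behind.
    """
    comm = comm.strip()
    # readlink(/proc/<pid>/exe) appends " (deleted)" when the file was unlinked
    exe_base = os.path.basename(exe.replace(" (deleted)", ""))
    candidates = [exe_base]
    if argv0:
        candidates.append(os.path.basename(argv0))
    return not any(c[: TASK_COMM_LEN - 1] == comm for c in candidates)


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str]]:
    """Walk procfs and return (pid, comm, exe) for every process whose comm
    disagrees with its executable. Kernel threads (no exe link), processes
    we may not inspect, and processes that exit mid-scan are skipped."""
    findings: List[Tuple[int, str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm"), encoding="utf-8", errors="replace") as f:
                comm = f.read()
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                argv = f.read().split(b"\0")
            argv0 = argv[0].decode("utf-8", "replace") if argv and argv[0] else None
        except OSError:
            # kernel thread, insufficient permission, or the process is gone
            continue
        if comm_mismatch(comm, exe, argv0):
            findings.append((int(entry), comm.strip(), exe))
    return findings


if __name__ == "__main__":
    # Constructed sample values, then a live scan of the local procfs.
    print(comm_mismatch("bash", "/usr/bin/bash"))                       # False
    print(comm_mismatch("kworker/u8:1", "/tmp/.cache/payload"))        # True
    for pid, comm, exe in scan_proc():
        print(f"pid={pid} comm={comm!r} exe={exe}")
```

This is a snapshot, not a substitute for syscall-level visibility: a process can rename itself, fork, and have the child rename back between two scans, which is exactly why the issue asks for prctl to be captured by the driver. The mismatch list is best treated as a triage input, cross-checked against /proc/PID/status and the parent chain, rather than as an alert on its own.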
Completely agree with you @loresuso, we need it! I will add it to the list, thank you!
As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events. Then, we can later work on implementing driver fillers for them.
falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
/remove-lifecycle stale
chown family of syscalls. I plan to submit a PR for it soon. https://github.com/falcosecurity/libs/issues/892
see https://github.com/falcosecurity/libs/issues/892#issuecomment-1433793604
Motivation
I think we need an issue to track all the missing syscalls that can have a security value for Falco. I detected these ones right now:
- fsconfig: https://github.com/falcosecurity/libs/pull/606
- fsmount
- fsopen
- fspick
- open_tree
- move_mount
- mount_setattr
- memfd_create: https://github.com/falcosecurity/libs/pull/1127
- memfd_secret
- ioperm
- kexec_file_load
- kexec_load (it is already in our tables but there is no implementation)
- pidfd_getfd: https://github.com/falcosecurity/libs/pull/1145
- pidfd_open: https://github.com/falcosecurity/libs/pull/1187
- pidfd_send_signal
- pkey_alloc
- pkey_mprotect
- pkey_free
- landlock_create_ruleset
- quotactl_fd
- landlock_restrict_self
- landlock_add_rule
- epoll_pwait2
- migrate_pages
- move_pages
- mlock2: https://github.com/falcosecurity/libs/pull/358
- preadv2
- pwritev2
- prctl
- arch_prctl
- umount: https://github.com/falcosecurity/libs/pull/936
- mknod: https://github.com/falcosecurity/libs/pull/1270
- mknodat: https://github.com/falcosecurity/libs/pull/1270
- init_module: https://github.com/falcosecurity/libs/pull/1242
- finit_module: https://github.com/falcosecurity/libs/pull/1242
Please, if you have other syscalls in mind, leave a comment under this issue and I will add them to the list. This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority. I hope it could be helpful for all the Falco community :smiley: