FedeDP
commented
2 years ago Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)
Open Andreagit97 opened 2 years ago
FedeDP
commented
2 years ago Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :)
leodido
commented
2 years ago 
jasondellaluce
commented
2 years ago Linking this to https://github.com/falcosecurity/libs/issues/269
loresuso
commented
2 years ago Hi @Andreagit97, it seems to me that we are missing monitoring for the prctl syscall. I think it could be useful to add monitoring for it since it can be used to e.g. change a process name, paired with a subsequent fork! If you agree, let's add it to the list!
Ref: https://github.com/blackberry/Falco-bypasses/blob/main/fubers/fuber-fakeparents.c#L29
Andreagit97
commented
2 years ago Hi @Andreagit97, it seems to me that we are missing monitoring for the
prctlsyscall. I think it could be useful to add monitoring for it since it can be used to e.g. change a process name, paired with a subsequentfork! If you agree, let's add it to the list!
Completely agree with you @loresuso we need it! I wll add it to the list, thank you!
Ref: https://github.com/blackberry/Falco-bypasses/blob/main/fubers/fuber-fakeparents.c#L29
FedeDP
commented
1 year ago FedeDP
commented
1 year ago As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events. Then, we can later work on implementing driver fillers for them.
FedeDP
commented
1 year ago falcosecurity/libs#649 adds support for all the listed syscalls, as generic events.
poiana
commented
1 year ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
jasondellaluce
commented
1 year ago /remove-lifecycle stale
yo348
commented
1 year ago chown family of syscalls. I plan to submit a PR for it soon.
https://github.com/falcosecurity/libs/issues/892
Andreagit97
commented
1 year ago chown family of syscalls. I plan to submit a PR for it soon. https://github.com/falcosecurity/libs/issues/892
see https://github.com/falcosecurity/libs/issues/892#issuecomment-1433793604
poiana
commented
7 months ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Andreagit97
commented
7 months ago /remove-lifecycle stale
poiana
commented
4 months ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Andreagit97
commented
4 months ago /remove-lifecycle stale
poiana
commented
1 month ago Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Andreagit97
commented
1 month ago /remove-lifecycle stale
Motivation
I think we need an issue to track all the missing syscalls that can have a security value for
Falco. I detected these ones right now:fsconfighttps://github.com/falcosecurity/libs/pull/606fsmountfsopenfspickopen_treemove_mountmount_setattrmemfd_createhttps://github.com/falcosecurity/libs/pull/1127memfd_secretiopermkexec_file_loadkexec_load(it is already in our tables but there is no implementation)pidfd_getfdhttps://github.com/falcosecurity/libs/pull/1145pidfd_openhttps://github.com/falcosecurity/libs/pull/1187pidfd_send_signalpkey_allocpkey_mprotectpkey_freelandlock_create_rulesetquotactl_fdlandlock_restrict_selflandlock_add_ruleepoll_pwait2migrate_pagesmove_pagesmlock2https://github.com/falcosecurity/libs/pull/358preadv2pwritev2prctlarch_prctlumounthttps://github.com/falcosecurity/libs/pull/936mknodhttps://github.com/falcosecurity/libs/pull/1270mknodathttps://github.com/falcosecurity/libs/pull/1270init_modulehttps://github.com/falcosecurity/libs/pull/1242finit_modulehttps://github.com/falcosecurity/libs/pull/1242Please if you have in mind other syscalls, leave a comment under this issue and I will add them to the list. This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority. I hope it could be helpful for all the
Falcocommunity :smiley: