[Brainstorming] Key Features Discussion for Falco 0.35 + Falco 0.36, 0.37 outlook -> integrate outcomes into new roadmap process

[incertum]

Motivation

Ad-hoc brainstorming as we are transitioning to a more formal roadmap process. Items listed below do not reflect a confirmed roadmap.

Falco 0.35 Top Features Priorities (Brainstorming)

Suggesting the following features. Only features requiring substantial engineering efforts and/or collaborations are listed below.

• [x] (Performance) modern_bpf production-readiness.
• [ ] (Threat Detection) Symlink resolution of executables in execve* system calls.
• [ ] (Threat Detection) "memfd+exec" flag for process executions.
• [ ] (Stability) Issues around running Falco binary remain relevant -> re-audit each exception and attempt to accomplish a more intuitive user experience. Improve debugging and user guides as well. Same applies for making rules usage and validations more intuitive and other related issues that have been raised.
• [ ] (Stability, Performance) Issues around k8s plugin -k flag.
• [ ] (Stability) Race conditions or other issues can cause container engine to fail enrichment for otherwise same events / conditions. This can also apply to the parent process lineage -> re-audit existing capabilities for production stability and scale, especially container engines and process cache / state engine, possibly more aspects such as other filter/display fields that have been raised as being occasionally incorrect.
• [x] (Performance) Stable solution for system call activation in the kernel drivers based on Falco rules and new config options.
• [ ] (Performance) Native support for resource utilization metrics and specialized metrics.
• [ ] ...

Falco 0.36 Top Features Priorities (Brainstorming) - Start POCs / Scoping / Development leading up to 0.35

• [ ] (Threat Detection) LSM hooks / kprobes for eBPF.
• [ ] (Threat Detection) Symlink resolution for file related events and logging of interpreter scripts binary paths.
• [ ] (Threat Detection) is_upper_layer, ctime, mtime for files.
• [ ] (Threat Detection) Extension of rules expression language to enable more compact and powerful rules.
• [ ] (Threat Detection) Improve DNS capabilities
• [ ] (Enrichment) Docker in Docker container engine extension.
• [ ] (Stability) ...
• [ ] (Performance) ...
• [ ] ...

Falco 0.37 Top Features Priorities (Brainstorming) - Start POCs / Scoping / Development leading up to 0.36

• [ ] (Threat Detection) on host application behavior anomaly detection
• [ ] (Threat Detection) detect more memory based attacks and other attacks that currently can be evaded
• [ ] (Stability) ...
• [ ] (Performance) ...
• [ ] ...

[Andreagit97]

I like the plan for Falco 0.35 maybe it is a little bit too rich :joy: On my side I can surely help and actively work on these topics:

• (Performance) modern_bpf production-readiness.
• (Performance) Stable solution for system call activation in the kernel drivers based on Falco rules and new config options.
  • Refinement and enhancement of the tracepoint logic
  • Cleanup of tables inconsistencies

Probably I won't work directly on these topics but I will try to experiment some possible way to address symlinks and similar stuff in a generic way:

• (Threat Detection) Symlink resolution of executables in execve* system calls.
• (Threat Detection) "memfd+exec" flag for process executions.

BTW I would love to see something around this since it is currently one of the biggest issue we have :(

• (Stability, Performance) Issues around k8s plugin -k flag.

[incertum]

@Andreagit97 helping with modern_bpf production-readiness 🙃 https://github.com/falcosecurity/falco/issues/2451!

[incertum]

Probably I won't work directly on these topics but I will try to experiment some possible way to address symlinks and similar stuff in a generic way:

• (Threat Detection) Symlink resolution of executables in execve* system calls.
• (Threat Detection) "memfd+exec" flag for process executions.

Same happy to help here, @loresuso know you already looked into those, would you have some initial "Level of Effort" estimates or possible gotchas you already uncovered? Thanks a bunch in advance!

[loresuso]

Hello everybody, @incertum yep I have looked a bit into it but never got my hands dirty to do actual symlink resolution. What I'd like to say here, is that if we implement the resolution of symlink (it is needed in our bpf probes, d_path could be used from the kernel module) we probably solve also the memfd+exec problem, since the kernel puts a memfd: prefix to the "internal" name that it gives to the file. Of course I am happy to help with this and work with you all!

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[poiana]

Rotten issues close after 30d of inactivity.

Reopen the issue with /reopen.

Mark the issue as fresh with /remove-lifecycle rotten.

Provide feedback via https://github.com/falcosecurity/community. /close

[poiana]

@poiana: Closing this issue.

In response to [this](https://github.com/falcosecurity/falco/issues/2441#issuecomment-1741794031): >Rotten issues close after 30d of inactivity. > >Reopen the issue with `/reopen`. > >Mark the issue as fresh with `/remove-lifecycle rotten`. > >Provide feedback via https://github.com/falcosecurity/community. >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.