Closed incertum closed 1 year ago
I like the plan for Falco 0.35; maybe it is a little bit too rich :joy: On my side I can surely help and actively work on these topics:
Probably I won't work directly on these topics, but I will try to experiment with some possible ways to address symlinks and similar stuff in a generic way:
BTW I would love to see something around this, since it is currently one of the biggest issues we have :(
@Andreagit97 helping with modern_bpf production-readiness 🙃 https://github.com/falcosecurity/falco/issues/2451!
Probably I won't work directly on these topics, but I will try to experiment with some possible ways to address symlinks and similar stuff in a generic way:
- (Threat Detection) Symlink resolution of executables in execve* system calls.
- (Threat Detection) "memfd+exec" flag for process executions.
Same, happy to help here. @loresuso I know you already looked into those; would you have some initial "Level of Effort" estimates or possible gotchas you already uncovered? Thanks a bunch in advance!
Hello everybody, @incertum yep, I have looked a bit into it but never got my hands dirty with actual symlink resolution.
What I'd like to say here is that if we implement the resolution of symlinks (it is needed in our BPF probes; d_path could be used from the kernel module), we probably also solve the memfd+exec problem, since the kernel puts a "memfd:" prefix on the "internal" name that it gives to the file. Of course I am happy to help with this and work with you all!
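As an added example (not code from Falco, libs, or anyone in this thread), the C program below shows from userspace the two things the comment above relies on: the name the kernel reports for a memfd-backed file, and symlink resolution of the path handed to execve. It assumes that readlink(2) on /proc/self/fd/N and realpath(3) stand in for the in-kernel d_path resolution the comment proposes, and that both yield the same "/memfd:<name> (deleted)" naming; the functions is_memfd_backed, memfd_name, resolve_execve_path and observe_memfd_name are mine, not Falco's.

```c
/* Added example, not Falco/libs code. Shows what a resolved executable name
 * looks like for a memfd-backed file and how a detector could key on it,
 * plus userspace symlink resolution of an execve path. readlink(2) on
 * /proc/self/fd/N and realpath(3) stand in for the in-kernel d_path()
 * resolution proposed in the thread (assumption: same "/memfd:" naming). */
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/mman.h>
/* Explicit prototype so the example builds even when the feature macro above
 * is evaluated too late to expose it from <sys/mman.h>. */
extern int memfd_create(const char *name, unsigned int flags);
#endif

/* The kernel names memfd files "/memfd:<name>"; resolved through a
 * d_path-style lookup the unlinked inode also carries " (deleted)". */
static const char MEMFD_PREFIX[] = "/memfd:";
static const char DELETED_SUFFIX[] = " (deleted)";

/* Detection predicate: 1 if the resolved path denotes a memfd-backed file. */
int is_memfd_backed(const char *resolved)
{
    return resolved != NULL &&
           strncmp(resolved, MEMFD_PREFIX, sizeof(MEMFD_PREFIX) - 1) == 0;
}

/* Copies the user-chosen memfd name ("payload" for "/memfd:payload (deleted)")
 * into out. Returns 0 on success, -1 if the path is not memfd-backed. */
int memfd_name(const char *resolved, char *out, size_t outlen)
{
    if (!is_memfd_backed(resolved) || outlen == 0)
        return -1;
    const char *name = resolved + sizeof(MEMFD_PREFIX) - 1;
    size_t n = strlen(name), slen = sizeof(DELETED_SUFFIX) - 1;
    if (n >= slen && strcmp(name + n - slen, DELETED_SUFFIX) == 0)
        n -= slen;                       /* drop the " (deleted)" decoration */
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, name, n);
    out[n] = '\0';
    return 0;
}

/* Resolves the path handed to execve (possibly a symlink) to the file that
 * actually runs. Returns 0 on success, -1 on lookup failure. */
int resolve_execve_path(const char *path, char *out, size_t outlen)
{
    char *real = realpath(path, NULL);
    if (real == NULL)
        return -1;
    snprintf(out, outlen, "%s", real);
    free(real);
    return 0;
}

/* Live check (Linux only): create a memfd and read the name the kernel gives
 * it through /proc. Returns 0 and fills out on success, -1 otherwise. */
int observe_memfd_name(char *out, size_t outlen)
{
#ifdef __linux__
    int fd = memfd_create("payload", 0);
    if (fd < 0)
        return -1;
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, out, outlen - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
#else
    (void)out; (void)outlen;
    return -1;
#endif
}

int main(void)
{
    char seen[PATH_MAX], name[64], target[PATH_MAX];

    if (observe_memfd_name(seen, sizeof seen) == 0) {
        memfd_name(seen, name, sizeof name);
        printf("kernel reports %s -> memfd-backed=%d name=%s\n",
               seen, is_memfd_backed(seen), name);
    }
    /* /bin/sh is a symlink on most distributions (e.g. to dash or bash). */
    if (resolve_execve_path("/bin/sh", target, sizeof target) == 0)
        printf("execve(\"/bin/sh\") actually runs %s\n", target);
    return 0;
}
```

The point for a rule author is that once the executable path is resolved, a memfd-backed execution and a symlinked interpreter both become matchable on the resolved name rather than on whatever string the caller passed to execve.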
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten
Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://github.com/falcosecurity/community.
/close
@poiana: Closing this issue.
Motivation
Ad-hoc brainstorming as we are transitioning to a more formal roadmap process. Items listed below do not reflect a confirmed roadmap.
Falco 0.35 Top Features Priorities (Brainstorming)
Suggesting the following features. Only features requiring substantial engineering efforts and/or collaborations are listed below.
- modern_bpf production-readiness.
- -k flag.
Falco 0.36 Top Features Priorities (Brainstorming) - Start POCs / Scoping / Development leading up to 0.35
Falco 0.37 Top Features Priorities (Brainstorming) - Start POCs / Scoping / Development leading up to 0.36