Supports observation ability on the file content of `(rename and renameat).oldpath`.

[MagpieRYL]

Motivation

There are so many attacking tricks overwriting sensitive files for gaining control, like ~/.ssh/authorized_keys, /etc/crontab, ~/.bashrc, etc.

Sometimes, getting the content buffer written to files is helpful for threaten detection, but the content buffer cannot be observed by Falco when overwriting file by mv command, because mv actually works based on the rename syscall without any buffer arg.

So, if any attacker overwrites sensitive files using mv command, Falco just lost the observation ability on the written content.

some examples:

1. C2 commands like reverse-shell written to /etc/crontab, ~/.bashrc: buffer detection.
2. Mal-script's path inside a container is written to the core_pattern file of a mounted procfs from host, leading to container escape: buffer detection.
3. Mal-script's path inside a container is written to the release_agent file of a mounted cgroupfs from host, leading to container escape: buffer detection.

Feature

Supports observation ability on the file content of (rename and renameat).oldpath.

[MagpieRYL]

anyone notice this request ?

[Andreagit97]

Ei @MagpieRYL yes we noticed it, sorry for not answering! In this release, we will try to tackle the symlink resolution issue https://github.com/falcosecurity/libs/issues/1111...unfortunately we have no many developers working on our drivers so we cannot implement many features in parallel BTW we really appreciate all your feature suggestions, they are really valuable! Looking at all the issues you seem to have a deep knowledge of security/detection...could you be interested in helping us develop some of these features? Someone with your skills would really benefit the project and would allow us to accelerate the development of new security features

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[Andreagit97]

/remove-lifecycle stale

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale