falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources
https://falcosecurity.github.io/libs/
Apache License 2.0

[FEATURE] Adding support for prctl Syscall #1013

Closed therealbobo closed 1 year ago

therealbobo commented 1 year ago

Motivation

The prctl syscall can be used to manipulate the information about a process. In particular, it can be used to change the process name in an attempt to hide a malicious behaviour with a "false identity" (e.g. renaming itself to ssh). It would be nice if Falco could detect such a behaviour.

Feature

Implement the prctl syscall in the 3 drivers.

Andreagit97 commented 1 year ago

Hi @therealbobo, thank you for that! This syscall should already be tracked in this issue: https://github.com/falcosecurity/falco/issues/1998

therealbobo commented 1 year ago

Hey @Andreagit97, I didn't notice that! I'd like to keep this open because the prctl could hide a malicious behaviour, and I think that its implementation could be very useful for the community! If you want, I could try to work on it! 😄

jasondellaluce commented 1 year ago

Thanks @therealbobo! I agree with you that this syscall can have high priority due to the good security-related info it carries. Looking forward to seeing what you come up with!

jasondellaluce commented 1 year ago

/milestone next-driver