Closed therealbobo closed 1 year ago
Hey @therealbobo, thank you for that! This syscall should already be tracked in this issue: https://github.com/falcosecurity/falco/issues/1998
Hey @Andreagit97, I didn't notice that! I'd like to keep this open because `prctl` could hide malicious behaviour and I think that its implementation could be very useful for the community! If you want, I could try to work on it! 😄
Thanks @therealbobo! I agree with you, this syscall can have high priority due to the good security-related info it carries. Looking forward to seeing what you come up with!
/milestone next-driver
Motivation
The `prctl` syscall can be used to manipulate information about a process. In particular, it can be used to change the process name in an attempt to hide malicious behaviour behind a "false identity" (e.g. renaming itself to `ssh`). It would be nice if Falco could detect such behaviour.
Feature
Implement the `prctl` syscall in the 3 drivers.
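To make the masquerade in the motivation concrete, here is an added example (not code from the issue author or from Falco's drivers): a Linux process renames itself with `prctl(PR_SET_NAME)`, reads the new name back with `PR_GET_NAME`, and a detector-side helper flags the fact that the 16-byte `comm` no longer matches the executable it actually runs. The function names `masquerade_as` and `comm_mismatches_exe` and the comm-versus-exe heuristic are assumptions for illustration, not a Falco rule or driver field; Falco's drivers would observe the syscall itself rather than inspect `/proc` after the fact.

```c
/* Added example, not Falco code. Linux only: uses prctl(2) and /proc/self/exe. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

#define COMM_LEN 16   /* TASK_COMM_LEN: the kernel keeps 15 bytes of name plus a NUL */

/* Rename the calling thread with PR_SET_NAME (the "false identity" from the
 * issue) and read the kernel's view back with PR_GET_NAME, which always
 * writes COMM_LEN bytes. Returns 0 on success, -1 on failure. */
int masquerade_as(const char *fake_name, char out_comm[COMM_LEN]) {
    if (prctl(PR_SET_NAME, fake_name, 0, 0, 0) != 0)
        return -1;
    memset(out_comm, 0, COMM_LEN);
    if (prctl(PR_GET_NAME, out_comm, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Basename of a path without modifying it. */
static const char *path_basename(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Hypothetical detector heuristic (an assumption here, not a Falco rule):
 * after exec, comm is the executable's basename truncated to 15 bytes, so a
 * comm that is not a 15-byte prefix of the exe basename was set by something
 * else, typically PR_SET_NAME. Returns 1 on mismatch, 0 when consistent. */
int comm_mismatches_exe(const char *comm, const char *exe_path) {
    const char *base = path_basename(exe_path);
    return strncmp(comm, base, COMM_LEN - 1) != 0;
}

int main(void) {
    char comm[COMM_LEN];
    char exe[4096];

    /* The real binary: PR_SET_NAME does not touch this link. */
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0) { perror("readlink"); return 1; }
    exe[n] = '\0';

    /* Pretend to be ssh, as in the issue's example. */
    if (masquerade_as("ssh", comm) != 0) { perror("prctl"); return 1; }

    printf("comm after PR_SET_NAME: %s\n", comm);
    printf("exe (unchanged):        %s\n", exe);
    printf("comm/exe mismatch:      %d\n", comm_mismatches_exe(comm, exe));
    return 0;
}
```

Two caveats worth keeping in mind when turning this into detection logic: `comm` is per thread, so `ps` and `/proc/<pid>/comm` show only the main thread's name, and the 15-byte truncation means long legitimate names also differ from their basename unless the comparison is prefix-limited as above. Seeing the `prctl` call itself, which is what implementing the syscall in the drivers would give Falco, avoids both problems.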