[Feature] Improve args in `bpf` exit event

falcosecurity / libs

libsinsp, libscap, the kernel module driver, and the eBPF driver sources

https://falcosecurity.github.io/libs/

Apache License 2.0

231 stars 164 forks source link

[Feature] Improve args in `bpf` exit event #1343

Open incertum opened 1 year ago

incertum commented 1 year ago

Based on a discussion between @Andreagit97 @darryk10 and myself a few ideas shared by Andrea to improve bpf syscall based alerting in falco rules:

[ ] add the possibility to check the return value, possibly expose evt.arg.cmd also in the exit event to have all fields of interest in one event
[x] introduce the BPF commands name, so use evt.arg.cmd == BPF_PROG_LOAD instead of evt.arg.cmd == 5 -> https://github.com/falcosecurity/libs/pull/1545
[ ] expose also the name of the BPF prog injected (not easy at all) -> comment @incertum not sure how valuable it would be for detections, maybe not really needed at the moment.

Andreagit97 commented 1 year ago

this is a duplicate of #1342 but it is more detailed, I will close mine :)

incertum commented 1 year ago

oh 🤦‍♀️ I should have maybe checked before opening this issue.

Rohith-Raju commented 1 year ago

@Andreagit97 @incertum Would love to work on this!!

incertum commented 1 year ago

Awesome, you have any additional questions? Else please feel free to go ahead :) Thanks!

Rohith-Raju commented 1 year ago

I'm going to solve them one by one and will reach out if I get stuck 😄.

incertum commented 1 year ago

Great! Suggesting to focus on the first 2 items in one PR -> easy wins, add direct value to Falco rules in the next release.

The last one may need to be queued depending on prioritization, not a top priority feature.

incertum commented 11 months ago

/milestone TBD

incertum commented 10 months ago

/milestone 0.15.0

incertum commented 8 months ago

Changed milestone to TBD since 2 items are still open and to be discussed. @Rohith-Raju are you still interested in exploring the other 2 items in the future? No immediate urgency.

Rohith-Raju commented 8 months ago

@incertum Yes, I'd love to!!

incertum commented 8 months ago

Awesome @Rohith-Raju likely these items would be for the summer after Falco 0.38.0, but dev and PR review can happen any time before of course!

Rohith-Raju commented 8 months ago

Sure!! I'll reach out to you if I need more info!!

poiana commented 5 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 5 months ago

/remove-lifecycle stale

poiana commented 2 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Andreagit97 commented 2 months ago

/remove-lifecycle stale