[UMBRELLA] Missing syscalls #1998
Comments
|
Relevant blog post: https://falco.org/blog/falco-monitoring-new-syscalls/ :) |
|
Linking this to falcosecurity/libs#269 |
|
Hi @Andreagit97, it seems to me that we are missing monitoring for the |
Completely agree with you @loresuso we need it! I wll add it to the list, thank you!
|
|
As a first step, we could try to add "string name" support for all of these, so that at least we don't receive UNKNOWN events. |
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
|
falcosecurity/libs#649 adds support for all the listed syscalls, as generic events. |
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
…ies at startup time. We use a lazy generation, ie: first time `scap_get_syscall_info_table` is called, we fill the table. The table is filled with correct names; the category is either fetched from the event_table, or EC_UNKNOWN (for syscalls that have no event attached, and use the generic one). Moreover, added generic event support for falcosecurity/falco#1998 syscalls; they won't use any specific filler, just the automatic generic one, and there is no even mapping for them. Signed-off-by: Federico Di Pierro <[email protected]>
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
|
|
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
Motivation
I think we need an issue to track all the missing syscalls that can have a security value for
Falco. I detected these ones right now:fsconfignew: fsconfig support libs#606fsmountfsopenfspickopen_treemove_mountmount_setattrmemfd_createnew: Support for memfd_create syscall libs#1127memfd_secretiopermkexec_file_loadkexec_load(it is already in our tables but there is no implementation)pidfd_getfdFeat: Support for pidfd_getfd syscall libs#1145pidfd_openSupport pidfd_open syscall libs#1187pidfd_send_signalpkey_allocpkey_mprotectpkey_freelandlock_create_rulesetquotactl_fdlandlock_restrict_selflandlock_add_ruleepoll_pwait2migrate_pagesmove_pagesmlock2update(driver): add support for mlock2 syscall libs#358preadv2pwritev2prctlarch_prctlumountfix(driver): remove some inconsistencies in our event tables libs#936mknodfeat(driver): support for mknod/mknodat syscall libs#1270mknodatfeat(driver): support for mknod/mknodat syscall libs#1270init_modulefeat(driver): support for init_module, finit_module syscalls libs#1242finit_modulefeat(driver): support for init_module, finit_module syscalls libs#1242Please if you have in mind other syscalls, leave a comment under this issue and I will add them to the list.
This issue could also be a point of reference for discussing which syscalls may be more relevant and therefore have a higher priority.
I hope it could be helpful for all the
Falcocommunity 😃The text was updated successfully, but these errors were encountered: